Proposing a New OSMF Board Election System

Hello OSM Community :crab:,

Over the past week, I have been contemplating a new system for the OSMF board election process. Today, I am publishing the Specification for OSMF Electronic Voting System 1.0, and I am seeking your feedback.

The new system is designed to address privacy, security, and various other issues I have identified with the current OpaVote system. The specification is somewhat technical, as it aims to encompass all aspects of the voting procedure and core implementation decisions.

For the less technical audience, I have created a table that highlights the benefits of the proposed solution over OpaVote.

| | OpaVote | OSMF-Voting |
|---|---|---|
| Open Source | :x: proprietary | :white_check_mark: free and open source |
| Privacy | :x: “trust us”, google-analytics tracking on the voting page, email delivery via sendgrid, external dependencies | :white_check_mark: no external dependencies, no tracking |
| Security Guarantees | :x: “trust us” | :white_check_mark: verifiable, mathematically proven |
| “Artificial Members” Attack | :x: possible | :yellow_square: partially mitigated |
| Voter Eligibility | :question: trust OpaVote and OSMF | :yellow_square: trust OSMF |
| Voter Anonymity | :question: trust OpaVote | :white_check_mark: cryptographically secured |
| One Vote Per Member | :question: trust OpaVote | :white_check_mark: cryptographically secured |
| Ballots Confidentiality (knowing the results before the deadline) | :question: trust OpaVote | :yellow_square: trust OSMF |
| Results Verification | :question: trust OpaVote | :white_check_mark: independently verifiable |
| Code Audits | :x: no independent audits | :white_check_mark: public audits |

Note: The “trust OSMF” is marked in yellow and not green because in the perfect electronic voting system, one wouldn’t have to trust anybody. While I have deep trust in the Foundation, when designing a resilient voting system, one must always consider the worst-case scenario.

Highlight: Privacy

I find the OpaVote privacy questionable. Their website employs Google Analytics tracking, which is also present on the voting page itself. The voting page includes several external dependencies, such as Google Fonts, Google CDN, and Bootstrap CDN. Additionally, all emails are delivered using a third-party delivery service, SendGrid. It also appears that they utilize Amazon Web Services (AWS), as per their privacy policy.

Do you now understand why AdBlock needs to be disabled when voting on OpaVote?

I contacted OpaVote with some of my findings but received no further response.

Highlight: Security

Creating a well-designed and secure electronic voting system is a challenging task. Whenever someone claims “trust us” in the context of security, I am naturally skeptical. Unfortunately, OpaVote appears to rely solely on the “trust us” security model.

Allow me to quote the “Indisputable Results” section:

We’re an independent third-party with no stakes in your election, and we’ve built OpaVote so it can only operate like a non-biased and uninterested referee that you and your voters can trust.

This statement provides no guarantees beyond the “trust us” model. They do not seem to address obvious risks such as bribery or the “$5 wrench attack”.


Disclaimer: Please note that this project is not affiliated with the OpenStreetMap Foundation. It’s the result of my voluntary work and personal choices.

1 Like

Two immediate comments: (1) Historically the OSMF has published the ballots after the vote and it was therefore possible for third parties to verify that OpaVote evaluated them correctly. Would this not mean that “trust OpaVote” on the “Results Verification” line should be replaced with “with OSMF cooperation” or some such? (2) Voter disenfranchisement is a huge topic; you mention this on your readme under “technical limitations”/“complexity”. Anything that makes voting more difficult is likely to make some voters go “meh”. Do we want that? Personally, while I certainly possess the ability to install a crypto wallet extension into my web browser, I’m not even sure if I would (because I dislike anything to do with cryptocurrency - its adherents tend to be not my kind of person). So if you want to keep me away from voting in the future, requiring a crypto wallet extension is certainly a good first step :wink:

13 Likes
  1. Let me challenge your argument. It’s still OpaVote that provides the final ballots list. They have full control over what is included on the ballots. External verification only proves that what OSMF published matches what OSMF received from OpaVote. Nobody has a way to verify that what OpaVote publishes matches actual votes cast. In contrast, the proposed solution allows anybody to validate the results by directly inspecting the votes cast.

  2. Yes, I am fully aware of that. If this system ever needs to function, a proper choice of web wallet (one with an intuitive user experience) and good video and text tutorials are necessary. As I understand it, some software needs to be installed for us to have truly independent voting. Web wallets are the most convenient way to achieve that. The community should ask themselves whether they prioritize the legitimacy of the election or convenience. In my personal opinion, the use of OpaVote today is redundant, as highlighted issues show that with the current system, any party, whether it’s OpaVote or OSMF, could influence the results. By running in-house elections, we are limited to trusting just OSMF, reducing the potential attack vector. The proposed solution uses cryptography to further reduce the trust required in the OSMF and provide an independent voting infrastructure.

I have AdBlock enabled when using OpaVote and have never seen such a notification in there to disable it. The page worked properly all the way through the voting process.

2 Likes

Let me attach screenshots from both the voting email as well as the OpaVote website.

[image]

I personally faced the issue, and given the amount of text talking about it, I assumed it’s a broader issue.

The following quote is the reason I said “AdBlock needs to be disabled when voting on OpaVote”:

“Disable any plugins that block content (like Decentraleyes or uBlock Origin). Otherwise the list of the candidates will not be visible and you will send an empty vote.”

I think that it would be better to spend time on improving OSM-specific software like the OSM editors or the OSM website, or software that makes OSM data easier to use.

Verifying/testing/integrating brand new voting system alone is likely beyond our resources and outsourcing in this case seems to make sense.

If someone wants to design, implement, maintain, etc. a new complex piece of software, it would make more sense to use it more than once a year and have a broader user base. Otherwise the maintenance overhead alone will be terrible.

In a similar way, it makes no sense for us to have our own dedicated OS to run on OSMF servers or to write our own software to run within the internals of SSDs/CPUs and so on.

15 Likes

I am free to do whatever I want with my time :slightly_smiling_face:

Could you elaborate on that? I would like to better understand your stance!

The software we are talking about is very basic in nature - it has to be easily auditable. The complex part is only the specification. I would be happy to write one for reference after I finish the NextGen roadmap. I have already worked on a quite similar project in the past.

Secure, anonymous and auditable online voting is a hoax. It has been tried numerous times over decades and it’s simply broken.

Any attempt needs to make tradeoffs and can never reach the “Paper ballot voting”.

Trying to do so, and pour more crypto, more requirements, more complexity on it just does not make it any better.

So I consider discussing this an utter waste of time.

https://en.wikipedia.org/wiki/Electronic_voting

Security experts have found security problems in every attempt at online voting,[43][44][45][46] including systems in Australia,[47][48] Estonia,[49][50] Switzerland,[51][52] Russia,[53][54][55] and the United States.[56][43]

9 Likes

From a formal standpoint, voting is done by instructing a proxy to vote at the GM as you instruct. For convenience, we do this with advance voting, but the formalities matter for what we’re legally allowed to do. OpaVote doesn’t handle all of these ideally, such as someone turning up at the GM to vote, or giving their proxy vote to someone else then changing the proxy before the GM, but the membership is comfortable with the current limitations, so any new system has to handle everything the current one does.

In many ways, I’d be more comfortable with one of the UK firms whose business is running company elections than OpaVote, but there’s a big cost difference and little practical difference.

Any barrier such as needing to install browser extensions, particularly uncommon ones, is not a viable option. Because most of the proposal relies on this, I’m not going to go into your proposal in detail, just point out a couple of problems with the first steps before you even run it.

Members willing to vote download the .html application and install a cryptocurrency wallet as a browser extension.

How does this work on phones? Downloading and extensions are considerably different on mobile devices, which are over 50% of web traffic. Any voting method will have to work for mobile and desktop.

How does this work for users who have an environment where they can’t install extensions, even if on desktop?

Finally, by asking users to install a browser extension that few will have, you’re going to encounter those who are unwilling to do so because it could compromise their security. We can safely assume every OSMF member has access to a web browser, given one is required to interact with OSM in any meaningful capacity, as well as to sign up to be an OSMF member. This doesn’t rule out someone insisting on other means allowed by the companies’ act, but if you start requiring crypto extension installations and saving files, people will start using those methods and you will have to deal with ballots being submitted in other ways.

The application stores the signed tokens in the encrypted data-file, which is saved locally on the member’s computer.

Not all members will be voting from computers. What about mobile devices? What about library computers?

It doesn’t. One year there were issues with some ad blockers disabling the vote selection javascript for reasons that had nothing to do with external dependencies. One year some people submitted without first selecting who they wanted to vote for, because their adblock broke the UI.

Because of the problem that year, and because any page can be broken by adblockers, people are advised to turn them off. I’ve never had to turn off an adblocker to vote, but someone, somewhere will have one configured in a way to break the page. This is generally a safe assumption with webpages - there’s always someone who has modified their browser in such a way to break everything.

8 Likes

IMHO it does not make any sense for the OpenStreetMap community to put effort into designing & building a custom voting system. As others have mentioned, we’d be much better off improving software that relates to our core competency (mapping!).

5 Likes

Definitely! Just that in this case the chances of it actually being used for OSMF elections seem negligible. And while you and others have no obligation whatsoever to listen to my suggestion of what they implement[*], it seems to me that someone interested in their work being used by others can easily find a more impactful project.

[*] except in cases when I hired someone or act on behalf of someone who hired them, which applies only and solely where it covers such a job. This has happened so far once, in a situation involving Gmail eating OSMF mails.

Using a brand new voting system would require testing it, integrating it and verifying that it works, especially if the OSMF election would be its first serious use. That requires time from the people who set up the OSMF election vote.

Far more time than the current solution (use OpaVote) requires.

It seems unlikely that we will have enough volunteers interested in doing this and covering the extra work.

5 Likes

Yes, but OSM is primarily an online community, so paper voting is out of the question. I never stated that my solution is perfect; the specification contains a limitation section with points for consideration. However, I am strongly convinced that anything other than OpaVote will be a better choice for OSMF voting in the future, whether it is an in-house voting or the proposed decentralized voting.

Yes. For computer transactions you can have anonymous or you can have secure. Applications that need security, like banks, are not anonymous at all, and the bank knows exactly what transactions you’ve made with them. When voting in person with paper, you can arrange it so that all the involved parties can watch the voting process, see who voted, and not see how they voted, all the while maintaining zero trust in other parties, including who is running the election. That is not possible online.

I haven’t given much thought to this yet, but I am sure there exists a reasonable solution for that. Thank you for pointing this out!

On mobile, wallets come in the form of an application with an embedded web browser. The experience is pretty much the same, but with a different interface.

Could you please point me in the right direction? I am completely new to this act!

In general: OpaVote is not ideal. It would be nice to have a better system.

But having an operating system for servers better than Linux would also be nice. And having a better SSD.

It does not make sense for us to start producing our own SSD, writing our own OS or implementing our own voting system for dedicated use by OSMF. The voting system is the easiest of these three, but it is still not a weekend project. And there is an opportunity cost here.

(though one of the OSM mappers can design and produce their own SSD, write their own OS or implement a system strictly better than OpaVote)

1 Like

My response will be slightly off-topic.

Firstly, never say never :slightly_smiling_face::

I believe there is a lot yet to discover when it comes to zero-knowledge proofs and zero-trust security in general. Just because something is not possible today, doesn’t mean that it will not be possible tomorrow. The mathematics is a really deep subject that we are still trying to understand.


I couldn’t prepare a more specific response because your example lacked some detail. For instance, if nobody can see the votes, who is the one counting the votes? In the real world, it usually involves a selected group of people (so there is someone who can see the votes).

General response to the community

Let me post a small clarification.

I am not saying we should all go and implement the proposed solution right now, nor change the current OpaVote system. The primary goal of this thread is to have a broader discussion about current election issues and a potential solution (I avoid talking about issues without presenting some solution). Today, please see it as just food for thought.

1 Like

Yes, but not in this case (or at least my case).

When I checked the console logs during voting, the application script crashed due to a missing .js file import (which was blocked by the adblocker). This prevented the voting table from being rendered properly, which is done in a later part of the application script. The table itself was not blocked by the adblocker; it simply never rendered because of a broken script.

And sadly, because OpaVote is proprietary software, there is no simple way of resolving that issue (despite knowing the exact root cause). (I did report my findings to OpaVote but, as previously stated, I received no further response.)

The problem with this is that you’ve presented it in a way that isn’t “here’s a problem, and a potential solution”. You’ve presented it as “here’s a solution to a problem that hasn’t been discussed”. I see absolutely nothing in your original post talking about election issues outside of the comparison between OpaVote and your project, and having to then clarify it in a reply later just echoes this.

If you want to have that discussion, start a new thread that actually talks about it, without bringing up this project.

3 Likes

Hey! Please notice: