Proposing a New OSMF Board Election System

Hello OSM Community :crab:,

Over the past week, I have been contemplating a new system for the OSMF board election process. Today, I am publishing the Specification for OSMF Electronic Voting System 1.0, and I am seeking your feedback.

The new system is designed to address privacy, security, and various other issues I have identified with the current OpaVote system. The specification is somewhat technical, as it aims to encompass all aspects of the voting procedure and core implementation decisions.

For the less technical audience, I have created a table that highlights the benefits of the proposed solution over OpaVote.

OpaVote OSMF-Voting
Open Source :x: proprietary :white_check_mark: free and open source
Privacy :x: “trust us”, google-analytics tracking on the voting page, email delivery via sendgrid, external dependencies :white_check_mark: no external dependencies, no tracking
Security Guarantees :x: “trust us” :white_check_mark: verifiable, mathematically proven
“Artificial Members” Attack :x: possible :yellow_square: partially mitigated
Voter Eligibility :question: trust OpaVote and OSMF :yellow_square: trust OSMF
Voter Anonymity :question: trust OpaVote :white_check_mark: cryptographically secured
One Vote Per Member :question: trust OpaVote :white_check_mark: cryptographically secured
Ballots Confidentiality (knowing the results before the deadline) :question: trust OpaVote :yellow_square: trust OSMF
Results Verification :question: trust OpaVote :white_check_mark: independently verifiable
Code Audits :x: no independent audits :white_check_mark: public audits

Note: The “trust OSMF” is marked in yellow and not green because in the perfect electronic voting system, one wouldn’t have to trust anybody. While I have deep trust in the Foundation, when designing a resilient voting system, one must always consider the worst-case scenario.

Highlight: Privacy

I find the OpaVote privacy questionable. Their website employs Google Analytics tracking, which is also present on the voting page itself. The voting page includes several external dependencies, such as Google Fonts, Google CDN, and Bootstrap CDN. Additionally, all emails are delivered using a third-party delivery service, SendGrid. It also appears that they utilize Amazon Web Services (AWS), as per their privacy policy.

Do you now understand why AdBlock needs to be disabled when voting on OpaVote?

I contacted OpaVote with some of my findings but received no further response.

Highlight: Security

Creating a well-designed and secure electronic voting system is a challenging task. Whenever someone claims “trust us” in the context of security, I am naturally skeptical. Unfortunately, OpaVote appears to rely solely on the “trust us” security model.

Allow me to quote the “Indisputable Results” section:

We’re an independent third-party with no stakes in your election, and we’ve built OpaVote so it can only operate like a non-biaised and uninterested referee that you and your voters can trust.

This statement provides no guarantees beyond the “trust us” model. They do not seem to address obvious risks such as bribery or the “5$ wrench attack”.

Disclaimer: Please note that this project is not affiliated with the OpenStreetMap Foundation. It’s the result of my voluntary work and personal choices.

30 posts - 13 participants

Read full topic

Ce sujet de discussion accompagne la publication sur