0

I am working on an anonymous survey module in ERP-system and I am thinking if there is a common approach to implement such systems to make them "truly" (I do understand that there still will be an attack to collate results with users with some degree of certainty) anonymous while preventing users from voting multiple times.

My current approach is to record separately survey results and users who voted (not linking them together), and delete vote records after survey completion. But I don't like that system stores users who voted and relies on mechanism that will run after survey to delete vote records.

I was also thinking about generating unique vote links for each user that I will create and send on survey launch but there will a problem with delivery path, because email/sms/messenger service will log messages.

Is it possible to improve that approach?

Improve this question
5
  • 1
    So its important to know if a user has attempted to vote twice. But not know who they are, what they voted for, or if they voted at all? Commented Jul 14, 2020 at 10:40
  • The unique vote links are probably the best model. And your system should have a way to avoid logging sensitive information. Commented Jul 14, 2020 at 10:55
  • @Kain0_0, preferably I don't want to store any of these facts at any time during survey. In my model described in the question system never knows what user voted for, but knows that he voted (that fact will be erased after survey completion). Commented Jul 14, 2020 at 11:28
  • @MaciejStachowski, I think that there is a problem with unique link delivery because I am not in control of whole delivery path. E.g. in case of email, message with link will be stored in user email client and basically will be located at his PC within his organization. Commented Jul 14, 2020 at 11:36
  • 1
    Wasn't it actually proven that it is impossible to have an online vote which is simultaneously resistant to voting fraud, doesn't allow to match voters to their voting choices and does not require trust in a party? Commented Jul 14, 2020 at 12:11

3 Answers 3

Reset to default
1

Unique one-time links are a standard solution, but if the OP's requirements disallow sending the survey credentials to the user, the solution needs to use something that the user already has and the system knows of, and store it in a way that prevents reverse engineering and extracting identifiable information.

This, unfortunately, means that the user has to present some sort of proof of identity to the system, and the system must be able to tie that proof of identity to the user. But there's some leeway in how the data can be stored.

Let's say Alice wants to cast a vote in survey #42. The system can do the following:

  • Take Alice's username and password and authenticate her using the standard authentication mechanism, presumably involving a hash of the password.
  • Compute a hash of Alice|42|alicespassword and store that in the database alongside the vote.

Even if Eve manages to steal the entire database, she won't know that Alice has voted, and she won't be able to correlate votes across different surveys, since both would require reversing the hash. Eve will also not be able to cast a vote for Alice since Alice needs to authenticate to your system first, and Alice won't be able to vote again unless she changes her password (which a real solution should be secured against - I'll leave that as an exercise to the reader).

There are still attacks that can be performed - with write access Eve can add votes to the database without a real way of verifying that they're legitimate, and the system can capture Alice's credentials and try to match them against surveys she filled in. But since, as @Philipp stated, there's pretty much no way to have a 100% trustless solution (especially if the requirement is that no key can be provided from the system to the user) this seems like a reasonable compromise.

Improve this answer
0
1

An online voting system must have at least one of these properties:

  • Allow unauthorized voting / double voting
  • Allow to find out who voted for what
  • Require a party which can be trusted to not falsify or share certain pieces of information

When you have a trusted party, then that party can keep a tally of who voted and a separate tally of votes but intentionally destroy the relation between them (this is what the ballot box does in paper voting). But that party is able to falsify the vote tally and nobody can prove that they did. Also, there is no way for them to prove that they indeed destroyed the information about who voted for what.

It is possible to create systems which don't require a 3rd party. They require some form of shared ledger, like a blockchain. But the problem is that there is no way to separate the process of authenticating the voting rights of a voter from the process of verifying and tallying their vote. When you don't know who cast a vote, then you don't know if the voter was allowed to cast it. The only way to avoid that is by just accepting every vote, but now anyone can vote as often as they want, which makes the poll pretty pointless.

So you can not create an anonymous online voting system which requires zero trust. But you can at least try to create one your users find worthy of trust.

One option is a "nothing up my sleeve" approach to software development. Try to make the voting process as transparent as possible, for example by open sourcing the voting software and documenting the infrastructure. But the users will still require to trust you that the information you publish is indeed true.

Another option is to find a 3rd party with a good reputation and no stake in the poll, which makes that party unlikely to falsify it or break confidentiality. There are companies which promise to provide such services.

Improve this answer
1
  • Is the requirement is to make the system anonymous or verifably anonymous, though? My understanding is that the OP doesn't want to keep the identifiable information in case of eg. a data breach or a malicious actor trying to deanonymize the data, but the user still implicitly trusts the system. Commented Jul 14, 2020 at 12:36
0

You could use Blind Signatures, a concept David Chaum introduced in his paper Blind Signatures for Untraceable Payments

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.