[Noisebridge-board] Ballot system suggestion

Albert Sweigart asweigart at gmail.com
Wed Jan 12 08:49:39 UTC 2011

Hey all, I wanted to run a ballot system by you. I'd like to have
something a bit more than just pieces of paper dropped in a bin. What
do you think of this system? (Can you find any flaws?) Is this system
a good mix of security, privacy, convenience, and cost? IMPORTANT
NOTE: It doesn't have to be totally secure, just more secure than last
year's system of filling in a piece of paper and putting it in the

1) Trusted person Genevra (who is not running in the election)
generates 200 (or however many for the number of ballots we need, plus
some extra spares) random serial numbers that are, say, 16 random

2) Genevra then adds four random words from a dictionary to the serial
numbers, and SHA1 hashes them. This list of hashes is the
"verification list" and is made public. The words are just used to add
length to the serial numbers before hashing (but are easier to type in
than a longer hash). Genevra is trusted to destroy any lists of the
original serial numbers she might have made in the process of printing
out the ballots.

For example, at the top of the ballot is "ELEPHANT POTATO CHERUB
HEARTLESS F7OI36JO4IEF99VB" and on the verification list would be the
entry "145b5bb5df48d8aefc47e20dbb8045610f80829c"

3) The ballots are printed by Genevra, each with a unique serial
number (plus random words) printed at the top. The top of the paper is
folded and taped down by Genevra so that you cannot see the serial
number or the random words. The ballot is now "sealed". Genevra must
be trusted not to print duplicate ballots.

4) Genevra hands out the sealed ballots to other trusted members, "the
ballot distributors" (let's call them Alice, Bob, and Carol) who can
be at the Noisebridge space to hand out ballots to people on the list
of Noisebridge members in good standing (let's call them Mona, Mike,
and Mark). So Alice would have a stack of ballots and Noisebridge
member Mona randomly selects one of the ballots. This would prevent
Alice from knowing what Mona's serial number is. Mike and Mark
randomly pick ballots from Alice, Bob, or Carol (whoever is nearby to
get a ballot from.) The distributor crosses off the name of the member
getting a ballot so the member doesn't get a second one.

5) Mona, Mike, and Mark can untape (i.e. unseal) the top and re-hash
the random words and serial number to verify (using the public
verification list) that they didn't get a fake ballot from Alice et

6) Mona & the other voters write in their votes and drop them off in
the ballot box. The ballot has a bottom part where they can write down
a copy of their votes and tear it off for their own records.

7) When counting the votes, the vote counters verify the serial number
from the verification list (preventing voters from dropping off fake

8) Alice, Bob, Carol and the others who were given ballots to
distribute give back their remaining ballots. They are unsealed and
verified, marked as void, and the number of ballots given to them and
returned is checked. The votes are publicly posted (as they were last
year) so people can check to make sure their vote was counted.

I'm not sure about how we can secure the ballot box. Probably just
nail & glue the damn thing shut and require crowbarring it open before
counting? Again, it just has to be better than the usual system.


More information about the Board mailing list