[ga] votebot available
Please forgive the length of this post.
For those that may be interested, I have developed a simple email
votebot, freely available under standard open source conventions.
While it is simple, it has a number of features that I consider
useful and interesting -- it works with any email client with no
additional software, it automatically tallies the votes, provides for
auditing facilities, allows for people to be in different roles
(voters, registrars, and auditors), and is resistant to spoofing.
While it isn't cryptographically secure, it does authenticate the
votes, and, if desired (and if the votebot is run by a trusted
party), can provide some degree of privacy.
It uses files with lists of email addresses to define the voters,
registrars, and auditors. These lists may be hand-maintained for
small groups, or managed by a mailing list manager such as majordomo.
It is intended as a candidate for use in Working Groups of the DNSO,
but it is a general tool, and available to anyone.
The source is available as a tar file at
I have also set up a working version at email@example.com. It is
configured to deal with three majordomo lists: firstname.lastname@example.org,
email@example.com, and firstname.lastname@example.org.
You can subscribe to these lists by sending a message to
email@example.com, with the following contents in the body:
You can unsubscribe by sending
As a member of vtest_reg you can register ballots to create and manage
As a member of vtest you can vote in any such election
As a member of vtest_aud you can see the audit records for any such
The votebot is fully functional, though there is still some work to
do -- the logging needs to be fixed up; I want to add support for
other voting protocols; I want to add support for automatic
control of the opening and closing of the polls at pre-determined
times; and a few other features.
I am of course interested in any constructive criticism, or ideas
for improvements or features.
By its nature, it is hard for one person to meaningfully test a
votebot, so there are certainly some bugs.
To play with the votebot, join the above lists, cut out the sample
ballot included below, and send mail to firstname.lastname@example.org, with
a subject "register ballot", and a body with the sample ballot.
Finally, I would like to thank Dan Busarow, whose votebot used on the
PAB list provided the model and the inspiration for this:
Thanks, Dan :-)
Here is the current documentation file:
Votebot provides a method for taking votes among a group of
people on an email list. It provides several functions --
initializing an election, terminating an election, collecting votes,
tallying the votes, and auditing. All the data for each election
(all the received votes) are preserved until a system administrator
deletes them. The votebot uses a very simple security and auditing
model, adequate in many practical cases.
A primary design goal of the votebot is that it require no client
software except a minimal email client. The votebot is designed to
be used in conjunction with standard email list software, in
Installation instructions are at the bottom of this document.

Voters, Registrars, and Auditors

The votebot deals with three sets of email addresses -- the "voters",
the "registrars", and the "auditors". The voters can vote and see
the results; the registrars can initiate and terminate elections; and
the auditors can see all the votes cast. Each set is represented by
a file of email addresses, one per line. The files need not be
distinct -- for example, the voters, registrars, and auditors could
all be the same file. Note that use of the term "registrar" in this
document has absolutely nothing to do with DNS.
A more common approach would be to have a large set of voters, the
same set be the auditors, and a small subset be registrars (perhaps
elected officers of the group). This would imply a completely open
election in the sense that all the voters could see all the votes,
but that some elected officers (say the secretary or chair) would be
in charge of initiating and terminating elections.
Other combinations are possible.

Security, Privacy, and Authentication

Because email addresses can be spoofed, the votebot uses a simple
"cookie" handshake mechanism to guard against fake votes -- you are
first sent a unique "cookie" or "key" (a string of 26 hex digits, at
this time) that must be returned for each vote or other transaction
with the votebot. [There are two unauthenticated requests.]
Email is in practice actually very reliable, but can be lost.
Therefore, the votebot allows each voter to cast multiple votes --
the last one received will be counted. However, because the order of
delivery of multiple email messages is not guaranteed, it is not wise
to change your mind, because you can't guarantee which vote the
votebot will count.
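
The cookie check and the "last one received counts" rule described above, as an added Python sketch that is not the votebot's own Perl code. It assumes one random key per voter address (the document does not say how keys are generated or scoped), and the names `parse_subject` and `Election` are hypothetical.

```python
import hmac
import re
import secrets

# "<command> <26 hex digits>" may appear anywhere in the Subject, so
# "RE: Vote <key> (was Re: blat)" still matches.
SUBJECT_RE = re.compile(
    r"\b(open|close|vote|list|audit|tally)\s+([0-9a-f]{26})\b", re.IGNORECASE)


def parse_subject(subject):
    """Return (command, key) in lower case, or None if no command/key pair is present."""
    m = SUBJECT_RE.search(subject)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


class Election:
    """Hypothetical model of the handshake, not the votebot's own data structures."""

    def __init__(self, voters):
        # Assumption: one random 26-hex-digit key per voter address.
        self.keys = {v.lower(): secrets.token_hex(13) for v in voters}
        self.received = []   # every accepted ballot, kept for audit
        self.counted = {}    # address -> last choice received

    def receive_vote(self, from_addr, subject, choice):
        """Accept a vote only if the From address is a voter and returns its own key."""
        addr = from_addr.lower()
        parsed = parse_subject(subject)
        expected = self.keys.get(addr)
        if expected is None or parsed is None or parsed[0] != "vote":
            return False
        if not hmac.compare_digest(parsed[1], expected):
            return False     # forged From header without the matching key
        self.received.append((addr, choice))
        self.counted[addr] = choice   # last one received wins
        return True

    def tally(self):
        totals = {}
        for choice in self.counted.values():
            totals[choice] = totals.get(choice, 0) + 1
        return totals
```

If the same voter's "no" and "yes" messages arrive in the opposite order, `tally()` reports the other choice, which is the delivery-order risk the paragraph above warns about.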
"Vanilla" email is intrinsically weak from a privacy perspective, so
the votebot cannot provide a high-security secret ballot, even if the
operator of the votebot is trusted completely. However, some
privacy can be achieved by having a small set of trusted auditors,
and a trusted votebot operator.
Note that one of the design goals of this software was to provide a
voting mechanism that required nothing but a simple email client on
the part of the voters. It would, however, be straightforward to
construct an SSL gateway to the votebot, using a web browser as the
Votebot supports 8 functions: "register ballot", "open" (polls for
voting), "close" (polls), "list" (all votes in summary form), "audit"
(send a file of all ballots received), "tally" (return election
results), "vote" (cast a vote), and "help" (not yet implemented).
All the functions are activated by being specified in the "subject:"
header of an email message.
The general flow of processing for an election goes as follows:
1) One of the registrars creates a ballot (see below) and sends
it to the votebot address, in a message with "register ballot"
as the subject.
2) The votebot verifies the ballot is in correct form, converts
it to a canonical form, and sends a message to each registrar
with subject "open <key>" (where <key> is one of the above
mentioned 26 hex digit "cookies"). The registrars verify that
the canonicalized ballot is as they expect. In general, the
votebot deals with the common email quoting convention (some
combination of ">" and " " characters prepended to lines), and
modifications to subject lines are handled fine, as long as the
original string appears somewhere in the line. Thus,
"Subject: RE: Vote 33d80d6162b599e74b41a07b0b (was Re: blat)"
works just as well as
"Subject: Vote 33d80d6162b599e74b41a07b0b"
3) When it is time to start voting, one of the registrars replies
to the votebot, with exactly that same "open <key>" string in the
subject of the reply message (the body of this reply is ignored
by the votebot).
4) The votebot receives the "open <key>" message, and
a) Sends copies of the ballot to each address in the "voters"
list. The subject of this message reads "Vote <key>". The
voter fills out the ballot and returns the message, with the
same "Vote <key>" string somewhere in the subject. This
vote may be returned any number of times -- all votes will
be recorded, and the last one received will be the one that
b) Sends a "Close <key>" message to each registrar. If a
registrar returns this message to the votebot, the polls
will close. This is irreversible -- once an election is
closed, it is closed.
c) Sends a "List <key>" message to each auditor. If an
auditor returns this message, a list of all votes cast so far
will be returned. If the auditor changes the "List <key>"
to "Audit <key>" (that is, changes "List" to "Audit" in the
subject line), a full audit will be returned, with the full
text and headers of every email ballot submitted for the
5) The votebot collects votes. A receipt with a unique checksum
is sent for each received vote. (The checksum is *not* a cookie,
though it looks like one.)
6) One of the registrars closes the election.
7) Anytime after the election is open, "tally <key>", "list
<key>", and "audit <key>" messages may be sent. Note that the
"<key>" used in "tally" and "audit" messages is just the precise
same key that the votebot returned for the "vote", "list", and
Ballots are quite free-form, and just depend on a few syntactic
features for recognition. Reserved words on the beginning of a line
are used to delimit sections; two characters are reserved for use on
the ballot, the left and right square brackets '[' and ']'.
Text in the ballot is divided into two classes: single lines of
syntactic importance, which always have a keyword or symbol as their
first non-blank characters, and "noise" -- everything else, which may
be important explanatory text, but is ignored by the votebot.
Examples of keywords are: 'ID:', 'Question:', 'Polls Open:', 'Polls
Close:', 'voters:', 'Created by:' and 'Protocol:'. Case is not
significant. Leading whitespace is OK. The 'ID:' and 'Created by:'
keywords are added by the software.
Ballot choices are indicated by '' as the first non-blanks on a
line. For concreteness, here is an example ballot, as it would be
submitted in a "register ballot" message:
Polls open: Mon Sep 6 00:00:01 GMT 1999
Polls close: Wed Sep 8 00:00:01 GMT 1999
Question: "We believe you, Anita"
protocol: select one
Question: William Jefferson Clinton should be impeached
 Are you crazy?
After the ballot is processed by the votebot, it is returned to the
registrars for approval. A registered ballot has
more fields added. Concretely, this is the mail message that was
returned for the above ballot:
Date: Sat, 6 Nov 1999 09:08:13 -0800
Subject: Open defff0884450598834770278cd
Created by: email@example.com
Polls Open: Mon Sep 6 00:00:01 1999 UTC (Sun Sep 5 16:00:01 PST)
Polls Close: Wed Sep 8 00:00:01 1999 UTC (Tue Sep 7 16:00:01 PST)
QUESTION: "We believe you, Anita"
PROTOCOL: select one
QUESTION: William Jefferson Clinton should be impeached
 Are you crazy?
The "subject:" line of the above message is
Subject: Open defff0884450598834770278cd
At this point in the election cycle the ballot has been registered,
but the polls are not open. A reply to the above message, with that
same subject line, will open the polls, and send individual ballots
to every member of the "voters" list. The parsing is relatively
forgiving of "Re:" prefixes and so on in the subject line. The content
of the message is ignored in processing an "open".
In a future version the votebot will only accept votes cast within the
window defined by the "polls open" and "polls close" keywords, if they
are present. Currently, all that is done is to generate a GMT version
of the times.
Also, in a future version, the "protocol:" keyword will be parsed,
and individual questions may be tallied through different voting

Legalities, Installation, and Configuration

Votebot is released as open source -- the license is at the top of
the code. If you make useful improvements, please send them to me:
The votebot is extremely simple to install, but you must have a
functioning perl5 installation with the Digest::MD5 and Date::Manip
modules installed. (It also requires Fcntl and POSIX, but I believe
these are part of the base installation of perl5.) For perl and
perl modules, see http://cpan.org.
Put the votebot code somewhere appropriate, then set up an email
alias to run it. For example, with sendmail an alias like this works:
votebot: "| /home/kent/votebot/votebot"
The votebot currently is configured by editing the variable
assignments in the "config" subroutine at the bottom of the
code. The comments there describe each configuration variable.
Kent Crispin "Do good, and you'll be
firstname.lastname@example.org lonesome." -- Mark Twain