Documentation of voting process

E. Madison Bray

Sep 1, 2021, 6:04:40 AM
to astropy-dev
Hi all,

Voting using Helios for the first time got me wondering exactly how
this process works. I believe details of it were deliberately left
out of APE-0, but I can't find any documented discussion (at least
publicly) about how this works, or how Helios was decided on. I'm
curious if I'm just missing something.

In particular, reading the papers on how this works, I understand that
(and correct me if I'm wrong) there is a distributed key over some
number of "trustees". After the votes are tallied the final vote is
decrypted using a derived key generated by the trustees' private keys.
However, in principle all trustees could collude (but are trusted not
to, hence the name) to also decrypt the ballots themselves.

So that got me wondering, who are the trustees in the Astropy voting
process? How was that decided, and where is it documented?

Matt Craig

Sep 1, 2021, 10:03:31 AM
to astropy-dev, arl...@numfocus.org, cebra...@gmail.com, Stuart Mumford, Erik Tollerud
Hi Madison,

Excellent questions, most of which I can answer. 

TL;DR: The only trustee is the helios server; there are no human trustees. Although the governance working group set up the coco election in helios, control of the election was handed off to the returns officer Arliss Collins of NumFOCUS (thanks, Arliss!) prior to the opening of the vote. helios was chosen because it was secure, free, open source, and we had prior experience with it.

The long answer (figured more detail was better for those interested):

> I can't find any documented discussion (at least
> publicly) about how this works, or how Helios was decided on.

Helios was chosen by the initial governance working group in March or April of 2021 prior to the first election for voting members. Though the link to the group's notes has been sent out once or twice, I would not count that as documented for the broad astropy community or the voting members. They weren't hidden or anything, but they weren't advertised either once we got underway (they are here).

We were looking for a voting system that was 1) open source, 2) free, 3) any of us had had experience with and 4) seemed secure. helios met those criteria (it had been used for a while in conda-forge and I had looked into using it locally for campus Senate elections).

In late July we became aware of another tool called belenios (https://www.belenios.org/) through numpy. Although this looked similar to helios, we decided to stick with helios for the CoCo election because we (and the voting members) had had some experience with it. 

You are correct that the details of the voting platform were left out of APE 0 deliberately -- the expectation was that the "best" solution would evolve over time. helios is a bit of a hassle in part because you must authenticate using google to set up an election.

> In particular, reading the papers on how this works, I understand that
> (and correct me if I'm wrong) there is a distributed key over some
> number of "trustees". After the votes are tallied the final vote is
> decrypted using a derived key generated by the trustees' private keys.
> However, in principle all trustees could collude (but are trusted not
> to, hence the name) to also decrypt the ballots themselves.
>
> So that got me wondering, who are the trustees in the Astropy voting
> process?

There are no human trustees. The only trustee is the helios server itself. The snippet below is from the view (NOT from the CoCo election) in the settings for the trustees for an election (created a gibberish one so I could get to its settings):

"gfgs gfsdgsdf — Trustees [back to election]
Trustees are responsible for decrypting the election result.
Each trustee generates a keypair and submits the public portion to Helios.
When it's time to decrypt, each trustee needs to provide their secret key.

Helios is automatically your first trustee and will handle its keypair generation and decryption automatically.
You may add additional trustees if you want, and you can even remove the Helios trustee.
However, we recommend you do this only if you have a solid understanding of the trustee's role.

[ add a trustee ]

Trustee #1: Helios Voting Bot [x]
Public Key Fingerprint: MuBhJJ8du+kfTSrJTOBeOm7fBGmp0nHx4rHJgJme5bE
"

In both the election for initial voting members and for the CoCo the trustee was left as just the helios server.

This has the downside that if the helios server were to go down before the tally is decrypted, the election would need to be re-run. No person has the keys to decrypt the tally.

> So that got me wondering, who are the trustees in the Astropy voting
> process? How was that decided, and where is it documented?

You didn't ask this directly but I wanted to explicitly describe how the CoCo election was conducted beyond the trustees. 

First, a new gmail account, astropy.coco.e...@gmail.com, was created so that it could be used to create the election in helios. Erik Tollerud and I had the initial password for this account.

A day before the election was to begin, I set the election up in helios using this new gmail account by transferring candidate statements from the discourse server to helios. I set the display of names to be randomized for each voter.

Arliss Collins from NumFOCUS is serving as the Returns Officer for the election -- a Returns Officer is required for the CoCo election under APE0. On the evening of August 17, we (the governance group) handed off the google account and hence the CoCo vote to Arliss, with a request that the google account password be changed so that we would have no access to the email or to the administrative view of the election.

Note that Arliss is not acting as trustee -- the trustee is the helios server.

The administrator of an election can see who has voted but not how they voted. Arliss is the only one who can see that for this election. 

Arliss will take care of asking helios to calculate the encrypted tally, then to decrypt the tally, and then share the results.

Thanks again for asking the questions -- I'm sure other people may have had similar questions about helios and/or how the election was conducted.

We will bring forward a set of minor suggested changes to APE0 based on the experience with the initial elections. 

Thanks,
Matt Craig on behalf of the governance working group 
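
The trustee scheme discussed in the two messages above, sketched as an added example (not part of the original thread and not Helios code): exponential ElGamal with an election key formed from every trustee's public key, a homomorphic tally, and per-trustee decryption factors. Assumptions: the toy group parameters and all function names are constructed for illustration, and the zero-knowledge proofs a real deployment relies on are omitted.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def trustee_keygen(x=None):
    """Return (secret, public) for one trustee."""
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def election_key(trustee_publics):
    """Election public key = product of all trustee public keys."""
    y = 1
    for pub in trustee_publics:
        y = y * pub % P
    return y

def encrypt(y, vote, r=None):
    """Exponential ElGamal: the vote (0 or 1) sits in the exponent."""
    r = r if r is not None else secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(y, r, P) % P

def tally(ballots):
    """Multiply ciphertexts component-wise; the hidden votes add up."""
    a = b = 1
    for c1, c2 in ballots:
        a, b = a * c1 % P, b * c2 % P
    return a, b

def partial_decrypt(secret, ciphertext):
    """One trustee's decryption factor; the secret itself is never shared."""
    return pow(ciphertext[0], secret, P)

def combine(ciphertext, factors, max_total):
    """Strip each supplied factor, then search the small range of totals."""
    g_m = ciphertext[1]
    for f in factors:
        g_m = g_m * pow(f, -1, P) % P
    for m in range(max_total + 1):
        if pow(G, m, P) == g_m:
            return m
    return None  # no total in range matches

def demo(votes=(1, 0, 1, 1, 0), n_trustees=2):
    keys = [trustee_keygen() for _ in range(n_trustees)]
    y = election_key([pub for _, pub in keys])
    ballots = [encrypt(y, v) for v in votes]
    ct = tally(ballots)
    total = combine(ct, [partial_decrypt(x, ct) for x, _ in keys], len(votes))
    # The same set of keys applied to one ballot reveals that voter's choice.
    one = ballots[0]
    first = combine(one, [partial_decrypt(x, one) for x, _ in keys], 1)
    return total, first
```

With `n_trustees=1` the lone key holder's factor is enough for both the tally and any single ballot, and if that key is lost before decryption the tally cannot be recovered.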









E. Madison Bray

Sep 1, 2021, 10:18:28 AM
to astropy-dev, arl...@numfocus.org, cebra...@gmail.com, Stuart Mumford, Erik Tollerud
Hi Matt,

Thank you for the detailed response. To be clear, I have no qualms
with the use of Helios. Just in using it for the first time I became
curious about how it works technically. I missed the point where the
Helios server itself serves as the initial default trustee, and that
seems good enough to me (I don't think anyone is going to be
significantly invested in tampering with Astropy elections).

The process involving setting up the account and handing the keys over
to Arliss makes sense. Thank you. And yes, it would be good to
document how this was conducted in APE-0.

Matt Craig

Sep 2, 2021, 9:32:15 AM
to astropy-dev, arl...@numfocus.org, cebra...@gmail.com, Stuart Mumford, Erik Tollerud
Hi Madison,

> To be clear, I have no qualms
> with the use of Helios. Just in using it for the first time I became
> curious about how it works technically.

Understood -- in fact, I misunderstood a key aspect of it also. It turns out everyone, not just the election administrator, can see who has voted.

My thanks to the person who pointed this out to me. I think this is a plus since it makes it possible for anyone to check sums of tallies if desired once the tally is released.

It remains the case that only the election administrator/Returns Officer Arliss Collins can generate those tallies.

Thanks,
Matt

 
