Looking For Suggestions for an Email Voting System
Alan Dayley
alandd at consultpros.com
Fri Apr 20 20:08:26 MST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark Phillips wrote:
>
> Why the browser user agent string?
>
> If I have firefox and IE installed on one machine, could I vote twice, once
> from each browser?
The Firefox plugin User Agent Switcher would let me vote as many times
as I have agent strings to choose from.
Just using the IP is not perfect either since my current IP is from home
but I'll have a different one at work and another at Schlotsky's.
> Let me see if I understand the concept -
>
> Email is sent with a link to an html page. The link could be of the form:
>
> http://some.web.server/form.jsp?vote=no
>
> The page then captures the vote = no, and displays a thank you page.
>
> How can I get the email recipient's email address in the query string? For
> example:
>
> http://some.web.server/form.jsp?vote=no&email=member@yahoo.com
So I could vote multiple times in other people's names just by changing
the URL to a different email address.
I'm not trying to be contrary to your problem. I am also not a web
developer so perhaps I should quit espousing possible solutions that I
have no experience implementing. But let me get to my point:
The only way to ensure that you will not have multiple votes by any one
person is to uniquely identify each person in a way that can't be
"spoofed" by someone else. That means passwords, pre-shared keys or
public/private key pairs like PGP. (Or some other security system that
I don't know about.) Anything else will be game-able.
The point to any of the easy three; agent string, IP address and email
address is to keep honest people honest. If you have a problem with
people gaming the system, I don't think any of the three easy solutions
will be good enough to prevent it.
Back to perhaps being helpful, I just had a thought. You could use one
of the easy tracking methods and publish some rules about the number of
votes. For example:
1 - If the total votes by the deadline are less than 80% of the eligible
voters, the vote does not count. (Encourage people to vote and get the
number close to the maximum possible.)
2 - If the total number of votes then exceeds the number of possible
voters, you know someone gamed the vote and it does not count. (This
way a "ballot box stuffer" has a disincentive to stuff too much and
their effect is minimized.)
This solution depends on nearly the entire community actually voting to
overwhelm any stuffers. The other weakness is that a stuffer can
invalidate the election every time if they want.
An interesting conundrum. Let us know how it goes.
Alan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
iD8DBQFGKYAqDQw/VSQuFZYRAl27AJ9iJYe1FtpToUNom8vO+ZvbQJaP3wCdG7ie
fEp9F2cmldVp9WD1L40PKQk=
=617D
-----END PGP SIGNATURE-----
More information about the PLUG-discuss
mailing list