Especially when you have users across multiple servers and both want voting privacy AND being able to deal with vote manipulation. You need stuff like pseudonymous commitments per account attested to by the hosting instance, etc. The only thing that's simpler but still private is having instances just digitally sign a total vote tally, which also means you can't detect vote manipulation on other servers at all.

[–] General_Effort@lemmy.world 1 points 3 weeks ago (1 children)

But accounts are already pseudonymous?

Here's where I am at:

I can check if my votes are federated correctly by checking if any of my votes are suppressed or votes in my name are made up. If my instance sends a different random token with each vote, I can still do that, as long as I know which tokens are assigned to my votes.

But vote tallies can also be manipulated by making up new votes through fake/bot accounts. If a vote can be connected to posts, this can be checked to some degree. Say, if an instance has a lot of voters that never post, that indicates a problem.

I don't see how the second thing with E2EE.

[–] Natanael@infosec.pub 1 points 3 weeks ago (1 children)

The very very short TLDR is that anonymization is very hard, but there's auditable cryptographic voting schemes which preserves anonymity by using anonymous cryptographic commitments and one of a bunch of different techniques to count encrypted votes (homomorphic encryption, threshold encryption, etc).

You could set it up so you know which server each set of votes comes from but not which users on the server. You could also make it prove each vote comes from one real account and that no account voted twice. You could even make use of commitments plus ZKP to prove banned accounts can't vote!

It sounds complicated because it is complicated. And somewhat inefficient. But it's possible. And it would be fully encrypted and anonymous voting.

[–] General_Effort@lemmy.world 1 points 3 weeks ago (1 children)

You could also make it prove each vote comes from one real account and that no account voted twice.

How would it prove that the account is real? I suspect that the meaning of "real account" is not the opposite of bot or sockpuppet.

[–] Natanael@infosec.pub 1 points 3 weeks ago (1 children)

A discoverable non-banned account. Not from "ghost accounts". If a server creates a massive amount of accounts to use them to vote, you can see that a small server has a disproportionate amount of registered accounts too, which probably will be otherwise inactive. Then you can reject votes from that server.

[–] General_Effort@lemmy.world 1 points 3 weeks ago

I assume it proves that there is a public key associated with each vote.

It doesn't sound like cryptography is able to add anything worthwhile. You have to trust the instance to police itself. Self-hosted instances still don't vote anonymously.

A group of users has to cooperate to hide their votes from others and each other. Only the tally is known, but you have to trust the group. On the Fediverse, such a group will be the users of an instance. The more users the instance has, the more anonymous the individual becomes.

You have to trust the instance admins to weed out bots and sock puppets, which is extra hard when they don't see the votes either. Presumably, compensating by collecting and keeping other data, such as IPs, for longer is undesirable. You have to believe that admins, volunteers all, are willing to do the extra work and that they don't actually favor manipulation for ideological reasons.

The only way to uncover untrustworthy instances is to look at aggregated data. I guess you'd have to get/scrape data for some community and then analyze by instance if the number of posters is out of whack with the number of voters. I wonder if anyone's ever done such a thing. It's certainly more challenging than looking at oddities among voters who brigade some topic.

Admins of large instances could get away with having many sock voters among the real users, if they wanted to manipulate discussions for, say, ideological reasons.