The name comes from Marie Jean Antoine Nicolas de Caritat, Marquis of Condorcet, French philosopher and mathematician, notably known for championing an election method that now named after him.
The goal of this project is to allow organisations of people working remotely to cast votes is a secure and transparent way, using a git repository to collect and authenticate votes.
If the vote is setup on a GitHub pull request and you have
gh
locally installed and logged in to your GitHub
account:
npx --package=@node-core/caritat-cli voteOnGitHub <pr-url>
Otherwise, you can specify the details manually:
npx --package=@node-core/caritat-cli voteUsingGit \
--repo=<repo-url> --branch=<branch-name> \
--path=<subfolder-where-the-vote-data-is-stored> \
--handle=<your-github-handle>
You can use one of the shell script from the sh/
folder. Requires openssl
(LibreSSL CLI is not compatible) and git
to be available on the local machine.
On a Unix-like OS:
sh/voteUsingGit.sh <your-github-handle> <repo-url> <branch-name> <subfolder-where-the-vote-data-is-stored>
On Windows:
sh/voteUsingGit.ps1 <your-github-handle> <repo-url> <branch-name> <subfolder-where-the-vote-data-is-stored>
Only works for vote that are hosted on a GitHub pull request.
Visit https://nodejs.github.io/caritat/, paste the URL of the pull request, and create the JSON file containing your encrypted ballot using GitHub web UI.
npx --package=@node-core/caritat-cli generateNewVoteFolder \
--repo "<repo-url>" --branch "<new-vote-branch-name>" \
--directory "<relative-path-to-new-vote-folder>" \
--subject "Vote subject" \
--candidate "Candidate 1" --candidate "etc." \
--allowed-voter "voter@example.com" --allowed-voter "etc@example.com" \
--shareholder "shareholder@example.com" --shareholder "etc@example.com" \
--shareholders-threshold 2
Requires openssl
(LibreSSL CLI is not compatible), gpg
, and node
.
Use the sh/generateNewVoteFolder.sh
script.
sh/generateNewVoteFolder.sh <path-to-dir>
This will generate three files that will be used to let participants vote. You can then commit those files and push this to a new branch (optionally open the vote pull request). If you are participating to that vote yourself, you should cast your vote right away using one of the methods described above.
You can build your own CLI to interface with Caritat so it's more fitted to your use-case and is more user-friendly.
Since we are using TypeScript, please rely on the type definition for documentation on how to use the API.
- As a Voter, you need to trust the Vote Instigator for:
- using a reliable hardware and software to generate the Vote Private Key and encrypt it, and to not store it anywhere.
- not leaking the Vote Private Key before the vote closes if they have kept it.
- not basing their vote in function of what other has voted (having the instigator always vote first helps alleviate this issue).
- As a Voter, you need to trust the panel of Secret Holders for:
- not reconstitue the Vote Private Key before the vote closes.
- not leaking the Vote Private Key before the vote closes (if they have reconstructed it, which they should not do).
- not basing their vote in function of what other has voted (if they have reconstructed the Vote Private Key, which they should not do).
- As a Voter or the Vote Instigator, you need to trust the git commits are genuine, and therefor you need to trust that the server hosting the vote repository is not compromised.
When using git, one could force push (or otherwise alter the git tree if they have direct access to the server) the branch and remove or modify ballots from other participants. Adding protection on the branch on which the vote is happening can help prevent this.
Ballots are encrypted using a public key generated for the vote, only someone in possession for the Vote Private Key is theoretically able to decipher the ballot. Typically, no one should be in possession of the Vote Prive Key (although there is no way of ensuring that, see "Who do I need to trust?" section) until the vote closes. Unless the vote needs to stay private, a recommended practice is to publish the Vote Private Key, effectively making everyone's choices public.
Making the non-encrypted ballot available publicly is a great way to ensure the election was not rigged. Everyone can check that the ballot counted as their has not been altered and that the result adds up. It's still possible to not make them public (to keep the vote anonymous), but that requires to trust a single authority (the Vote Instigator).
When setting up the vote, the Vote Instigator creates the following keys:
- the Vote Private Key (RSA 2048 bits)
- the Vote Public Key (derived from the Vote Private Key)
- the Vote Secret (a random binary string)
- the Vote Secret Key Parts (derived from the Vote Secret, as many key parts as there are Secret Holders)
Then a vote.yml
file is created:
- the Vote Public Key,
- the Vote Private Key encrypted using the Vote Secret,
- the Vote Secret Key Parts encrypted using PGP (each key part is encrypted using Secret Holder public key),
- a list of candidates (only those candidates are allowed in a ballot),
- a list of allowed Voters,
- a vote subject, header and footer instructions to give more context to the voter directly in the ballot,
- the method to count the ballots (only Condorcet is supported at the time of writing),
- miscellaneous vote options, such as
canShuffleCandidates
.
The Vote Instigator pushes to a newly created vote branch (when using git) the
vote.yml
, as well as a file containing the public key and a ballot example.
The two other files can be used to vote without parsing the YAML file.
Encrypting the ballot is necessary to ensure people voting early do not interfere or influence folks voting after them. At the end of the vote, the the Vote Private Key can be made public, so anyone can decrypt the ballots and verify the result themself. Or it can decided that the Vote Private Key won't be shared in order to keep the votes anonymous, and a large enough panel of Secret Holders (depending on the vote settings) need to share their key parts, decrypt the ballots, and share the vote result without disclosing the content of the ballots.
An encrypted ballot is a JSON object which contains at least two keys:
-
encryptedSecret
: the Ballot Secret encrypted using the Vote Public Key. -
data
: the YAML ballot, encrypted using the Ballot Secret.
There could be other keys in that JSON object, they will be ignored.
Voters can sign their commit using PGP. When doing the counting, the system uses the git commit metadata to attribute a ballot to a voter. If a voter casts several ballots, the system only counts the most recent one.
The vote ballots cannot be deciphered, the process needs to start again (unless you have a quantum computer at home to break the RSA encryption).
The license makes no restrictions on how this tool should be used, but keep in mind that, as any electronic voting system, it can only be trusted as long as the unanonymized vote ballots are made public as soon as the vote closes, which may or may not be OK depending on the type of election you are using this for.
The default vote counting system is the Condorcet method (preferential ranked votes). This repository is probably not the best place to learn about vote theory, but all you need to know it's the best option to pick an option that majority of voters will agree with.
Let's for the sake of simplification take a situation where you are the only voter, and there are three candidates (A, B, and C). You set score 100000 to candidate A, score -100000 to candidate B, and 0 to candidate C. Here's how Caritat will count the votes:
- Caritat puts up A against B, see that you set a higher score to A, and count your vote for A. Because in this example, you're the only one voter, there's no other ballot to count. A gets 1 vote, B gets 0 votes, A wins the duel against B.
- Caritat puts up B against C, see that you set a higher score to C, and count your vote for C. C gets 1 vote, B gets 0 votes, C wins the duel against B.
- Caritat puts up A against C, see that you set a higher score to A, and count your vote for A. A gets 1 vote, C gets 0 votes, A wins the duel against C.
Caritat will show the following table of result:
Candidate | Number of won duels |
---|---|
A | 2 |
B | 0 |
C | 1 |
The winner is A, as it is the candidate that wins the most duels (also called the Condorcet winner).
It's worth noting that the exact numbers on the ballot (like 100000, 0, and -100000) don't change the result of the vote. What really matters is how these numbers stack up against the other candidates' numbers in your ballot: if they are bigger, smaller, or the same. The numbers used in the other ballots have no effect on how your ballot is counted.
In practice, there will be probably more than one voter, and potentially more than three candidates, but the same principles apply: each pair of candidates is evaluated, the candidate that wins the most duels is the winner.
Sometimes, the vote result can include more than one winner:
- It's possible to get an exact equality between two options (e.g. 3 voters prefer A against B, 9 voters are indifferent, 3 prefer B against A), in which case the duel is won by neither option. Having an equality is not really a big deal, unless there are no other candidate that wins against both options. In that case, Caritat will show more than one winner. At this point, re-running the vote should yield the same result, unless the list of voter changes.
- Another situation would be a Condorcet triangle (e.g. A wins against B, B wins against C, and C wins against A). As in love, those triangles are unlikely to get resolved in a way that keeps everyone happy.