In the interest of coherent program documentation, the following correction:
BGW issue 52:
(...) The anonymity relies on there being no way to link voter codes to specific email addresses. (...)
The anonymity of e-mail voting relies on there being no way to link a specific e-mail address with a specific person. I assume that any encryption can be broken eventually, revealing the link between the e-mail address and the vote-code; they come bundled together. To solve this, the e-mail addresses should be harvested in an anonymous way, as is explained elsewhere. The voter can then take care that the e-mail address does not reveal the identity of its owner. Using a known or identifiable e-mail address makes breaking anonymity very easy. Compare J.H.Boersema@groningen.nl with firstname.lastname@example.org: the first is almost a dead giveaway, but the second? In the interest of anonymous e-mail communication, hosts can be configured to offer anonymous e-mail accounts.
BGW issue 52, continued:
(...) But there can be no guarantee of this, as email messages are transferred across the Internet. An attacker could create a database of email addresses and voter codes, by sniffing the ballot documents on delivery. (...)
Exactly right.
Web-voting allows other methods of anonymity. Voters may need no more than a password, or a password plus a user-name, perhaps an agreed-upon encryption algorithm and key. These can be negotiated during the voter's registration, a process that ideally takes place offline, with the data stored offline as well. If a voter takes care to use a computer that cannot (easily) be tied to him or her, it will be difficult for an attacker to know who is behind which vote-code. The vote administration itself is of course one of the major sources of anonymity attacks; it can be neutralised by an anonymous registration process (see elsewhere).
Some political groups are attempting to bring about comprehensive Internet logging. Regardless of its purpose (whether it is a good or a bad thing is a non-issue here), it is a threat to sede anonymity. If detailed records of business transactions are kept, and perhaps surveillance tapes from the election or referendum voting days are saved, even using an Internet café computer may not be anonymous enough. Using the logged data and video, it should be quite easy to reveal the communication channel of every voter who used the café.
But if voters meet up with each other and offer their home computer as a polling booth (a voting party), it becomes harder for a government (or any other group) to tell from the Internet logs who cast which vote. Naturally this presents another problem: the rogue polling booth, where data is logged and videos are made in an effort to compromise anonymity (if not to delete votes as well). Since a single break of anonymity is enough to compromise a data channel for good, voters should probably stick with the same polling booth again and again where possible; every additional booth is another chance of running into a rogue one. If a voter used a rogue booth once, using it twice does not help the attackers any further.
Bring a laptop to the voting party to encrypt and decrypt your ballots offline, so that nobody can snoop on decrypted ballots. If the host knows where all (encrypted) ballots are, he or she can retrieve them before the voting party starts and send the ballots, as altered by the voters, back after everyone has left. This lets voters attend at different times, while their coming and going cannot be matched with the retrieving and uploading of data from and to the Internet. Obviously this requires a trusted host. There are probably all kinds of things that can be done to make a voting party more or less secure. It helps to gather with people of different opinions: this mixes the votes and prevents political profiling of the group, which may be just as effective as, or more effective than, breaking individual anonymity, since an attacker would only have to log who goes where to know their general opinion. It is perhaps interesting to have people with (wildly) different opinions meet like this for technical reasons.
While on the subject of anonymity: anonymity can also be broken from received content alone, if many votes take place over the same communication channel (e-mail address, user/password combination, etc.). After careful study it may in some cases be possible to tell from a single comment or vote to whom the communication channel belongs, which would reveal in an instant all votes previously cast over that channel. Solutions for this attack: 1) voters who care for anonymity should take care not to put too much identifiable data in their votes/ballots, no "Frits Wallburg, if you read this, don't forget to feed my cat! (Cornerstreet 66, Newark, remember!?)"; 2) the registration process should be renewed from time to time, with voters registering a new communication channel. Such renewal also puts new voters into the mix and cleans out any compromised channels. Periodic renewal makes all previously cracked anonymity (if any) lose its value: the attackers have to start again, which stresses their resources. If they can break 0.1% of channels in a month, redoing all registrations every 2 years means they can never have broken more than 2.4% of the channels in use at any time (using strong encryption stresses the resources of brute-force crackers even more).
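The renewal arithmetic above, as an added example (not code from the original page or from sede): a small Python model of an attacker who permanently de-anonymises a fixed share of all channels every month, with and without periodic re-registration. The attacker model, the rate of 0.1% per month and the 24-month renewal period are taken from the text; the simulation itself and the one-vote-per-month figure used to count how many earlier votes a single break exposes are assumptions of this example.

```python
from fractions import Fraction


def simulate(break_rate_per_month, renewal_every_months, months, votes_per_month=1):
    """Model an attacker who de-anonymises a fixed share of all channels each month.

    Assumption of this example (not from the page): each month the attacker
    identifies the owner of break_rate_per_month of all registered channels,
    and a broken channel stays broken until it is replaced. Renewal every N
    months replaces every channel, so earlier breaks lose their value and the
    attacker starts from zero. renewal_every_months=None disables renewal.

    Returns one tuple per month: (month, compromised_fraction, votes_exposed),
    where votes_exposed is how many earlier votes a break in that month reveals
    (channel age in months times votes_per_month, one vote per month assumed).
    Fractions are used so the percentages stay exact.
    """
    rate = Fraction(str(break_rate_per_month))
    compromised = Fraction(0)
    age = 0
    timeline = []
    for month in range(1, months + 1):
        if renewal_every_months and age == renewal_every_months:
            compromised = Fraction(0)   # everyone re-registered a fresh channel
            age = 0
        compromised = min(compromised + rate, Fraction(1))
        age += 1
        timeline.append((month, compromised, age * votes_per_month))
    return timeline


def peak_compromised_fraction(break_rate_per_month, renewal_every_months, months):
    """Largest share of channels the attacker holds at any point in the period."""
    return max(frac for _, frac, _ in
               simulate(break_rate_per_month, renewal_every_months, months))


def peak_votes_exposed(break_rate_per_month, renewal_every_months, months):
    """Most earlier votes that a single break can reveal in the period."""
    return max(votes for _, _, votes in
               simulate(break_rate_per_month, renewal_every_months, months))


if __name__ == "__main__":
    # the page's figures: 0.1% of channels per month, re-registration every 2 years
    for label, renewal in (("no renewal", None), ("renewal every 24 months", 24)):
        peak = peak_compromised_fraction("0.001", renewal, 120)
        exposed = peak_votes_exposed("0.001", renewal, 120)
        print(f"{label}: peak {float(peak):.1%} of channels broken, "
              f"one break exposes up to {exposed} votes")
```

Over ten years the model gives the page's 2.4% ceiling with renewal every 24 months, with a single break exposing at most 24 votes; without renewal both figures keep growing (12% and 120 votes after the same ten years), which is the reason for re-registering everyone rather than only replacing channels known to be compromised.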
BGW issue 52:
(...) As already mentioned in issue 25 of Brave GNU World, this project is somewhat controversial. Many people question the security of this kind of mechanism and its implementation. Also, some people would prefer mechanisms of this kind not to be implemented at all. (...)
I would like to point out to the casual reader that `this project' was not mentioned in issue 25. What is meant is `this kind of project': anything having to do with Internet democracy. But people rejecting e-democracy reached their conclusion without taking sede into account (sede did not exist yet, or was unknown to them). A major argument why Internet democracy is supposedly a bad idea is that, according to some people, it would require biometric identity verification equipment, CPU serial numbers, Internet logging and things of that nature to make it work, in order to have a verified identity for each voter; this would alter the makeup of the Internet and destroy its freedom (if I understand the argument correctly). What may be of interest to people who hold this view is that sede requires none of those. In fact (see also above), sede's operation would be hampered by CPU serial numbers, Internet logging and certain biometric equipment, with respect to anonymity.
Anti-e-democracy people (if there is such a thing) are helping to create an environment in which e-democracy `sede-style' could operate, by arguing for freedom and anonymity on the Internet. Thanks. Because sede needs an anonymous Internet, supporting sede is supporting an anonymous Internet.