Open voter ID
About
Open Voter ID was designed, like OpenID, to let third-party web applications confirm a registered voter's city of residence, and so enable local civic participation without foreign interference. Open Voter ID uses scrambled (hashed) government voter-registration data to confirm a user's name, address and verification data, but it does not reveal that data to application-websites: each application-website receives only the user's city and an application-user-ID that is usable only on that application-website.
Open Voter ID helps third-party application-websites build services that are specific to the citizens of a city, without needing to access or store sensitive information about each user.
Open Voter ID lets users access multiple third-party application-websites offering a variety of civic services with a single login, while remaining anonymous to those application-websites.
Goals
When creating Open Voter ID, we had the following goals:
- Verify that a user is a registered voter for a particular locale.
- Allow the user to be verified on multiple application-websites, using a single familiar login-service and account verification.
- Provide a stable user-ID so that application-websites can associate data with that user.
- Do not allow application-websites to know who the user is, nor any other information beyond locale.
- Do not expose voter-registration data to hackers.
Some of these goals conflict, such as anonymity versus application-websites storing user-activity-records.
Methods
To accomplish the goals, Open Voter ID was designed with the following features:
- Login-service only stores hashes of user data.
- Voter registration data is converted to user-data-hashes that are uploaded to the login-service.
- user data = identity data (name + address) + verification data
- verification data may include: phone, birthdate, social security number, postal-mailed secret code
- Governments that already mail yearly voter documents can attach a short user-specific secret code to those documents.
- Login-service hit-tests users' login-form submissions against user-identity & user-verification hashes.
- Login-service does not send a session-cookie; only application-websites may set session-cookies, limiting the impact of session-cookie theft.
- Login-service does not share user-data with application-websites.
- Login-service provides application user ID & locale to application-websites.
- Application-websites cannot derive the original voter-registration user-data from the application-user-ID.
- Application-user-IDs are specific to each application-website, so that users cannot be tracked across application-websites.
- Application-websites do not share records of user activities with login-service.
- A compromised device that tampers with votes on application-websites may be detected by the user comparing their application-website records on a second, differently-compromised device.
- This is similar to using a second vote display on paper.
Anonymity
Protecting user anonymity was one of the most important and difficult goals of the login system. No guarantee is possible, because users can intentionally de-anonymize themselves in their posts. However, the login-system should prevent accidental de-anonymization. Open Voter ID's methods help protect anonymity, as follows:
- Login-service and application-website have to work together to break user anonymity.
- Users' real identity must be known to break anonymity, because user-IDs used by login-service and application-website are non-reversible hashes of the real-identity.
- Tracing from application-activity back to a real-identity is legally difficult, because many real-identities must be probed, searching for a real-identity that hashes to the target application-user-ID.
- Application-websites can make tracing more difficult by re-hashing the application-user-ID with their own secret-salt, and storing records keyed by this application-private-user-ID.
- The login-service lacks session-cookies, reducing the chance of tracing user activity across application-websites.
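To make the Methods and Anonymity sections concrete, here is an added example (not Open Voter ID's own code) of the three hashing steps they describe: converting voter-registration rows into salted SHA-512 hashes, hit-testing a login-form submission against them, and deriving an application-specific user ID that the application-website can re-hash with its own secret salt. The page states only that hashes are SHA-512 with OS-sourced salt; the service-side pepper on the identity lookup key, the HMAC-keyed per-application IDs, the field normalisation and the sample voter rows are all assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# ---- Login-service side: turning a voter roll into hashes ----------------

def normalize(*fields: str) -> bytes:
    """Canonicalise case and whitespace so the same voter always hashes to the
    same bytes; fields are joined with a separator no field can contain."""
    return "\x1f".join(" ".join(f.upper().split()) for f in fields).encode()

def identity_key(pepper: bytes, name: str, address: str) -> str:
    """Lookup key: SHA-512 over a service-side secret pepper (assumption of
    this example) plus the normalised identity. Without the pepper a stolen
    table could be matched offline against a public voter roll, which is the
    probing the Anonymity section describes as the only route to an identity."""
    return hashlib.sha512(pepper + normalize(name, address)).hexdigest()

def make_record(pepper: bytes, name: str, address: str, locale: str,
                verification: tuple) -> dict:
    """One uploaded record: identity key, locale, a per-record salt from the
    OS randomness source, and the salted verification hash. No raw data kept."""
    salt = os.urandom(16)
    vhash = hashlib.sha512(salt + normalize(*verification)).hexdigest()
    return {"id": identity_key(pepper, name, address), "locale": locale,
            "salt": salt, "vhash": vhash}

def upload_voter_roll(pepper: bytes, rows) -> dict:
    """The hash table the login-service stores, keyed by identity key."""
    table = {}
    for name, address, locale, verification in rows:
        rec = make_record(pepper, name, address, locale, verification)
        table[rec["id"]] = rec
    return table

# ---- Login-service side: hit-testing a login-form submission --------------

def hit_test(table: dict, pepper: bytes, name: str, address: str,
             verification: tuple) -> Optional[dict]:
    """Matching record, or None if identity or verification data differ.
    Constant-time digest comparison keeps response timing from leaking."""
    rec = table.get(identity_key(pepper, name, address))
    if rec is None:
        return None
    candidate = hashlib.sha512(rec["salt"] + normalize(*verification)).hexdigest()
    return rec if hmac.compare_digest(candidate, rec["vhash"]) else None

def app_user_id(app_key: bytes, record_id: str) -> str:
    """Application-specific ID: HMAC-SHA-512 of the identity key under a key
    the login-service holds per application (assumption). Stable per
    (application, voter), different across applications, not reversible."""
    return hmac.new(app_key, record_id.encode(), hashlib.sha512).hexdigest()

def login(table, pepper, app_keys, app, name, address, verification) -> Optional[dict]:
    """All the login-service hands to an application-website: ID and locale."""
    rec = hit_test(table, pepper, name, address, verification)
    if rec is None:
        return None
    return {"app_user_id": app_user_id(app_keys[app], rec["id"]),
            "locale": rec["locale"]}

# ---- Application-website side -------------------------------------------

def app_private_user_id(app_secret_salt: bytes, user_id: str) -> str:
    """Re-hash the received ID with the application's own secret salt and key
    activity records by the result, so the login-service cannot match its
    own IDs against leaked application records."""
    return hmac.new(app_secret_salt, user_id.encode(), hashlib.sha512).hexdigest()

# ---- Constructed sample data (not real registration data) ---------------

SAMPLE_ROLL = [
    ("Ada Lovelace", "12 Analytical Engine Rd", "Springfield", ("555-0101", "1815-12-10")),
    ("Alan Turing", "23 Bombe Street", "Springfield", ("555-0102", "1912-06-23")),
]

def demo() -> dict:
    pepper = secrets.token_bytes(32)
    app_keys = {"potholes.example": secrets.token_bytes(32),
                "budget.example": secrets.token_bytes(32)}
    table = upload_voter_roll(pepper, SAMPLE_ROLL)
    ada = ("Ada Lovelace", "12 Analytical Engine Rd", ("555-0101", "1815-12-10"))
    return {
        # Whitespace and case differences in the form must still hit.
        "good": login(table, pepper, app_keys, "potholes.example",
                      " ada  lovelace ", "12 analytical engine rd", ada[2]),
        "again": login(table, pepper, app_keys, "potholes.example", *ada),
        "other_app": login(table, pepper, app_keys, "budget.example", *ada),
        "wrong": login(table, pepper, app_keys, "potholes.example",
                       ada[0], ada[1], ("555-0101", "1900-01-01")),
        "unknown": login(table, pepper, app_keys, "potholes.example",
                         "Grace Hopper", "1 Cobol Way", ("555-0199", "1906-12-09")),
    }

if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Two design points worth noting: the identity key must be deterministic so the service can find the record, which is why it is peppered rather than randomly salted, while the verification hash gets a fresh per-record salt; and because names, addresses, birthdates and phone numbers are all low-entropy, a deliberately slow password-hashing function in place of plain SHA-512 for the verification hash would raise the cost of guessing attacks against a leaked table.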
Sequence of events
Open Voter ID implements the login methods described above using the following order of operations. All hashes use SHA-512, with salt drawn from an OS-specific randomness source.
Application website | Login website | |
---|---|---|
Upload voter-registration records | | |
Application-website registers with login-service | | |
User visits application-website | | |
Existing instance
The implementation of Open Voter ID is non-proprietary and open-source, under a license that permits deriving commercial works.
An instance is running at https://openvoterid.net/about
To upload a city's voter-identity & verification hashes, contact Converj LLC.