
SecurePoll: Cannot create BLT dump of encrypted election
Closed, Resolved · Public · Bug Report

Description

Steps to replicate the issue (include links if applicable):

  • Be an electionadmin
  • Create an encrypted STV election with only one question
  • Wait for it to open
  • Vote
  • Wait for it to close
  • Click "Dump (BLT)"

What happens?:

  • Error: Cannot create blt dump. Election has no votes
  • (Note, this happens no matter if the election has been tallied / decrypted yet or not)

What should have happened instead?:

Should have downloaded as expected, as the XML dump does.

Event Timeline


Thanks, Joe.
Note this is in my mind a high priority so we can get testing and cross validation configured and tested so we can check the Board votes in the upcoming election.

I was able to reproduce.

Just curious if this has ever worked (i.e. is a Regression bug), or if this is a feature request?

I think this would need to collect decryption keys in a form in order to work. Perhaps no one ever created that form and logic.

  • Low effort solution: the error message should be fixed to talk about encryption being the problem, since the election clearly does have votes.
  • High effort solution: create a form to type in decryption keys, then use those decryption keys to properly generate a BLT file.

I don't think the tallier stores decryption keys, so checking the latest tally for decryption keys probably wouldn't work.

Note that "Dump (XML)" technically includes the votes, but the votes are still encrypted.

Would this be a security issue, to dump individual decrypted votes? I think BLT format lists each decrypted vote. This could allow someone to reverse engineer who voted for whom, especially if the votes were in chronological order.

More about the BLT format, showing one row per vote: https://stackoverflow.com/a/2234236/3480193

> Note that "Dump (XML)" technically includes the votes, but the votes are still encrypted.
>
> Would this be a security issue, to dump individual decrypted votes? I think BLT format lists each decrypted vote. This could allow someone to reverse engineer who voted for whom, especially if the votes were in chronological order.

After discussion in T400670, it seems like this is not a security issue because the votes are anonymized (they don't contain a vote ID or voter ID), the vote order is randomized for each dump, and you can only dump after a poll closes (not during the poll).

Dumps actually overlap a lot with tallying. Both dumps and tallying need to...

  • collect decryption keys in an HTML form
  • use the job queue because decrypting big elections can take a while

To avoid duplication, and to leverage the already existing job queue code, I think we should consider merging dumps and tallies into one page.

The one possible challenge with this approach is we'd need to store each dump in the SQL database. Some thought would need to be given to that.

  1. Do we add it to the existing securepoll_properties tally_result key? It's a MariaDB MEDIUMBLOB, which can store 16MB. Would we ever be at risk of overflowing that if we tallied a big election 20 times or something?
  2. Do we create a new securepoll_property for each dump? If so, then we'd need to store a mapping between the tally and the dumps somewhere. Probably in securepoll_properties tally_result

I guess #2 is more scalable, so I'm leaning towards that.

[Attached screenshot: image.png]

[Attached screenshot: image.png]

Thanks for teasing out the options. What is the status?

The voting period for https://meta.wikimedia.org/wiki/Wikimedia_Foundation_elections/2025 starts in less than a month. We want to test this process, input a test election, get dumps, validate the tabulation of the test election, and be confident that we're good to go in explaining to the electorate that we aren't just relying on a single piece of software for the tabulation.

STV is famous for being difficult to configure and validate - they announced the wrong outcome and had to go to court in Alameda CA in 2022:

https://oaklandside.org/2023/01/05/oakland-school-board-election-registrar-resnick-hutchinson/ and https://oaklandside.org/2023/02/21/nick-resnick-resigns-from-oakland-school-board/

Thank you.

What is the status?

I gave an engineering plan above. Next step would be for someone to agree with the plan, then someone to code it up.

If it really is critical for the board election, I imagine jrbs will let the WMF Product Safety & Integrity Team know, and they'll assign someone to work on it. If it's not critical to the board election, this ticket will probably sit until it attracts a volunteer developer to work on it. The patch would be a decent amount of work.

FYI, there is currently a code freeze for SecurePoll (T399610: Code Freeze for SecurePoll during Board Elections in September 2025). Volunteers can't work on this extension until October 9.

Are you an election administrator for the board election? I think only election administrators can use the dump feature.

By the way, you can link your Phab account to your wiki account at https://phabricator.wikimedia.org/settings/user/NealMcB/page/external/ if you so desire. I went to see if you were a WMF employee and found no linked account.

More context: I am a member of the Wikimedia Foundation elections committee, and the subcommittee which is working on voter perceptions and understanding of STV. @jrbs created this based on my input.

I'm an expert in voting methods and election auditing. I helped run the 2019 ASBS board election for affiliate seats, and at that time we did considerable due diligence to ensure that the results of that STV election could be checked via open-source code that was easy for anyone to run.
See e.g. https://github.com/nealmcb/flexstv

That was a good thing, because the margin of victory in that election was a single ballot. That isn't unusual for PR elections with STV.

It seems phabricator isn't sending me notifications of updates, so this one slipped through the cracks for me.

I've been trying to push this for years with the EC, originally as an advisory member of the committee, and now as a regular member. Evidently not with enough urgency or followup....

I strongly urge us to find a way to do this for the October election, even if it requires some ugly hooks and manual intervention for this election.

Thinking out loud a bit here, is it possible to convert XML to BLT?

XML dumps of encrypted elections can be downloaded, but are encrypted, e.g.

<vote>
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.[...].VaYN5Ttr20f6bHYdw4DBZ-PyuYPbZtM4SPsebWwUkxRQSjb66PJJraKAVkLs1Witp25oOYkDI8-_3yQlhjP3VnfX-EXcFrodQ1EePUbH_3PwumgxxoLvHNk13WHRniBz1u-MwIeaVH8ENu8dP09MgR0Rf6jzjc5QC6RTO9WrENBtfyV5mzi_NbbneTJar9AXCI6HP-cyqhijduOfPmIp0H_EUHi0klll9LbDY8BtlCXbhx8QaWR9o1yOKeex2NuX4QX2bnId3JYy9CBvNl80cGQwkejcVr8hBBkIlXP94jo0NfsJAUKHTHiBUXzgeH4Mpu9OATO-W9JJBWs315OVUg
</vote>

instead of

<vote>
{&quot;vote&quot;:&quot;Q00000067-C00000068-R00000000--Q00000067-C00000069-R00000001--Q00000067-C0000006A-R00000002--&quot;}
</vote>

Probably wouldn't be useful in solving this ticket unless it were decrypted.

> XML dumps of encrypted elections can be downloaded, but are encrypted [...] Probably wouldn't be useful in solving this ticket unless it were decrypted.

Wouldn't the BLT dump then also be encrypted? I don't know if there's a way to decrypt them, at least not easily, without using the tally interface in the extension.

> Wouldn't the BLT dump then also be encrypted? I don't know if there's a way to decrypt them, at least not easily, without using the tally interface in the extension.

I think that feature ("Dump BLT" for encrypted elections, with encrypted votes in the BLT file) was never coded or is broken. But yeah, if it were working, I think it'd need to collect a decryption key in the UI, then decrypt, in order to be useful. I can't think of any use for an encrypted BLT file. The votes would also need to be shuffled to preserve voter anonymity. (Easy to do, but mentioning so we don't forget.)
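The two comments above describe what a working "Dump (BLT)" for an encrypted election would have to do once the votes are decrypted: turn each `Q…-C…-R…--` vote record (the plaintext form shown in the earlier XML excerpt) into one BLT ballot line, and shuffle the ballots so the dump cannot be matched against the order in which votes were cast. The following Python is an added illustration of that conversion and is not SecurePoll's code. It assumes that `Q` is the question id, `C` the option id and `R` the 0-based rank (as the example record suggests), uses constructed candidate names and vote records, and writes the OpenSTV-style BLT layout (header, weighted ballot lines, a lone `0`, quoted names, quoted title). It also includes the check a tester would run on two successive dumps: same ballots, different order.

```python
import re
import secrets

# Constructed sample: decrypted SecurePoll STV vote records in the
# "Q<hex>-C<hex>-R<hex>--" form shown in the XML dump excerpt above.
# Assumption: Q is the question id, C the option (candidate) id and R the
# 0-based rank, which is how the example record on the page reads.
SAMPLE_VOTES = [
    "Q00000067-C00000068-R00000000--Q00000067-C00000069-R00000001--Q00000067-C0000006A-R00000002--",
    "Q00000067-C0000006A-R00000000--Q00000067-C00000068-R00000001--",
    "Q00000067-C00000069-R00000000--",
]

# Constructed candidate names keyed by option id (in the real extension these
# would come from the election definition, not from a literal table).
CANDIDATE_NAMES = {0x68: "Alice", 0x69: "Bob", 0x6A: "Carol"}

SEGMENT_RE = re.compile(r"Q([0-9A-F]{8})-C([0-9A-F]{8})-R([0-9A-F]{8})--")
RECORD_RE = re.compile(r"(?:Q[0-9A-F]{8}-C[0-9A-F]{8}-R[0-9A-F]{8}--)+")


def parse_vote(record):
    """Return (question_id, [option_id, ...] in preference order) for one record.

    Malformed input is rejected rather than silently truncated: trailing
    garbage, a record spanning several questions, a gap in the ranks or an
    option ranked twice all raise ValueError.
    """
    if not RECORD_RE.fullmatch(record):
        raise ValueError("record is not a sequence of Q-C-R segments")
    segments = SEGMENT_RE.findall(record)
    questions = {int(q, 16) for q, _, _ in segments}
    if len(questions) != 1:
        raise ValueError("record mixes questions")
    ranked = sorted((int(r, 16), int(c, 16)) for _, c, r in segments)
    if [r for r, _ in ranked] != list(range(len(ranked))):
        raise ValueError("ranks must be 0..n-1 without gaps or duplicates")
    options = [c for _, c in ranked]
    if len(set(options)) != len(options):
        raise ValueError("option ranked more than once")
    return questions.pop(), options


def to_blt(records, candidate_names, seats, title, shuffle=None):
    """Render decrypted records as a BLT file (one ballot per line).

    BLT layout as used by OpenSTV-style tools: "<candidates> <seats>", then one
    "<weight> <pref1> <pref2> ... 0" line per ballot, a lone "0", each candidate
    name in double quotes, and finally the election title in double quotes.
    Ballots are shuffled with a CSPRNG before they are written so the dump
    cannot be lined up against the order in which votes were cast.
    """
    shuffle = shuffle or secrets.SystemRandom().shuffle
    parsed = [parse_vote(r) for r in records]
    if len({q for q, _ in parsed}) > 1:
        raise ValueError("a BLT file covers one question; records span several")
    option_ids = sorted(candidate_names)  # BLT numbers candidates 1..n
    index = {oid: i + 1 for i, oid in enumerate(option_ids)}
    ballots = []
    for _, prefs in parsed:
        unknown = [o for o in prefs if o not in index]
        if unknown:
            raise ValueError(f"unknown option id(s) {unknown}")
        ballots.append([index[o] for o in prefs])
    shuffle(ballots)
    lines = [f"{len(option_ids)} {seats}"]
    lines += ["1 " + " ".join(map(str, b)) + " 0" for b in ballots]
    lines.append("0")
    lines += [f'"{candidate_names[o]}"' for o in option_ids]
    lines.append(f'"{title}"')
    return "\n".join(lines) + "\n"


def ballot_lines(blt_text):
    """The ballot section of a BLT file: the lines between the header and the lone 0."""
    body = blt_text.splitlines()[1:]
    return body[:body.index("0")]


def same_ballots_any_order(blt_a, blt_b):
    """True when two dumps hold the same multiset of ballots, regardless of order.

    This is the check to run on two successive dumps of the same election:
    the content must agree while the line order is expected to differ.
    """
    return sorted(ballot_lines(blt_a)) == sorted(ballot_lines(blt_b))


if __name__ == "__main__":
    print(to_blt(SAMPLE_VOTES, CANDIDATE_NAMES, seats=1, title="Test election"), end="")
```

The `shuffle` parameter exists only so a test can pin the order; in production it should stay at the default `secrets.SystemRandom().shuffle`, since `random.shuffle` seeded from a predictable state would make the "randomized" order reproducible by anyone who knows the seed.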

> I think that feature ("Dump BLT" for encrypted elections, with encrypted votes in the BLT file) was never coded or is broken. But yeah, if it were working, I think it'd need to collect a decryption key in the UI, then decrypt, in order to be useful. I can't think of any use for an encrypted BLT file. The votes would also need to be shuffled to preserve voter anonymity. (Easy to do, but mentioning so we don't forget.)

Fair enough, so the file will need to be decrypted in the backend and the decrypted version available to download.

The only issue there is that ideally it would not be accessible to the public before the Foundation has been able to verify and communicate the results. This is especially important with the Board since there is a lot of press work that needs to happen in the immediate aftermath of the election. So perhaps we could have some kind of "enable dump" config option for each election or something like that, which would allow us to decrypt -> tally -> verify -> communicate -> enable dump for verification.

I don't think dumps are public. I think you have to be an election administrator for that particular election to get a dump. Would that be sufficient security for dumps?

Above I proposed automatically creating dumps at the same time as tallies. Tallies are also election admin-protected. So seems like that solution would meet your needs, if I'm understanding everything correctly.

Yes, I think that would work!

Just to set expectations, I'm in my busy season at my day job and probably can't do any complex patches until November. If this is urgent, you'll probably want to ask PSI to work on it.

jrbs triaged this task as High priority. Sep 17 2025, 12:16 AM

Change #1190564 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] [WIP] Allow viewing of blt output from encrypted STV elections

https://gerrit.wikimedia.org/r/1190564

Change #1190564 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] Allow viewing of blt output from encrypted STV elections

https://gerrit.wikimedia.org/r/1190564

Change #1191436 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] Refactor blt/dump logic

https://gerrit.wikimedia.org/r/1191436

Looks like the recently merged patch appends BLT dumps to the end of the tally page. Seems like a reasonable way to do it. That skips the complexity of having to create more jobs, more pages, more links, more properties in the database, etc. Quite an elegant solution that does the job with a minimum of complexity.

[Attached screenshot: image.png]

I also tested to make sure the vote order was randomized, and it was, so that's good.

Thank you to everyone for your work on this!

jrbs closed this task as Resolved. Edited Oct 24 2025, 8:41 PM

I believe this is resolved with Tran's work above. Thank you so much.

Refer to T406233: Deprecate "Dump (BLT)" option for the followup task.