I trust you, M-P. That's not the issue. It's that you have access to checking the vote at all. That's not a secret ballot.
That's the point, indeed. I'm quite sure that M-P isn't snooping through the votes as they are coming in, but the voting method itself is highly questionable.
My intention in the next Cosa, is to change the system to use a non-reversible encryption.
Here is what I was thinking...
A hash is a value you obtain from another value from a mathematical function, but of a fixed size. For example, an MD5 is composed of 20 characters. So, if you take a 2 letter string and calculate its MD5, it's 20 characters. If you take War and Peace and calculate its MD5, it's also 20 characters.
But, it's obvious that those 20 characters DO NOT contain War and Peace: it's a non-reversible encryption.
MD5 is broken, so I would use SHA1 instead. I could create a function called "EncryptCitizenNumber" which would take:
1 ) The citizen number of the voter, for me, it's 101
2 ) The current time stamp (which will be stored in the citizen voted table, but not with the vote itself), right now, it's 13883126593
3 ) The vote (I'll explain later): In my case, it's RUMP (I voted publicly)
4 ) A secret string only I will know. Something hard, like 0F5N3.d!fKl89a
Then, I concatenate (glue) everything:
"10113883126593RUMP0F5N3.d!fKl89a"
The SHA1 result for this is: f2244149392ecfdca8c1fa6104c457f498373b12
Then, I store the vote with this value instead of 101.
So, in the table: citizenvoted
I add:
Citizen: 101
Cosa: 47
tstamp: 13883126593
In the election vote table, I store:
sha1: f2244149392ecfdca8c1fa6104c457f498373b12
party: RUMP
secret: 1
Cosa: 47
What are the advantages?
1 ) *I* can glance in the database how many people voted for which party, and which citizens did vote but I can no longer glance who made the votes themselves.
2 ) Any citizen is still able to confirm their vote was entered properly, how?
A ) They login to the database using their own password.
B ) The citizen can enter the number of the Cosa, and the party they remember voting for (that's why it's in the system so that you can only confirm a vote, but not fetch one)
C ) The system fetches the timestamp from the citizenvoted table, and uses the supplied vote to find the SHA1 in the table.
D ) The system can then say: Yes, you voted for that party, or No, it doesn't match, and here is the SHA1 to report to the SoS so that they can fix your vote
3 ) I, as the SoS, will have a much, much harder time to validate the vote, for a simple reason: I will need to fetch the data from both tables, manually calculate the SHA1 for each possible party, and test it.
Yes, in theory, the database administrator could go in and retrieve the votes, but it would make it really hard while still allowing the citizens to validate their votes.
Why do I insist on validating the votes? Because we don't have actual paper ballots as a proof. What if it's 100% secret, and I decide to change a few votes for the RUMP, just enough to win an election the RUMP might have lost.
How can you prove I cheated if it's not possible to validate the votes? Even if you re-ask all voters, I might reply that now that it's not secret, they are lying.
With a validation, each citizen can confirm their vote was entered properly.
Plus, no one but ME, personally, will be able to manually decode the votes.
BUT, there is another way... it is possible to encrypt a PHP file so it's not readable anymore, but so it's still executable...
We could have the King modify a php file I created with a secret value of his choice, and then use an online encryption tool so that even I cannot see his string. That way, the secret key, the "0F5N3.d!fKl89a" from above, would be hidden. I wouldn't know what it is...
I would still be able to use the decryption function, so it's still not 100% safe, but now, I need to use the function itself. For example, we could have the function (in the encryption itself) send an email every time it is run to a few people, with the citizen number, IP address, citizen number, etc...
That way, if I ever try to read all of the votes (and again, only I would be able to), people would be notified... but if we really need to dig in and retrieve who voted for which party, I'll be able to do it, but all of the receivers of the email will know.
I think that this is the solution that can properly safeguard our votes.