Security and privacy of the system




The primary security issue the collaborative system must protect against is ballot-box stuffing. If a large enough group of people start using the system to filter their incoming news, stuffing the ballot-box for or against articles will become a way of harassing and censoring groups of users on the net. To prevent the opinions of any individual from having undue effect on the outcome of the collaborative filtering process, the collaborative system should ensure that each individual can only cast one vote for each article.

Unfortunately, there is a trade-off between the desire to allow users to vote anonymously and the desire to prevent ballot-box stuffing. If every vote is transported through the system authenticated with a digital signature [24] from the user casting the vote, it is possible to prevent ballot-box stuffing completely, as the final consumer of the votes can ensure that each user votes only once. Gone, however, is the ability to aggregate votes into summaries, as each vote must be transported in its digitally signed form. Also missing from such a system is the ability to cast votes anonymously. If preventing ballot-box stuffing became crucial to the success of the collaborative system, a more complicated system proposed by Chaum for use with anonymous digital certifications could be used [4]. This certification system, involving two additional independent agencies, would allow users to vote anonymously while still preserving the end user's ability to verify that each user voted only once. The overhead involved in such a system may well prevent its application to Net News, however.

For the purposes of this thesis, we propose a system which is not perfect, but provides protection against the most common means of attack. If users have their votes posted to vote files, then the existing mechanisms for file protection can ensure that only authorized users read or write votes in the vote file. Because vote files are associated with individual people, it is not possible to stuff the ballot box using a vote file. Interface modules reading the vote file can ensure that the file only votes for each article once.

Preventing a user from sending multiple votes for a single article to a vote server is a harder problem to solve. Since the votes distributed by the vote servers are anonymous, there is no way to detect whether a single user has voted multiple times once the votes are aggregated into the stream of distributed votes. However, some security can be provided if the communication between an interface module and a vote server is not anonymous. An honest vote server can enforce a one-vote-per-article-per-user rule by requiring users to authenticate themselves to the vote server before transmitting any votes. The local vote server can record which users have cast votes for each article, and prohibit the same user from casting a second vote for the article. Under this system the local vote server will know which articles a user has voted on. Since the vote server is local to the user's site, it can be trusted to obey the local policy determining the privacy of personal information in electronic form, and presumably to maintain the user's anonymity. Many sites now have policies which declare who on the system can legitimately access system logs containing personal information [5].

Users will authenticate with their vote server by sending their user identification number (uid) along with their votes to the vote server. This will prevent casual attempts at ballot-box stuffing, but will not stop a person who writes a program which masquerades as an interface module to the vote server. Such a stuffing program could generate an arbitrary sequence of numbers for uids, effectively casting votes for all the users on the system. Another approach for securing the system would be to require the transmission of an actual password as part of the vote server protocol. Such an authentication mechanism has been proposed as part of NNTP II, the second version of the Net News Transfer Protocol, but appears unlikely to be implemented.

Vote servers can be configured to exchange votes only with specific peers, so there is little risk of an individual inserting fake vote packets into the stream of vote packets exchanged between honest vote servers. Unfortunately, there is little that can be done to stop dishonest vote servers from generating fake vote packets to stuff the ballot-box. Once a dishonest vote server is identified (most likely by human operators), the only option to secure the system is for peers to derecognize the dishonest vote server and cease exchanging votes with it. This approach is currently used on Net News itself to control users who forge messages.
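The following is an added example, not code from the thesis or its implementation, that puts the three protections described above into one small model: the interface module keeps only the first vote a vote file records for each article, the local vote server records (article, uid) pairs so a uid can vote once per article and then hands on only anonymous per-article tallies, and incoming tallies are merged only from a configured list of peers. The vote-file format, the function and class names, and the sample uids, article ids and peer names are all constructed for the example; the dedup check is only as strong as the uid it is given, which is the limitation the text notes for uid-only authentication.

```python
"""Toy model of vote-file dedup, local vote-server dedup, anonymous
aggregation and a peer allowlist (constructed example, not the thesis code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed vote file for one user: "<article-id> <for|against>" per line.
# The third line repeats an article and must be ignored by the reader.
VOTE_FILE_ALICE = """
# constructed vote file: <article-id> <for|against>
<1001@example.invalid> for
<1002@example.invalid> against
<1001@example.invalid> against
"""

# Constructed submissions (uid, article_id, vote) as a vote server would see
# them after the interface module has identified the user by uid.
SUBMISSIONS = [
    (500, "<1001@example.invalid>", "for"),
    (501, "<1001@example.invalid>", "for"),
    (500, "<1001@example.invalid>", "against"),   # uid 500 again: rejected
    (502, "<1002@example.invalid>", "against"),
    (501, "<1002@example.invalid>", "for"),
]


def votes_from_file(lines):
    """Interface-module side: keep only the first vote recorded for each
    article, so a vote file 'only votes for each article once'."""
    first = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        article_id, vote = line.split()[:2]
        first.setdefault(article_id, vote)   # later duplicates are dropped
    return first


def _empty_tally():
    return {"for": 0, "against": 0}


@dataclass
class VoteServer:
    # Hypothetical allowlist of peer servers this server exchanges with.
    peers: frozenset = frozenset({"news-a.example.invalid"})
    # (article_id, uid) pairs already counted: the per-article voter record
    # kept locally so the same uid cannot vote twice on one article.
    seen: set = field(default_factory=set)
    # article_id -> counts only; uids never enter this structure, so what
    # leaves the site is anonymous.
    tally: dict = field(default_factory=lambda: defaultdict(_empty_tally))
    rejected: int = 0

    def cast(self, uid, article_id, vote):
        """Count a vote unless this uid already voted on article_id.
        Returns True when counted, False when rejected as a duplicate."""
        if vote not in ("for", "against"):
            raise ValueError("vote must be 'for' or 'against'")
        key = (article_id, uid)
        if key in self.seen:
            self.rejected += 1
            return False
        self.seen.add(key)
        self.tally[article_id][vote] += 1
        return True

    def summary(self):
        """Anonymous aggregate handed to peers: article -> counts, no uids."""
        return {a: dict(c) for a, c in self.tally.items()}

    def accept_from_peer(self, peer, summary):
        """Merge a peer's anonymous tallies only if the peer is configured;
        packets from unknown senders are discarded."""
        if peer not in self.peers:
            return False
        for article_id, counts in summary.items():
            for side in ("for", "against"):
                self.tally[article_id][side] += counts.get(side, 0)
        return True


if __name__ == "__main__":
    server = VoteServer()
    for uid, article, vote in SUBMISSIONS:
        server.cast(uid, article, vote)
    print(server.summary(), "rejected:", server.rejected)
```

The `seen` set is the only place uids appear, and it never leaves the local server; everything exported through `summary()` is already aggregated, which is exactly why a downstream server cannot detect duplicates on its own and why the check has to happen here.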






David A. Maltz (dmaltz@cs.cmu.edu)