Delegated voting
1a. How it would work: tagging
2. Why we need delegated voting
3b. Smartcards as the solution
3d. Why online should be the only option
6. Evolving existing democracies into direct democracies
Democracy, from the Greek: δημοκρατία – (dēmokratía) "rule of the people"
If democracy is the rule of the people, then in theory, every decision made by a country should be voted on by every citizen. In practice nobody lives in such a democracy because it does not scale - any country of interesting size needs to make so many decisions that even many politicians struggle to find the time to contemplate them all.
Delegated voting is a simple way to make democracy scale, by using new technologies and a change in the way voting is performed. It can be summed up like this:
Every citizen may cast a vote on every decision made. If they do not cast a vote then the system automatically votes for them according to how a delegate voted. A delegate is anyone whom somebody else (a delegator) has asked to vote on their behalf for a given set of topics. Delegation is recursive and all citizens must have at least one delegate, but may have more.
Let’s illustrate this with an example. Bob is a married electronics engineer with two children in high school. He cares a lot about his children’s education, things that impact the tech industry, his own finances and not so much about anything else. He is not a political man but still may have occasional opinions about things like foreign wars.
When a delegated voting system is introduced into his country, it is of course being brought in on top of an existing representative democracy, so Bobs account in the new system is configured by default to delegate all votes to his local member of parliament. In other words, from Bobs perspective nothing has changed - decisions are still being taken for him by his elected representative.
One day, Bob learns about what the new system can offer and configures it to his liking via a website. He decides to delegate all decisions about the education system to his local high school head teacher, whom he knows and trusts. He delegates all decisions related to taxes or finances to his accountant, who offers to vote in the ways that best reflect his interests for a small fee. He sets it up to notify him when decisions related to the tech industry are being taken, and leaves all the rest delegated to his local representative the same as before.
Although he can tell the system how he wishes to vote in a general way ahead of time (by telling it to simply copy how somebody else votes) at any point Bob can sign in and cast the vote himself, thus overriding all delegations.
For example, his local head teacher may, in turn, choose to delegate the majority of his votes to somebody from a head teachers association, in which case he would only briefly review how that association member is voting and might choose to vote himself solely in matters where they disagreed.
Ultimately, all votes must be cast. The system requires that every citizen have at least one delegate, with the exception of the prime minister who forms the root of the tree, and thus there can be no decisions which do not have sufficient votes contributed to be democratically legitimate.
The description above leaves out a lot of details! A full description of a real delegated voting implementation is beyond the scope of this paper, but we can flesh it out a bit.
For a delegated voting system to work, category based delegation is important. If you can delegate every vote only to one person, it’s an all or nothing proposition. That doesn’t reflect how real people work. Even the most politically disinterested people care about something that governments control, even if it’s only how much taxes they pay. Many people can probably name two things they care about, for instance their own tax bill and crime. The issue is no two people care about exactly the same set of things, and nobody cares about everything.
To scale the decision making process, decisions need to be appropriately classified so that the system can automatically delegate them without the citizens oversight or intervention. Let’s take a look at some recent decisions put before the UK Parliament and how they might have been classified using “tags” (short words and phrases).
The Armed Forces Bill is, according to her majesties government, “a bill to continue the Armed Forces Act 2006; to amend that Act and other enactments relating to the armed forces and the Ministry of Defence Police; to amend the Visiting Forces Act 1952; to enable judge advocates to sit in civilian courts; to repeal the Naval Medical Compassionate Fund Act 1915; and for connected purposes.”
One set of tags to describe this bill might be: army, navy, mod, armed forces act 2006, courts, naval medical compassionate fund act 1915
Many citizens don’t care about the details of running the army. Soldiers, generals and other members of the armed forces might well do … or at the very least they likely know and trust somebody who does. They could set up delegation rules that match any bill with the tag “mod” or “army” to automatically delegate. Other bills, for instance that deal with the National Health Service, would not match and would hit the default “fall through” rule that delegates to whomever is chosen as the default delegate - typically an MP.
There are many open problems with a tagging based scheme. To pick only a few:
In this paper, I argue the following points:
One key question any delegated voting scheme must answer is how the votes are cast.
There are three possibilities:
The chosen method must meet the following requirements:
Online voting has obvious appeal - for people who are familiar with computers it is low effort, it scales to large numbers of voters, can handle potentially any number of decisions (eg, multiple decisions being made in parallel) and generalizes well to polling. It also has the significant advantage that up to date information and debate can be made accessible right next to the voting system. However it is not widely deployed in practice, can be open to fraud and people without internet access are out of luck.
In contrast, offline voting is well understood, widely deployed, and the existing levels of fraud are deemed acceptable by the populace. It is also accessible to anyone who can read and write, which in modern democracies is close enough to everyone that it makes no difference. But it scales poorly - holding votes more often than a few times a year would be impractically high effort with offline schemes, and many voters find it difficult to reach a polling station during voting hours due to other commitments like their job. And it doesn’t help with getting good information about each vote to the voters.
I argue that internet based voting should be the only option in a delegated voting system, and address the problems below.
The first question we must address is fraud. Existing online voting systems are very often susceptible to vote stuffing and are thus rarely (if ever) used for votes of actual importance, unless the identity of the voters can be strongly verified. Yet for reasons discussed later, it is important that voters who are not proxying other voters are treated anonymously. This seems counter to the requirement to strongly verify identity before voting is possible.
It is possible to resolve this paradox by recognizing that the problem is not connecting a cast vote to a real world identity (name, address, government id number) but ensuring that:
The problem can be separated into three parts:
The easiest way to solve (1) and (2) is to issue cryptographic tokens at some physical distribution point. At these centers, proof of eligibility to vote is presented and the voter is then allowed to pull a token out of a hat (ie, at random). They can then walk away with their token, secure in the knowledge that it cannot be tied to their real identity.
What would such a token look like? Smart card technology provides a possible answer. Banks already issue smart cards to their customers throughout Europe, along with portable card reader devices that provide a user interface to the chip in the card. This system is known as the Chip Authentication Program (CAP) and was put in place to reduce phishing attacks against online banking networks. In countries like the UK where CAP is already deployed, reusing it has the advantage of being relatively cheap. The cards themselves cost only a couple of dollars (less for bulk orders).
In a delegated voting system that re-uses the existing deployed base of CAP readers, users would vote by inserting their voting card into their device, switching it on, entering a code that describes their vote and then typing the response shown on the device display into the voting website. The response would be a code that contained a digitally signed vote. This could then be authenticated by the voting control servers as being genuine.
In banking applications this process is usually protected by a PIN, however it would probably be unnecessary to do so for online voting as the value of an individual stolen card is very low.
The use of dedicated hardware ensures that even if the users computer is compromised, eg by a virus, that virus cannot directly forge or submit a vote. However we still have problem (3). In the worst case scenario our hypothetical political virus can adjust the instructions given to the user and trick them into entering a code that they thought implied a vote for option A when in fact it was a vote for option B. To solve this attack, we can rely on another piece of widely deployed secure infrastructure, namely the phone network. Once a user wishes to vote, an SMS with a description of the different options and the codes to enter into the device can be sent to the users mobile phone (alternatively a voice call can be used for those without mobiles). The security of the system relies on the fact that SMS messages cannot be intercepted or tampered with as they travel across the network.
To recap, the voting process involves visiting a website to read and study the available options. Once a decision is made, the options and associated codes are sent to the users mobile phone. They then pick the code needed for their chosen option, and enter it into the card reader. Finally they provide the card readers response to the voting website, which can now tally the users vote safe in the knowledge it was submitted by a real eligible human being.
The act of delegating the users vote to a proxy (for a given set of issues) can be seen as another form of casting a vote and performed in a similar fashion.
Whilst more complex than just picking options off a screen from home, this scheme is robust against the users computer being under the control of a malicious actor - unfortunately a situation that is common today and unlikely to change in the near future. Computers with robust security systems and remote attestation abilities, eg ChromeOS laptops, may allow the kind of direct on-screen interaction one would ideally hope for.
Whilst internet access is becoming ever more widespread, we must still consider users who do not have it. What part, if any, do they play in delegated voting?
The scheme outlined above can still be used without internet access, as long as the user has a phone number. By calling a national freephone number, the user could be provided with a brief description of the options, the associated codes and then would be able to speak the response shown by the card reader.
However, certainly this experience will be sub par compared to using the internet. This should not discourage us. It is in any case an open question how well informed somebody can be without the quick access to dissenting views and large quantities of information that the net provides.
Another simple approach for people who don’t wish to deal with technology is to simply ask a trusted friend or family member to vote for them. This is not quite delegation as the two votes may not be the same.
It may be tempting to see delegated voting as merely a fancy form of referendum, the sort of thing that should be used a few times a year with a big fanfare. That would be a mistake. Delegated voting reaches its full potential only when all decisions are put before it. Otherwise citizens are not really any more empowered than before, as whether a vote is held is ultimately still up to the people who are already in charge, and who may or may not have incentives that align with the majority.
Supporting offline voting as well (ie in polling booths) means that this scale and rapid turnaround time can never be reached. That’s a fatal flaw and should rule out an entirely offline process from a delegated voting system.
In short, a healthy delegated voting system should be seeing multiple votes every week at minimum.
Axiomatic in the idea of democracy is that more people considering a problem results in better decisions for everyone. Vote buying works directly against this core principle by disconnecting a voters decision from what they actually think is best (assuming they hold any opinion at all).
In a standard democratic system with offline votes, vote buying is prevented by making the vote be anonymous. Crucially, a voter has no way to prove to anyone how they voted. Thus vote buying is pointless because the seller cannot prove they actually met the terms of the deal. Instead it’s much more effective to try and buy the politicians resulting from the vote, than the vote itself.
Delegated voting however requires at least some degree of transparency in how votes are cast, otherwise users will not feel secure in delegating their vote.
At first sight this is an apparent paradox that cannot be reconciled without making proxies special in some way and introducing a great deal of bureaucracy into the system. In fact, the use of internet voting gives a simple solution.
The same online voting system that is used to cast votes, set up delegation relationships and maybe learn about the issues at hand can also inform users how their chosen proxy voted. The crucial aspect is that only those who delegated their vote can view how the proxy voted.
This means that small scale vote buying doesn’t make sense, because to buy somebodies vote and be sure they really lived up to the deal, you’d have to delegate your own vote to them - in which case you’re one down, one up.
The only place it does make sense is if you can find a proxy who has an interesting number of delegated votes, and try to buy them. In this case you can delegate your own vote to them and discover if they met the terms of the deal. However as proxies with large numbers of votes would presumably inform their delegees how they intended to vote beforehand, no action is needed to ensure they actually vote that way - the real voters will ensure that for you. Buying proxies is in many ways no different to buying politicians today, in that blatant vote buying will be punished by delegation relationships being revoked and the system will self correct.
It is important that votes be anonymous not only to prevent vote buying, but also to protect voters against possible retaliation. Many studies have shown that people often claim they will vote for one thing, but then actually vote for another. Social pressures are often a cause of this.
The system described in section (3) offers this level of anonymity, with a one minor addition.
The first is that you should be able to control who delegates to you, such that unexpected delegations are not possible. Consider the model of “friending” on social networks like Facebook as an example - some people may wish to automatically accept all delegations, for example, if they are a politician, campaigner or respected local figure. Others may wish to review and approve each delegation. And the majority will likely prefer to always reject delegations and be leaf nodes in the tree.
Because the smart cards are not linked to a specific real world identity, and because the SMS containing the voting codes contains all possible options, it isn’t easily possible to associate a vote with a person or phone number. It would be possible to associate a vote with an IP address in a naively implemented system. As IP addresses are typically linkable to street addresses with the appropriate warrants and street addresses to real identities, security measures will be needed to prevent that. One example would be regular audits of the voting control servers to ensure their logs are not recording IP addresses. Another would be that ISPs could automatically reroute traffic to the voting servers via their own anonymizing proxy servers, meaning you have to trust only your ISP and not the voting agency.
No system should be considered unless there is a realistic plan for how it might be built.
A big reason delegated voting is so appealing is that a direct and simple deployment plan is obvious. A new political party can be formed (or an existing party co-opted) with delegated voting as its primary manifesto pledge. Its other policies would be as mainstream as needed to not scare people off who would have otherwise considered delegated voting.
The party can then field candidates, and each candidate that wins becomes the default proxy for their constituents. If constituents do nothing else, nothing changes - their votes are cast on their behalf by their member of Parliament, who also takes the majority decision for each vote and uses that to decide his own vote in the house. If constituents wish, they can override that delegation and vote themselves. Although the final vote must still be cast by the MP (to fit into the existing representational system) the MP may well end up voting in the house against the vote they cast themselves via the online system.
One can imagine in a successful deployment that eventually the mechanical translation of what the voting servers say into a neatly portioned set of votes between the representatives would go away and Parliament would become a center of debate rather than voting. It’s unlikely any implementation would reach this stage for a long time however.