#require stru
#title Verifiable Voting for DiEM25
#headline Verifiable Voting for DiEM25
#toclink
#section Problem description
The Organising Principles of DiEM25 assume random elections
for the Validating Council and electronic elections over the
Internet for the representatives who enter the Coordinating
Collective. In neither case is a specific procedure given
on how to implement them, and given how these elections are
currently based on 100% trust in people in a webmaster role,
they are at risk of being ruled undemocratic by any judge in
Europe. Any political movement must provide transparent,
verifiable methods of election in order to legally claim to
be democratic. DiEM25 is therefore currently at risk that
any member, even a non-paying one, can sue the movement and
have the CC and VC delegitimized by the judge, throwing the
movement into a condition of chaos and urgency to form a new
initial bootstrap assembly, not to mention legal expenses and
the risk of losing public credibility.
#section Assessment: Computers cannot be trusted for secrecy
In 2009, the [Constitutional Court of Germany ruled](http://www.servat.unibe.ch/dfr/bv123039.html) that computer
ballots are insufficient to satisfy the requirements of
democracy, namely that "the citizen must be able to oversee and
verify all steps of the voting procedure and determination of
results without any need for technical understanding."
Other supreme courts may not have followed suit yet, but
it is not advisable to base a political movement on
the [edges of legality](http://wijvertrouwenstemcomputersniet.nl/Wij_vertrouwen_stemcomputers_niet).
But if you need a more concrete technical explanation of why
electronic voting on a website cannot be secure,
[see below](voting#8).
For the purposes of aleatory democracy, selecting people
randomly from a pool of candidates, it is not transparent and
verifiable to trust in a computer's random number generator.
In fact, [Random Number Generation](https://en.wikipedia.org/wiki/Random_number_generation) is itself a huge topic of concern,
especially in cryptography, which isn't easily solved.
For the purposes of elections, it is not possible to keep a
secret count of the votes in a computer while at the same time
being verifiable to the citizen participating in the voting
procedure. So for both of these requirements we need a
different kind of solution:
#section Part 1: How to embrace Aleatory Democracy
Here is the easier part of the problem. Instead of trusting
a computer with random number generation, we can base elections
on the outcomes of national lotteries Europe-wide. Each of them
is run physically, with notaries obliged to check its
correct operation at each draw. The results of the lottery can
frequently be observed on television and scraped from several
websites on the Internet. For a voting method that is safe even
in case DiEM25 someday becomes the largest political faction in
the European Parliament (and therefore under massive risk of abuse),
it should be enough to mathematically
combine the lottery results of several countries, thus requiring
a complicated transnational conspiracy of notaries in order to
control the outcome of DiEM25 elections (which can be considered
reasonably unlikely).
The Italian Pirate Party uses aleatory democracy to elect its
Coordinating Group. Silvan of the Italian Pirates has provided
us with an (((ref aleatory/silvanopirata.html , algorithm using Italian lottery results))). Follow the link for further explanations.
A DiEM fellow called Johann has proposed an elegant
(((ref http://try-haxe.mrcdk.com/#AB0fb , cryptographic solution written in Haxe))), but I'm afraid the concept of hashing
is beyond most people's school-days knowledge of maths.
I mention my own (((ref aleatory/multilynX.html , attempt using multiplication))) for completeness, but I regard Silvan's as easier
to comprehend with bare school maths knowledge.
So, for DiEM25 the new procedure would be: the list of candidates
and an ordered list of lotteries is published on the internal
website days before the lottery draws. Whoever wants to
check the accuracy of the elections can store that data so that
they can later independently verify the results on their own
laptop or smartphone.
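The procedure above as an added example, which is neither Silvan's algorithm nor DiEM25's own code: the published candidate list and the numbers of several published lottery draws are combined, in the published order, into one seed using only multiply, add and remainder, and candidates are then picked from that seed without replacement, so anyone holding the stored data can re-run it. The candidate names, lottery numbers, multiplier and modulus are all constructed for illustration.

```python
# Added example (not Silvan's algorithm, not DiEM25's code): sortition from
# the published candidate list and several national lottery draws, using only
# integer arithmetic so that it can be re-run on any laptop or smartphone.
from typing import List, Sequence, Tuple

PRIME = 1_000_003   # modulus of the mixing step (constructed choice)
MULT = 31           # multiplier of the mixing step (constructed choice)

# Constructed sample data: made-up names and numbers, not real draws.
# The candidate list and the ORDER of the lotteries must both be published
# before the first draw, because both are inputs to the computation.
CANDIDATES = ["Anna", "Bart", "Chloe", "Dario", "Eva", "Fatima", "Gino", "Hanna"]
DRAWS: List[Tuple[str, List[int]]] = [
    ("Italy", [7, 23, 41]),
    ("Germany", [3, 12, 19]),
    ("France", [5, 9, 22]),
]


def mix(state: int, value: int) -> int:
    """One mixing step: state <- (state * MULT + value) mod PRIME."""
    return (state * MULT + value) % PRIME


def combine_draws(draws: Sequence[Tuple[str, Sequence[int]]]) -> int:
    """Fold every number of every lottery, in published order, into one seed.

    Each step depends on the previous state, so changing any single number
    or the order of the lotteries changes the seed; no single lottery
    determines the outcome on its own.
    """
    state = 0
    for _country, numbers in draws:
        for n in numbers:
            state = mix(state, n)
    return state


def select_by_lottery(candidates: Sequence[str],
                      draws: Sequence[Tuple[str, Sequence[int]]],
                      seats: int) -> List[str]:
    """Pick `seats` distinct candidates, driven by the combined lottery seed."""
    if seats > len(candidates):
        raise ValueError("more seats than candidates")
    remaining = list(candidates)
    state = combine_draws(draws)
    chosen: List[str] = []
    for seat in range(seats):
        # Advance the state once per seat, take the remainder modulo the
        # number of still-unselected candidates, and remove the pick so
        # nobody can be selected twice.
        state = mix(state, seat)
        chosen.append(remaining.pop(state % len(remaining)))
    return chosen


def verify(candidates: Sequence[str],
           draws: Sequence[Tuple[str, Sequence[int]]],
           seats: int, announced: Sequence[str]) -> bool:
    """Independent check: recompute from the stored inputs and compare."""
    return select_by_lottery(candidates, draws, seats) == list(announced)


if __name__ == "__main__":
    result = select_by_lottery(CANDIDATES, DRAWS, 3)
    print("seed:", combine_draws(DRAWS), "selected:", result)
    print("verified:", verify(CANDIDATES, DRAWS, 3, result))
```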
#section Part 2: How to embrace Representative Democracy
As a disclaimer up front, we of the Structure Working Group
recommend (((ref goals , a shift towards liquid democracy)))
and policy-oriented voting rather than elections of
representatives. The verification problem is historically
one of the [initial sparks that triggered the creation of the liquid feedback software](http://www.liquid-democracy-journal.org/issue/1/The_Liquid_Democracy_Journal-Issue001-02-Five_years_of_Liquid_Democracy_in_Germany.html), so this is a political topic at least
ten years old.
If you, DiEM25, insist on having elections of people, then
we must assert that you cannot have both secret digital
voting and verifiability. We recommend reading section three
of the seminal book reflecting the state of the art on the
subject, (((ref http://principles.liquidfeedback.org/ , "the Principles of LiquidFeedback"))), ISBN 978-3-00-044795-2.
Lorenzo Marsili asked whether a group of trusted experts could be
given access to the voting server so as to ensure its correct
operation. There are several issues with such an approach.
It is enough for one person to have access to the membership
database in order to simulate false voting procedures of
dormant members using their credentials from the database.
Even if a dozen experts have access to the logs, it is a
cat-and-mouse game that can't be won to spot false
voting operations amidst thousands of legitimate ones.
Additionally, we are living in a day and age whereby it is
(((ref http://youbroketheinternet.org/overview , very hard for anybody to set up a server that cannot be hacked and controlled by at least the Five Eyes services))) if not any competent
person that knows how to make use of the tools recently
published by Wikileaks.
Therefore the recommendation we can make is to organize
large general assemblies and elect the CC by paper ballot.
Another option is to have the CC elected by lottery, just
like the VC.
If you really want to have electronic elections, you must
accept the lesser evil among the disadvantages, that is to make
the election procedure transparent. Yes, that means that
for each election it is public who has voted for whom
(information that would otherwise only be available to
the webmaster), which makes it possible to ask people who
voted in an unexpected manner whether they really voted
that way.
[Secret voting doesn't actually do](http://faculty.haas.berkeley.edu/rjmorgan/Negative.pdf)
what people intuitively think it does. Its usefulness is
vastly overestimated:
#quote_start
We found that the imposition of the secret ballot always increases the scope of vote buying — more people vote insincerely under the secret ballot than under the open ballot. We also found circumstances where, paradoxically, the imposition of the secret ballot makes it easier for interest groups to wield influence. In particular, for close elections where the bulk of the supporters of an interest group's desired policy are lukewarm, it is cheaper for that interest group to buy the election under the secret ballot than under the open ballot. Taken together, this suggests that the common intuition about the effectiveness of the secret ballot as a robust deterrent to electoral corruption needs to be revisited.
#quote_end
This still doesn't solve the problem that the
database may be filled with sock puppets with cheap phone
numbers: names that no one has ever met at any DSC meeting.
Is it really democracy if people that never participated in
anything have a decisive role in electing leadership? To
close this loophole, the Italian Pirates are considering
obliging voters to participate in meetings regularly.
You could also introduce a rule by which only people that
show up at DSC meetings every few months are entitled to vote.
At the World Economic Forum,
[Ehud Shapiro suggested we](https://youtu.be/GgS9myPsGUw)
should use electronic identification to solve this problem.
It's also fine to use a paper-based identity certification
system with DSC members acting as witnesses for each other.
#section Feedback from the CC
An unnamed source in DiEM25's CC has commented as follows:
#quote_start
Hey, of course the code can be audited by anyone who expresses the wish to do so, I call it DiEM25-source - any DiEM25 member can get access.
#quote_end
It is totally irrelevant which software runs the non-verifiable random number generator or the non-verifiable database of voting data. If the data isn't verifiable in democratic terms, the software is only an additional source of insecurity. The theory that keeping the source closed is going to keep the hackers away [has been proven wrong throughout hacking history](https://en.wikipedia.org/wiki/Security_through_obscurity). While open source enables the good guys to find the bugs, closed source guarantees that the bugs will be there for the well-equipped hacker to find, as [has recently happened to the Movimento 5 Stelle](https://www.reuters.com/article/us-italy-politics-5star/hacking-attacks-a-pre-election-setback-for-italys-5-star-movement-idUSKBN1CA1TM), which dared to use the same approach. DiEM25's leadership is therefore acting against all public and scientific wisdom. This absurdity may not be obviously illegal in Italy yet, but it sure will be in other parts of Europe.
But we're not asking to get a look at the software, because to our understanding the software is not providing verifiable voting or elections in any of the constellations needed, so it is probably breaking laws and its development had better be discontinued. DiEM25 doesn't need people to develop custom software that may not respect Europe's many laws. DiEM25 should use existing software that is known to do things correctly.
#quote_start
However, as the group points out themselves, once you've verified that the code is well-intentioned and that it's not possible to hack it, there is still a major weakness: the webmaster.
#quote_end
If even the most established and formally verified [Wi-Fi protocol WPA2 got cracked](https://galois.com/blog/2017/10/formal-methods-krack-vulnerability/) against all expectations from professionals, how can you expect that anyone writing or reading that code would be able to declare it "impossible to hack"? It's an impossible thing to claim! What is your background in computing security that leads you to say something that companies would only say in advertisements?
#quote_start
Whoever has commandline access to the database can change any vote or can take over the identity of an inactive member and vote for that person. There's no way to prevent that.
#quote_end
At least one thing we agree upon. So, by logical consequence, something has to happen. Either we change the method or such a method cannot be publicly proclaimed as being democratic. Maybe it is legal if DiEM25 openly admits to not being strictly democratic for technical reasons. Not sure how many European jurisdictions allow a political movement not to exercise verifiable democracy internally. Since DiEM is active in all of them, we cannot afford to be legal in some and illegal in others. It is even a shame for a political movement to gamble with legality in the first place.
#quote_start
[removed a summary of this page without commentary or criticism]
For the VC, they suggest using lottery numbers rather than truly random numbers, because lottery numbers are verifiable and random number generation has proven to be a difficult problem in CompSci. That has the disadvantage that they are far from random (e.g. one number cannot be drawn twice, and all numbers are in ascending order), so any drawing based on that would be more flawed than the current state-of-the-art CompSci random number generation...
#quote_end
Saying that a public lottery isn't random enough for elections is incorrect. Have a conversation with a real mathematician, please. Scientists haven't beaten the lottery; they only managed to [double their chances of winning](http://math2.uncc.edu/~imsonin/Lottery.pdf) by predicting what the rest of the population is betting on -- which has nothing to do with our use of lottery numbers.
You may be confused by cryptography here. Lottery numbers would not be enough to do cryptography, not because of their extraction method, but simply because there are not enough of them, and crypto can be attacked by brute force. You can't apply brute force to a lottery, nor to an election. Or at least we wouldn't advocate for that. So your emotions about the entropy of lottery numbers are misplaced.
It isn't even correct that all nations publish lottery numbers in ascending order, but that has little importance, as the entropy of physically extracted lotto numbers is more than sufficient for election purposes. If you think lotto numbers do not have enough entropy, why haven't you won any lotto games recently? If your point were correct, you should be able to hack all lotteries and roulettes on Earth!
#quote In short, I don't think any of their solutions are practical.
Regarding the lotto draws, that is simply not true. The solution is very practical and easy and a huge step forward. Silvan even provided you with an easy-to-copy-and-use JavaScript app.
Regarding VIP elections, nobody said you could have your cake and eat it. One way to do secret elections properly is to make them less important: that is, reduce the power and importance of the role of the CC, and rather empower the movement's participants to take all necessary thematic decisions so that the CC is indeed just executing the movement's decisions. Then it doesn't matter if the CC was elected at a general assembly using paper ballots instead of the unverifiable Internet, a method which is an ongoing existential threat to the future of DiEM25.
And don't say you are already doing this, because of course by thematic decisions we intend fully transparent debates and verifiable consensus procedures, which luckily can easily be implemented using the appropriate and acclaimed software. Currently, thematic votes in DiEM25 are not only highly prone to demagogy, they are also just as unverifiable as the elections, even though legally and technically nothing impedes them from being fully public and transparent.
#section Feedback from a nameless advisor
Again, feedback has been forwarded to us
without naming its author.
#quote_start
It is just impossible to guarantee complete end-to-end verifiability of electronic vote. State-of-the-art e-vote solutions tend to focus on the election/tally parts, generally applying a bunch of cryptographic techniques, but they tend to overlook the biggest problem, which is indeed who controls the "big spreadsheet" you obtain at the end. Also, to the best of my knowledge state-of-the-art solutions are able to ensure that active voters can verify that *their* vote is in, that it is correct, and that has been accurately counted, but they break down for *inactive* voters that will not check or, worse, that will have others stealing their voting credentials and voting in their stead.
#quote_end
Stefan O. pointed us to
(((ref https://select.sec.uni-stuttgart.de))), an
electronic election system based on a research paper
on cryptographic voting. It does all the things a
cryptographer would expect from such a system, but
it has just the drawbacks you describe here.
Additionally, the German Verfassungsgericht would still
complain that it takes the competences of a cryptographer
to understand how this system works.
Using software like this however introduces a
minimum of verifiability which makes it the least
bad choice among the options for electronic
secret voting. Try to read the scientific paper
that explains the method and compare it to what
DiEM25 is currently employing on its website!
DiEM25 shouldn't use voting systems that no
professor on Earth would vouch for.
#quote Non anonymous voting is a solution to some problems. Debian uses it for every non personal votes --- that is, collective decision making on specific actions, as opposed to election of people to specific governance bodies.
So we agree that transparent topical voting is a good thing.
Even better if you have a tool optimized to maximize
consensus, so instead of just voting for the least bad
option you work on a common proposal until most people
agree on it. This is possible for a lot of topics and
dramatically improves the quality of the results.
By contrast, it can have devastating consequences for the
movement if a vote ends 51:49 and half of the
movement is left behind in a decision. This creates
frustration, disenchantment and in-fighting. In the
vote on an electoral wing, about 40% suggested
that DiEM25 is in need of a rewrite of its
Operating Principles. This suggests DiEM25 is already
split in half between those who think everything is fine
and just needs to be improved and those who think too
many fundamental things are wrong, like the way votes
aren't verifiable and thus illegal, and urgently need
to be addressed not only in deeds but also in legal
documents.
#quote I think it's a good compromise, because the community drawbacks of having non-anonymous votes for elections are pretty severe in the long term ("you didn't vote for me, I thought we were friends!").
On the topic of elections of personnel,
Italian Pirates have been practicing transparent
elections when unavoidable. The "I thought we were friends"
moment has never arisen: If you don't think I am fit for
a certain role I will deal with such criticism. I would
be stupid to question our friendship because of that.
It's more like a reality check -- a moment of truth when
even the most dishonest person will for once be honest
with you, informally through a mouse click in favour of
somebody else. It's still better to use paper ballots,
but transparent elections aren't as bad as they are
painted. Since the other alternative is to hold illegal
pseudo-secret elections, we should accept the bluntness of
transparent elections to remain in the field of legality.
#quote While real time tallying is appealing to avoid abuses, I recommend against it. The risk of tactical voting are just too high. If the information is completely public, candidates (or supporters of specific items on the ballot) who are lagging behind we'll be able to rally support in real time, distorting the democratic process quite a bit, and generally in favor of who has more time to follow closely the election process. Which is a bad skew.
Liquid Feedback does not support real-time tallying.
We have not recommended any such thing anywhere in this
document. During the voting period, whoever has access
to the LQFB database does have a little strategic advantage
over its participants. We accept this drawback as the lesser
evil compared to the scenario you describe above.
#quote If on the other hand you have only a few people with access to the real-time tally, well, those people have a lot of power: they will be able to secretively rally support for the options they like without anyone able to keep that in check.
That is the known drawback in Liquid Feedback. The
webmasters gain the power of selectively advertising tallies
they are at risk of losing. We have had such events in the
past. It's not such a great power after all, because if the
majority of participants is clearly of a different opinion,
there isn't all that much support they can rally for.
Still, this phenomenon can be kept in check.
Its impact can be reduced by introducing methods of
transparent or controlled systems administration, as in:
every access to the database during the tally is logged
and could be used to invalidate the voting procedure.
Or, administration rights can only be exercised when
two people who are unlikely to conspire (of opposing
factions in the movement, for example) both
introduce their half of the access credentials.
Another option to enhance trust in the webmaster is
to simply have them elected in a physical assembly.
It cannot be a role appointed by the leadership, as
that would be a conflict of interest.
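The two-person rule with access logging described above, as an added example that is not DiEM25's or LiquidFeedback's own code: the database credential is split into two XOR shares held by two custodians, a share on its own reveals nothing, and every access attempt, granted or refused, is appended to a log that records whether the tally was open at the time. The custodian names and the credential are constructed values.

```python
# Added example (not DiEM25's or LiquidFeedback's code): two-person rule for
# database administration plus an access log for the tally period.
import hashlib
import secrets
from typing import List, Optional, Tuple


def split_credential(credential: bytes) -> Tuple[bytes, bytes]:
    """Split into (share_a, share_b) with share_a XOR share_b == credential.

    share_a is uniformly random, hence so is share_b; neither share carries
    any information about the credential by itself (one-time-pad argument).
    """
    share_a = secrets.token_bytes(len(credential))
    share_b = bytes(a ^ c for a, c in zip(share_a, credential))
    return share_a, share_b


def reconstruct(share_a: bytes, share_b: bytes) -> bytes:
    """XOR the two shares back together; both custodians must be present."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


class DatabaseAccess:
    """Releases the credential only when two different registered custodians
    present shares that reconstruct to the registered credential."""

    def __init__(self, credential: bytes, custodian_a: str, custodian_b: str):
        # Only a hash is kept here, so this object is not a single point of
        # trust that could hand out the credential on its own.
        self.fingerprint = hashlib.sha256(credential).hexdigest()
        self.custodians = {custodian_a, custodian_b}
        self.tally_open = False          # set to True while a tally runs
        self.audit_log: List[dict] = []  # append-only record of every attempt

    def request(self, who_a: str, share_a: bytes,
                who_b: str, share_b: bytes, reason: str) -> Optional[bytes]:
        """Return the credential if both halves are valid, else None.
        Every attempt is logged, including the ones that are refused."""
        try:
            candidate = reconstruct(share_a, share_b)
        except ValueError:
            candidate = b""
        ok = (who_a != who_b and {who_a, who_b} == self.custodians
              and hashlib.sha256(candidate).hexdigest() == self.fingerprint)
        self.audit_log.append({
            "by": sorted([who_a, who_b]),
            "reason": reason,
            "granted": ok,
            # Any access while the tally is open is grounds for review and,
            # as the text proposes, possibly for invalidating the vote.
            "during_tally": self.tally_open,
        })
        return candidate if ok else None


def accesses_during_tally(access: DatabaseAccess) -> List[dict]:
    """Log entries the election committee must examine before accepting a result."""
    return [entry for entry in access.audit_log if entry["during_tally"]]
```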
#quote_start
If paper voting is an option for you at least in some occasions (dunno, plenary meetings or the like), I recommend resorting to it as much as possible. If it is not, then you have to bite the bullet and accept the above drawbacks. When you have to make compromises, my recommendations would be:
- non-anonymous voting for everything that is not a nominal election
- no real-time tallying, but only real-time monitoring of
participation/abstention (which does shield against some attack)
#quote_end
So ultimately we agree.
Now that even the CC's advisorship agrees with us, will the
leadership of DiEM25 take any measures in accordance?
#section Update: Guarantor Group won't help
In the 5-Star-Movement (M5S) the responsibility of ensuring the
correctness of the voting machinery has been passed to an
elected guarantor group. These people would look at the
source code, check the database and things like that.
Still, they have no technological way to ensure that votes
haven't been falsified on the way into the database, so
the trust placed in the webmaster or whoever has
technological access to the database (government agencies
or even spare-time hackers, as in the case of M5S' 0rogue0,
the person who claims to still have access to the M5S voting
machine "Rousseau") has simply shifted from the general
participants in the political project onto a bunch of
elected guarantors who probably have an interest in
proclaiming the safety of the voting system although they
technically cannot ensure its safety at all.
Electronic secret voting on a website is technically
impossible to secure, and whoever expresses guarantees
in that regard is offending democratic constitutions.
Please don't accept any such trick, should it be proposed to you.
#section Update: Why is secret voting on a website insecure?
I'll try to explain in layman's terms. On one side we have
the person who would like to exercise their political will
by clicking on the appropriate button on a web page. On the
other side we have a database on a server that is supposed
to register that choice, and by means of cryptographic
hashing could even make later modification difficult.
Yet, along that way there are several technologies that we are
trusting blindly to operate in our interest: there is the
manufacturer of your computer or smartphone, the manufacturer
of the operating system, the manufacturer of the individual
chips inside those devices that are involved in the transaction
like central processing units, network interfaces and memory
controllers.
And then there are all the Internet service providers, routers and
gateways that could each do a man-in-the-middle attack on the
[insecure "https" encryption system](https://secushare.org/broken-internet).
It may not be easy and frequent to do such an attack, but all of
these companies and the governments behind them still have these powers.
Remember, Snowden's [PRISM program](https://en.wikipedia.org/PRISM) never
stopped. Should DiEM25 one day be the political power governing Europe,
then the governments behind these companies have an interest in intercepting
each voter's mouse-click to make it click the wrong button. And don't
say we'll have a better voting system then, because that is never
true -- people never change an apparently running system -- the time to
make the right choices is NOW.
Given the complexity of today's technology, even an Intel processor
([which has its own operating system and web interface inside](https://www.youtube.com/watch?v=kNsL4_as4io))
could be remotely instructed to intercept just that one click
headed to internal.diem25.org and modify it just that little bit
to indicate the opposite choice of what you clicked upon.
Same goes for every Android, iPhone or Windows 10 operating system.
A "system update" could instruct them to modify all clicks to a
specific internal.diem25.org URL in a specific way, just a few days
before the start of the voting process. Then the update could get
removed just after the presentation of the results. And suddenly
we'd be surprised why the majority of DiEM25 voters wants to have
a free trade agreement with the USA, to name an example scenario.
It's not something an average hacker may be able to do, but should
DiEM become of any relevance, there are several nation state
actors that do have that ability. Thanks to Snowden we even
have partial evidence in that regard, not just logical deduction
given the desolate condition of proprietary technology.
This is not science fiction.
[This is fact](https://youbroketheinternet.org/overview).
That's why governments all over the world are struggling to obtain
secure technology for their strategic communications. In our current technological
situation there are privileged people from whom it is impossible to keep
secrets and by whom it is impossible not to be manipulated. We are using
computers that are owned by other people -- how can we expect them to
do what we want? That's why we should have digital voting
systems that are safe from such kind of abuse -- by being fully
transparent and verifiable. Nothing less will ever do.
And in the long run maybe
[we should make it illegal](https://youbroketheinternet.org/#legislation)
to have systems that affect human and democratic fundamental
rights operate using proprietary technology that is owned by others,
but that's the essence of pillar 7.
#section Update: EU has lowered democratic requirements on electoral wings
The EU has reduced the democratic requirements for projects that aren't proper parties yet ((((ref https://www.bundeswahlleiter.de/service/glossar/s/sonstige-politische-vereinigungen.html , see the Bundeswahlleiter on other political associations, sonstige politische Vereinigungen)))).
This means that it might be indeed legal to promote structures
that have unverifiable voting systems that webmasters or
foreign intelligence agencies are able to manipulate.
One question is, can we ethically agree with the creation of
structures that bypass verifiability just because it may not
be obviously illegal yet?
The new regulation does however stress the need for member
participation in the creation of policy, so a legal case
whereby a court establishes that the methods used by DiEM25
aren't verifiable and thus cannot guarantee such participation
(if the decisive parts have indeed been decided elsewhere),
could kick the entire DiEM25 project out of the political race.
At least any member of any electoral wing could bring such an
EU court decision about, if not regular DiEMers.
#footnotes
#index
#repost goals