Verifiable Voting for DiEM25

Problem description

The Organising Principles of DiEM25 assume random selection for the Validating Council and electronic elections over the Internet for the representatives who enter the Coordinating Collective. In neither case is a specific procedure given for how to implement them, and since these elections currently rest on 100% trust in the people holding a webmaster role, they are at risk of being ruled undemocratic by any judge in Europe. A political movement must provide transparent, verifiable election methods in order to legally claim to be democratic. DiEM25 is therefore at risk that any member, even a non-paying one, can sue the movement and have the CC and VC delegitimised by a judge, throwing the movement into chaos and the urgent need to form a new initial bootstrap assembly, not to mention legal expenses and the risk of losing public credibility.

Assessment: Computers cannot be trusted for secrecy

In 2009, the Constitutional Court of Germany ruled that computer ballots are insufficient to satisfy the requirements of democracy, since "the citizen must be able to oversee and verify all steps of the voting procedure and determination of results without any need for technical understanding." Other supreme courts may not have followed suit yet, but it is not advisable to base a political movement on the edges of legality. If you want a more concrete technical explanation of why electronic voting on a website cannot be secure, [see below](voting#8).

For the purposes of aleatory democracy, that is selecting people randomly from a pool of candidates, trusting a computer's random number generator is neither transparent nor verifiable: nobody but the operator can check that the number actually used was the one the generator produced, rather than one chosen to obtain a desired result. Random number generation is also a hard problem in its own right, especially in cryptography, and not one that is easily solved.

For the purposes of elections, it is not possible to keep a secret count of the votes in a computer while at the same time remaining verifiable to the citizen who took part in the vote. So for both requirements we need a different kind of solution:

Part 1: How to embrace Aleatory Democracy

Here's the easier part of the problem. Instead of trusting a computer with random number generation, we can base the selection on the outcomes of national lotteries Europe-wide. Each of them is run physically, with notaries obliged to check its correct operation at every draw. The results are broadcast on television and can be scraped from several websites on the Internet. For a method that stays safe even if DiEM25 someday becomes the largest political faction in the European Parliament (and therefore a prime target for manipulation), it should be enough to mathematically combine the lottery results of several countries, so that controlling the outcome of a DiEM25 selection would require a complicated transnational conspiracy of notaries, which can be considered reasonably unlikely.

The Italian Pirate Party uses aleatory democracy to elect its Coordinating Group. Silvan of the Italian Pirates has provided us with an algorithm using Italian lottery results; follow the link for further explanation. A DiEM fellow called Johann has proposed an elegant cryptographic solution written in Haxe, but I'm afraid the concept of hashing is beyond most people's school-days knowledge of maths. I mention my own attempt using multiplication for completeness, but I regard Silvan's as the easiest to follow with bare school maths.

So, for DiEM25 the new procedure would be: the list of candidates, an ordered list of lotteries and the exact selection rule are published on the internal website days before the draws take place, so that none of them can be adjusted once the numbers are known. Whoever wants to check the accuracy of the selection stores that data and can later independently verify the result on their own laptop or smartphone.
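To make the procedure concrete, here is an added example of the whole cycle (publish, draw, select, re-check). It is not DiEM25's, Silvan's or Johann's code; the candidate names, the lottery names and the drawn numbers are constructed sample data, and the hash-based combiner is only an assumption about what a "hashing" variant would look like, not Johann's exact encoding. Both combiners feed the same deterministic selection rule, so anyone holding the published data can recompute the outcome.

```python
# Added example (not DiEM25's, Silvan's or Johann's code): selecting k people
# from a published candidate list using the numbers drawn by several national
# lotteries, so that any member can recompute the result afterwards.
import hashlib
from typing import Callable, Dict, List, Sequence

# Published BEFORE the draws (constructed sample data, not a real DiEM25 list
# and not real lottery results): the candidates and the order of the lotteries.
CANDIDATES = ["Alice", "Bruno", "Chiara", "Dimitri", "Eva", "Farid",
              "Giulia", "Hans", "Ines", "Jonas", "Katerina", "Luca"]
LOTTERY_ORDER = ["IT-SuperEnalotto", "DE-Lotto6aus49", "ES-Primitiva"]
# Scraped AFTER the draws (constructed numbers).
DRAWS: Dict[str, List[int]] = {
    "IT-SuperEnalotto": [4, 17, 23, 41, 55, 88],
    "DE-Lotto6aus49":   [2, 9, 19, 28, 36, 44],
    "ES-Primitiva":     [7, 12, 30, 33, 39, 47],
}


def combine_plain(draws: Sequence[Sequence[int]], base: int = 100) -> int:
    """School-maths combiner: every number of every draw, in the published
    order, becomes one base-100 digit of a single big integer."""
    seed = 0
    for draw in draws:
        for n in draw:
            if not 0 <= n < base:
                raise ValueError(f"lottery number {n} outside 0..{base - 1}")
            seed = seed * base + n
    return seed


def combine_hashed(draws: Sequence[Sequence[int]]) -> int:
    """Hash combiner: SHA-256 over a canonical text of the draws, read as an
    integer. Harder to explain, but it erases the 'ascending, no repeats'
    structure of the raw numbers. (Assumption: this is not Johann's exact
    encoding, which the page does not show.)"""
    text = ";".join(",".join(str(n) for n in draw) for draw in draws)
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")


def select(candidates: Sequence[str], seed: int, k: int) -> List[str]:
    """Deterministic draw of k names: take seed mod (pool size) as the index
    of the person to pick, remove them, divide the seed by the pool size and
    repeat. Same inputs always give the same output."""
    if k > len(candidates):
        raise ValueError("cannot select more people than there are candidates")
    pool = sorted(candidates)          # canonical order, part of the publication
    chosen: List[str] = []
    for _ in range(k):
        seed, j = divmod(seed, len(pool))
        chosen.append(pool.pop(j))
    return chosen


def verify(candidates: Sequence[str], order: Sequence[str],
           draws: Dict[str, List[int]], k: int, claimed: Sequence[str],
           combiner: Callable[[Sequence[Sequence[int]]], int] = combine_plain) -> bool:
    """What a member runs on their own laptop: rebuild the seed from the
    published order and the scraped results, recompute, compare."""
    ordered = [draws[name] for name in order]   # KeyError if a draw is missing
    return select(candidates, combiner(ordered), k) == list(claimed)


if __name__ == "__main__":
    ordered = [DRAWS[name] for name in LOTTERY_ORDER]
    result = select(CANDIDATES, combine_plain(ordered), 3)
    print("selected:", result)
    print("recomputed independently:",
          verify(CANDIDATES, LOTTERY_ORDER, DRAWS, 3, result))
```

Two caveats a practitioner should keep in mind. With the plain combiner, the lowest digits of the seed, i.e. the last numbers of the last lottery in the published order, decide the first pick, so combining several draws only dilutes bias in one of them; it does not protect against a draw that is fully rigged, which is exactly why physically supervised lotteries are used. And taking the seed modulo the pool size leaves a tiny bias towards low indices, negligible for a seed of well over a hundred bits against a pool of a few hundred candidates, but the reason the seed should be built from several draws rather than one.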

Part 2: How to embrace Representative Democracy

As a disclaimer ahead, we of the Structure Working Group recommend a shift towards liquid democracy and policy-oriented voting rather than elections of representatives. The verification problem was historically one of the initial sparks that triggered the creation of the LiquidFeedback software, so this is a political topic at least ten years old.

If you, DiEM25, insist on having elections of people, then we must assert that you cannot have both secret digital voting and verifiability. We recommend reading section three of the seminal book reflecting the state of the art on the subject, "The Principles of LiquidFeedback", ISBN 978-3-00-044795-2.

Lorenzo Marsili asked whether a group of trusted experts could be given access to the voting server so as to ensure its correct operation. There are several issues with such an approach. It is enough for one person with access to the membership database to simulate voting by dormant members, using their credentials from that database. Even if a dozen experts have access to the logs, spotting false voting operations amidst thousands of legitimate ones is a cat-and-mouse game that cannot be won. Additionally, we live in an age in which it is very hard for anybody to set up a server that cannot be hacked and controlled by at least the Five Eyes services, if not by any competent person who knows how to use the tools recently published by WikiLeaks.

Therefore the recommendation we can make is to organize large general assemblies and elect the CC by paper ballot. Another option is to have the CC elected by lottery, just like the VC.

If you really want electronic elections, you must accept the lesser evil among the disadvantages, which is to make the election procedure transparent. Yes, that means that for each election it is public who voted for whom (information that would otherwise only be available to the webmaster), which makes it possible to ask people who voted in an unexpected manner whether they really voted that way. Secret voting doesn't actually do what people intuitively think it does. Its usefulness is vastly over-estimated:

We found that the imposition of the secret ballot always increases the scope of vote buying — more people vote insincerely under the secret ballot than under the open ballot. We also found circumstances where, paradoxically, the imposition of the secret ballot makes it easier for interest groups to wield influence. In particular, for close elections where the bulk of the supporters of an interest group's desired policy are lukewarm, it is cheaper for that interest group to buy the election under the secret ballot than under the open ballot. Taken together, this suggests that the common intuition about the effectiveness of the secret ballot as a robust deterrent to electoral corruption needs to be revisited.

This still doesn't solve the problem that the database may be filled with sock puppets registered with cheap phone numbers: names that no-one has ever met at any DSC meeting. Is it really democracy if people who never participated in anything have a decisive role in electing the leadership? To close this loophole, the Italian Pirates are considering obliging voters to participate in meetings regularly. You could also introduce a rule by which only people who show up at DSC meetings every few months are entitled to vote. At the World Economic Forum, Ehud Shapiro suggested using electronic identification to solve this problem. It is also fine to use a paper-based identity certification system with DSC members acting as witnesses for each other.

Feedback from the CC

An unnamed source in DiEM25's CC has commented as follows:

Hey, of course the code can be audited by anyone who expresses the wish to do so, I call it DiEM25-source - any DiEM25 member can get access.

It is totally irrelevant which software runs the non-verifiable random number generator or the non-verifiable database of voting data. If the data isn't verifiable, in democratic terms, the software is only an additional source of insecurity. The theory that keeping the source closed keeps the hackers away has been proven wrong throughout hacking history. While open source enables the good guys to find the bugs, closed source guarantees that the bugs will still be there for the well-equipped hacker to find, as recently happened to the Movimento 5 Stelle, who dared to use the same approach. DiEM25's leadership is therefore acting against all public and scientific wisdom. This absurdity may not be obviously illegal in Italy yet, but it surely will be in other parts of Europe.

But we're not asking for a look at the software, because to our understanding the software does not provide verifiable voting or elections in any of the configurations needed, so it is probably breaking laws and its development had better be discontinued. DiEM25 doesn't need people to develop custom software that may not respect Europe's many laws. DiEM25 should use existing software that is known to do things correctly.

However, as the group itself points out, once you've verified that the code is well-intentioned and that it's not possible to hack it, there is still a major weakness: the webmaster.

If even WPA2, the most established Wi-Fi protocol, whose four-way handshake had been formally verified, was broken in 2017 by the KRACK key-reinstallation attack against all expectations from professionals (the proofs simply did not cover what happens when message 3 of the handshake is retransmitted), how can you expect anyone writing or reading that code to be able to declare it "impossible to hack"? It is an impossible claim to make. What is your background in computing security that leads you to say something companies would only say in advertisements?

Whoever has commandline access to the database can change any vote or can take over the identity of an inactive member and vote for that person. There's no way to prevent that.

On this at least we agree. So, by logical consequence, something has to happen: either we change the method, or the method cannot be publicly proclaimed as democratic. Maybe it is legal if DiEM25 openly admits to not being strictly democratic for technical reasons. It is not clear how many European jurisdictions allow a political movement not to exercise verifiable democracy internally. Since DiEM is active in all of them, we cannot afford to be legal in some and illegal in others. It is a shame for a political movement to gamble with legality in the first place.

[removed a summary of this page without commentary or criticism]

For the VC, they suggest using lottery numbers rather than truly random numbers, because lottery numbers are verifiable and random number generation has proven to be a difficult problem in CompSci. That has the disadvantage that they are far from random (e.g. one number cannot be drawn twice, and all numbers are in ascending order), so any drawing based on that would be more flawed than the current state-of-the-art CompSci random number generation...

Saying that a public lottery isn't random enough for elections is incorrect. Have a conversation with a real mathematician, please. Scientists haven't beaten the lottery; they only managed to improve their expected payout by predicting which numbers the rest of the population bets on, which has nothing to do with our use of lottery numbers.

You may be confusing this with cryptography. Lottery numbers would not be enough to do cryptography, not because of how they are drawn, but simply because there are not enough of them, and a cryptographic key can be attacked by brute force. You cannot brute-force a lottery draw or an election, and we would not advocate trying. So your worry about the entropy of lottery numbers is misapplied here.

It isn't even correct that all nations draw lottery numbers in ascending order, but that has little importance, as the entropy of physically drawn lotto numbers is more than sufficient for selection purposes: a single 6-of-90 draw has 622,614,630 possible outcomes (about 29 bits), a 6-of-49 draw 13,983,816 (about 24 bits), and combining the draws of several countries multiplies these numbers. If you think lotto numbers do not have enough entropy, why haven't you won any lotto games recently? If your point were correct, you should be able to beat all lotteries and roulettes on Earth!

In short, I don't think any of their solutions are practical.

Regarding the lotto draws, that is simply not true. The solution is very practical and easy and a huge step forward. Silvan even provided you with an easy to copy and use JavaScript app.

Regarding elections of people: nobody said you could have your cake and eat it. One way to do secret elections properly is to make them less important: reduce the power and importance of the CC's role, and instead empower the movement's participants to take all necessary thematic decisions, so that the CC is just executing the movement's decisions. Then it doesn't matter if the CC is elected at a general assembly using paper ballots instead of over the unverifiable Internet, a method which is an ongoing existential threat to the future of DiEM25.

And don't say you are already doing this, because by thematic decisions we of course mean fully transparent debates and verifiable consensus procedures, which luckily can easily be implemented using the appropriate and acclaimed software. Currently, thematic votes in DiEM25 are not only highly prone to demagogy, they are also just as unverifiable as the elections, even though legally and technically nothing prevents them from being fully public and transparent.

Feedback from a nameless advisor

Again, feedback has been forwarded to us without naming its author.

It is just impossible to guarantee complete end-to-end verifiability of electronic vote. State-of-the-art e-vote solutions tend to focus on the election/tally parts, generally applying a bunch of cryptographic techniques, but they tend to overlook the biggest problem, which is indeed who controls the "big spreadsheet" you obtain at the end. Also, to the best of my knowledge state-of-the-art solutions are able to ensure that active voters can verify that their vote is in, that it is correct, and that it has been accurately counted, but they break down for inactive voters that will not check or, worse, that will have others stealing their voting credentials and voting in their stead.

Stefan O. pointed us to https://select.sec.uni-stuttgart.de, an electronic election system based on a research paper on cryptographic voting. It does everything a cryptographer would expect from such a system, but it has exactly the drawbacks you describe here.

Additionally, the German Verfassungsgericht would still object that it takes the competences of a cryptographer to understand how this system works.

Using software like this does however introduce a minimum of verifiability, which makes it the least bad choice among the options for an electronic secret vote. Read the scientific paper that explains the method and compare it to what DiEM25 is currently employing on its website! DiEM25 shouldn't use voting systems that no professor on Earth would vouch for.

Non-anonymous voting is a solution to some problems. Debian uses it for every non-personal vote --- that is, collective decision making on specific actions, as opposed to election of people to specific governance bodies.

So we agree that transparent topical voting is a good thing. Even better if you have a tool optimised to maximise consensus, so that instead of just voting for the least bad option you work on a common proposal until most people agree on it. This is possible for a lot of topics and dramatically improves the quality of the results.

Instead, it can have devastating consequences for the movement if a vote ends 51:49 and half of the movement is left behind by a decision. This creates frustration, disenchantment and in-fighting. In the vote on an electoral wing, about 40% suggested that DiEM25 needs a rewrite of its Organising Principles. This suggests DiEM25 is already split in half between those who think everything is fine and just needs improving and those who think too many fundamental things are wrong, like the way votes aren't verifiable and thus illegal, and urgently need to be addressed not only in deeds but also in legal documents.

I think it's a good compromise, because the community drawbacks of having non-anonymous votes for elections are pretty severe in the long term ("you didn't vote for me, I thought we were friends!").

On the topic of electing people, the Italian Pirates have been practising transparent elections when unavoidable. The "I thought we were friends" moment has never arisen: if you don't think I am fit for a certain role, I will deal with that criticism. I would be stupid to question our friendship because of it. It's more like a reality check, a moment of truth when even the most dishonest person will for once be honest with you, informally, through a mouse click in favour of somebody else. It's still better to use paper ballots, but transparent elections aren't as bad as they are painted. Since the alternative is to hold illegal pseudo-secret elections, we should accept the bluntness of transparent elections to remain within the field of legality.

While real time tallying is appealing to avoid abuses, I recommend against it. The risk of tactical voting is just too high. If the information is completely public, candidates (or supporters of specific items on the ballot) who are lagging behind will be able to rally support in real time, distorting the democratic process quite a bit, and generally in favor of who has more time to follow closely the election process. Which is a bad skew.

LiquidFeedback does not support real-time tallying, and we have not recommended any such thing anywhere in this document. During the voting period, whoever has access to the LQFB database does have a small strategic advantage over the participants. We accept this drawback as the lesser evil compared to the scenario you describe above.

If on the other hand you have only a few people with access to the real-time tally, well, those people have a lot of power: they will be able to secretively rally support for the options they like without anyone able to keep that in check.

That is the known drawback in LiquidFeedback. The webmasters gain the power to selectively publicise tallies they are at risk of losing. We have had such events in the past. It isn't such a great power after all, because if the majority of participants is clearly of a different opinion, there isn't all that much support they can rally.

Still, this can be kept in check. Its impact can be reduced by introducing transparent or controlled systems administration, as in: every access to the database during the tally is logged, and any unexplained access can be used to invalidate the vote. For such a log to mean anything it must be written somewhere the administrators themselves cannot alter, for instance forwarded as it happens to a machine held by another faction. Or, administration rights can only be exercised when two people who are unlikely to conspire (from opposing factions in the movement, for example) each enter their half of the access credentials.

Another option to increase trust in the webmaster is simply to have them elected in a physical assembly. It cannot be a role appointed by the leadership, as that would be a conflict of interest.
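The two-person rule above can be enforced cryptographically rather than by asking people to remember half a password each. The following is an added example, not DiEM25's or LiquidFeedback's code: the database credential is split with Shamir's secret sharing into three shares, say for two webmasters from opposing factions and one elected guarantor, so that any two of them together can reconstruct it while a single share carries no information about it. The sample credential is constructed; the 65-byte limit follows from the prime chosen for the field.

```python
# Added example (not DiEM25's or LiquidFeedback's code): the two-person rule
# from the paragraph above, implemented by splitting the database
# administrator credential with Shamir's secret sharing. Any 2 of 3 shares
# reconstruct the credential; a single share reveals nothing about it.
import secrets
from typing import List, Sequence, Tuple

PRIME = 2**521 - 1          # a Mersenne prime; secrets must be below it

Share = Tuple[int, int]     # (x, f(x)) point on the secret polynomial


def _eval_poly(coeffs: Sequence[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y


def split_secret(secret: int, threshold: int, holders: int) -> List[Share]:
    """Random polynomial of degree threshold-1 with the secret as constant
    term; share i is its value at x = i (x = 0 would be the secret itself)."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret too large for the field")
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def reconstruct(shares: Sequence[Share]) -> int:
    """Lagrange interpolation at x = 0. With fewer than threshold shares the
    result is an unrelated field element, not the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse: den^(p-2) = den^-1 mod p
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def share_password(password: str, threshold: int = 2, holders: int = 3) -> List[Share]:
    """Hand one share each to, e.g., two webmasters from opposing factions
    and one elected guarantor; any two of them together can log in."""
    raw = password.encode("utf-8")
    if not raw or len(raw) > 64:
        raise ValueError("password must be 1..64 bytes")
    return split_secret(int.from_bytes(raw, "big"), threshold, holders)


def recover_password(shares: Sequence[Share]) -> str:
    value = reconstruct(shares)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return raw.decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample credential, not a real one.
    shares = share_password("lqfb-db: correct horse battery staple")
    print("webmaster A + webmaster B:", recover_password([shares[0], shares[1]]))
    print("webmaster A + guarantor:  ", recover_password([shares[0], shares[2]]))
```

Note what this does and does not buy: the credential is reconstructed in memory on the machine where the two holders meet, so that machine and that session still have to be logged and, ideally, be the only path to the database (no second password sitting in a config file). The scheme protects against one person acting alone, not against two of the three colluding, which is why the holders should be chosen from groups unlikely to conspire.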

If paper voting is an option for you at least in some occasions (dunno, plenary meetings or the like), I recommend resorting to it as much as possible. If it is not, then you have to bite the bullet and accept the above drawbacks. When you have to make compromises, my recommendations would be:
  • non-anonymous voting for everything that is not a nominal election
  • no real-time tallying, but only real-time monitoring of participation/abstention (which does shield against some attacks)

So ultimately we agree. Now that even the CC's advisors agree with us, will the leadership of DiEM25 take any measures accordingly?

Update: Guarantor Group won't help

In the 5-Star Movement (M5S) the responsibility for ensuring the correctness of the voting machinery has been passed to an elected guarantor group. These people would look at the source code, check the database and the like.

Still, they have technologically no way to ensure that votes haven't been falsified on the way into the database. So the trust placed in the webmaster, or whoever else has technical access to the database (government agencies, or even spare-time hackers, as in the case of M5S' 0rogue0, the person who claims to still have access to the M5S voting machine "Rousseau"), has simply shifted from the participants in the political project to a handful of elected guarantors who probably have an interest in proclaiming the voting system safe, although they technically cannot ensure its safety at all. Electronic secret voting on a website is technically impossible to secure, and whoever offers guarantees in that regard is in conflict with democratic constitutions. Please don't accept any such trick, should it be proposed to you.

Update: Why is secret voting on a website insecure?

I'll try to explain in layman's terms. On one side we have the person who would like to exercise their political will by clicking the appropriate button on a web page. On the other side we have a database on a server that is supposed to register that choice and, by means of cryptographic hashing, could even make later modification difficult.

Yet, along that way there are several technologies that we trust blindly to operate in our interest: the manufacturer of your computer or smartphone, the maker of the operating system, and the manufacturers of the individual chips inside those devices that handle the transaction, such as the central processing unit, the network interface and the memory controller.

And then there are all the Internet service providers, routers and gateways, each of which is in a position to attempt a man-in-the-middle attack on the HTTPS connection; HTTPS only protects against them as long as none of the certificate authorities your browser trusts has been compromised or coerced into issuing a certificate for the voting site. Such an attack may be neither easy nor frequent, but all of these companies, and the governments behind them, still have these powers. Remember, the PRISM programme revealed by Snowden never stopped. Should DiEM25 one day be the political power governing Europe, the governments behind these companies would have an interest in intercepting each voter's mouse-click and turning it into a click on the wrong button. And don't say we'll have a better voting system by then, because that is never true: people never change an apparently running system. The time to make the right choices is NOW.

Given the complexity of today's technology, even an Intel processor platform (whose Management Engine runs its own operating system and, in the AMT variant, even a web interface) could in principle be remotely instructed to intercept just that one click headed to internal.diem25.org and modify it just enough to indicate the opposite of what you clicked.

The same goes for every Android, iPhone or Windows 10 operating system. A "system update" could instruct them to modify all clicks to a specific internal.diem25.org URL in a specific way a few days before the start of the voting process, and the update could be removed right after the results are presented. And suddenly we'd be surprised why the majority of DiEM25 voters wants a free trade agreement with the USA, to name an example scenario.

It's not something an average hacker can do, but should DiEM become of any relevance, there are several nation state actors that do have that ability. Thanks to Snowden we even have partial evidence in that regard, not just logical deduction from the sorry state of proprietary technology.

This is not science fiction. This is fact. That's why governments all over the world are struggling to obtain secure technology for their strategic communications. In our current technological situation there are privileged parties from whom it is impossible to keep secrets and by whom it is impossible not to be manipulable. We are using computers that are owned by other people; how can we expect them to do what we want? That's why our digital voting systems must be safe from this kind of abuse by being fully transparent and verifiable. Nothing less will ever do.

And in the long run maybe we should make it illegal for systems that affect fundamental human and democratic rights to operate on proprietary technology owned by others, but that's the essence of pillar 7.

Update: EU has lowered democratic requirements on electoral wings

The EU has reduced the democratic requirements for projects that aren't proper parties yet (see the Bundeswahlleiter on "sonstige politische Vereinigungen", other political associations). This means that it might indeed be legal to promote structures with unverifiable voting systems that webmasters or foreign intelligence agencies are able to manipulate. One question is: can we ethically agree with the creation of structures that bypass verifiability just because it may not be obviously illegal yet?

The new regulation does however stress the need for member participation in the creation of policy, so a legal case in which a court establishes that the methods used by DiEM25 aren't verifiable and thus cannot guarantee such participation (if the decisive parts have in fact been decided elsewhere) could kick the entire DiEM25 project out of the political race. At least any member of any electoral wing could bring about such an EU court decision, if not regular DiEMers.

This site is licensed to the public under a
Creative Commons Attribution 4.0 license.