[EM] A quick, dirty, and somewhat obvious method for a secret proxy ballot

[Abd ul-Rahman Lomax]

At 04:14 AM 11/16/2005, Scott Ritchie wrote:
>On Sun, 2005-11-13 at 19:28 -0500, Abd ul-Rahman Lomax wrote:
> > The obstacle is the tradition of secret ballot, considered necessary
> > to safeguard against coercion. However, it is my suspicion that the
> > dangers of open voting in a society functioning with rule of law are
> > drastically overstated, and, indeed, the use of secret ballot may
> > allow more abuse than it prevents.
>
>It is entirely simply to have a secret ballot by delegable proxy -
>simply keep the fact that someone is a proxy a secret!  It does,
>however, require some level of trust in a software counting program.

This kind of necessary trust is inherent in secret ballot and 
unnecessary in open elections. So, really, whether secret ballot is 
better or worse than open elections may depend entirely on the conditions.

Delegable proxy considered only as an election method will miss this: 
if proxies know who they represent, they can become a bidirectional 
synapse in the social nervous system. This is not so simple when 
there is secret ballot.

However, the election by delegable proxy page on the EM wiki proposes 
a hybrid system. The basic idea is that anyone may declare themselves 
available as a proxy. Yes, one possible implementation is that they 
are then assigned a number. This is merely for convenience in 
identification, names could be used, as with write-ins now (our local 
elections require a name *and* address for write-ins).

So at the base level votes are assigned to proxies by secret ballot. 
Above that level, it is completely open. People essentially choose to 
make themselves public voters. It's really the same now in the U.S. 
If you run for office as a representative, you are choosing to make 
your votes (on legislation, legislative officers, etc.) public.

One detail. If there is concern about small-scale coercion, perhaps a 
husband demanding that his wife assign him her proxy, I'd suggest 
that anyone who receives less than N votes be informed of that fact, 
and would then recast their votes, without knowing how many they 
received, to someone who received more than that threshhold. The 
threshhold would be very small, just large enough to make it 
impossible to know for sure that so-and-so did not vote for you. 
Three, actually, might be large enough to blur the issue.

In one conception, declared proxy candidates would not vote in the 
secret election. Their votes would be cast openly, later. In another, 
all would vote in the secret election, and then would only have as 
many votes to cast openly as they received; it would not be known if 
that included their own vote or not.

But as soon as secret ballot is involved, there must be a trusted 
election process. In open elections, fraud is essentially impossible, 
because votes can be validated and verified, by the voter himself or 
herself, and by others.

So it's a trade-off. Protecting individual citizens against coercion 
and retaliation, we open the door to fraud. We *know* that fraud is 
an issue, there is plenty of it in the U.S.

The question is how much coercion and retaliation there would be. 
What I generally propose is an open system with periodic secret 
ballot validation. But secret ballot delegable proxy would be almost 
as good, allowing anyone who fears retaliation to vote secretly. 
However, of course, the nefarious tyrant would order his victims to 
vote openly.

In the end, what I come up with currently is completely open 
delegable proxy in non-governmental organizations, where power is not 
directly exercised, there is only communication and voluntary 
coordination. There is not a lot of risk involved there. And then in 
public structures, *present* systems would be used. Or perhaps Asset 
Voting would be used, with some precautions.

>For example, give every registered voter a number.  If I wish to use
>someone as a proxy, I write his number down instead of my vote.

Or, in Asset Voting, you vote for him or her. Asset Voting creates, 
essentially, an electoral college with as members all those who 
receive votes, and each member has as many votes as they received. 
The original Asset voting scheme allowed 3-place decimal distribution 
of votes, i.e., you could vote 0.321 for one, 0.627 for another, and 
0.052 for a third. If your votes don't add up to one, your vote is 
tossed in the trash because you are obviously too math-challenged to 
qualify as a voter.... (Just kidding: Warren Smith is a math 
professor....) My simplification was to use approval-style voting. If 
you vote for one, that person gets one vote. If you vote for N, each 
of them gets 1/N vote. So, effectively, you vote for a person or for 
a committee.

Asset Voting was conceived as an election method, so these votes 
would then be recast by those holding the "assets." It would be 
fabulous for proportional representation; any candidate receiving the 
quota would be ipso facto elected (and would be able to recast the 
excess votes). But it would also work for single-winner, though with 
single winner there are almost inherently "wasted votes." Unless 
somehow the revoters can find a true consensus candidate.

With sufficiently large proportional representation, though, wasted 
votes would be held to a minimum. (As I'd have it, votes would not 
necessarily be wasted until the next election was held, because if at 
any time the remaining votes not cast for a winner were amalgamated, 
a winner would be created. Yes, if any votes are not recast for a 
winner, there would be at least one vacant seat. At least that is how 
I would do it, instead of using the Droop quota.

>   The
>computer then temporarily maps each voter to his vote choice, replaces
>each proxy vote with what it ultimately counts for, and then reports the
>results omitting the individual voter number/vote choice pairs.

Certainly that could be done, but it is inherently untraceable and 
therefore inherently vulnerable to fraud. Defective or deliberately 
manipulable software is only the half of it.

However, if the raw ballots remain available, presumably they could 
be independently analyzed, so the problem reduces to having secure 
ballots, guarded by ... who?

>If multiple voting machines are needed, then we can apply some simple
>cryptography and encrypt the votes before they reach the counting
>machine, such that they are never exposed in their readable state to the
>public until they've been stripped of their voter number/vote choice
>matchings.

If the proxies consent to *their* votes being public, there is no 
need for this kind of security. For basic protection, all that is 
needed is that the ballots be anonymously cast. I've mentioned the 
one fly in the ointment, the possibility that A would say to B, "Vote 
for me or else....," and then if A did not receive any votes, A would 
know that B was disloyal.

The fact is that this hazard exists now. But we can neglect it now 
because almost always anyone who actually runs for office gets a few 
votes at least. As a write-in, though....

However, consider this: my wife ran for the local school committee as 
a write-in. Nobody had qualified to be on the ballot. When the votes 
were counted, there were several persons reported as having received 
one vote each, and nobody more than that. Now, I'm sure I voted for 
my wife, she voted for herself, and we think several neighbors who 
knew about the candidacy also voted for her. So what happened? Well, 
it turns out that election officials can be a little flaky.... A 
member of the board of selectmen who was present for the vote 
counting said "I remember her name being on a ballot." He was not 
terribly exercised about the whole thing; he said, "If she wants to 
serve, just let us know and we will appoint her," which they had the 
power to do since the office was vacant....

I already knew from Florida how flaky vote counts really are....

(My wife decided that she didn't really want to do it anyway.)