[EM] proxies and confidentiality
Abd ul-Rahman Lomax
abd at lomaxdesign.com
Fri Mar 10 19:48:17 PST 2006
At 11:07 AM 3/9/2006, Raphael Ryan wrote:
Something which raises an interesting possibility I had not considered before:
>...Another option would be something like meta-proxies. You vote
>for a meta-proxy and they get to vote your vote. However, they
>promise that they will vote it as requested by your actual
>proxy. They could then also provide an online interface.
>In principle, this meta-proxy could provide secure communication
>between the voter and the proxy. The proxy could then know that the
>communication is from a voter who has named them as proxy.
>However, this then allows a voter to prove to a proxy that they have
>selected them as proxy (by sending a message with a code word or
>something). The meta proxies would have to only allow "honourable"
>proxies to register as proxies with them so as to protect the voter.
>This could be mitigated with a two stage process.
>Each person submits a secret ballot naming the meta-proxy that they
>feel is most honourable. This step is counted by the government.
>These proxies are given vote strength in proportion to their votes.
This is Secret ballot Delegable proxy. This is not a metaproxy, it is
what I usually call a direct proxy, and I will call it that. As I
read what was written, in the second part, the direct proxy does not
initially know who has given him or her a proxy, unless and until the
voter validates it; the proxy only knows how many votes have been
received. And the government also knows that number. The identity of
the voters giving their proxies to the metaproxy is secret unless the
voter chooses to disclose it, and, in the scheme shown (which,
without getting into details, I think could be done), there is a
means whereby the voter can do this, a password which is entered with
the casting of the ballot.
However, I must note that this scheme requires there to be a direct
proxy who is publicly known, but who only functions to assign a proxy
to the second level. This is, in fact, simply delegable proxy with a
rule that the first proxy does not function beyond that level. And
the direct proxy names the first indirect proxy as directed by the
voter. So we have this person, Raphael calls a metaproxy, who is, in
fact, simply a proxy with a specific task, and who must be considered
trustworthy by the voter.
I'd say that this is precisely the task of a direct proxy. The
proposals made for secret ballot delegable proxy don't *prohibit*
voters and proxies from communicating; this scheme merely makes it
possible for the secretly-assigned proxy to be opened to the proxy in
a validated way. I'm not sure that is necessary, that it would be
worth the effort of managing the password system, and any password
system makes it possible to coerce votes.
If the voter can prove to the proxy that the voter has voted for the
proxy, then the proxy can coerce the voter and can know whether or
not the voter has complied, simply by demanding proof. No proof, watch out!
On the other hand, assuming that there is a significant risk of
coercion or retaliation, secret ballot assignment of direct proxies
seems worthwhile. And voters can then *claim* to have voted for the
proxy. If they didn't, so what? The proxy can still refuse to
communicate with them, or can listen to them. Proxies are not rubber
stamps; rather, they are trusted servants, trusted to make good
decisions in the *absence* of the master. The master may review their
work, and may discharge them. They are not slaves, however, the
masters cannot coerce them, nor can they coerce the masters into
I no longer think, after this discussion, that secret ballot
assignment of direct proxies would significantly inhibit the
communication that I think essentially to a well-functioning proxy
system. The reason is that voters may communicate with their proxies
and the proxy may use his or her judgement in deciding what to do as
a result of the communication. The essence of the proxy assignment is
a collection of trust, and that trust is passed on if the proxy is
not fully qualified at the top level.
I am opposed to voters naming a proxy and instructing that proxy whom
to name at the next level. I do not see, indeed, proxies distributing
their votes according to the instructions of all those they
represent. Yes, a proxy could agree to do this, I don't think it
should be *forbidden*, but I, as a voter, would not want to do it,
and, were I a proxy, I would not want the hassle.
Delegable proxy does something quite interesting if everyone simply
selects one proxy, the person they choose to act for them in the
relevant arena, when they are absent or cannot otherwise act.
Aside from loops, this creates a natural hierarchy. Loops are
considered a problem by some students of delegable proxy. They are
simply a condition, and an inevitable one if everyone selects a
proxy. Even if every person in the universe selects one person as a
proxy, who acts in the absence of this superproxy?
A loop is necessarily created, or else the superproxy is unique and
does not select a proxy. And someone incapable of trusting others is
not someone I would want in such a vastly powerful position.
The only problem is when loops are small and exclusive, resulting in
the lack of representation of a group of people at a higher level.
And all that need be done about *that* is to inform the members of the loop.
In a secret ballot system, this cannot be done reliably; however, it
is not necessary to so inform the involved voters themselves, individually.
In secret ballot DP, I'd suggest, proxies also vote in the secret
ballot system, but they would routinely vote for themselves. Then
they would select their own proxy generally from public proxies,
others who are acting publicy.
In ordinary DP, the proxy simply votes for himself or herself, and
the votes of those represented are automatically added. In
secret-ballot DP, the proxy's vote would be included in the votes
assigned secretly, and would not be added to the secret votes.
So loop recognition need only deal with the public part of the
system, and, further, membership in a loop should be determinable by
anyone. (A proxy might not care that he's in a loop, but those who
vote for him secretly might not like that sometimes they are
unrepresented at a higher level, and that the proxy has not acted to
correct this. And so they could, at next opportunity, change their
secret proxy assignment.)
>Proxies can register at the meta-proxies. However, a meta-proxy can
>refuse to accept a proxy due to the proxy being corrupt (or for any
I think this is simply delegable proxy with the "metaproxy" being
restricted in some ways, and I see no reason for that restriction.
The metaproxy is not going to instruct the "proxy" how to vote or to
whom to assign their proxy in the assembly, so why should the
metaproxy be instructed?
The basic rule for voting in secret-ballot DP is to vote for someone
you trust, presumably you trust the person's character, you trust
their intelligency, you trust that their general opinions will be
harmonious with your own, or that if they are not so harmonious,
maybe the proxy is right and you aren't....
It can be hard to find someone to trust who is also willing to take
on the responsibility of representing you. It largely does not happen
today, distrust of politicians is endemic, even by those who vote for
them. They vote for them as the best option available. I've written
that they will vote for someone they know is lying to the public,
because at least he tells them the lies they want to hear and
promises to give them what they want, so maybe he will deliver on
some of those promises, whereas the opponent is not even promising
what they want. And, these people think, they all lie, so lying is
not a disqualification.
So, once you have found someone you can trust, why not simply name
this person as your proxy, if the person is willing to function
publicly (as a "metaproxy" must be in the scheme proposed). Why waste
that person, making him or her merely into a messenger who mindlessly
-- but honestly and accurately -- passes on a vote for someone else?
I can't think of a reason.
> >I really don't think that secret ballot is necessary any more, in
> >most places. But many will still want it, and, as long as reports of
> >coercion are taken very, very seriously, allowing people to
> >voluntarily vote openly, which makes things *very* simple and
> >efficient, make more sense to me than a complex scheme.
>You are probably right. However, secret ballots prevent the drift
>to a situation where they are actually needed.
I disagree. Many dictators or dictatorial regimes were voted into
power by secret ballot. Secret ballot is corruptible. Open assignment
is not. And I strongly doubt that a delegable proxy democracy could
ever drift toward coercion in any way that would be preventable by
secret ballot. (I'm much more concerned about direct coercion by
government than I am about coercion of votes, which is indirect and
expensive. The "unanimous" election of Saddam Hussein was carried
out, supposedly, by secret ballot. I find it utterly incredible that
there were no votes against him, so I assume that there were, but the
ballots disappeared. However, it is credible that many would have
voted for him in fear that a vote contrary to what was demanded could
result in serious personal harm. The problem was established coercive
power, not the possible exposure of votes.
Secret ballot is largely moot in a dictatorship. In a relative
democracy, it is a protection against rogue elements, not against a
general drift toward coercive government, which secret ballot will
not prevent in any way superior to that of open voting. Coercion by
neighbors is a problem, to be sure, but is also illegal, if truly
coercive, and the problem with massive coercion is that it is very
difficult to keep secret.
As I've written, secret ballot complicates delegable proxy a little,
but not much. The system moves into the light, presumably, at a
certain level. It is the open system that will be really interesting.
More information about the Election-Methods