Online voting/fraud

From ICMS
Revision as of 13:23, 5 June 2011 by Woozle (talk | contribs) (moved Online voter fraud to Online voting/fraud: reorganizing a bit)

About

Online voter fraud is the phenomenon of voter fraud as it applies specifically to online voting techniques. Voter fraud is any situation where an individual voter deliberately causes their vote (i.e. expression of preference) to be counted towards the final vote results in ways that violate the rules under which the voting system is supposed to operate -- typically for the purpose of exercising disproportionate influence over those results.

Voter fraud is actually very rare in traditional voting methods, for reasons which have probably been studied (though I do not have any specific data). My understanding of the reasons for this is solely speculative at this point, but one obvious conclusion is that the degree of verification done before any individual is allowed to vote means that the required effort is very high even to double one's legitimate vote, while the gain per extra "weight" is very low -- with the bottom line being that effort to influence the vote is best spent elsewhere. (Further data is needed to confirm if this is in fact the case, or if there are other factors which might be considered when designing an online voting system.)

Online voting, however, is particularly vulnerable to voter fraud due to the difficulty -- and in some cases the undesirability -- of verifying identity in online voting situations.

This article is chiefly concerned with methods of minimizing online voter fraud (rather than rigorously preventing it), to the point where we can be reasonably sure that it is not a factor affecting the final outcome. Ideally, we should be able to set a level of confidence that we need for any given decision, and tweak various parameters to meet that level of confidence by trading off for various other factors.

Context

This discussion makes some assumptions about the context in which voting is taking place:

  • The voting software will be just one of a particular set of tools designed to work together.
  • The various tools, the web site they run on, and the group of users at that site, constitute a social node.
  • Social nodes will share voting data with each other to produce decisions on matters affecting more than one node.
  • The key software for running a social node is designed to make it easy for disgruntled users to fly off and open another branch.
    • software is free/open-source
    • sufficient user data is exposed to at least invite all users to a new node
  • By the time these processes have gained enough usershare to have any significant influence, there will be many different social nodes in use (comparable to the number of wikis currently in existence).

Methods

Crude and Intrusive

The obvious, brute-force method of voter fraud prevention (online or off) is to require every voter to identify her/himself using some universally available form of unique identification. We couldn't use credit card or bank account numbers, for instance, because individuals commonly have more than one bank or credit card account, and they are very easy to obtain.

government ID: unsatisfactory

The obvious, essentially "air tight" method of identification would be to require government identification, such as a driver's license or passport. Since a large part of the reason we are even looking into this question involves the goals of local autonomy and decentralization, however, this is less than satisfactory. (Even if it were satisfactory, it would still be relatively easy to fool, since we would only be looking at images of government documents, which are very easy to alter.) This method would also require a privileged class of user with authorization to view those documents and act as gatekeepers. We do not want either of those things, although there are ways to make them accountable and reasonably fair.

street address: half-satisfactory

A less "air tight" but also far less government-dependent method of verification would be to require every voter to furnish a street address, to which a postcard with a password would be mailed. This method is flawed, but would probably produce at least as accurate an approximation of democracy as the system we use now.

Some concerns, and answers to them (where applicable):

  • This method would actually cost money -- postage isn't free. We would have to secure funding for postage, not to mention the machinery to print out and mail all those cards.
  • What do you do if someone from another address reads the password off your postcard?
    • At some point, two people will be trying to use the same account number and password; this will be detected. At that point, corrective measures can be taken.
  • What about houses with higher occupancy than we are allowing for? Or houses with lower occupancy, whose occupants register up to the limit just because they can?
    • There are a number of hit-and-miss methods we could use to minimize this. (Going into them doesn't seem worth the time, as I am not really seriously considering this option either; I'm mainly bringing it up to illustrate the issues that arise.)
    • To some extent, how much does this really matter? At most, we have a percentage of our votership getting N times their official voting influence, where N is the maximum number we assume for a house. Are such voters likely to have a specific influence on elections? Can anyone use this discrepancy to influence the system? I don't really see how, especially if we take steps (see previous point) to make it difficult to get away with this.
  • Again, this requires a privileged class of user able to access personal information of other users and allow or deny them voting privileges. This isn't a total dealbreaker, but it certainly renders the scheme less than satisfactory if we want a level, peer-to-peer, decentralized structure.
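
One way the "two people using the same account number and password" case could be detected, as an added example that is not part of the original article or of any ICMS software. It assumes a chronological vote log and a per-browser client id (both hypothetical), and that re-voting from the same client is allowed.

```python
from collections import defaultdict

# Constructed sample events: timestamp, account number, client id
# (a hypothetical per-browser token), ballot id, choice.
SAMPLE_LOG = """\
2011-06-05T10:00:00 acct-1001 client-a ballot-7 yes
2011-06-05T10:05:00 acct-1002 client-b ballot-7 no
2011-06-05T11:30:00 acct-1001 client-c ballot-7 no
2011-06-05T12:00:00 acct-1002 client-b ballot-7 yes
2011-06-05T12:10:00 acct-1003 client-d ballot-8 yes
not a log line
"""

def parse(log_text):
    """Yield (timestamp, account, client, ballot, choice); skip malformed lines."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 5:
            yield tuple(fields)

def find_contested_accounts(log_text):
    """Accounts that voted on one ballot from more than one client.

    Returns {account: {ballot: [client ids in order of first use]}}.
    A hit is a trigger for corrective measures, not proof of fraud:
    one person voting from two devices looks the same.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for _ts, account, client, ballot, _choice in parse(log_text):
        clients = seen[account][ballot]
        if client not in clients:
            clients.append(client)
    return {
        account: {b: c for b, c in ballots.items() if len(c) > 1}
        for account, ballots in seen.items()
        if any(len(c) > 1 for c in ballots.values())
    }

def countable_votes(log_text):
    """Last vote per (account, ballot), holding back contested accounts."""
    contested = find_contested_accounts(log_text)
    votes = {}
    for _ts, account, _client, ballot, choice in parse(log_text):
        if account not in contested:
            votes[(account, ballot)] = choice  # later lines overwrite earlier
    return votes
```
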

Decentralized and Organic

A method that may become useful later on, as the task of user-management becomes larger and difficult to centralize, is what I will call crowdsourced reputation, for lack of a better term. It can be applied to a number of online decision-making processes, but here is how it applies to voting.

Local Centralization

A simpler solution that addresses all of the above issues is for each node to have a supreme dictator-sysop deciding which users are real and which are not, deploying whatever assistance or tools s/he feels are helpful in making that determination -- remembering that there would be many nodes for each user to choose from, and that any user or group of users who become disaffected with the way recognition is handled would be free to fly off and open another branch.

(Note for libertarians: this means that we have multiple local "governments" "competing" with each other for votershare in an "open marketplace". You will have to decide if you love this concept because it is "free market" or hate it because it is not only "government", but multiple governments spawning and breeding.)

One thing to note is that this scheme gives a certain amount of (limited) power only to those with sufficient technical skills to set up a node. While any kind of power is subject to possible misuse, the ability to leave the node in cases of mismanagement serves as a sharp check on this power -- and practical technical competence (as opposed to certified technical competence) as a pre-requisite for limited power seems refreshingly meritocratic when compared to the current political system.

This system seems like the best system to use early on, while the software is still in a state of testing and tweaking (and when multi-node vote aggregation is less of an issue), since it will require less programming work to produce something usable.

Possible exploits include:

exploit: single user, multiple nodes

A single user could gain recognition at multiple social nodes and thereby have more than their "fair" share of influence, especially if they are a gregarious person known to many people with different interests.

While this scenario would be a problem if we want to keep strictly to a rule of "one person, one voteshare", it seems to me that the extra effort involved in getting to know more people and spending more time discussing things means that each extra voteshare of influence would be paid for in terms of participation-time, which is something we want to encourage. This is something to watch, but I do not yet see any mechanisms by which it could actually cause a problem.

Individual supreme dictator-sysops could also do some cross-checking amongst themselves, using people's real names in private, to minimize -- or at least prevent misuse of -- this activity.
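
A sketch of how sysops could do that cross-check while exchanging only keyed digests rather than the names themselves, as an added example that is not part of the original article. It assumes the sysops share a secret key out of band; the rosters, usernames, names and key below are constructed.

```python
import hashlib
import hmac
import unicodedata

# Constructed demo values; a real key would be random and kept among the sysops.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
NODE_A = {"alice_w": "Alice Example", "bob": "Bob Sample", "zs": "Zoë Sample"}
NODE_B = {"AE": "  alice   EXAMPLE ", "carol": "Carol Placeholder", "zoe": "Zoe sample"}

def normalize(name):
    """Fold case, accents and spacing so trivial variations still match."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())

def blind(name, shared_key):
    """Keyed digest of a real name.

    Names are low-entropy, so anyone holding shared_key can test guesses;
    the key therefore stays with the sysops, who already see real names.
    """
    data = normalize(name).encode("utf-8")
    return hmac.new(shared_key, data, hashlib.sha256).hexdigest()

def export_roster(roster, shared_key):
    """roster is {local_username: real_name}; returns {digest: local_username}."""
    return {blind(real, shared_key): user for user, real in roster.items()}

def overlaps(my_roster, their_digests, shared_key):
    """Local usernames whose real name also appears in another node's digests."""
    mine = export_roster(my_roster, shared_key)
    return sorted(user for digest, user in mine.items() if digest in their_digests)

def digests_from_node_b():
    """What node B would send to node A: digests only, no names or usernames."""
    return set(export_roster(NODE_B, SHARED_KEY))
```

Two different people who share a name produce the same digest, so a match is a prompt for the sysops to compare notes rather than a finding.
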

exploit: rogue sysop, phantom users

A sysop could invent and "recognize" fake users sufficient to gain essentially total control of a node's decisionmaking process and its influence on larger votes.

(This is actually more analogous to election fraud, but in decentralized and peer-driven systems the line between who is an "official" and who is a "voter" is -- intentionally -- less clear.)

Using the "local centralization" solution recursively -- treating each node in a node-group as being like a "user" on a node, and allowing some central authority to decide which nodes count and which don't -- does not work here, as the power gets more and more concentrated as we get to larger scales. Concentration of power is, arguably, the main problem we are trying to solve by designing these new voting systems.

I'm not going to try to work out a solution in detail yet, because it doesn't seem the most important thing to do right now, but here are some things to keep in mind:

  • For any given decision, there will be one or more people actually implementing it.
  • Implementing a decision generally requires some kind of cooperation between a large number of people. If the decision is to build a bridge over a highway, for example, then you have:
    • one group of people to design the bridge
    • another group to produce the necessary materials
    • a third group to obtain the necessary equipment and do the work of putting everything together
    • a fourth group to check things over afterwards to make sure it was done right
    • further groups afterwards, indefinitely, to handle usage, maintenance, safety, and other concerns
  • All of these groups of people need to feel confident that all of the other groups are not only "on board" with the project but also competent to do their part and sufficiently reliable that they will be prepared to start when it is their turn.
  • Whatever the process is, it must provide that confidence. (What we're trying to do here is provide that confidence with explicit consent from all involved, based on open and honest dialogue about the issues before making a decision, where the current system provides that confidence through economic incentives controlled largely by a small number of players chosen by a system that occasionally allows democratic input.)

(The above bullet-points should probably go onto a separate web page about the nature of power or decisionmaking or something.)