Social Enactment of NI4D

Background

The National Initiative for Democracy (NI4D) is a proposed constitutional amendment and federal statute that would add a national initiative process to the United States. An initiative process lets people propose laws and have the people vote on them. It does not alter Congress; it adds an orderly process by which decisions can be made directly by the people. Note that the current Constitution contains no provision for the people as a whole to amend it directly, which makes amendment very difficult (perhaps for good reason).

Congress has no incentive to dilute its own powers by allowing initiatives, so the chance that NI4D is enacted by Congress is close to nil. Secondly, the text of NI4D is written to be as fair as possible, with the process siding with the people; if Congress were to design such a process or rework the NI4D text, the result would likely be ruined. Therefore there is really only one way for this to be passed into law: hold an initiative (a kind of self-referendum) directly with the people. If we have a government of the people and by the people, it is the people who choose their method of government, and hence they have the right to change the Constitution. In other words, we the people do not need the government's permission to do this.

Therefore, in order to get an initiative process, we need to ask ourselves, the people, whether we want one. The process defined here need only be carried out once, to bootstrap an initiative process. Once an orderly initiative process is in place, a normal voting procedure can be used for all future initiatives. The only other time this sort of mechanism would be needed is when the orderly voting process is unusable (e.g. corrupt, or broken in some way).

Introduction

This document proposes a process by which the people vote on The National Initiative for Democracy, and by which that vote is certified using a purpose-built social network.

The purpose of holding the election is to determine whether we, the American people, want the National Initiative for Democracy. The process involves people voting and their ballots being certified. Some of those who vote will help certify the vote by becoming certifiers and, in turn, getting other people to vote. A person can be certified by more than one person.

The certification of a ballot means that the person voting the ballot is

  1. who they say they are,
  2. a registered voter, and
  3. the owner of the ballot.

The person certifying should not know how a person voted.

The system should ensure that people only vote once by using the identifying data a voter enters.

In a government-run election, poll workers are entrusted with similar duties: they ensure that people who show up at the polls are who they say they are (some states allow poll workers to ask for ID) and they verify that they are registered.

The election on the National Initiative shall be as good as or better than any government-run election. We will ensure this through a reasonable certification process in which each voter is certified by people who have themselves been certified.

At the end of the election, two lists are published: the certified voter IDs, and every ballot with its ballot ID and how it was voted. Nothing published links a voter ID to a ballot ID. Each voter, knowing their own ballot ID, can look it up and see for themselves that their vote was counted the way they cast it. (A voter should treat their ballot ID as private information and not disclose it.)

The certification repository

The process requires one or more certification repositories to track the vote. For the purposes of this election for The National Initiative for Democracy, the certification repository shall be run by the non-profit organization Philadelphia 2.

The social certification

To begin with, two individuals publicly certify that they are who they say they are. This can be publicly shown to be true using some form of government issued identification. This is illustrated in figure 1.

Once each of these two people has shown the other that they are who they say they are, they have certified each other. They can then certify other people, as shown in figure 2.

Person 3 can become a certifier by getting certified by at least 2 different people as shown in figure 3.

Any of these people can then certify other people. Only people who have been certified by at least 2 other people can certify others.

In this way, people who are interested and willing to help can help by getting other people to vote and by certifying those people as legitimate voters.

The ballots

The way someone voted shall be private. The person certifying another person should not know how a person voted, but they will be able to ensure that their ballot belongs to the person they are certifying.

A voter has a voter identifier, which they may share with a certifier. A ballot has a ballot identifier, which the voter must keep secret.

To become certified, the voter presents their voter identifier to a certifier along with their identification. Once satisfied, the certifier informs the central repository, which keeps track of who has voted and of the certifications, and the voter is marked as certified.

To show complete openness and transparency of the election, all ballots are published with their ballot identifier but no identifying information (just the identifier and whether it was voted for or against). This allows anyone holding a ballot to look up their ballot identifier and see that their ballot was voted the way they intended. Since only the ballot identifier is published, and provided the voter never discloses it, nobody can tell who voted which ballot. For this to hold, ballot identifiers must be random and unguessable rather than sequential, and the published list must not be ordered in a way that mirrors the order in which voters registered, or the two lists could simply be lined up against each other.

In order to ensure a person votes only once, and to allow them to change their ballot, the repository keeps an internal linking table that ties ballot and voter together. This table should be encrypted at rest, with the key held apart from the database, since it is the one place where a vote and a voter can be joined. Once the election is completed, the table is discarded.

Certification of Ballots

After a person votes, they receive their voter and ballot identifiers. They need only present their voter identifier to someone for certification. The process of certifying a ballot is as follows:

  1. The certifier shall verify the identity of the person using an acceptable form of identification (driver’s license, passport, or other government issued identification). Note that some states do not even ask for identification when a voter shows up to vote.

    The justification for using government-issued ID is that it is a well-accepted form of identification, and it lets us (the American people) convince ourselves that we have taken steps to allow only registered voters to vote on this initiative. Most adults in the US already hold some form of government-issued identification, such as a driver's license or state ID card, so relying on it imposes little additional burden.

  2. The certifier shall, using the information from step 1, look up the voter’s voter registration to verify that this person is indeed a valid registered voter. The exact method of doing this varies from state to state.
  3. Once the certifier is satisfied that the person is who they say they are and is a valid voter, they send the following information to the central repository:
    1. The certifier's identifier
    2. The voter's identifier
  4. The central repository does a reverse lookup of the voter's identifier in the linking table described above, finds their ballot identifier, and marks the ballot as certified.

As mentioned in step 2, each state has its own voter registration database, and it is anticipated that certifying a ballot will be far more difficult in some states than in others. Many states offer a way to verify a voter's registration on a public web-site; others only release voter registration information on paper, on request. Some certifiers may choose to specialize in the more difficult states, for example by volunteering to request the state's printed voter registration. The central repository's web-site will help link up voters with certifiers who have the capability to certify their ballot.
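The ballot and certification handling described in the two sections above, as an added example (not code from the proposal or from Philadelphia 2): an in-memory model of the central repository that keeps the voter side and the ballot side apart and joins them only through the linking table. The class and method names, the two-choice ballot and the in-memory storage are assumptions; a real deployment would hold the linking table encrypted with a key kept outside the database.

```python
import secrets
from dataclasses import dataclass, field

# Added example (not from the proposal): an in-memory model of the central
# repository. Names, the two-choice ballot and in-memory storage are assumptions.

CHOICES = ("for", "against")


def new_id(prefix):
    # Random, unguessable identifiers. Sequential numbers would let anyone
    # enumerate every ballot and pair the Nth ballot with the Nth voter.
    return f"{prefix}-{secrets.token_urlsafe(12)}"


@dataclass
class Repository:
    # Voter side, shared with certifiers: voter_id -> certifiers who vouched.
    # Holds no vote.
    voters: dict = field(default_factory=dict)
    # Ballot side, published at the end: ballot_id -> choice + certified flag.
    # Holds no voter and, deliberately, no certifier identity: publishing the
    # certifier on both sides would let the public re-link ballots to voters.
    ballots: dict = field(default_factory=dict)
    # The linking table, voter_id -> ballot_id: the only join between the two.
    # Encrypt it at rest with a key held outside the database; discard at close.
    link: dict = field(default_factory=dict)
    closed: bool = False

    def cast(self, choice):
        """Cast a ballot. Returns (voter_id to show certifiers, ballot_id to keep secret)."""
        self._require_open()
        self._require_choice(choice)
        voter_id, ballot_id = new_id("V"), new_id("B")
        self.voters[voter_id] = set()
        self.ballots[ballot_id] = {"choice": choice, "certified": False}
        self.link[voter_id] = ballot_id
        return voter_id, ballot_id

    def change_vote(self, voter_id, ballot_id, choice):
        """Re-vote. Both identifiers are required, so the public voter_id
        alone cannot be used to alter someone's ballot."""
        self._require_open()
        self._require_choice(choice)
        if self.link.get(voter_id) != ballot_id:
            raise PermissionError("voter_id and ballot_id do not belong together")
        self.ballots[ballot_id]["choice"] = choice

    def certify(self, certifier_id, voter_id):
        """Steps 3-4 of the certification procedure: receive (certifier, voter),
        reverse-look-up the ballot through the linking table, mark it certified."""
        self._require_open()
        ballot_id = self.link.get(voter_id)
        if ballot_id is None:
            raise KeyError("unknown voter_id")
        self.voters[voter_id].add(certifier_id)
        self.ballots[ballot_id]["certified"] = True

    def close(self):
        """End of election: drop the linking table. After this nothing can tie
        a ballot to a voter, and no vote can be changed."""
        self.closed = True
        self.link.clear()

    def published_voters(self):
        # Sorted by random id so the order does not mirror registration order.
        return {v: sorted(c) for v, c in sorted(self.voters.items())}

    def published_ballots(self):
        return {b: dict(r) for b, r in sorted(self.ballots.items())}

    def verify_my_ballot(self, ballot_id):
        """What a voter does with the secret ballot_id after publication."""
        return self.ballots[ballot_id]["choice"]

    def tally(self):
        counts = dict.fromkeys(CHOICES, 0)
        for rec in self.ballots.values():
            if rec["certified"]:
                counts[rec["choice"]] += 1
        return counts

    def _require_open(self):
        if self.closed:
            raise RuntimeError("election is closed")

    @staticmethod
    def _require_choice(choice):
        if choice not in CHOICES:
            raise ValueError(f"choice must be one of {CHOICES}")
```

Note the two design points this makes concrete: changing a vote needs both identifiers, so a certifier who knows a voter's public ID still cannot touch the ballot, and the published ballot record carries no certifier name, because a certifier who certified only one voter would otherwise be a direct link between the two lists.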

Ensuring a person voted only once

A person’s home address is necessary during the process to certify their vote. Often the home address is needed to look up a voter registration.

Since this election is not occurring on a single day, it will be easier for a voter to move and use a different address to try and (even inadvertently) vote twice. The only information we have that does not change when a person moves is:

  • Their name (their maiden name)
  • Their date of birth
  • Their place of birth
  • Maybe their email address

If we ask for a maiden name, there is no way to verify it without asking for, say, a birth certificate, and this information is not typically shown in voter registration. However, if a person is honest and gives their correct maiden name and later tries to register again under a different last name (e.g. they married in the interim), we stand a good chance of recognizing the same person.

Email addresses do change. But again, if we find someone with the same email address, date and place of birth, we can again judge that this is probably the same person.

Hence the rule: if 3 of the 4 items above match, we probably have the same person.
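The 3-of-4 rule above, as an added example (not code from the proposal), with the field normalisation it needs in practice and a candidate index so that the check does not require comparing every pair of records. Field names and the sample records are assumptions; the records are constructed for illustration.

```python
import re

# Added example (not from the proposal): the 3-of-4 duplicate rule.
# Field names and sample records are assumptions.

FIELDS = ("maiden_name", "date_of_birth", "place_of_birth", "email")


def normalise(field, value):
    """Canonical form of one field, or None when it is blank."""
    if value is None:
        return None
    v = str(value).strip().casefold()
    if field == "date_of_birth":
        v = re.sub(r"\D", "", v)        # assumes forms collect dates as YYYY-MM-DD
    elif field == "email":
        v = "".join(v.split())
    else:                               # names and places: drop punctuation, squeeze spaces
        v = " ".join(re.sub(r"[^\w\s]", " ", v).split())
    return v or None


def matching_fields(a, b):
    """Fields on which records a and b agree. A field that is blank on either
    side never counts: two half-empty forms must not 'agree' on the blanks."""
    matched = set()
    for f in FIELDS:
        x, y = normalise(f, a.get(f)), normalise(f, b.get(f))
        if x is not None and x == y:
            matched.add(f)
    return matched


def probably_same_person(a, b, threshold=3):
    return len(matching_fields(a, b)) >= threshold


def find_duplicates(records, threshold=3):
    """Index pairs (i, j) that look like the same person. Any pair matching on
    3 of 4 fields shares at least one field, so indexing every field and only
    comparing records that share a value finds every such pair without an
    all-pairs scan."""
    index = {}
    for i, rec in enumerate(records):
        for f in FIELDS:
            v = normalise(f, rec.get(f))
            if v is not None:
                index.setdefault((f, v), []).append(i)
    candidates = set()
    for ids in index.values():
        for p in range(len(ids)):
            for q in range(p + 1, len(ids)):
                candidates.add((ids[p], ids[q]))
    return sorted(pair for pair in candidates
                  if probably_same_person(records[pair[0]], records[pair[1]], threshold))


SAMPLE = [  # constructed records, not real people
    {"maiden_name": "Jane Roe", "date_of_birth": "1970-01-02",
     "place_of_birth": "Dayton, OH", "email": "jane@example.org"},
    {"maiden_name": "jane  roe", "date_of_birth": "1970-01-02",
     "place_of_birth": "Dayton OH", "email": ""},                    # same person, no email given
    {"maiden_name": "", "date_of_birth": "1970-01-02",
     "place_of_birth": "Dayton, OH", "email": "someone@example.org"},  # coincidence: only 2 match
]
```

Two caveats the rule itself does not state: a blank field must never count as a match (otherwise two sparse forms look like the same person), and dates only compare equal if the intake form collects them in one fixed format; "01/02/1970" and "1970-01-02" would not match here.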

Becoming a certifier of certifiers

Certifying someone as a certifier (rather than merely as a voter) requires extra assurance:

  1. A certifier must certify at least 2 people.
  2. They must be certified by at least 2 people who themselves have met these conditions.

The organizers of the election (principally Philadelphia 2) will have to certify themselves as people who can certify others; otherwise there would be no initial set of people meeting these conditions to certify anyone.

Social interactions

It is hoped that permitting people to help certify the election will cause others to help as well, producing a sort of “viral” certification effort.

The central repository shall run a public web-site. Each certifier shall maintain a name or pseudonym which is used on the web-site. As certifiers certify people, the web-site will show how many people they have certified. The web-site will also be instructive in helping people find certifiers that are close to them geographically in order to get certified.

By showing who has certified the most people, it is hoped that a form of competition develops for people to certify as many people as possible.

Some people will be public certifiers

Fraud detection

In order to detect fraud, a random sample of ballots, large enough to be statistically meaningful, shall be re-verified by an independent certifier. Should enough of the ballots certified by a particular certifier be found invalid, all ballots certified by that certifier shall lose that certifier's certification.

Ballots can be certified by multiple certifiers. Such ballots run far less risk of being invalidated by an unscrupulous certifier. Having one’s ballot certified two or more times, though not required, should be encouraged.

The math

Think of a binary tree, as in figure 5, in which each person certifies two more:

Level 1 is persons 1 and 2, level 2 is persons 3-6, level 3 is persons 7-14, and so on, so that level n holds 2^n people and the first n levels hold 2^(n+1) - 2 people in all. After only 26 levels, more than 130 million ballots (2^27 - 2, about 134 million) can be certified. This is merely an example: clearly not everyone will certify exactly 2 people; some will certify only one, many none at all, some more than 2. It does however make clear that this sort of certification is not only possible but practical, and can be accomplished very quickly. Many social networking sites gain millions of new users in a very short time.

Scenarios

Online

A person wanting to vote finds the votep2.us web site.

  1. They are asked to create a login on the site. Account creation must be protected by a CAPTCHA so that automated bulk sign-ups cannot overwhelm the site.
  2. They can then vote on NI4D
  3. They are informed that their vote must be certified. They are shown a list of people close to them who can certify their vote. Note: certifiers might be rated by voters. Certifiers should be classified by sex so that, for instance, women might feel more comfortable contacting another woman, and by whether the certifier is willing to make a house call.
  4. They choose one or more people
  5. The site sends the certifier a message to contact the voter. This message is a canned invitation, not something the voter can create text in. This is to avoid someone being able to use the system to send out spam to certifiers.
  6. The certifier meets the voter.
  7. The certifier inspects their documents
  8. If acceptable, the certifier has the voter sign a form (an affidavit) that they have voted in the NI4D election along with their public identifier. This form can be in duplicate (carbon) or can be signed twice leaving one with the voter. (I think this may be unnecessary. Just having user check box and re-enter their password may be considered sufficient electronic signature, need legal advice on this).
  9. The certifier takes the signed form.
  10. The certifier mails or scans and emails the signed form back to Philadelphia2
  11. The forms at Philadelphia2 are kept electronically. (Legal advice needed on this, but I think this is ok in this day and age where signed faxes are considered legal, as are electronic filing of taxes and other documents, even bank checks can be filed by scanning them and discarding the paper check. Many electronic voting machines do not, as far as I know, keep a paper trail of votes).
  12. The certifier may optionally ask if the voter would like to donate, and if so, they are authorized to collect a donation and issue a receipt. This can be printed at the bottom of the affidavit. The voter is encouraged to register their donation on line.
  13. The voter is asked (on the website step 3, and by the certifier step 9) if they would like to help certify the election by becoming a certifier.
  14. If yes, they are given instructions how to certify a vote. They are instructed that they need to be certified by at least 2 different people. They must take a simple test to show that they understand the instructions of how to certify someone.
  15. Once they have met the requirements to be a certifier, the certifier options are enabled on their votep2 login.
  16. When someone chooses them to be their certifier, they are sent an email with a link to the votep2 site to click on.
  17. They are brought to the votep2 site with a contact form to respond to the user. The site does not give out their email address. This is an anti-spam measure.
  18. They can choose to certify this person or send back a canned response with an apology.

We should also consider a real-time chat to link up voters and certifiers.

Notes:

  1. An alternative to steps 8-10 is to let the certifier check boxes on the web site and then “sign” the certificate by re-entering their password. This is depicted in the current mockup below.
  2. If a certification is later discovered to be bad, an administrator can remove it. This can cause a chain reaction, as people below this person may no longer qualify as certifiers. They are sent an urgent message to become recertified.

Paper

With the paper method, the voter is executing a paper ballot. The paper ballot is in 2 parts, one which they will need to mail in, a second part which is the certification which the certifier mails in. In all likelihood it is a certifier who is handing out paper ballots.

  1. The certifier presents the ballot to the voter.
  2. The voter fills in their information and votes the ballot and slides it into an envelope.
    1. A more secure alternative is 2 envelopes or a ballot that folds over and seals and this goes in an outer envelope. The ballot has the ballot ID on it and how it is voted. The outer envelope has the voter’s information which is separate from the ballot but is marked with the public ID. Recall that only the central repository run by Philadelphia 2 can link these two together with a key. These two items are put into a single envelope and mailed; they are separated upon arrival at the central repository.
    2. The ballot and the registration could be sent in different envelopes to different addresses which would provide a higher level of confidence of a secret ballot.
  3. The voter keeps a copy with their ballot ID which will let them verify their vote and their voter ID which will allow them to log into the Votep2 website.
  4. The certifier certifies the ballot on a third form (also attached to the ballot). They keep a copy of the affidavit and forward it to Philadelphia 2.

Reimbursable costs

The certifier will incur certain costs in printing and postage. By the legislation, these costs are reimbursable. If NI4D is enacted and if Philadelphia2 gets reimbursed for their costs, a certifier should also get reimbursed for reasonable costs. A suggestion to do this is as follows:

For each person they certify, they are required to print out at least 2 pages of paper and mail one to Philadelphia 2. For each person they certify, we could estimate their expense. As an example, this might be 5¢ per page plus the cost of a first-class stamp 50¢ for a total of 60¢ per certificate if mailed.

Philadelphia2 could reasonably keep track of the number of certificates executed for eventual reimbursement of the certifier.

Security

This proposal currently depends on a single server. I'd love to spread it across multiple servers, somewhat as WikiLeaks does, but in such a way that the people running those servers cannot compromise the integrity of what we are doing; for example, a domain name using round-robin DNS to pick a server at random. However, I would not want random people to have access to people's votes, nor the ability to change them, so some level of encryption would be necessary. I do not currently see how to do this correctly in a fully distributed environment without at least one central server.

Perhaps there could be one central front-end web server, with the database kept encrypted on many other servers offered by volunteers. A volunteer could then offer space on their server but could neither look at people's votes nor change anything without invalidating the cryptographic signature. Some form of replication would distribute the data. This guards against the site being shut down by a disapproving entity: it could easily be brought up on a different front-end server talking to the same back-end data.

Great care must be taken not to distribute personal data, even encrypted: even the best encryption is rendered useless if the keys are disclosed, and every replica of an encrypted copy is one more place a disclosed key can be used.
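The front-end plus volunteer-replica arrangement described above, as an added example (not code from the proposal): every record is sealed with an HMAC under a key that never leaves the front end, with the record's identifier and a version number bound into the tag, so a replica operator cannot alter a record, serve one record under another's name, or silently roll a record back to an older copy. This sketch covers integrity only; keeping the contents confidential as well needs authenticated encryption (for example AES-GCM from a proper library) under that same front-end key, which is not shown. Class and function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Added example (not from the proposal): tamper-evident records on untrusted
# replicas. Integrity only; names are assumptions.


def seal(key, record_id, version, payload):
    # The record id and version are bound into the tag, so a replica cannot
    # serve record X under record Y's name, nor quietly drop the version.
    body = json.dumps({"v": version, "p": payload}, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, f"{record_id}\n{body}".encode(), hashlib.sha256).hexdigest()
    return {"id": record_id, "body": body, "tag": tag}


def open_sealed(key, record_id, sealed):
    """Return (version, payload), or raise ValueError if the record is not genuine."""
    if sealed.get("id") != record_id:
        raise ValueError("record id mismatch")
    expected = hmac.new(key, f"{record_id}\n{sealed['body']}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed.get("tag", "")):
        raise ValueError("tag mismatch: record altered or forged")
    body = json.loads(sealed["body"])
    return body["v"], body["p"]


class Replica:
    """A volunteer's storage node: a dumb key-value store holding sealed records."""

    def __init__(self):
        self.store = {}

    def put(self, sealed):
        self.store[sealed["id"]] = dict(sealed)

    def get(self, record_id):
        return self.store.get(record_id)


class FrontEnd:
    def __init__(self, replicas, key=None):
        self.key = key or secrets.token_bytes(32)   # held only on the front end
        self.replicas = list(replicas)
        self.latest = {}   # record_id -> newest version written; defeats rollback

    def write(self, record_id, payload):
        version = self.latest.get(record_id, 0) + 1
        sealed = seal(self.key, record_id, version, payload)
        for replica in self.replicas:
            replica.put(sealed)
        self.latest[record_id] = version

    def read(self, record_id):
        """Return the payload from the first replica whose copy verifies and is current."""
        problems = []
        for replica in self.replicas:
            sealed = replica.get(record_id)
            if sealed is None:
                problems.append("missing")
                continue
            try:
                version, payload = open_sealed(self.key, record_id, sealed)
            except ValueError as exc:
                problems.append(str(exc))
                continue
            if version != self.latest.get(record_id):
                problems.append(f"stale version {version}")
                continue
            return payload
        raise ValueError("no replica returned a valid current copy: " + "; ".join(problems))
```

The version map is the one piece of state the front end must keep for itself (it is small, and can itself be sealed and stored elsewhere); if a replacement front end is brought up without it, replicas could feed it old but validly sealed copies unnoticed.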

Care must also be taken to serve the front-end web site over HTTPS with a certificate from a recognized certificate authority, and to publicize a single canonical domain, so that people can tell the real site from a fake one set up to harvest personal information. (An EV certificate was the usual recommendation when this was written; browsers have since dropped the distinct EV indicator, so the certificate type alone no longer helps users make that distinction.)

Workflow

Implementation

It is envisioned that this site be implemented in Python, perhaps on top of the Django web framework (https://www.djangoproject.com/) to leverage its existing functionality. Perhaps one of the social networking packages already written for Django could be leveraged (http://djangopackages.com/grids/g/social/)? If not, writing the social interaction from scratch may not actually be that difficult.

The secure voting part could be implemented using Helios (http://heliosvoting.org/), which is written in Python. Helios takes care of the ballot; it does not address certification of the ballots, which would still have to be a manual process in the US, so some integration is needed to mark ballots cast through Helios as certified. If Helios is used, there must still be a way for paper ballots to be hand-entered without the person entering them knowing whose ballot it is (only the number printed on the ballot).

In Helios technical terms, this election would have openreg=true and use_voter_aliases=true, and a single question with a binary result: whether the voter approves or disapproves of enacting The National Initiative.

It is envisioned that the site will update itself in real time using a REST architecture such as piston (https://bitbucket.org/jespern/django-piston/wiki/Home). ExtJS and/or jQuery may also be useful widget libraries for this site. Piston seems to be the preferred method of doing RESTful APIs in Django at the moment. Though the system shall be highly real-time, it must not depend on JavaScript: it shall function with JavaScript disabled, which also makes writing test scripts easier.

The “My Connections” tree widget could be implemented using one of several open source packages such as Protovis (http://mbostock.github.com/protovis/ex/), D3.js (http://mbostock.github.com/d3/), or Graphviz (http://www.graphviz.org/Gallery.php). It is envisioned that a person could navigate around the tree and see who they are connected to.

The source code and layered images (such as adobe psd files) shall all be open sourced.

The system shall be implemented on top of an open platform. It is envisioned that we will use Linux as the operating system and PostgreSQL as the database.

Testing

There shall be an automated set of tests to catch errors on the site. This site contains a good list of test methodology for web applications such as this: http://www.softwaretestinghelp.com/web-application-testing/

Error reporting

There shall be an error reporting mechanism that brings errors to the operator's attention by email. It is important not to flood the operators with email, or grave errors will go undetected. For example, if certain errors occur over and over, it makes sense to deliver a summary with a count of each, letting the operators drill down into them. Since the site is written in Python, the standard library's logging module (on which Django's logging configuration is built) can route errors to the database for easier summarization; Log4j (http://logging.apache.org/log4j) is the Java equivalent of that service.
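The summarizing behaviour described above, as an added example (not code from the proposal), built on Python's standard logging module: the first occurrence of each distinct error is delivered at once, repeats are only counted, and a periodic digest reports the counts, so a flood of one recurring failure cannot bury a rare, serious one. The `deliver` callable (in practice a function that sends an email) and the grouping key are assumptions.

```python
import logging
from collections import Counter

# Added example (not from the proposal): a summarizing error handler.
# `deliver` and the grouping key are assumptions.


class SummarizingHandler(logging.Handler):
    def __init__(self, deliver, level=logging.ERROR):
        super().__init__(level)
        self.deliver = deliver          # sends one message, e.g. by email
        self.counts = Counter()

    @staticmethod
    def _key(record):
        # Group by logger, source line and the *unformatted* template, so that
        # "lookup failed for voter %s" counts as one error however many voters
        # it mentions. Grouping by the rendered message would defeat the purpose.
        return (record.name, record.lineno, str(record.msg))

    def emit(self, record):
        key = self._key(record)
        self.counts[key] += 1
        if self.counts[key] == 1:
            self.deliver(self.format(record))   # first occurrence goes out immediately

    def flush_summary(self):
        """Deliver one digest of everything that repeated since the last flush.
        Returns the digest lines (empty when nothing repeated)."""
        lines = [f"{n}x {name}:{lineno} {msg}"
                 for (name, lineno, msg), n in self.counts.most_common() if n > 1]
        self.counts.clear()
        if lines:
            self.deliver("Repeated errors since last summary:\n" + "\n".join(lines))
        return lines


def make_logger(name, deliver):
    """Build a logger that reports through a SummarizingHandler; returns both."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.ERROR)
    logger.propagate = False
    logger.handlers.clear()
    handler = SummarizingHandler(deliver)
    logger.addHandler(handler)
    return logger, handler


if __name__ == "__main__":
    sent = []
    log, handler = make_logger("votep2", sent.append)
    for voter in ("V-1", "V-2", "V-3"):
        log.error("registration lookup failed for voter %s", voter)
    log.error("database connection lost")
    print(sent)                       # two messages delivered immediately
    print(handler.flush_summary())    # one digest line for the repeated lookup failure
```

In a deployment, `flush_summary()` would be called from a scheduled job (hourly, say); clearing the counter on each flush means the next digest reports only new repeats.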

Screen Mockups

Login screen

Registration screen

The above 3 boxes are modal popups opened by clicking on the note links.

Voting screens

The above screens 1-5 show the progression of the screens through the voting process.

Main screen

The above Settings box is a modal popup

Certification screens

An email is sent to user:

Congratulations, you have become a certified voter in the National Initiative. You can log in to your account at any time. From your account you can update your information and connect with other people.

Would you consider helping this effort by inviting your friends to vote? Would you be willing to become a certifier yourself? Log into your account and see how you can become involved.

Thank you for your involvement.

When they log into their account, they will have a message waiting detailing how to become a certifier and how to add friends as voters.

NOTE about screen 4 above: In certain US states it will be possible to look up the voter's registration electronically. In that case the certifier is only verifying that the person is who they say they are. Screen 4 will then connect to the state's voter registration database, find out whether this is a registered voter and present a good/bad response on this page. The system therefore needs a way to interface with external modules that search a given state's voter registration system; each state is different. We are currently researching this in each state. Documentation will follow.

Management screen

The management screen shall be accessible only to managers of the election (principally members of Philadelphia 2 and people to whom it delegates).

The mockup shows that from the management screen a manager can access a person's registration and account. A manager will not, however, be able to access a person's ballot.

Note: The “tree” like widget on the right side of the Manage page and in the My Certifications section could be constructed with some sort of flow chart widget. It does not necessarily need to look exactly like the mockup but it must represent the same information visually: how the user is connected, and who they are connected to.

Also from the management screen, a manager will be able to:

  • Delete messages from any of the group message lists
  • Add/delete/modify the documents which are on the lower left (the text of NI4D, the privacy policy, About Us…etc)