Whenever organizing democratic decisions, a crucial task is the accreditation of eligible voters. The democratic principle “one person – one vote” is vital for the overall fairness of any election or decision making process. Usually the accreditation is executed by authorized agents of an organization (in case of decisions within an organization) or by polling clerks (in case of public elections). If a democratic process is properly designed, then the overall process (from accreditation to casting a ballot) can be publicly supervised such that it is not possible to use the accreditation process to violate the principle of “one person – one vote”. However, even in these cases, a centralized organization (possibly including a voter register or similar database) is usually required.
The previous articles in this Issue #6 of “The Liquid Democracy Journal on electronic participation, collective moderation, and voting systems” explained how a completely decentralized democratic decision making system can be created. For such an electronic system, each eligible voter has the same rights and there is no central authority with certain administrative privileges.
This article will explain how to connect a totally decentralized system with real-world processes that are necessary to perform an accreditation of eligible voters. It should be noted that “one person – one vote” doesn't always imply that every human being gets a vote. Usually an organization wants to empower their members and not people outside of the organization. A municipality wants to empower its citizens or residents. In case of hierarchical organizations, certain decisions might be restricted to people belonging to a certain division of the organization (e.g. a local chapter). But it isn't just a matter of figuring out who should be deemed an eligible voter; we also need to find ways to identify those people.
The simplest approach to collectively perform an accreditation is to conduct a vote on every new person to be added to the set of eligible voters. When we consider a decentralized decision making system such as presented in the previous article, we do not just need to approve the eligible voter but also provide means of authentication of that voter (i.e. after successful accreditation, the system needs to be able to validate whether some input has really been sent by or on behalf of that voter).
Technically, a validation of a person's request could be done using an asymmetric cryptographic key. In a world where every person has appropriate end-user devices that are trusted, this would be the most natural solution. In this case, a person's public key fingerprint would need to be made public, e.g. by reading it in front of an audience at a public assembly. Then everyone would be entitled to submit a request to the system that the owner of the corresponding private key is to be added to the list of eligible voters.
The idea that every person can have a public/private-key pair and that they are technically able to keep their private key secret is an idealization (see also [PLF, section 3.5]). The idea might have been practicable during the 90s, but end-user devices quickly became interconnected in such a way that regular software updates are common. Only a small fraction of internet users has real control over their devices; most users will regularly install many megabytes (or even gigabytes) of unknown machine code that has been provided to them by companies like Microsoft, Apple, or Google.
Consequently, storing a private key on an end-user device isn't necessarily the best choice these days. While aiming for decentralization, a technological monoculture (e.g. if a majority of participants uses a certain operating system or a certain chipset) could introduce a single point of failure to the system.
A different approach for identifying people would be to entrust a local chapter of an organization (or any other known group of people) with the particular job of maintaining a person's account (and to act as proxy for that person). Such an entity could use united resources to monitor security issues in a better way than the average person might do when being on their own. Each person could freely choose the entity he or she entrusts with managing his or her account (or manage the account themselves, if desired). This way, single points of failure might be more easily circumvented. Combining this with a public accreditation process, a person would state his or her identity and publicly announce which technological provider will be his or her proxy.
If, from a technical point of view, all eligible voters decide about including a new member in a democratic decision, one may wonder whether that constrains the statutes of an organization. Would the approval of each new member application depend on the absolute discretion of a majority of members?
While the approval of a new entrant is technically implemented through a majority decision, this doesn't impose constraints on the statutes of an organization using such a decentralized accreditation system. The semantics of the technical voting procedure on approving a new member can be defined in such a way that the voters do not state whether they want the new member to be accepted but whether they confirm or do not confirm that the member fulfills the requirements necessary to be approved. It could be each member's obligation to truthfully answer this question. Of course, if a majority of members fail to act according to the rules, the overall system fails. As previously discussed in the article “Roadmap to a Decentralized LiquidFeedback” [Roadmap], it is a reasonable (and necessary) assumption that a majority of participants behave benevolently.
Of course, the use of transitive delegations (Liquid Democracy) could keep the additional overhead for most participants as small as possible. Members of a political party, for example, could simply delegate the job of accreditation to someone they trust (or to someone who they trust to know someone trustworthy).
The proposed system is different from a classical web of trust. While a web of trust (such as used with PGP, GnuPG, or similar cryptographic software) is also capable of verifying one's true identity (and to connect it with a public/private-key, for example), a classical web of trust isn't capable of creating a consensus because the trust level of an entity depends on the point of view from which you look at the network (i.e. each participant concludes different trust levels).
The key feature of a distributed decision making system, however, is to find a consensus [Note: With “consensus” we do not mean unanimous decisions but a consensus based on majorities. See also [PLF, section 4.13].]. A web of trust could be modified in such a way that there is a “seed” of trusted members, i.e. the trust wouldn't depend on the point of view but would originate from those members. Treating certain members differently from other members, however, doesn't fulfill the equal treatment of all participants (and thus conflicts with our goals for a decentralized accreditation system). Therefore, the “seed of trust” needs to be dynamic and ultimately reflect all members equally. [Note: It would still be possible to temporarily restrict new members from deciding about accepting other members, but this should only be a temporary condition.]
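The viewpoint dependence described above can be made concrete with a small model. The following is an added example, not code from the article or from LiquidFeedback; it assumes a deliberately simplified trust rule (a key is accepted if it is reachable from one's own key through at most two certifications), and the participant names and certification graph are constructed.

```python
from collections import deque

# Constructed certification graph: signer -> keys that signer has certified.
CERTS = {
    "alice": {"bob"},
    "bob": {"carol"},
    "carol": {"dave"},
    "dave": {"erin"},
    "erin": set(),
}

def trusted_from(viewpoint, certs=CERTS, max_depth=2):
    """Keys one participant accepts: everything reachable from their own key
    through at most max_depth certifications (simplified, assumed rule)."""
    seen = {viewpoint}
    queue = deque([(viewpoint, 0)])
    while queue:
        key, depth = queue.popleft()
        if depth == max_depth:
            continue  # do not follow certifications beyond the depth limit
        for signed in certs.get(key, ()):
            if signed not in seen:
                seen.add(signed)
                queue.append((signed, depth + 1))
    return seen

def views(certs=CERTS, max_depth=2):
    """Map each participant to the set of keys they accept."""
    return {p: frozenset(trusted_from(p, certs, max_depth)) for p in certs}

def has_common_view(certs=CERTS, max_depth=2):
    """True only if every participant derives the same accepted set."""
    return len(set(views(certs, max_depth).values())) == 1

def seeded_view(seed, certs=CERTS, max_depth=2):
    """Fixed-seed variant: one shared view, but seed members are privileged."""
    accepted = set()
    for member in seed:
        accepted |= trusted_from(member, certs, max_depth)
    return accepted
```

In this graph alice and carol accept different sets of keys, so no electorate can be read off the network; fixing a seed yields a single set, but only by giving the seed members a special role.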
It is not sufficient to provide mechanisms for new members, but there also need to be mechanisms for removing the accreditation of a person. Even in cases where there is no expulsion of members allowed, it is always possible for a human to die. In this case, his or her accreditation would need to be removed to avoid misuse of his or her voting power. The previous statements regarding new entrants also apply to removing member accounts. The mechanism for removing accounts could also serve as a last resort for healing identity theft such as loss of a private key.
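The mechanism described so far (a vote on each entrant, transitive delegation of that vote, and removal of accounts) can be sketched as a replay of a public log. This is an added example, not code from the article or from LiquidFeedback; it assumes that a proposal passes when more than half of the current electorate confirms it, and all names, log entries and `auth` values are constructed.

```python
def resolve(voter, electorate, ballots, delegations):
    """Follow a voter's delegation chain to the first direct ballot.
    Returns True/False, or None on abstention, a cycle, or a non-member."""
    seen = set()
    while voter in electorate and voter not in seen:
        if voter in ballots:
            return ballots[voter]
        seen.add(voter)
        voter = delegations.get(voter)
    return None

def confirmed(electorate, ballots, delegations):
    """Assumed rule: more than half of the current electorate must confirm."""
    yes = sum(resolve(v, electorate, ballots, delegations) is True
              for v in electorate)
    return 2 * yes > len(electorate)

def replay(founders, log):
    """Replay the public log; every node that replays the same log derives
    the same electorate and the same means of authentication."""
    electorate = dict(founders)  # person -> announced key or provider
    for entry in log:
        if not confirmed(set(electorate), entry["ballots"],
                         entry.get("delegations", {})):
            continue  # requirements not confirmed: proposal has no effect
        if entry["op"] == "add":
            electorate[entry["person"]] = entry["auth"]
        elif entry["op"] == "remove":
            electorate.pop(entry["person"], None)
    return electorate

# Constructed sample data.
FOUNDERS = {p: "fingerprint:EXAMPLE-" + p.upper() for p in ("alice", "bob", "carol")}
LOG = [
    # dave is confirmed by alice; bob and carol follow her transitively.
    {"op": "add", "person": "dave", "auth": "provider:local-chapter-example",
     "ballots": {"alice": True},
     "delegations": {"bob": "alice", "carol": "bob"}},
    # mallory's own ballot and carol's delegation to her count for nothing.
    {"op": "add", "person": "mallory", "auth": "fingerprint:EXAMPLE-MALLORY",
     "ballots": {"dave": True, "mallory": True, "alice": False},
     "delegations": {"bob": "alice", "carol": "mallory"}},
    # carol's account is removed, e.g. after loss of her private key.
    {"op": "remove", "person": "carol",
     "ballots": {"alice": True, "bob": True, "dave": True}},
]
```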
Decentralized accreditation is similar to the concept of “web of trust” but differs from it in certain regards. Most importantly, decentralized accreditation aims to create a common point of view on a set of eligible voters and their means of authorization.
A simple approach to decentralized accreditation is to conduct votes for each new person to join a group of eligible voters. While from a technical point of view, this empowers the electorate to decide about each accredited person, the electorate could be bound to rules when executing this task. These rules must be well-defined and take into account removal of member accounts as well.
While it is possible to use public/private-key pairs for authorization, it is not required that each eligible voter securely stores a private key him- or herself. Technical providers can handle identity management and authorization of several voters at the same time as long as each eligible voter is able to freely choose such technical providers and/or use their own technical infrastructure.