Continuing the discussion from PEP 8001: Python Governance Voting Process:
I wanted to follow back up on this. On python-committers it appears that a number of people are not entirely comfortable with public ballots. In that thread @skrah, @barry, and myself all expressed concerns that we weren’t entirely comfortable with public voting but would still be voting, while @tim.one expressed that he was planning to abstain from the vote entirely because the ballots were public.
So I think given you have at least one prominent core developer stating that they’re planning to abstain completely, and 3 people saying it at least makes them feel uncomfortable, we should consider the idea of making the ballots private.
Now the problem with private ballots is that it relies on having one of two things:
- Some novel cryptographic scheme that allows computing the final result without leaking who the ballots belong to (Helios provides this for approval and plurality voting).
- Some trusted person or system to anonymize the ballots before publishing them.
Given that I am unaware of any novel cryptographic schemes that exist for ranked ballots (much less is already implemented in a usable piece of software) that leaves us with trusting some person to handle it for us.
My suggestion then is that we should use CIVS to enable us to manage this vote, and still have private ballots. I would further suggest that we use the following settings:
[x] Private
[ ] Make this a test poll: read all votes from a file.
[ ] Do not release results to all voters.
[x] Enable detailed ballot reporting.
[ ] In detailed ballot report, also reveal the identity of the voter with each ballot.
[ ] Allow voters to write in new choices.
[ ] Present choices on voting page in exactly the given order.
[ ] Allow voters to select “no opinion” for some choices.
[ ] Enforce proportional representation
- People’s identities are kept secret.
- This assumes that the people running that online system are discarding the voters like they claim to be. I don’t think they’re likely to be lying and it’s a popular online service so they’re unlikely to do anything nefarious specifically to attack us.
- The actual ballots are public, and available to be viewed and even downloaded in CSV format.
- The results are computed for us. There is no “pure” Condorcet option, but a nice property of the Condorcet method is that when there is a Condorcet winner, no matter what method you choose it will pick it, so the differences between the Condorcet methods are only in what they do in the case of a cycle. In the case of CIVS, we can differentiate a Condorcet winner (aka a “Pure” Condorcet winner) by if the tallied results say “Condorcet winner: wins contests with all other choices” instead of “Not defeated in any contest vs. another choice” and verifying that the extended ballot explanation has all green boxes for that person.
- As a downside, the list of people who voted is not made public (it considers not participating at all to be something that deserves secrecy as well). This means that we won’t know who participated as well as not knowing how they voted.
- As an upside, it will randomize the order ballots are in by default, and there is science/evidence to suggest that when ballots are in the same order for everyone, that items closer to the top of the ballot are more likely to win. Randomizing ballot order helps with this.
- It doesn’t require you to make a total ranking of all the options (it allows you to rank some items equal). This is fine with Condorcet (it just means a cycle is slightly more likely).
- A single person has to act as the election administrator, which basically only gives the power to start/stop the election and to add voters (you can’t add the same email address twice, doing so just re-sends the email to that person).
You can read more about the security/privacy implications of using CIVS here. You can see an example of a ballot with a “Pure” Condorcet winner here and one where we would consider it a “tie” and need to implement tie breaking procedures here.
Now if we go this path, there are two things we would need to contend with:
- We can’t extend the vote a week as a tie breaking procedure, because once the election is ended and the results made public, CIVS doesn’t allow you to reopen the voting. We can do something similar though by just re-running the election for a week, but only amongst the options that were involved in the cycle. That would mean that people who are happy with any item that tied could just abstain from voting, and only people who feel strongly about one of the choices over another need to get involved in the tie breaking procedure.
- We would need to pick someone to act as an election supervisor. This person sets the election up, starts it, adds voters, and finally ends it. The powers they have to influence the elections are fairly limited, the things I can think of are:
  - They can turn off randomized ballots, slightly favoring whatever options they put first (and disfavoring whatever they put last).
  - They can add “puppet” voter email addresses to the election, and thus give themselves extra votes. However they can’t see the results until after voting is closed, so they won’t know how many votes they’d need to make their preferred option win and if they did it extensively we’d be able to detect it by seeing an abnormal number of votes.
  - Maybe they can disenfranchise someone by ending the election right as that person is voting?
I’m not really worried about anyone we’d pick doing anything nefarious here. I went ahead and reached out to @EWDurbin and asked him if he would mind acting as the election supervisor for us if we went with this option. He said he was fine with that, and I think he represents a pretty good choice since he’s a PSF employee, he’s well known in the community, we trust him a whole hell of a lot already (he has root on like, every PSF box, admin on the GitHub org, is a PyPI core dev, etc), and he’s not a core committer nor does he have a PEP in the list of proposed PEPs so he is pretty neutral. Another fine choice would be Ewa, but I haven’t asked her if she would be willing.
Honestly, I think really any core developer could do it as well, the power an election supervisor has is pretty limited, and I don’t think any of us would do anything to try and violate the integrity of the election.
To try to make this easier, I’ve gone ahead and created a PR to PEP 8001 which basically implements the above. I’m happy to make any changes (or have the PR merged and further changes made to it). If people agree with the move to a secret ballot and using the CIVS system, then we can just merge that PR.
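An added example, not part of the original post and not CIVS code: because the anonymized ballots are published, anyone can recheck the tally independently, confirming a "pure" Condorcet winner or, when there is a cycle, finding the set of options that a tie-breaking re-run would be held among. The CSV layout (one row per ballot, one column per choice, 1 = best, equal ranks allowed) is an assumption, and the ballots are constructed.

```python
import csv
import io
from itertools import permutations

# Constructed ballots (not real data), in the assumed layout described above.
CLEAR = "A,B,C\n1,2,3\n1,3,2\n2,1,3\n1,2,2\n3,1,2\n"
CYCLE = "A,B,C,D\n1,2,3,4\n2,3,1,4\n3,1,2,4\n"


def pairwise(csv_text):
    """Return (choices, wins); wins[x][y] counts ballots ranking x above y."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    choices = rows[0]
    wins = {x: {y: 0 for y in choices if y != x} for x in choices}
    for row in rows[1:]:
        rank = dict(zip(choices, (int(cell) for cell in row)))
        for x, y in permutations(choices, 2):
            if rank[x] < rank[y]:  # equal ranks count for neither side
                wins[x][y] += 1
    return choices, wins


def beats(wins, x, y):
    return wins[x][y] > wins[y][x]


def condorcet_winner(choices, wins):
    """The choice that strictly beats every other choice, or None on a cycle/tie."""
    for x in choices:
        if all(beats(wins, x, y) for y in choices if y != x):
            return x
    return None


def smith_set(choices, wins):
    """Smallest set whose members each beat every choice outside the set."""
    # The choice with the most pairwise wins is always in the Smith set.
    start = max(choices,
                key=lambda x: sum(beats(wins, x, y) for y in choices if y != x))
    members, grew = {start}, True
    while grew:  # pull in anything some current member fails to beat
        grew = False
        for c in choices:
            if c not in members and any(not beats(wins, m, c) for m in members):
                members.add(c)
                grew = True
    return members
```
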