Wikipedia talk:Arbitration Committee Elections December 2009/Feedback

SecurePoll
The section inviting feedback on SecurePoll looks at the technical implementation only. Given the heated discussion in the run up to the choice to use SecurePoll, and some acrimony about how the final decision was reached, should we not now invite feedback on that choice? Before the results are announced but after people have had a chance to use the system in this election, seems to be to be a natural time to do so.

I suggest we open new section dealing with that aspect - although it may deserve a subpage of it's own. It may be deserving as well to invite those who participated in the earlier discussions. --rannṗáirtí anaiṫnid (coṁrá) 19:50, 16 December 2009 (UTC)


 * I think we're going to have a re-run of this year's RfC next year to gauge the community's desires, so I'd be inclined to restrict the scope of the feedback here to what worked well and what did not, with some suggestions, rather than tackling major reform.  Skomorokh   19:59, 16 December 2009 (UTC)
 * Perhaps—or is it that having seen SecurePoll in action, few people are complaining? Rann, why not raise your concerns here? Tony   (talk)  12:42, 17 December 2009 (UTC)


 * Tony, perhaps. It's a difficult question to answer without actually asking it.
 * For my own part, having voted using the system (not for the first time) the same issues remain. My major concerns lay with scrutiny and community confidence. The method chosen for conducting scrutiny of the election has only exacerbated those concerns for me. We went from a completely open ballot (lacking even a degree of formality) to a "hyper-secret" one. If the method of selecting scrutineers — hand-picked, known-to-the-foundation stewards not active on the en.wiki — had been chosen by the community, it would have struck me as being paranoid. As it was, I don't know who made that decision. Or why. Given the level of community opposition to moving to a secret ballot at all, was there not a middle ground? Was leaping from one extreme to another very wise? Did they (whoever they are) feel it was necessary? How did they come to that conclusion?
 * Of other people's opinions, I would be interested to know, now after the we have all had a chance to use the system in an ArbCom election, if those who were in favour of moving to a secret ballot still feel that secrecy is necessary? Or whether it was the form of voting, and in particular how it reduced drama and eased the process, that was the core benefit? (It is possible to have one without the other - or one without the "hyper-secracy".) --rannṗáirtí anaiṫnid (coṁrá) 19:30, 17 December 2009 (UTC)

I don't think we should dive back into the social questions posed by SecurePoll until after the entire election is concluded, and the Arbitrators have taken their seats in the New Year. From that more detached position, we can and should have a thorough re-evaluation of the questions posed in the first RfC, without the unwanted time pressure of a looming election. We most definitely should not leave such a discussion until next November. Happy ‑ melon 20:10, 17 December 2009 (UTC)
 * (e/c) @Tony1: Please don't take silence as acceptance, yet. Speaking for myself, I still have strong concerns about using secret voting.  However, I haven't been offering a comment on it yet, because I wanted to first see the results of this year's vote.  My nightmare scenario is that because of lack of public community feedback on a particular candidate (such as an obvious overwhelming number of public opposes on clearly unsuitable candidates), that one or more of those candidates might have garnered a higher percentage of votes under secret voting, than they would have under public voting, simply because many of the voters would have been unaware of clear problems in that candidate's history.  For my own voting guide, I probably spent a good 40 hours researching all the candidates, but I doubt that most voters were able to spend that much time looking into the history of each candidate.  That's one of the reasons that I like public voting, is that it allows editors who do have prior knowledge of a specific candidate, to bring up concerns about which other editors may be unaware, so that the other editors aren't "voting blind". However, my concerns about a nightmare scenario may be unfounded. Right now I'm in a "wait and see" mode. Once we see the results, it will be easier to offer a more specific opinion on how well the secret voting system worked. --Elonka 20:21, 17 December 2009 (UTC)

Scrutineers
Continued from main page to save space.


 * It's unfortunate to see anything as being "set in stone", we have after all just gone with SecurePoll in the last couple of weeks. We should avoid seeing things in black and white - that the ballot can either be closed or open, with little middle ground. Rarely are secret ballots genuinely "secret" - even "real life" ones - for pragmatic reasons. Adopting a stance of "hyper secrecy" is not pragmatic IMHO.
 * Special:SecurePoll/list/80 shows a list of users who voted but it doesn't show those users votes. After the current scrutineers round of verification ended, we could open the ballot for all to see. (This is the first time we have used a secret ballot for this election, so opening the ballots for scrutiny after the election would simply mean a delay in revealing information that would previously have been public information all along.)
 * I don't think that opening the ballots to all is likely to meet with approval from the community (there are benefits to maintaining secrecy, I agree) but having a process whereby some community members could inspect the ballots - for the purpose of both scrutinising the count and reassuring the broader community that the count was correct - would be of benefit IMHO. I don't think it is necessary that such scrutineers would need to be drawn from admins or check users or stewards alone (indeed I think it would be better if such people were drawn from all "sides" and "classes"). It it would be necessary however that these people would limited in number and have the community trust to maintain the secrecy of the ballot.
 * We could also open an anonymised list of ballots for all (i.e. no user names, no check-user type data, just the ballots in random order.) Again, these are just examples of what we could do to improve scrutiny and community confidence, not specific suggestions.
 * "... the privacy policy protects a logged-in user's private data absolutely, not just in connection with them." That fair enough but en.wiki check users would be able to view that data in the way as the current scrutineers? --rannṗáirtí anaiṫnid (coṁrá) 12:04, 19 December 2009 (UTC)
 * To be absolutely clear: the ballots for the 2009 Arbitration Committee Elections will not be opened to anyone, because they were cast in the understanding that they would remain closed. I think you understand that and are talking about the future, but just in case there is any confusion there.
 * Opening the ballots in future elections, either to the scrutineers or to everyone, is a social issue that I agree warrants consideration, although I doubt it will be popular. Publishing an anonymised set of ballots once the election had concluded would be possible, but I'm not convinced that it would be of any use: the fact that a vote had been double-counted was hiding in plain sight on the log page for ten days during, and four days after, the election, but no one noticed (ie, no one bothered to look for) it.  We can make SecurePoll provide all manner of interesting auditing data, but if no one is going to actually look at it, it serves no purpose.
 * I'm not quite sure what you're saying with your last paragraph. Casting a ballot in SecurePoll does not make a record in the Checkuser data tables; the information is isolated to SecurePoll and so is accessible only to scrutineers and election admins.  The privacy policy has no bearing on enwiki checkusers accessing the private data where necessary, only that the data should not be generally released, whether or not it is tied to a particular user.  I'm not sure what your point is here.  Happy ‑ melon  12:52, 23 December 2009 (UTC)
 * Yes, and I want to remind people that stewards are invested with a greater level of trust (and power) than anyone else in the Wikimedia system, except perhaps some of the staff/developers in narrow respects. If we cannot trust stewards, we may as well throw in the towel. The fact that the six scrutineers were selected from the ranks of non-en.WP stewards should place them beyond doubt as able to manage the secure parts of the election. It is easy to accuse, to develop conspiracy theories, but please consider the picture and be practical. Yes, it is possible that one of the foreign stewards took a bribe or was tempted to cook the books, but it is as likely to happen, and to have been invisible to the other five stewards, as the appearance of a worm-hole to Mars. Tony   (talk)  13:21, 23 December 2009 (UTC)


 * @Happy-melon - as you may guess I'm unimpressed with the poor process whereby we made the shift to a closed ballot. I don't think that the way to remedy that is by further poor process. To my mind, the election just gone by was an "experiment" in using a closed ballot from which we can draw experience and make improvments going forward. So, no, I don't think the ballots should be opened this year.
 * "We can make SecurePoll provide all manner of interesting auditing data, but if no one is going to actually look at it, it serves no purpose." Don't. Raw data is best. Just let 'whoever' be capable of downloading a CSV (with or without fields blanked depending on privacy, access levels etc.) and let 'whoever' decide what to do with it. The way data is presented has a tremendously influencing effect over how it is interpreted (and how a person feels they can express an interpretation of it publicly). By deciding how a user may want to inspect data, we (completely accidentally) restrict their ability to inspect it in other ways - ways that we may not even considered necessary or useful.
 * WTR to the error that was spotted, the voter list is an example of this. 'Technically', it was someone could have spotted the error using the voter list but practically it would have been quite difficult. What would a user have been looking for? A slightly different shade of text in a HTML formatted table spread across multiple pages that they could not 'interact' with? The eyes can play tricks even at the best of times and this is the sort of thing that Excel, Calc or even Google Docs eats up and makes far easier to spot such trivial mistakes. Ultimately, without a 'hard' indication of how the data was going to be used in the actual count, it was useless. It took all of two hours for a community member to spot the mistake and for you to post a correction after the count had been published. The eyes of interested people on meaningful data that they can genuinely interact with would prevent such errors happening in future.
 * (BTW by the last paragraph, I mean that there would be no issue with an en.wiki check user viewing to the "check-user type data" in the ballots for the purposes of scrutiny - as opposed to other en.wiki users, which you said would be contrary to the privacy policy. Is that correct?)
 * @Tony - trust and confidence are related by ultimately different concepts. Confidence can take in the concept of trust but 99 times out of 100 confidence is simply a matter of preventing human error and satisfying oneself that a result is correct. In the immediate case, despite all our trust, the election admins and scrutineers made a trivial error. It happens - no conspiracy theories required. Let's be practical and admit that no matter how great our trust, humans err. With that in mind, let's look at ways to prevent such errors (and greater ones) happening in future. And ways to ensure that the community confidence beyond saying "they have our trust", which 99 times out of 100 will not be the issue at all.
 * The common way - as employed in "real world" elections conducted by secret ballot - is to allow the process to be scruitinised by interested parties (where being 'interested' is different from being 'involved', such as are candidates or election administrators). That it should be by interested parties is very important. Uninterested parties, generally speaking won't look as hard or be as attentive to possible causes of error. In the "real world", uninterested parties are used to look at the overall process of an election to express their satisfaction or otherwise that an election was conducted in a generally appropriate manner. Interested parties, on the other hand, are used to genuinely scrutinise all aspects of an elections - from the means by which voters are enfranchised to the way each to the way each and every ballot gets counted to the manner that results are announced in. Errors, like the one we saw in this election, are typical of the kinds of errors that interested parties spot easily but that uninterested parties miss despite it being right in front of their eyes - as happened in this case. It's no poor reflection on anyone involved BTW, it just happens. It's why, in the "real world", scrutiny by interested parties is invited. --rannṗáirtí anaiṫnid (coṁrá) 10:38, 24 December 2009 (UTC)

Question
Now that the election is completely over, I want to get back to the issue of deleting the actual votes (in other words, the data showing who voted for whom.) The first question I have is, where should this discussion take place? I don't think the right answer is to have it be one of several questions listed under "Discuss The SecurePoll System", where it has quickly become "lost." I am not sure it even belongs on the Feedback page at all. But my main concern is not where it is, but that it is somewhere "visible" where people will see it and comment if they wish. I think it is an important subject, because it calls into question whether this election can really be considered a "secret ballot" if the data on who voted for who remains in existence. The second question I have, before starting a discussion, is: What are the intentions of the people running the election, and/or the people who have access to the data? Do they intend to delete the data at some point? I seem to have been assuming that the plan was for the data to remain, but I realize there is no basis for that assumption. The logical thing would be for the data to be deleted at this point, since there is no need for it, and retaining it raises the potential that the secrecy of the data could be compromised, making this a non-secret ballot. So maybe that is really the first question: What is the plan? Neutron (talk) 19:22, 24 December 2009 (UTC)
 * Getting to the meat of your question, I can't think of a legitimate reason to keep that data. ~ DC (Talk&#124;Edits) 04:33, 25 December 2009 (UTC)
 * Deleting this data makes it impossible to fix any error or to use the data to improve processes going forward. As we saw, errors do take place. If the data had been deleted as soon as the scrutineers had completed their "work" then there would have been no way of discovering what their's and the elections admin's errors been.
 * To turn DC's comment on it's head, I can't think of any legitimate reason to delete that data. So long as it is kept in a non-publicly accessible place then the secrecy of the ballot is maintained (if that is important to people). Data, once deleted, is gone and gone for ever. In the "real world" - a place that was cited as a reason to move to a secret a ballot - election data of this sort is kept. This it not only to allow errors to be remedied but to allow analysis of voting patterns that lead to improved processes in future.
 * We have only just moved from a totally open process. Why the mad desire of this sort of hyper secrecy? The secrecy of the ballot is the sort of thing that can be maintained without resorting to destructive actions. It's a little paranoid, don't you think? --rannṗáirtí anaiṫnid (coṁrá) 14:57, 26 December 2009 (UTC)
 * No error discovered in the ballot will be fixed at this stage whether the data is deleted or not. The new Arbitrators have been appointed; if we were to discover an error at this stage, it would be impossible to rectify.  That is why we have two stages of scrutineering (the election scrutineers and Jimbo), both of which proved necessary this year, and which should definitely be institutionalised going forward.  To leave the election open to challenge after its winners have been seated is logistically impossible, and is not condoned in any real world election: after the results are announced challenges are often brought, that sometimes drag on for months; but once a winner is seated the gloves are back on.  For that reason, the ballots themselves - the raw data in a real world election - are not kept indefinitely, for the simple reason that they take up a huge amount of storage space if nothing else.  Once the winner is seated, they are collectively useless.
 * Personally I agree with you; I don't think the 'risk' associated with keeping the raw voting data is a realistic problem. I don't believe that any of our sysadmins are going to start reading the votes out of the database tables to Wikipedia Review, and I believe that anyone who does manage to hack the WMF databases will have bigger fish to fry (like eleven million users' email addresses and IPs). But it's not an open-and-shut question; it's essentially a question of which option is the 'least useless', and one that is worth discussing.  Happy ‑ melon  18:24, 26 December 2009 (UTC)
 * Not impossible to rectify: If it were proven that an error occurred that made a difference in the outcome, an honorable person would resign the seat or ask to be changed from a 2-year to a 1-year position.  I assume every candidate and certainly every new arbitrator qualifies as an honorable person in this respect.  Having said that, I think we can see snow in hell before we uncover any significant errors with the degree of proof needed to make someone resign at this stage.  It's not like the real world where you have people deliberately trying to rig an election for their favored candidate.  davidwr/  (talk)/(contribs)/(e-mail)  18:39, 26 December 2009 (UTC)


 * "That is why we have two stages of scrutineering (the election scrutineers and Jimbo), both of which proved necessary this year..." Has history rewritten itself? Was an error not discovered this year? Did the scrutineers and election admins not fail to discover it? We don't know if Jimbo spotted it (Jimbo?). It was a community member that saw the error before Jimbo had his say.
 * In government elections, the "raw data" (i.e. ballot papers) of 'real world' elections are normally kept. A few million ballot papers don't amount to a lot as a proportion of the overall paperwork that governments and local authorities archive each year. For other elections carried out by secret ballot, it varies from organisation to organisation. With pragmatic reasons behind each decision. In our case, data could be taken off the servers and stored in a SQL dump as a file - a digital equivalent to archiving. That would secure its secrecy without destroying it as information.
 * I agree with David that it is preposterous to say that it would be "impossible to rectify" an error. Yes, there needs to be process. Yes, lines need drawn at some point. But if errors are discovered, they should be corrected either, like david says, though candidates doing the 'honourable thing' or something more formal. --rannṗáirtí anaiṫnid (coṁrá) 19:32, 26 December 2009 (UTC)
 * I'm not sure we need a process for an event which, while hypothetically possible, is rarer than the odds of me winning the lottery. I don't have a process of "omg I won the lottery what will I do now" - I will handle that event ad hoc when and if it happens.  I think we can borrow from the real world here - in corporate America and in volunteer organizations, when anyone in any authority or leadership position loses the confidence of his constituency, "something happens" and the person either leaves the position, or he winds up holding the position "in name only," sidelined from any serious capability of misusing the office, or the organization or company dissolves and all principals re-form a new organization that takes over the role of the previous organization, leaving the unwanted incumbent "king of nothing."  Again, I don't see this as anything but the remotest possibility.  As such, it's worth discussing only for academic purposes.  davidwr/  (talk)/(contribs)/(e-mail)  20:01, 26 December 2009 (UTC)
 * Agree. It is far better to have a process that capable of spotting such mistakes before they happen and to have a culture that is capable of responding them should they be uncovered later.
 * I don't think the odds are in the realm of winning the lotter. It could be as simple as the error that occurred during this election. On this occasion it was not great enough to effect the outcome of the election. If more people had cast a change of votes in the same manner as M.K., Synchronism and Verbal it could easily have done. --rannṗáirtí anaiṫnid (coṁrá) 21:16, 26 December 2009 (UTC)


 * By "two stages of scrutineering", I mean the period between the close of voting and the publication of the election results as one stage, and the period between the publication of the election results and the announcement of the appointments as the second stage. During both stages, there is a specific group of people performing an examination, and at both stages the community is encouraged, begged even, to participate in identifying problems with the vote.  Remembering that the ultimate goal of the process is to appoint new Arbitrators, the second phase (where Jimbo is doing due dilligence and quietly ensuring that none of the top candidates have skeletons in their closets that would make them unacceptable appointments) is just as important as the first (where the scrutineers check that the election results are valid).  To imply that the community is not a key part of the scrutineering process in both phases is both incorrect and, I expect, not what you mean to suggest.
 * 27 million ballots were cast in the last British general election. 9 million US$1 bills fills (when tightly packed) a volume the size of a medium-sized car ; IIRC the ballot paper was closer to A4 in size, so multiply that by around 4, and you conclude that the ballots from one election take up a volume of at least 140 cubic metres, which is just over four standard shipping containers.  And weighs 97 tons .  How many elections-worth of paper is it feasible to keep? One, sure, two, maybe.  Here we're talking about keeping ballots in perpetuity; it doesn't take anything more than mathematics to realise that that simply isn't realistic, let alone economical.  Now, that's a side-issue, because you could quite correctly point out WP:NOTPAPER; indeed that's the exact argument I would use.  These votes haven't created a hundred tons of paper to store, they take up maybe a megabyte in a cluster that stores 4TB of data.  From a logistical perspective, it doesn't even register.  The only reason to delete it would be to give a greater sense of finality to the process.
 * I agree fully with David that a formal process for contesting an election after its winners have been seated is far more trouble than it's worth given the world of pain that would result. If in six months time we identify two hundred sock ballots, discard them and retally, and find a new set of winners, there is no way to proceed that avoids the firestorm that arises from trying to reverse-engineer a solution that satisfies as many people as possible.  Deciding what 'the honourable thing' actually is depends on the nature of the error, the nature of the candidates, how they have performed during their time in office, how much time they have remaining. That's not an action taken on the basis of the election results, that's a whole new world of pain that has precious little to recommend it.  That's why I'm not aware of any real world electoral process that permits challenges after the winning candidates have been seated.  Challenges galore, yes, and often they delay the seating of the winner for weeks or months, but you're right: a line has to be drawn somewhere, a point at which the election is deemed 'over', and everyone, winners and losers, have to move on and find new ways to pick at each other.  That line doesn't prevent people from 'doing the honourable thing', of course not.  But it separates that recourse from the formal challenge process, because leaving that looming over the winners' heads for the duration of their time in office, is simply unviable.  Happy ‑ melon  21:23, 26 December 2009 (UTC)
 * Just remember, while we're comparing it to real-world elections (I honestly had no idea they kept ballots), those ballots are completely anonymous, whereas ours aren't. ~ DC (Talk&#124;Edits) 06:39, 27 December 2009 (UTC)


 * In the UK, ballot papers are stored for a period of one year and one day after which they may be destroyed. And, yes, every single ballot can be traced back to the individual voter that cast it. They are not "anonymous". (Of course, in other elections conducted by secret ballot - e.g. in clubs and societies -neither of these may be necessary since voter fraud may be impossible or not a concern or because challenges at a date after the count may be unlikely or pointless.) This is all quite normal - and the same in every other jurisdiction I can think of - since the important point is that "secrecy" is not a principle of conducting a good election but a pragmatic means to ensure the freedom to vote according to one's conscience should the risk of coercion exists. Once that principle is safe, there is no pragmatic reason to maintain the veil of "secrecy" - and indeed there may be pragmatic reasons to remove it. Maintaing "secrecy" unnecessarily can adversely effect a genuine principle of running a good election: openness.
 * "...I'm not aware of any real world electoral process that permits challenges after the winning candidates have been seated." In elections for governments, it's called a Supreme Court. In clubs and societies (more applicable to us), the process is dictated by the club's/society's constitution or the mood of the club's/society's membership. In either case, it means the same thing: the community decides what to do (maybe nothing) according to it's own rules. In our case that likely be a consensus decision should the event arise. More important is not to make a mistake to begin with - or if one is discovered later, to handle it honestly and appropriately and to make sure it doesn't happen again (changing process if necessary).
 * "During both stages, there is a specific group of people performing an examination, and at both stages the community is encouraged, begged even, to participate in identifying problems with the vote." Well it's good to hear we are closer in our thinking - but do you accept that the official process failed this time around? (The consequence of failure on this occasion was not serious but it did fail.) I would make it a three-stage process, bringing the community officially into it and equipping the community with the data it needs to conduct its part fully (bearing in mind that the community's part is to both scrutinise the count and to satisfy itself that it is correct). This need not infringe on maintaining the "secrecy" of the ballot. The limited data available to the community this time around - while evidently necessary since it allowed the community the identify a trivial error that had evaded the scrutineers and election admins - is not sufficient going forward IMHO. The community could spot the error this time around. What error will the community miss next time owing to the insistence on keeping the community as much in the dark as possible? --rannṗáirtí anaiṫnid (coṁrá) 20:13, 27 December 2009 (UTC)


 * A Supreme Court is not part of an electoral process; it is the court of last resort for any and all disputes occuring within that jurisdiction. Resolving an electoral dispute via such a court is merely asking for a binding resolution on the "what is the honourable thing to do?" question.  This whole issue is very tangential; as you say yourself, such an eventuality would be handled (here or elsewhere) on a case-by-case basis, not by a formal and premeditated process.
 * It's rather counterproductive to describe the scrutineers and Jimbo as the "official" process, implying that the community's involvement is somehow 'off the books'; as I say (and you, I believe, agree) the community is an essential component in the scrutineering process; their involvement is every bit as "official" as the stewards' was. There certainly was a failure on the part of the scrutineers, although I refuse to get into 'assigning blame' for it.  However, remembering once again that the ultimate goal of the process is to produce new Arbitrators, not just to hold and tally an election, I don't see errors of this type as dangerous to that goal, provided that all parties are proactive in their role in the scrutineering process.  I don't agree that the data that's available to the community is particularly "limited". It's certainly totally crappily presented, and a proper API interface is high up the list of things that need to be done to SecurePoll. But what more actual data do you think would be helpful?  That's not "what more raw data could conceivably be provided?", but "what raw data will people from the community actually take the time to use to scrutinise the vote?"  Happy ‑ melon  21:32, 27 December 2009 (UTC)


 * I agree with most of the above. Save:
 * I don't see what's counter-productive about describing the scrutineers' and Jimbo's role as the "official" process. Not least because I don't see where the community was actively invited to participate in the process or what "official" role the community had. It struck me more that the community was placed in a 'wait-and-we'll-tell-you-then-Jimbo-will-make-it-official' role. In fact, looking at the means to select scrutineers, it seems to me that every effort was made to keep the role of performing scrutiny as far away from the community as possible.
 * I agree, there is no point to assigning "blame". Humans err. We learn from our mistakes. It's no big deal. Harping on about process is not the point, I agree, process is not an end - but it is a means to an end. (Is this page not about requesting feedback on the process though?)
 * WRT what data should be available, there's not really a whole lot of scrutiny to do with election data. There's not to many questions beyond asking are all the votes counted and are all the votes counted correctly. Currently the community can see if all the votes were counted. What the community cannot see is if all the votes were counted correctly. There's a number of ways to achieve this. We could, for example, replace the current voter list with a alphabetised voter list (one entry only per voter, no date information) and published an anonymized list of ballots (i.e. minus check user type data and user names replaced with a number unique per voter). I also think each voter should be able to identify if their vote was recorded correctly. Better too IMHO, like I suggested above, if this data is given in a spreadsheet-friendly format. (In addition to the current scrutiny process - which I think should be opened to en.wiki check users ... but that's just my opinion.)
 * BTW we've gone off-topic for this section - which was about the how long data should be stored before it was deleted. --rannṗáirtí anaiṫnid (coṁrá) 22:43, 27 December 2009 (UTC)
 * I had hoped I'd made the role of the community sufficiently clear in this statement. I think it was considered important that the final judgement as to whether a vote should be struck or not should be from outside parties; I don't have a particularly strong opinion on whether that's necessary or worked out overall. But there's a distinction between being involved with the scrutineering process, which everyone was, and having to make the final decision on each particular situation, which the scrutineers themselves had to do.
 * It's highly unlikely that the software would be able to record a vote correctly, but then add them up incorrectly; if the tally is going to be different to how voters voted, then any list of votes is likely to be also wrong. The software's arithmetic was flawless this time around, and it happily publicised details of how it was going to work for a fortnight; the problem was that no one noticed that what it was going to add up wasn't what we wanted it to add up :D.  A list of votes and the final tally are essentially certain to agree, because they come from the same underlying data.  Checking whether that data agrees with the way people actually intended to vote is much more important; hence voter receipts and ballot memory will have a much greater positive impact, IMO.  An anonymised list of votes might be worthwhile in their own right for statistical purposes, and I'm not adverse to making that available, but I don't think it would help scrutineering particularly; unless we discover a PHP bug whereby 1+1!=2.
 * It's true that this has wandered a bit, but IMO the original question (whether the votes should be deleted) needs to be addressed in a full RfC rather than anywhere else. We're planning a new RfC to address the social issues raised from this election, probably mid-January.  So I don't feel particularly guilty about the thread drift :D  Happy ‑ melon  23:57, 27 December 2009 (UTC)


 * My apologies, I didn't see that post. The community was indeed invited to scrutinise the voter list.
 * RE: "...the final judgement as to whether a vote should be struck or not should be from outside parties..." That's a good procedure, I agree. Decisions do need to be made cleanly and impartially and there is a difference between scrutinising and making decisions based on scrutiny.
 * "A list of votes and the final tally are essentially certain to agree ... unless we discover a PHP bug whereby 1+1!=2." Stranger things have happened ... like the software not recognising that a ballot was a 'change-of-vote' if the user cast it on a different server ;-) If it doesn't hurt to show it then I'd say let it out. At a very minimum people will feel better for being able to see it ... and who knows, maybe it will allow an error to be caught. --rannṗáirtí anaiṫnid (coṁrá) 00:45, 28 December 2009 (UTC)