Wikipedia talk:Requests for comment/ArbCom secret ballot

General comments

 * Voting guides and individual pages with an users comments on candidates will still exist. And the same or similar process for Q&A. What I want to eliminate is inflammatory comment on the page. So ample opportunity for the Community to exchange thoughts with the nom, and exchange opinions with each other about a candidate.
 * The difference is that private voting page will help people vote more freely without people worrying about other people/s reacting to their vote. FloNight&#9829;&#9829;&#9829; 01:14, 29 July 2009 (UTC)

Verifying results?

 * As I understand it, some kind of checking is done on the results in WMF elections. Given that socking and stacking were also concerns, is it proposed the raw results be used regardless, or is some checking going to be needed here too? If so, what kind? FT2 (Talk 01:08, 29 July 2009 (UTC)
 * That's actually an interesting question. The Board vote has a small committee tasked with overseeing the election results as they roll in to spot irregularities while the vote is in progress; I would expect we could use much the same method ourselves &mdash; but I'd be interested to know exactly how much suspicious activity the boardvote committee actually gets and manages.  &mdash; Coren (talk) 01:17, 29 July 2009 (UTC)
 * During the current OS and CU election, some votes made by ineligible voters have been struck. So, we need to have something in place to monitor for ineligible voters. FloNight&#9829;&#9829;&#9829; 01:22, 29 July 2009 (UTC)
 * Actually, the voting extensions understand suffrage, and can validate it automatically. &mdash; Coren (talk) 01:25, 29 July 2009 (UTC)
 * Ok. So the only issue would be mature sock accounts voting. This is tough to stop, anyway. FloNight&#9829;&#9829;&#9829; 01:28, 29 July 2009 (UTC)
 * Right, I don't think secret ballot make them any easier or harder to spot, so they're always going to be an uncontrollable variable. &mdash; Coren (talk) 01:31, 29 July 2009 (UTC)


 * SecurePoll provides tools similar to Checkuser for identifying abusive behavior. LiCom rejected ~40 votes (out of 18000) for sockpuppetry and covert manipulation. An additional ~1000 votes were rejected as overvotes when someone voted multiple times from one or more linked accounts (e.g. Coren@enwiki, Coren@dewiki, and Coren@huwiki all tried to vote independently even though technical evidence showed they are unambiguously one person). Some of those overvotes were probably an attempt at vote stacking, though others may simply have been people who didn't understand it was one vote per person and not one vote per account. Overall, the tools seemed to work relatively well, and manipulations did not seem to be a big problem in that poll. Of course, the software also required you have 50 edits on the account at least 6 weeks before the poll opened, so that probably helped. The ArbCom election won't have the issue of cross-wiki visitations, but on the other hand ArbCom elections are probably a more contentious issue than the licensing update, and so one might have more people try to manipulate things here. Dragons flight (talk) 01:41, 29 July 2009 (UTC)
 * Ah, thank you. That's actually valuable information.  How similar are the tools?  I.e.: does it allow matching IPs with actual account names?  If that's the case, that means that any group tasked with overseeing the election need to do so under the privacy policy (which means that, in practice, only oversighters and checkusers on enwp).  &mdash; Coren (talk) 01:45, 29 July 2009 (UTC)
 * Yes, IPs can be matched to account names, and yes the people doing that work are bound by the privacy policy and must be identified to the Foundation. A limitation is that the check is based only on the information garnered from votes, and does not have access to the larger database of recent changes data.  But yes, it is a CU-like right, and would require a similar level of trust (whether one uses existing Checkusers or appoints people specifically for this task).  None of us appointed by the WMF to do this work during the licensing vote were enwiki Checkusers.  Dragons flight (talk) 02:04, 29 July 2009 (UTC)


 * Coren: the question of system integrity, checks and balances etc. needs better introduction on the RFC page. Current public voting at least assures that no vote cast is lost. Struck out, sometimes, but not lost. Why should I trust some black box that does not provide this basic safeguard? NVO (talk) 18:57, 29 July 2009 (UTC)


 * SecurePoll provides a public list of every voter (e.g. ) though I doubt if many people have known how to find it. Dragons flight (talk) 20:06, 29 July 2009 (UTC)
 * Link doesn't work - says admins only. NVO (talk) 08:10, 30 July 2009 (UTC)
 * That link, which goes to the voter list, should work for everyone. On the page are links to "Details" which contain restricted information for admins only.  Can you see the voter list?  Dragons flight (talk) 09:21, 30 July 2009 (UTC)
 * List - yes. Question is, can User:Notsysop check his own record? And if all data is open to admins (is it?) then what's the point of locking it away from unwashed peasants? NVO (talk) 16:45, 31 July 2009 (UTC)

A logical existent group for this task is the Audit Committee, which already has a role of oversight and is composed of users with CU and OS permissions. Participants in the election should recuse. You'd need to enlarge it, but on the long term, it's not a problem. Cenarium (talk) 20:09, 29 July 2009 (UTC)


 * One thing that must be avoided is the voting trend becoming known while the election is still running. We had an incident one year during a Foundation election where the results halfway through became known, and extra votes were requested for a candidate who wasn't doing well. The Foundation put measures in place to prevent that happening again, I believe, though I don't know what they are. I'd suggest no one associated with the ArbCom be involved in this, which would rule out the Audit Committee. We could perhaps ask some stewards from other wikis to help out. SlimVirgin  talk| contribs 20:15, 29 July 2009 (UTC)
 * Or we could make the audit committee entirely independent of ArbCom, or arbs in the audit committee would have to recuse from this task. Even if this were assigned to independent stewards, they may not have all the necessary information to interpret the data, so they may have requests for information (it may even require CU information), and those could be directed to the Audit Committee. Cenarium (talk) 21:22, 29 July 2009 (UTC)
 * Or this could be jointly, with the Audit Committee and a few independent stewards. Cenarium (talk) 21:32, 29 July 2009 (UTC)


 * It's what happens during the election that is the key. We have to make sure that no one has access to the results who can be seen to have a personal interest in them. That would include anyone associated with the ArbCom, or with any of the candidates, so the safest thing would be to have non-en stewards oversee things. Any interpretation of results once the election is closed is less sensitive, because they can't affect the voting patterns. SlimVirgin  talk| contribs 01:18, 30 July 2009 (UTC)
 * I agree completely that during the voting phase, only independent stewards should have access (though they may still have requests for information to the Audit Committee), but after the voting phase, results could be reviewed in consultation with non-recused members of the Audit Committee, and possibly other appointed users. Cenarium (talk) 01:50, 30 July 2009 (UTC)
 * Someone "associated" with ArbCom has been involved with every previous election I'm aware of without incident or even complaint.--Tznkai (talk) 02:04, 30 July 2009 (UTC)
 * Involved in what way, Tznkai? SlimVirgin  talk| contribs 02:57, 30 July 2009 (UTC)
 * The most immediate example I can think of is that I acted as an election clerk last election as did AGK, both of us ArbCom clerks. Checkusers are sometimes requested to make checks, and are monitored by the Arbitration Committee or occasionally are asked to do checks. Many arbs, former arbs, and related persons vote.--Tznkai (talk) 08:23, 30 July 2009 (UTC)
 * Under the current regime, no one has access to vote tallies until the vote closes and the vote reviewers have finished striking any sockpuppet votes. If things stay they way they are, your concern is basically a moot point because even the people running the vote would have no idea how it is going till the end.  As an alternative, TenOfAllTrades has called for giving everyone an ongoing tally of the vote.  There are pros and cons to that (prevents people from spending time reviewing lost causes, but also increases the possibility of manipulation).  I think either of these positions is perfectly defensible.  However, I don't see any reason why one would change the software to allow reviewers (and only reviewers) to have a special running tally of how things were going.  So, I think the question of overseers leaking information that would alter the direction of the vote is entirely avoidable. There is no reason to give them special access to running tallies to begin with.  Dragons flight (talk) 02:06, 30 July 2009 (UTC)


 * Okay, thanks. I do know that it used to be the case that certain people could see the running tally, and one year someone tried to change its direction by requesting more votes for someone. That's the kind of thing we need to avoid, for obvious reasons. SlimVirgin  talk| contribs 02:57, 30 July 2009 (UTC)


 * Imo, if anything, a vote in two rounds would be preferable to publicly reveal tallies during the election (as users could be influenced by the trends). The first round could only consist of endorsements, and users who didn't reach an arbitrary number would be removed, or of a support/oppose system, with a minimal number of votes and a minimal number of net supports. Cenarium (talk) 03:49, 30 July 2009 (UTC)


 * From what I have seen, the stewards hate being in a role other than flicking switches in an uncontroversial manner. I have suggested the de.wiki arbs or the meta crats are similarly uninterested parties who might be more willing to take on a subjective role.  MBisanz  talk 02:06, 30 July 2009 (UTC)


 * I'd support the de.wiki arbs overseeing it. SlimVirgin  talk| contribs 02:57, 30 July 2009 (UTC)


 * They may still need additional information, for example when they suspect a sockpuppetry case but can't confirm it, and their results should also be transmitted to a responsible body for possible action. Cenarium (talk) 03:49, 30 July 2009 (UTC)

Voting method?
I originally intended to not broach on the actual vote system, given that this is arguably orthogonal to the choice to move to a secret ballot, but Irbisgreif makes a good argument that some may feel unconfortable to move to a secret ballot unless a well-defined methodology is also picked. Should this be the object of a simultaneous RfC or just another point in this one? &mdash; Coren (talk) 01:39, 29 July 2009 (UTC)


 * It needs to be done at the same time, but I don't know for sure if it should be separated or not. On one hand, it's intimately related to this RfC and the point is meant to emphasize that the method needs to be picked at the same time, which should alleviate any manipulation concerns. However, it /is/ a different idea, and the method might need much more debating than the secrecy. Irbisgreif (talk) 01:46, 29 July 2009 (UTC)
 * Actually, while writing that, I realized that it does need to be here. The secrecy is part of the method, and the two are inexorably linked. Irbisgreif (talk) 01:46, 29 July 2009 (UTC)


 * Well, if you edit your statement to actually propose that we move to Schulze, my endorsement will still stand. &mdash; Coren (talk) 01:55, 29 July 2009 (UTC)


 * Ah, I had said that, but in a way that's probably too roundabout. I've edited it to reflect this. Irbisgreif (talk) 01:59, 29 July 2009 (UTC
 * I may support the shulze method when I understand it, and someone can write a "Shulze method for dummies." --Tznkai (talk) 02:05, 29 July 2009 (UTC)
 * It's quite easy for the voter, everybody gets a list of candidates and then gets to rank them in the order they prefer them. From this, a mathematical method determines who has the greatest amount of support. I'm afraid I can't think of a simple way to explain the math on it. Irbisgreif (talk) 02:12, 29 July 2009 (UTC)
 * It's actually fairly mathematically opaque, but the nutshell of it is: it picks the set of top candidates who have the general support from the most people (i.e. it would prefer a candidate that is second preference to everyone rather than one who is the first preference of some and last of some). It guarantees a number of desirable features, such that every vote counts, every vote for a candidate actually favors that candidate, tactical voting is worthless, and so on.  The list at Schulze method is actually more informative than the math preceding it; looking at the satisfied criteria themselves should give you an idea why I'd favor it.  &mdash; Coren (talk) 02:15, 29 July 2009 (UTC)
 * I could probably understand this given a couple hours, but only because I'm a total nerd - my concern is that any sort of vote is best served when the electorate can intuit the impact of their own vote and more or less understand the system behind it. Obscurity by transparency is not transparency at all.--Tznkai (talk) 02:20, 29 July 2009 (UTC)
 * What we need is someone who is familiar with the system to write a good primer for it for people who want to know the basics without delving in the specific math. I'm going to venture the guess that there already is such a beast around on the 'net, but I'm about to go to bed.  I'll look for one tomorrow.  &mdash; Coren (talk) 02:22, 29 July 2009 (UTC)
 * I understand the system fairly well, which is why I do not support the use of the Schulze system for anything other than a single position to be filled; in fact, I don't like it being used for the WMF Board now that we're using it for 3 positions. Preference is not particularly relevant when multiple candidates are being elected. I would prefer a straight support/oppose/neutral option for each candidate. Risker (talk) 17:10, 31 July 2009 (UTC)
 * Interestingly, I support the use of that system for the same reason you do not: the (in)ability for strong direct opposition that has more weight presently than direct support. It seems perverse to me that someone who is deemed acceptable (even if not ideal) by a vast majority of voters would be sunk by a small group of opposers &mdash; with the result that a candidate which is much less favored by the majority ends up overtaking the generally more favored ones.  &mdash; Coren (talk) 17:50, 31 July 2009 (UTC)
 * The problem I see with Schulze when there are large numbers of candidates is pretty clearly stated by Dragons flight below. That is, unranked candidates are all assumed to be worse than ranked candidates: a decision not to rank a candidate is effectively an oppose vote.  With more than thirty candidates in last year's ArbCom election – and no reason to expect that pool to get smaller this year – it strikes me as unlikely that all voters will have the time or inclination to review and rank all of the candidates.  Human nature being what it is, this is apt to result in a significant, unintended penalty to the candidates with names in the bottom half of the alphabet.  TenOfAllTrades(talk) 20:57, 31 July 2009 (UTC)

(undent) It would actually be trivial to change the input so that unranked candidates are placed exactly at midpoint. The ranking of "not ranked" candidates isn't a feature of Schulze &mdash; that simply presumes that there is a preference ordering &mdash; but a convention. &mdash; Coren (talk) 21:36, 31 July 2009 (UTC)


 * The Schulze method is explicitly intended for single-winner preferential voting. (First sentence of our article: "The Schulze method is a voting system developed in 1997 by Markus Schulze that selects a single winner using votes that express preferences." - emphasis mine) and I really do not think it is suitable for multi-winner voting, particularly when we are talking about anywhere from 5 to 15 seats being elected. I cannot think of a system that provides for what people think they are looking for here. Risker (talk) 21:48, 31 July 2009 (UTC)
 * Schulze STV. Modifications to it allow for multiple winners.Irbisgreif (talk) 21:56, 31 July 2009 (UTC)
 * (e/c) Actually, with STV, it works fine with multiple winners. I believe that's what SecureVote implements out of the box as well.  &mdash; Coren (talk)
 * More to the point, though, the best thing we can do is use it in an election before we adopt it and look at what the numbers did. &mdash; Coren (talk) 22:06, 31 July 2009 (UTC)
 * It's intended as a party-based system for proportional representation, not for selecting multiple winners of standalone "tickets", if you will. It is also untested in any real scenario; if this is what the WMF Board vote is, then I am even more concerned. I want to be able to say absolutely no to certain candidates, and to simply have no opinion at all about some of them (thus neither positively or negatively affecting their standing), and to be able to provide equal support to others. This system absolutely does not permit that.  Risker (talk) 23:00, 31 July 2009 (UTC)
 * The documentation in the software refers to and .  I assume that this is what was implemented for the WMF Trustee vote, though I haven't checked the implementation to verify that.  Dragons flight (talk) 23:38, 31 July 2009 (UTC)

Human monitoring
I've encouraged Jimbo to use a group of people to certify the election with his role becoming mostly ceremonial. He is considering several options now. ArbCom is discussing options, too. Soon I anticipate ArbCom recommending some firm changes, either as individuals or as a Committee. FloNight&#9829;&#9829;&#9829; 02:00, 29 July 2009 (UTC)
 * I think you have a tense problem up there, but I think this is an excellent way forward - perhaps Jimbo can serve as the head of the canvassing board equivalent? That seems a good legacy position for him to appoint a successor to when he wants to.--Tznkai (talk) 02:02, 29 July 2009 (UTC)
 * That was my recommendation to Jimbo initially. We now are talking about how many people to have doing the verifying. And how to include some checkusers in the process to clear noms and voters. He has some ideas, too, as he said recently on site. FloNight&#9829;&#9829;&#9829; 02:08, 29 July 2009 (UTC)
 * The problem of course being that a non trivial amount of checkusers are going to be running and or closely associated with those who do.--Tznkai (talk) 02:18, 29 July 2009 (UTC)

Perhaps it should be made clear that anyone who is selected to review the votes is allowed ONLY to review who voted, and not how they voted. Irbisgreif (talk) 02:21, 29 July 2009 (UTC)
 * I'm willing to bet that's already a feature of the securevote extension. It'd be stunning otherwise, but it bears verifying.  &mdash; Coren (talk) 02:23, 29 July 2009 (UTC)


 * Coren is right, SecurePoll Reviewers do not see what vote was cast, only who cast it. Dragons flight (talk) 02:28, 29 July 2009 (UTC)
 * Is there a way for reviewers to see a record of all votes with the voter's identity scrubbed or hashed?--Tznkai (talk) 02:32, 29 July 2009 (UTC)


 * What exactly do you mean? Dragons flight (talk) 02:35, 29 July 2009 (UTC)
 * The real equivalent would be I show up to a voting station, have a ballot with my name on it, and a numerical value based on my name, address, and other identity details. When I vote, I tear off the section with my name, but not the numerical value. Later, a human can verify votes by taking all the paper ballots, and verifying each numerical value shows up only once, making sure the votes match tabulated values, and a unique value to track everything by. The master list of voter to value is obscured. Now that I type this out, I'm not convinced its necessary, but it'd just be part of the over the shoulder watching of the computer. (Another variation is obscuring the numerical value from everyone not the voter, who can later verify their vote went as planned)--Tznkai (talk) 02:46, 29 July 2009 (UTC)
 * Ah. Securevote does give you a cryptographical receipt when you vote, which you can then verify once the results are published.  I haven't looked into how it's been implemented in this specific case, but as a rule the basic principle is that your "receipt" is a signed encryption key (so that it can be authenticated as valid) that allows you to look your vote up in the final tallies (which cannot be otherwise read).  The idea is that everyone can then independently check that their vote was, in fact, tallied (or give their ticked for someone else to check).  Anyone can also add the actual votes up to see that the results are correct (but cannot know who voted without their reciept).  &mdash; Coren (talk) 19:00, 29 July 2009 (UTC)
 * Cenarium suggests using AUSC as the oversight, and while that subcommittee seems well situated, its fairly small and half of them are arbitrators. We usually have an unofficial team of clerks/monitors for the election anyway, my suggestion would be a team chaired by Jimbo, pulled primarily from OS, CU, AUSC, then AC clerks and other volunteers. Since secure voting solutions will require identification for at least part of the monitoring, the first three groups are well suited. I want to stress I do not wish to minimize the hard work done by others outside of the bureaucracy such as the bot operators, but I think having an "official" group might be useful here. --Tznkai (talk) 22:47, 29 July 2009 (UTC)

Comment on Ten of All Trade's statement
While I disagree with the (implied) conclusion to skip the secret ballot, I pretty much endorse everything else said, especially the keeping things in perspective part.--Tznkai (talk) 02:36, 29 July 2009 (UTC)


 * Personally, I think that everything ToA said is factually correct, but misses the point. Running tallies are an argument against visible votes: they are satisfying to our natural voyeuristic tendencies and our desires for instant gratification, but they are the basis of most tactical voting.  To wit: during the past elections, voter blocs who wanted to support a particular candidate specifically switched votes during the election to vote against candidates whom they also supported to alter the result order.  This means that candidates who, in fact, held wider approval fell behind as a strategic move.  &mdash; Coren (talk) 10:17, 29 July 2009 (UTC)
 * Exactly. Not to mention the difficulties in getting a 'tally' going with the method being discussed above. It's quite sensible here to ensure less tactical voting, not more. Irbisgreif (talk) 12:35, 29 July 2009 (UTC)
 * I'm not sure you're actually going to prevent – or even discourage – tactical voting by hiding the tallies. Perversely, what may happen is the generation of a more tortured outcome as voters – or voter blocs, if such things actually exist on Wikipedia – adopt more polarized voting strategies to compensate for their lack of information.  In the absence of a running tally, staunch supporters of borderline candidates will eventually realize that the single most effective way to advance their preferred candidate is to approve only that candidate, and explicitly oppose all the other candidates.  We lose out on any hope of them honestly evaluating anyone else.  'Tactical' or 'strategic' voting happens all the time in real-world, secret-ballot elections; it would be foolish of us to assume that hiding the votes and tallies would suppress it here.
 * One more point &mdash; we do need to be cautious in drawing parallels with real-world elections. In the real world, we have access to all kinds of information that is unavailable on-wiki.  We don't have tracking polls, we don't have party affiliations, we don't have extensive campaign literature.  The only feedback we have right now on how a candidate will fare in the election is the running tally in the election period itself.  The average Wikipedia editor, a person not deeply steeped in the politics of this place, but simply interested in participating in the process of electing the ArbCom, has no ready way to separate wheat from chaff among the candidates.  Living in a university town, the last federal election I saw included something like eleven candidates, but I knew I could safely ignore all but three to generate a deeply-informed decision.  Without tallies, we don't offer any similar signpost to our editors.  TenOfAllTrades(talk) 14:12, 29 July 2009 (UTC)
 * Consider reading up on the Shultze method, it's notoriously difficult to manipulate it for tactial voting purposes. Moreover, it should be considered that this 'lacking' information is a good thing. It would be far better to look through each person's edit history and comments and form an opinion about every one, without regards to popularity, than it would be for the election to turn into a 'top three'-fest. Irbisgreif (talk) 14:41, 29 July 2009 (UTC)
 * That would be ideal – checking through every candidate's full history and interacting with each one – but it's also not going to happen. Let's say that a cursory glance through a candidate's statement, response to questions, user talk page history, recent contributions, and perhaps asking a single question takes up a total of fifteen minutes.  There were 34 candidates in the last election.  That's more than eight hours of checking.  While a few policy wonks (bless them!) can afford to divert that much of their Wikipedia time to the election, most of us can't.  Moreover, it's reinventing the wheel.  If, after the first day or two, 70% of my colleagues (likely including, a high percentage of those obsessive policy wonk types) have established to their satisfaction that a particular candidate is unsuitable for ArbCom, there's precious little point to me repeating their evaluation.
 * If we assume that I did have eight hours to spend on the election, wouldn't it be better to devote that time to carefully weighing the candidates who have a ghost of a chance? Throwing out the 11 names with less than 30% support and the 6 individuals who withdrew during the race, we cut the candidate list in half.  That leaves me with a full half hour to consider each candidate; I can much more carefully weigh the pros and cons of each credible contender.  Our current process lacks any other winnowing scheme, and I am loathe to give this one up absent a replacement. TenOfAllTrades(talk) 15:08, 29 July 2009 (UTC)
 * We shouldn't structure the system for people not willing to do the work of learning who the candidates are. Irbisgreif (talk) 15:13, 29 July 2009 (UTC)
 * We should structure the system so as to not penalize good-faith voters who have more useful and productive things to do than to review hopeless candidates. That means screening them at some stage; I don't really care where it happens.  Either we need a higher bar for nominees, or a two-ballot process that drops the poorly-performing candidates, or a running tally, or some other suggestion.  I'm open to ideas, but so far I haven't heard any.  TenOfAllTrades(talk) 15:42, 29 July 2009 (UTC)


 * You're welcome to only evaluate a couple and rank them; the Schulze method actually does exactly the right thing in this case. All it means is that you will not materially affect the chances of the others, but will favor those you have ranked. The alternative you mention simply front-loads the election by giving the first couple of dozen voters disproportionate influence over the vote &mdash; regardless of whether they actually did evaluate the candidates or not.  &mdash; Coren (talk) 15:31, 29 July 2009 (UTC)


 * No, the Schulze method does not do exactly the right thing in that case. It assumes that the voter prefers all of the ranked candidates to any unranked ones.  If I evaluate and rank just a couple of the candidates, it penalizes all the other unranked individuals. TenOfAllTrades(talk) 15:42, 29 July 2009 (UTC)
 * Which is exactly what not voting would have done. I fail to see the difference.  &mdash; Coren (talk) 15:56, 29 July 2009 (UTC)
 * There's a subtle but important distinction there. By not voting, I have no effect on the final ordering of the candidates.  By voting on an incomplete slate, I bias the election in favour of all the candidates whom I ranked, while penalizing all those whom I did not rank.  Schulze assumes that I strictly prefer all the candidates whom I did rank to those I did not.  That assumption is not valid if I left a candidate unranked because I ran out of time and not because I disliked the candidate.  (In principle I could try to work around that by giving all of the unevaluated candidates a middle ranking between the 'good' and the 'bad' candidates I evaluated, but that's a sloppy hack and it requires a rather deeper understanding of the system than we should require of our voters.)  TenOfAllTrades(talk) 16:13, 29 July 2009 (UTC)
 * I will reiterate that we should not design a voting system for something as important as ArbCom with a way to 'ignore' a bunch of candidates. If someone gets proposed and questioned (&c.) and makes it to the ballot, then people should either rate them, or leave them to 'suffer' from the unrating. There shouldn't be a weeding out between nominations and elections, because that strikes me as defeating the purpose of an election. (Don't get me started on primaries). Irbisgreif (talk) 17:40, 29 July 2009 (UTC)
 * The problem is that there's no way to keep even obviously unqualified candidates off the ballot. I don't mind using my time to investigate legitimate candidates, but I very much resent wasting time reviewing lost causes.  'Weeding out' always happens somewhere in the process &mdash; not all the candidates will end up on ArbCom.  The 'purpose' of this election is to select the most qualified candidates to be members of the ArbCom.  I feel that some sort of opportunity for screening allows voters to focus their limited, valuable time and attention on deciding among the genuinely viable candidates and thereby generate a better result.  I believe that a lack of feedback during the process will require the responsible voter to spend more time than is reasonable (re)evaluating candidates.  Obviously, you disagree with that philosophy; that's your right. TenOfAllTrades(talk) 18:26, 29 July 2009 (UTC)
 * Then perhaps the nomination process should be modified, but as that's a different process, I'd suggest a separate RFC. Irbisgreif (talk) 19:09, 29 July 2009 (UTC)


 * Schulze gives your lowest ranked option more support than any of your unranked options. In our current system of Support/Oppose polling, a choice not to vote is effectively a neutral vote.  In the Schulze system, a decision not to rank a candidate is effectively an oppose vote.  That's an important and perhaps surprising distinction.  It is also a reason why I am somewhat uncomfortable using the Schulze system for an ArbCom election where there are many candidates and most people are unlikely to review them all in detail.  Dragons flight (talk) 19:49, 29 July 2009 (UTC)

2005 changeover question
I note that in the December 2004 elections, the method was by secret ballot via Special:BoardVote and that the January 2006 elections were held publicly on vote pages. Can anyone point me to the old discussion where this change was discussed? This was very long before my time and I suspect a page has become de-linked somewhere and dropped from the institutional memory.  MBisanz  talk 12:53, 29 July 2009 (UTC)
 * Well before my time. Might be on the mailing list somewhere?--Tznkai (talk) 16:01, 29 July 2009 (UTC)


 * You are looking for Wikipedia Signpost/2005-12-19/ArbCom election and the pages linked from there. Dragons flight (talk) 20:19, 29 July 2009 (UTC)


 * Thank you! I thought I was losing my mind. :-)  Clearly a lot has changed since the old days: I can't recall why we would have changed either. Jwrosenzweig (talk) 08:57, 20 August 2009 (UTC)

Just a somewhat egotistical request...
Could those endorsing the Statement by Coren with the "Shultze method should be used" caveat please endorse my statement to select the Shultze method as the voting method please? 1 - It shows consensus feelings for a method, 2 - I kinda would like more than three endorsements, considering as others seem to want the method as well. ;-) Irbisgreif (talk) 16:04, 29 July 2009 (UTC)

Test it?
I know there isn't an election as high profile as ArbCom, but is there another lower stakes election that we can test boardvote, public discussion, and the shulze method on, and see if it produces utterly crazy results?--Tznkai (talk) 18:33, 29 July 2009 (UTC)
 * Not as far as I know, but it might be worthwhile to set a "dummy" election up sooner rather than later with faux candidates. It would be a good dry run, and not break anything.  We'd even be able to publish the actual votes to match it up with the result and compare.  &mdash; Coren (talk) 18:43, 29 July 2009 (UTC)
 * Let's have a vote between Jimbo Wales, George Washington, Abraham Lincoln, and George W. Bush. :-) King of &hearts;   &diams;   &clubs;  &spades; 21:24, 29 July 2009 (UTC)
 * You'd have to throw in someone controversial like Adolf Hitler or Stalin and see how it ran ;) Casliber (talk · contribs) 21:39, 29 July 2009 (UTC)
 * PS: Crap, I see that role is already taken by Bush XD Casliber (talk · contribs) 21:40, 29 July 2009 (UTC)


 * Actually, this isn't such a bad idea. What about trialing it for electing people to the three community member seats of the Audit Subcommittee? There should be fewer candidates, there will definitely be fewer seats, and the fact that it is for a very circumscribed function may reduce the drama level. Risker (talk) 21:51, 29 July 2009 (UTC)
 * I think thats a good choice, and we're due for a vote anyway.--Tznkai (talk) 22:35, 29 July 2009 (UTC)


 * That's a great idea. I'll get the balls rolling for the technical side of things, see what we need to prepare and dig into the technical details.  &mdash; Coren (talk) 22:55, 29 July 2009 (UTC)
 * Well, don't run too terribly fast, the software barely managed to get updated for the WMF Board vote that just started, and it's probably an idea to have the devs verify there were no issues after that vote before we start using it too. I'm thinking late September for the vote, we want to give people time to consider the role, and we have not yet discussed the candidate requirements.  Risker (talk) 00:57, 30 July 2009 (UTC)
 * I thought the arbitrator seats existed only due to the concern that the Audit Committee would otherwise be undeserved. If we have six candidates elected, or more, will they not all serve in the Audit Committee ? There would be no more need for additional arbitrators seats, though a mailing list for communication between the committees should exist (e.g. ). Cenarium (talk) 01:15, 30 July 2009 (UTC)
 * There are only three community seats.here The three arbitrator seats are part of the design, and I think it is working well.  Using a secret ballot for the three community seats is a good idea.  John Vandenberg (chat) 04:59, 31 July 2009 (UTC)
 * In principle, SecurePoll can be run both locally and globally (e.g. for cross-WMF polls), but there haven't been any polls running it locally thus far. I suspect a local mode is what we really want for the things being discussed here. In addition, setting up polls has required very low-level actions by developers. Tim has planned to create an administrative interface that would allow new polls to be created without running SQL statements directly, but I don't think he has gotten to that yet. So, yes, some patience is probably required. However, I think if you outline what you'd like it to do and when you'd hope to see it be available, that the devs will try to be accommodating. Dragons flight (talk) 01:16, 30 July 2009 (UTC)


 * (warm and fuzzy pile-on support for trialling it in AUSC election) just thought I'd add it in :) Casliber (talk · contribs) 03:28, 30 July 2009 (UTC)


 * As a footnote to this discussion, I am about to leave on a long wikibreak. Obviously I've been pretty active on this page, and I am probably the person with the most practical experience with SecurePoll after running the LiCom vote.  So if people want to follow-up at some later point (when you are considering running a poll, for example), feel free to email people for any more feedback you might need.  Dragons flight (talk) 21:40, 3 August 2009 (UTC)

In ru.wiki we do it in parralel - last time results for a was identical (5 users with max YES votes and >66% YES/NO ratio). Year before official result was A B C D E and Shulce D A B E C but it was similar - only order have changed.·Carn !? 21:23, 23 August 2009 (UTC)

What next?
It seems clear that there is consensus to return to secret ballots for the next election, with human supervision, but there is no clear consensus about the actual electoral method to use.

Today, I have had the opportunity to discuss the technical aspects of the issue in person with Tim Starling (who maintains the Secure Poll extension), who assures me that he is both technically ready and willing to assist both in a test election (using the Audit Subcommittee as guinea pigs) and for the next election proper. He also suggested using single transferable vote as the actual election method as appropriate to our objectives.

I propose that we move forward on this matter with a test as discussed above; that we elect the next community members of the Audit subcommittee with a secret ballot and STV, then publish and analyze the results in detail before we make a decision about the ArbCom elections. This will give us an opportunity to "sanity check" the results to see if everyone agree they are as expected, to see if the system works well in practice, and to see if the actual voters agree the system is workable.

It is to be noted that, at this time, setting the vote up requires some developer assistance, but that the objective is to allow the wiki users to set and manage such votes up locally; that test will also serve as a workbench for Tim towards that process. He nonetheless feels comfortable that the voting system itself (as opposed to its setup) is both stable and reliable enough to be used for this (and, indeed, was used with success during the last board elections).

Once I return from Wikimania, I'll get the ball rolling on ArbCom's side since that would be the time where we would begin setting up for electing the subcommittee members anyways. Suggestions and caveats are very welcome. &mdash; Coren (talk) 03:37, 28 August 2009 (UTC)


 * When we discuss the concrete election method then, in my opinion, the first question is: a proportional representation system or a single-winner voting system at large? A Horse called Man 04:55, 28 August 2009 (UTC)


 * Yes, I should be asleep. In fact, I see two question; proportional vs first-past-the-post as one, and preference voting or not.  I think this is why it's important to have hard data we can massage, compare and analyze.  &mdash; Coren (talk) 06:08, 28 August 2009 (UTC)

I think the STV method is fine, and to be preferred to the Schulze Condorcet method used for board voting. Proportional voting is a nonstarter, and STV (or any preference voting) is preferable to a furthest past the post system. Nathan  T 18:28, 1 September 2009 (UTC)

I think selecting the canvassers (or such I will call them) and selecting the method by which we will select canvassers (and so on into infitenitum ad meta) is a good next step. Jimbo and AUSC were originally suggested as potential bodies for this task, but if we're using AUSC as the test subject, that may not work as well. Perhaps any AUSC members who are not standing for reelection?--Tznkai (talk) 04:49, 2 September 2009 (UTC)

Comment on closure: "resoundingly endorsed"
I'm a little worried about the same person opening the request, closing it, but I don't have a whole lot to be disagreeable about with the summary. However, I don't agree that the proposal was "resoundingly endorsed". To begin with we were asked for comment, not to endorse a proposal. "This RFC is to see if there is consensus for the principle of moving to a secret ballot..." - there was not consensus (see stats below). More specifically, as a request for comment, a large minority consistently raised the same concern that is mentioned as being merely "in addition". Addressing that concern, I think, is not simply "in addition" but a crucial element of the idea being truly "resoundingly endorsed" and of achieving genuine consensus (not simply majority view).

A few stats:
 * The ratio of statements (roughly) pro:anti was approx. 1:1
 * The ratio of endorsements for pro:anti statements was 2:1
 * The ratio of editors that endorsed pro:anti statements was 5:2.

So a minority of roughly a third spoke vocally against the idea. That is not a "resounding" endorsement. We are however in a fortunate position in so far that the concerns of those who spoke anti the idea can at least be reconciled with the wishes of the majority. As Coren pointed out, the need for human oversight/transparency was the recurring theme among those who spoke against the idea (myself included). If the majority want to press ahead with a secret ballot then that's cool my me but whatever system is chosen the transparency/oversight issue should be addressed up front as the primary concern of those that are critical of the idea. --rannṗáirtí anaiṫnid (coṁrá) 07:15, 28 August 2009 (UTC)
 * I think it's just that you missed the point that SecretPoll, the technical method, necessarily employs human overseers. In fact, I am aware of no available method for secret polling that does not.  Stating that people who endorsed the "must have human oversight" are not agreeing with secret polling is sorta saying that people who order an ice cream sundae don't want ice cream.  :-)  &mdash; Coren (talk) 17:20, 1 September 2009 (UTC)
 * (Or, put another way, nobody who endorses a return to secret ballots does so under the provisio that it be unsupervised, they just didn't all explicitly state otherwise). &mdash; Coren (talk) 17:24, 1 September 2009 (UTC)
 * To be more numerical, of all the people who have expressed opinions (by statement or endorsement):
 * 75% supported secret ballots explicitly (and 3% didn't care either way)
 * 35% explicitly stated that human oversight was necessary/important (nobody opposed)
 * 16.5% explicitly favored some sort of preference voting system, 3% opposed (the rest expressing no preference)
 * To me, this looks like a clear desire to move to secret ballot provided there is human supervision; but that more data is needed before people can decide whether to move to a preferential voting system (and if so, which). Your rough numbers above failed, I think, to take into account that many people opined on more than one statement.  &mdash; Coren (talk) 18:00, 1 September 2009 (UTC)
 * Your numbers roughly in line with mine. I say 29% were anti, you say 25% (quite the round number). We'll split the difference :) But if there was consensus for anything it was that oversight is a requirement, not that there is a "desire to move to secret ballot". That was the guts of "anti" statements, and a common feature of even those who endorsed "pro" statements.
 * "...this looks like a clear desire to move to secret ballot provided there is human supervision..." Yes. Provided there is human supervision. My concern is that your summary did not state this as a hard requirement but simply "in addition". I'd prefer if it had been put much more up front. --rannṗáirtí anaiṫnid (coṁrá) 18:24, 1 September 2009 (UTC)
 * I didn't think it wasn't clear, but I'm stating so explicitly now just in case. &mdash; Coren (talk) 18:31, 1 September 2009 (UTC)


 * "I think it's just that you missed the point ..." No. I didn't. Please don't begin a reply to any editor like that unless you are really sure that they really have missed the point. Nine time out of ten it will mean that you missed the point.
 * "... SecretPoll ..." Do you mean Special:SecurePoll?
 * "...the technical method, necessarily employs human overseers." Who are these human overseers? How can I, or anyone else, oversee the overseers? How can they verify that the ballots were counted correctly? How can they verify that all ballots were counted? As one commenter put it, "It does not matter who votes, it is important who counts." Do you get the point now?
 * "In fact, I am aware of no available method for secret polling that does not." You can begin by looking here.
 * "Stating that people who endorsed the 'must have human oversight' are not agreeing with secret polling is sorta saying that people who order an ice cream sundae don't want ice cream." No. It's kinda like saying that any method 'must have human oversight'. I feared that in your enthusiasm for the idea may have clouded your judgement about the conclusion of this RFC. Now you're liking the idea to ice-cream. This is why an editor who opens a request for comment should not be the one who closes it.
 * I'll simply restate the final line of what I wrote above, "If the majority want to press ahead with a secret ballot then that's cool my me but whatever system is chosen the transparency/oversight issue should be addressed up front as the primary concern of those that are critical of the idea." --rannṗáirtí anaiṫnid (coṁrá) 18:24, 1 September 2009 (UTC)
 * The difference, I think, lies only in that you count insistence for human oversight as opposition to secret ballots. I'm not sure how you reach that conclusion, but it's quite moot by the fact that SecurePoll (yes, that's what I meant in the first place) implements both, and I don't believe there was any question that any such ballot should be closely watched by humans. Incidentally, I see no secret ballot extension in that list that does not require human supervision.  :-)  &mdash; Coren (talk) 18:31, 1 September 2009 (UTC)
 * "...you count insistence for human oversight as opposition to secret ballots." Is that a straw man I see? Or do you simply not get it? (Edit: aaah, you are referring to "counting" as in the % above - my description of "pro" or "anti" is rough, this was an RFC, not a vote, all the statements are nuanced and cannot genuinely be divided into "pro/anti" or, as you count them, "pro/pro with proviso".)
 * "I see no secret ballot extension in that list that does not require human supervision." Cool. Could you link to one? Just because someone can see the ballots does not mean that everyone can trust what they say the result was. --rannṗáirtí anaiṫnid (coṁrá) 19:22, 1 September 2009 (UTC)
 * "I see no secret ballot extension in that list that does not require human supervision." Cool. Could you link to one? Just because someone can see the ballots does not mean that everyone can trust what they say the result was. --rannṗáirtí anaiṫnid (coṁrá) 19:22, 1 September 2009 (UTC)


 * Your point might have been better made by asking how SecurePoll provides for human oversight, since you don't actually disagree with his conclusion of the RfC (only the apparent weight given to concerns in his summary). I think that is a reasonable question that Coren or anyone familiar with the mechanics of SecurePoll can answer, and I imagine it involves an oversight body (like an election committee) to receive the results. With the Board election, anonymised voting data is typically released so that anyone can compute the election outcome or match counted ballots with their own submitted ballot. Nathan  T 18:34, 1 September 2009 (UTC)
 * That's an actually interesting technical question. SecurePoll provides a number of mechanisms to ensure election fairness:
 * The actual votes are (can be) released at the end, with encrypted voter information. This allows you to see the votes (but not the voters), but allows you to check that your vote is in the list and matches what you voted.
 * Likewise, the released votes allows anyone to tally the results for themselves.
 * During the election, the oversight body (whomever so selected) can check for irregularities like double voting, etc, so they see voters but not the votes, preserving secrecy.
 * The extension source can be examined by anyone so inclined to check that it is both functional and fair.
 * I'm going to guess there are more safeguards in place, but Tim would probably be the best to discuss those in detail. &mdash; Coren (talk) 18:41, 1 September 2009 (UTC)
 * Sounds good, but some questions: Who are the oversight body? Why should I trust them? How do we know that the installed source code has not been altered from the published code? How does the system prevent ballot stuffing (not by the same user but by fabricated users)? If users can check for their vote against the published result, how do they know that it is uniquely their vote that they see (and not the vote of 10 or 20 other people who simply voted the same as them)? How do I know that when I check the result that, while my vote is accurate, the vote of others have not been fabricated to show my vote accurately but the overall result fraudulently?
 * I hope you don't think I am being a dick but sorting these kind of issues out up front and thoroughly will, I think, resolve nearly all of the issues raised and open the doors for a genuine consensus. --rannṗáirtí anaiṫnid (coṁrá) 19:12, 1 September 2009 (UTC)
 * No, those are all legitimate concerns, with a number of answers of varying satisfaction value. In random order:
 * Who would do the oversight has not yet been decided. It's an interesting question, and no instantly obvious answer comes to mind; we probably want to investigate how the team picked for the board election was selected.
 * There is more than one system administrator, and a discrepancy would be noticed &mdash; but even if you allow for a conspiracy of all of them, the total vote disclosure would spoil any malicious code change
 * Because the encryption key you get when you vote verifiably uniquely encodes your identity
 * It's theoretically possible to game that system (self check votes), but made impossible because you cannot know in advance who would check. You have a list of people who voted (so someone who didn't vote who was on the list would notice immediately, so would someone who voted that wasn't); and a complete list of votes anyone can match against their own vote.  Any attempt to defraud the system would be a gamble that nobody who checked had one of the falsified votes&mdash; something that becomes diminishingly improbable as the number of falsified entries increases.
 * Those are all questions that have been asked before; the idea of verifiable electronic secret ballot is not new. I don't think you're being a dick by worrying about this, but I do think you're both overestimating the likelihood of fraud being possible undetected and the stakes involved.  :-)  &mdash; Coren (talk) 23:14, 1 September 2009 (UTC)


 * @Nathan Yes, in essence it's simply a matter of weight (but I think it is a very heavy weight). There are other methods too. Parallels to real-world elections are for tally men to have supervisory access over the counting process (e.g. in our case this may be code-level access to the extension that will be doing the counting and to the DB that stores the ballots during the duration of the poll) or parallel polls that mirror the role that exit polls serve real world elections.
 * This is not a big problem, I think, in the sense that it is a run-of-the-mill problem for all secret ballots (real-world and online) but it is one that needs to be addressed up-front as the major sticking point for those critical of the idea (and many of those even who endorsed it). Before even the electoral method as it is the key issue when moving from an open ballot to a secret ballot.
 * A solution here should IMHO have the potential to be rolled out to other Wikimedia elections too. --rannṗáirtí anaiṫnid (coṁrá) 18:55, 1 September 2009 (UTC)


 * @Coren -
 * "I don't think you're being a dick by worrying about this..." Good. Thanks.
 * "...but I do think you're both overestimating the likelihood of fraud being possible undetected..." If the possibility of fraud is a number greater zero, it is a legitimate concern.
 * "...and the stakes involved." That's nothing uncommon. I remember the contestants of first series of Big Brother on UK TV used to tell to each other, "It's only game show.". At the end of the day, this is only Wikipedia, but if we are going to do this, let's do it right.
 * Talking about fraud prevention, by the very nature of the topic, has an air of paranoia about it. That's unfortunate but it has to be done. None of us know each other and there is no tangible audit trail. The stakes involved in staying with an open ballot are minimal (is there any real suggestion of voter intimidation? it's not even officially binding). Moving to a secret ballot is fine, but it brings up the potential for fraud, let's address that issue up front and thoroughly. It's not an insurmountable problem and it is one that is applicable to other Wikimedia elections.
 * I don't think there's benefit to discussing this any more, right now. I'll download SecrurePoll and take a look through it's code to see what's in there right now. I'll contact Tim (did he develop the extension from start-to-finish?) for more details if I need to. I'll come back with concrete ideas for addressing the "fraud" issue even if these are only at the level of how to ease people's minds.
 * (BTW, do you intend to push for ArbCom elections to follow an actual electoral system and for the results to be actually binding? That would be another issue in itself, surely?) --rannṗáirtí anaiṫnid (coṁrá) 08:31, 2 September 2009 (UTC)

(undent) I think Tim did most if not all of the coding, though I'm sure others have participated. As for the election vs. advisory nature of the election, I think it's pretty clear Jimbo's already heading that way &mdash; or that matter, that's been the case in practice since the first election. I'm sure that having the elections be less open to manipulation is a significant factor that will ease the transition. &mdash; Coren (talk) 10:32, 2 September 2009 (UTC)
 * "...less open to manipulation..." (And not a hint of irony.) Well that's something we both agree on then - just look at it from different angles. I'll get back with something within about a fortnight or so. It might be that I say SecurePoll is all fine IHHO, it might be that I recommend something. --rannṗáirtí anaiṫnid (coṁrá) 10:51, 2 September 2009 (UTC)

Proposal: Secret ballot process
Leading from the above discussion, I have prepared a proposal to provide measures to assure voters against the possibility of fraud when using a secret ballot for Wikipedia elections.

I would welcome comments from editors that contributed here first before advertising the proposal any wider:


 * Secret ballot process

The proposal would involve changes to Special:SecurePoll, if agreed to - but nothing very extensive.

--rannṗáirtí anaiṫnid (coṁrá) 16:40, 20 September 2009 (UTC)

New RfC about secret ballots and Schulze method for ArbCom elections
Here is a new Wikipedia poll about public/secret voting and about the election method used for the upcoming ArbCom elections: Requests for comment/Arbitration Committee 2 -- A Horse called Man 05:13, 1 November 2009 (UTC)