0405 ChainScience Keynote


Can decentralized systems be truly “democratizing” – and how?

Prof. Bryan Ford


Decentralized and Distributed Systems (DEDIS)
Swiss Federal Institute of Technology (EPFL)
dedis.epfl.ch

ChainScience – March 5, 2024


We’re facing hard global problems

Climate change
Exploding inequality
Global problems need global tools

Like decentralized systems … right?


Is our decentralized infrastructure…

Helping us find wise solutions?
In everyone’s collective interest?
The world’s most urgent need for DI
A coherent, secure, inclusive “global town hall”

→ Decisions, action plans that transparently & securely represent everyone’s interests
Talk Roadmap


A need: sane collective decision & action

A vision: representative global deliberation

A medium: liquid democracy or variations

A foundation: proof of personhood

A challenge: voter coercion, astroturfing

A program: decentralized infrastructure for all
Global town hall: requirements
We need a scalable decentralized platform
that gives everyone a voice! ...right?

Like…
UseNet?

(R.I.P.)
What UseNet was (thought to be)
Netizens: On the History and Impact of Usenet
A great historical perspective on how “netizens”
thought UseNet would democratize the world!
Distributed! Decentralized! Democratizing!
Scalable! (huge, deep newsgroup hierarchy)
Delay/disruption tolerant! Everyone has a voice!
But… (oops)
no useful spam control, no effective governance,
no way to identify (real) people for deliberation, …
Whatever happened to UseNet?
It’s still “there” and still “works”! (Try it!)
…but nobody’s really there due to spam overrun

The Post-Usenet world fragmented into tribalism


- Private mailing list tribes (MailMan etc.)
- Online platform tribes (Friendster, Facebook, …)
- Blockchain/Web3 tribes (Bitcoin, Ethereum, …)
- Emerging: AI/LLM tribes (ChatGPT! …)
A few transformative technologies
[Figure: timeline of Democracy, Printing, Electricity, Computing and Internet on a time axis from -1000 to 2000]


Is the Internet “Democratizing”?
1997: Chapter 18, “The Computer as a Democratizer”
2013: “Democracy’s Fourth Wave? Digital Media and the Arab Spring”
Is the Internet “Democratizing”?

2016
Why democracy…and what is it?
Council of Europe, “Democracy”
Key criteria:
– Individual autonomy
– Equality

Robert Dahl, “Democracy & its critics”
Key criteria:
– Effective participation
– Voting equality
– Enlightened understanding
– Control of the agenda
– Inclusiveness
So is the Internet “Democratizing”?
Giving “everyone” a voice & a platform
– Equality?
– Enlightened understanding?
– Effective participation?
Global town hall: requirements
The real requirements for “democratizing” systems

Open to participation by all (of course)

Accessible anywhere, even if poorly-connected

Coherent global-scale discussion, deliberation

Genuinely self-governed, not by “guardians”

One person one vote, not one dollar one vote

Ensure that participants represent themselves
UseNet mostly got the first 2…the others are hard!
Talk Roadmap


A need: sane collective decision & action

A vision: representative global deliberation

A medium: liquid democracy or variations

A foundation: proof of personhood

A challenge: voter coercion, astroturfing

A program: decentralized infrastructure for all
Global Online Self-Governance
Can digital forums and communities self-govern?
“Democratizing” requirements

Key requirements based on democratic theory:



Open to participation by all (of course)

Accessible anywhere, even if poorly-connected

Coherent global-scale discussion, deliberation

Genuinely self-governed, not by “guardians”

One person one vote, not one dollar one vote

Ensure that participants represent themselves
Coherent global deliberation: How?
Some deeper “beyond UseNet” problems:

Even if everyone can speak (post, tweet, etc),
no one can pay attention to everything going on
– How to address limitations of human attention?

Complex problems require deep analysis with
help of expertise – but how to choose experts?
– How to ensure experts serve everyone’s interests?

Do we have distributed infrastructure for this?


Liquid aka Delegative Democracy
Pre-Internet precedents
Lewis Carroll, “Principles of
Parliamentary Representation”
(1884)

James C. Miller,
“Direct and proxy voting
in the legislative process”
(1969)
Internet-based Liquid Democracy

Bryan Ford, “Delegative Democracy” (2002)

Dennis Lomax, “Beyond Politics” (2003)

Joi Ito, “Emergent Democracy” (2003)

Sayke, “Liquid Democracy” (2003)

James Green-Armytage,
“Direct Democracy by Delegable Proxy” (2005)

Mark Rosst, “Structural Deep Democracy” (2005)

Mikael Nordfors, “Democracy 2.1” (2006)


Liquid Democracy: Key Intuition
Everyone can’t be knowledgeable in everything
But most people are interested in something

So let people self-specialize

Vote directly on topics you follow closely

Delegate your vote on others
Democracy is Social Anyway
If we trust a friend on a particular issue/election,
we may freely follow their advice when voting

Decision is always individual voter’s

Liquid democracy is just automated advice following

Voter can always override or revoke delegation

Maximizes free choice of representatives
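
An added example (not from the talk or from any liquid-democracy system it cites): one way to tally a single topic under the rules on the two slides above, where a direct vote always overrides a delegation and delegation chains are followed to whoever actually voted. The function names, the treatment of cycles and dead-end chains as abstentions, and the sample voters are assumptions.

```python
from collections import Counter

# Assumed rule set for this sketch: chains that loop or end at someone who
# neither voted nor delegated are counted as abstentions.

def resolve(voter, direct, delegate):
    """Follow a voter's delegation chain to a direct vote.

    Returns the voter whose ballot is used, or None for an abstention.
    """
    seen = set()
    cur = voter
    while cur not in direct:          # a direct vote overrides any delegation
        if cur in seen or cur not in delegate:
            return None               # cycle, or chain ends without a vote
        seen.add(cur)
        cur = delegate[cur]
    return cur

def tally(voters, direct, delegate):
    """Return (option totals, weight carried by each direct voter, abstainers)."""
    totals, weight, lost = Counter(), Counter(), []
    for v in voters:
        rep = resolve(v, direct, delegate)
        if rep is None:
            lost.append(v)
        else:
            weight[rep] += 1          # each person contributes exactly one unit
            totals[direct[rep]] += 1
    return totals, weight, lost

# Constructed sample: one topic, eight people.
VOTERS = ["ana", "ben", "cy", "dee", "eli", "fay", "gus", "hal"]
DIRECT = {"ana": "yes", "dee": "no", "cy": "no"}
DELEGATE = {
    "ben": "ana",   # ben -> ana
    "cy": "ana",    # overridden: cy also voted directly
    "eli": "ben",   # eli -> ben -> ana (transitive)
    "fay": "gus",   # fay -> gus -> fay: a cycle
    "gus": "fay",
    # hal neither votes nor delegates
}

if __name__ == "__main__":
    totals, weight, lost = tally(VOTERS, DIRECT, DELEGATE)
    print("totals:", dict(totals))
    print("weight per direct voter:", dict(weight))
    print("largest share:", max(weight.values()) / sum(weight.values()))
    print("abstained:", lost)
```

The per-voter weight table is the quantity to watch for vote concentration: here one direct voter carries three of the five counted votes.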
Experiments in Liquid Democracy

Widely used for policy debates within Pirate Party for several years
Worked…but raised some concerns
Promising recent academic work

Liquid Democracy: Potentials, Problems, and
Perspectives [Blum & Zuber 2016]
provides normative foundation in political theory

The Fluid Mechanics of Liquid Democracy
[Gölz et al 2021] on voting power concentration

Liquid Democracy in Practice: An Empirical
Analysis of its Epistemic Performance
[Revel et al 2022] tests it for “finding expertise”

Liquid Democracy Workshop [UZH 2022]
Global deliberation at scale
Liquid democracy is:

(Still) promising for scalable deliberation

(Still) an incomplete work in progress

A few (of many) lingering issues:



How (and whether) to avoid vote concentration?

How to create, (self-)govern large topic space?

How to avoid tribalism, incentivize consensus?
Talk Roadmap


A need: sane collective decision & action

A vision: representative global deliberation

A medium: liquid democracy or variations

A foundation: proof of personhood

A challenge: voter coercion, astroturfing

A program: decentralized infrastructure for all
Who gets how much influence?
Wealth-centric: One dollar, one vote [Kera]
Person-centric: One person, one vote [Verity Weekly]


“Democratizing” requirements

Key requirements based on democratic theory:



Open to participation by all (of course)

Accessible anywhere, even if poorly-connected

Coherent global-scale discussion, deliberation

Genuinely self-governed, not by “guardians”

One person one vote, not one dollar one vote

Ensure that participants represent themselves
Who gets how much influence?
Wealth-centric:
– Stock corporations
– Loyalty programs
– Online gaming
– CAPTCHA solving
– Proof-of-work
– Proof-of-stake
– Proof-of-X for most X

Person-centric:
– Democratic states
– Elected parliaments
– Membership clubs
– Committees
– Town hall meetings
– Direct democracy
– Liquid democracy
Contrasting Influence Foundations
Wealth-centric: Largely Solved
Person-centric: Largely Unsolved


Which could help “save the world”?
Wealth-centric: Been there, done that… it’s the status quo!
Person-centric: No guarantee of success, but… No other plausible option to get global buy-in
A Fundamental Problem
Today’s Internet doesn’t know what a “person” is

Internet ?
People aren’t digital, only profiles are

[Pixabay, The Moscow Times]


Fakery is exploding, especially w/ AI

[Ian Sample, The Guardian]


Brief problem statement

How to “identify” real (human) persons…
– For online messaging, participation, deliberation
– Ensuring accountability, “one person one vote”

…without actually “identifying” them?
– Protect participant privacy, anonymity, freedom
– Avoid requiring real ID cards or trackable proxies

Achieve “proof of personhood” not “identity”?
Preprint: https://bford.info/pub/soc/personhood/
Key desirable (required?) goals
Can we achieve Proof of Personhood that is:

Inclusive: open to all real people, not to bots

Equitable: all people get equal power, benefits

Secure: correct operation, verifiable by people

Privacy: protects rights & freedoms of people
“We must act to ensure that
technology is designed and
developed to serve humankind,
and not the other way around”
- Tim Cook, Oct 24, 2018
Personhood Online: Approaches

Documented Identity: e.g., government-issued
– Privacy-invasive, IDs not hard to fake or buy

Biometric Identity: India, UNHCR, Worldcoin
– Huge privacy issues, false positives+negatives

Trust Networks: PGP “Web of Trust” model
– Unusable in practice, doesn’t address Sybil attacks

Physical Presence: in-person participation
– Requires no ID, trust, connections: just a body
– Proposed in Pseudonym Parties [SocialNets ‘08]
A few Proof of Personhood efforts

Pseudonym Parties [Ford, 2008]

Proof-of-Personhood [Borge et al, 2017]

Encointer [Brenzikofer, 2018]

BrightID [Sanders, 2018]

Duniter [2018]

Idena [2019]

HumanityDAO [Rich, 2019]

Pseudonym Pairs [Nygren, 2019]

DFINITY Virtual People Parties [Williams, 2021]

Worldcoin [Worldcoin, 2023]
PoP based on physical presence

Ford/Strauss, “An Offline Foundation for
Online Accountable Pseudonyms” [2008]
– In-person pseudonym parties to create PoP tokens
PoP based on physical presence
Principle: real people have only one body each

Attendees gather in “lobby” area by a deadline

At deadline entrances close, no one else gets in

Each attendee gets one token while leaving

[Figure: two panels. 1. Lobby Area; 2. Lobby Area, entrances closed]
Scalable via simultaneous events
Potentially at many grassroots-organized events

Even globally, in a few “timezone federations”
Local Autonomous Organizations
Any person or group may create an ad-hoc LAO
Organizer scans attendees’ tokens
Organizer: Participant:
Encointer: in-person PoP system

Uses periodic synchronized encounters
to verify personhood in-person, mint coins, …
Anti-tracking PoP tokens
Roll-calls are already privacy-preserving

Yield PoP tokens with no identifying information

But PoP tokens could still be tracked, correlated



Pseudonymity is not the same as anonymity!

Goal: blinded untraceable usage of PoP tokens



Pseudonym-friendly but accountable!
3PBCS: a privacy-preserving
personhood-based credential system

3PBCS creates perdentials: credentials usable to



Reveal & prove properties about the bearer
– e.g., age > 18, have Ph.D. from U, usual SSI stuff

Create pseudonyms with “real person” status
– Sybils allowed! professional, personal, hobby…

Allow counts/quotas with 1-per-person weight
– Followers, likes, etc. count only unique real people
Builds on any PoP scheme + Coconut credentials
Perdentials: an illustrative scenario
[Figure: PoP system (e.g., PoP parties, Crypto-Book, CanDID, etc.); PoP tokens, 1 per person; 3PBCS system, perdentials; social media, centralized or decentralized. A privacy divider sits between real persons (Dave, Charlie) and pseudonyms (@Alice, @Bob, @Ellen, @Charlie). Labels: follows may be public; hidden associations; 2 followers; verified real people.]
Talk Roadmap


A need: sane collective decision & action

A vision: representative global deliberation

A medium: liquid democracy or variations

A foundation: proof of personhood

A challenge: voter coercion, astroturfing

A program: decentralized infrastructure for all
Collusion and Coercion in PoP
Case study of the Idena PoP network, 2019-2022

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4749892
Idena: essential idea

Account holders (hopefully real humans) participate online in synchronized events

Must solve several reverse Turing tests (“FLIP” puzzles) in 2 minutes

Run validation nodes, earn “crypto-UBI”, …
Idena: the Puppet Pool Takeover
Key lessons from “Compressed to 0” report:

FLIP challenges technically appeared to work to filter and/or deter automated abuse

But network increasingly dominated by pools paying real people to serve as puppets

Pool operators exploit economies of scale, information asymmetry
“Democratizing” requirements

Key requirements based on democratic theory:



Open to participation by all (of course)

Accessible anywhere, even if poorly-connected

Coherent global-scale discussion, deliberation

Genuinely self-governed, not by “guardians”

One person one vote, not one dollar one vote

Ensure that participants represent themselves
PoP for deliberation, governance
Can PoP enable online robust self-governance?

Adds missing “one-person-one-vote” foundation

But…

Whose interests do participants represent?
The Coercion, Vote-Buying Problem
How can we know people vote their true intent if
we can’t secure the environment they vote in?
The Coercion, Vote-Buying Problem
Both Postal and Internet voting are vulnerable!

July 30, 2019


The Coercion, Vote-Buying Problem
“Blockchain” could make the problem worse!
The “fake credentials” solution [JCJ]
At registration time:

Give all voters real and fake voting credentials

At voting time:

Real and fake credentials both appear to work

Only real credentials cast votes that count
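
A simplified model of the idea on this slide, added here as an illustration (it is not the JCJ protocol's cryptography and not code from the talk): the ballot box gives the same response for any credential, and only the tally, which holds the private roll, determines which ballots count. The class names, the hash-based roll and the sample scenario are assumptions; JCJ itself performs this filtering on encrypted credentials.

```python
import hashlib
import secrets

# Hypothetical toy model: names and the plain hash roll are assumptions.

def _h(cred: str) -> str:
    return hashlib.sha256(cred.encode()).hexdigest()

class Registrar:
    """Issues one real credential per voter; keeps only its hash on a private roll."""
    def __init__(self):
        self.roll = set()

    def register(self) -> str:
        real = secrets.token_hex(16)
        self.roll.add(_h(real))
        return real

def fake_credential() -> str:
    """Same format as a real credential, but never placed on the roll."""
    return secrets.token_hex(16)

class BallotBox:
    """Accepts every ballot; the receipt is identical for real and fake credentials."""
    def __init__(self):
        self.ballots = []

    def cast(self, cred: str, choice: str) -> str:
        self.ballots.append((_h(cred), choice))
        return "accepted"

def tally(box: BallotBox, roll: set) -> dict:
    """Count the last ballot per credential on the roll; silently drop the rest."""
    last = {}
    for cred_hash, choice in box.ballots:
        if cred_hash in roll:
            last[cred_hash] = choice
    counts = {}
    for choice in last.values():
        counts[choice] = counts.get(choice, 0) + 1
    return counts

def demo() -> dict:
    """Constructed scenario: a voter under pressure hands over a fake credential."""
    registrar, box = Registrar(), BallotBox()
    real = registrar.register()
    fake = fake_credential()
    r1 = box.cast(fake, "B")   # ballot cast with the credential that was given up
    r2 = box.cast(real, "A")   # voter later votes in private with the real one
    return {"receipts_match": r1 == r2, "counts": tally(box, registrar.roll)}

if __name__ == "__main__":
    print(demo())
```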
The central challenge
When, where, how do voters get credentials?

Without being coerced at or after registration?

Online registration or PoP



Unclear there’s any plausible solution that
doesn’t make unrealistic/magical assumptions

In-person registration or PoP



We can leverage physical security (again)!
PoP based on physical presence
In-person attendees get short-term tickets

Not (yet) long-term PoP credentials

[Figure: two panels. 1. Lobby Area; 2. Lobby Area, entrances closed]
PoP based on physical presence
In-person attendees get short-term tickets

Not (yet) long-term PoP credentials
Use tickets in a supervised privacy booth nearby

Create long-term real and fake PoP credentials

[Figure: Lobby Area. Check in – get 1-use ticket; In private – get real, fake credentials; Check out – show any credential]
Key technical & behavioral problems
The coercion problem is still far from “easy”

What happens in the privacy booth?

How much must voters trust what’s in it?

How do they “know” which credential is real?

How to ensure a coercer can’t learn this?

Can voters “hide” real credential from coercer?

Can voters understand and use the process?

Can and will voters lie to a coercer? …
In-person Coercion Resistance
TRIP: Trust-limited Coercion-Resistant
In-Person Voter Registration

https://bford.info/pub/sec/trip/ (preprint)

E-Vote Your Conscience: Perceptions of Coercion and Vote Buying, and the Usability of Fake Credentials in Online Voting

https://bford.info/pub/sec/trip-usability/
(to appear in IEEE Security & Privacy ‘24)
TRIP workflow overview
Attendees use digital kiosk in privacy booth
to print real & fake paper credentials

Cheap, easy to hide from a coercer

Attendees not under coercion
need not trust the kiosk
TRIP paper credential design
Kiosk prints three QR codes on a receipt printer

Printing sequence determines real versus fake

Voter observes but can’t prove it later
User studies on TRIP

Preliminary user study in early 2022
– 41 EPFL PhD student participants (15 female)
– System Usability Scale (SUS) score of 64.3 (industry average is in 60-70 range)
– 40 created a fake credential (7 created two)
– 6 made minor process mistakes
– Learned from mistakes, suggestions in next phase

Study was approved by EPFL’s ethics board
User studies on TRIP

Larger, more diverse study in fall 2022

– 150 participants recruited in park in greater Boston
– Broad spectrum in age, gender, ethnicity, education
– Used A/B testing to compare 5 variants of TRIP
– Incorporated introductory videos to “educate” users
– Used exit surveys to study a variety of questions

Study was approved by EPFL’s ethics board
Prototype kiosk setup for full study
User study – summary of lessons

Is the problem of voter coercion important?
– 26% reported experience by someone they know
– Most likely scenario: ballot selfies; source: family

Is the TRIP kiosk usable by ordinary people?
– SUS usability score of 70.4 → 58th percentile

Can voters successfully use TRIP?
– 83-95% success rate depending on metric

Will users detect & report a malicious kiosk?
– 30% without, 57% with, “security education”
Next steps, goals, questions

Real series of presence-based events
– Tentative: hybrid online/in-person seminar series
– Participate online or at one of several/many sites
– Only in-person participants get “voting rights”
– Social and educational forum: inform participants

User studies of proof-of-presence processes

What participatory forum(s) to build on top?
– Simple polls; social media; deliberative debate?

What will make PoP compelling, sustainable?
Talk Roadmap


A need: sane collective decision & action

A vision: representative global deliberation

A medium: liquid democracy or variations

A foundation: proof of personhood

A challenge: voter coercion, astroturfing

A program: decentralized infrastructure for all
Is a true “global town hall” feasible?
For robust discussion of important global issues

→ Decisions, action plans that transparently & securely represent everyone’s interests
Towards a true global town hall
If climate change is world’s most urgent problem,
collective action is most urgent meta-problem.

Must get everyone “at the table” on equal basis

Hard choices require transparency for buy-in

I believe we can create distributed infrastructure to solve the meta-problem (then the problem)…

Start by recognizing how hard meta-problem is

We have promising pieces, but need systems
Towards “Democratizing” Systems
To be truly democratizing our systems must be:

Not just “decentralized” and “open to all” but…

Facilitate true global interaction, deliberation

Ensure one person, one vote, one reward

Ensure participants represent themselves

Only in-person approaches appear able to offer coercion-resistance, social context, education

Build systems, but also get out and be human!
