Formal Verification for Meek's Method of Single Transferable Vote

Home , Ballot, Droop quota, Single transferable vote

Single Transferable Vote (STV) Overview of work Surplus transfer phase Conclusion

Formal veriﬁcation for Meek’s method of Single Transferable Vote

Jake Palmer

AIAI, School of Informatics, University of Edinburgh

June 22, 2020

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Overview of work Surplus transfer phase Conclusion Outline

Single Transferable Vote (STV) Deﬁnition Variants Meek’s method

Overview of work

Surplus transfer phase Representation Assumptions Proofs

Conclusion

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Outline

Single Transferable Vote (STV) Deﬁnition Variants Meek’s method

Overview of work

Surplus transfer phase Representation Assumptions Proofs

Conclusion

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Voting methods in general

Voting theory is about aggregating preferences over alternatives to choose a single alternative. For us speciﬁcally: I A set of candidates C, non-trivial when |C| ≥ 2, interesting when |C| ≥ 3. I A set of ballots B, weak-or-strict and partial-or-total linear orderings. Big results include Arrow’s impossibility theorem and the Gibbard-Satterthwaite theorem.

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Single Transferable Vote (STV)

For STV speciﬁcally:

I Alternatives are sets of candidates of size S > 1, where S is the number of seats to be ﬁlled. I But voters rank candidates, not S-candidate sets. I Ballots are interpreted as instructions for transfer.

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Brief history

I T. W. Hill proposes I A. Clark introduces transferable voting (1819) Hare-Clark STV to I Carl Andræ proposes for Tasmania (1896) Denmark (1855) I Local Government I Danish Rigsdag (1856) (Ireland) Act 1919 I T. Hare independently extends STV to be used conceives of STV (1857) in all Irish elections

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Brief history cont.

I USA cities (1915–60ish) I Canada various locally I New Zealand locally off and regionally off and on and on (1917–1933) (roughly 1926–71) I All elections in Malta I India uses STV for Rajya (1921) Sabha upper house (1992?) I Cambridge, Massachusetts (1941) I New Zealand locally and for all district health I Meek proposes his method (1969, English boards (2001,04) translation 1994) I Scotland locally (2004/7)

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Aspects of STV: positive

I Strategic voting* less of I Less prone to an issue gerrymandering** I Intuitive I Local representation I More than ﬁrst preference I Proportionality I Not many “wasted votes”

* e.g. resulting from vote-splitting concerns ** given large enough number of seats

I Non-monotonic* I Doesn’t list outcomes I Problem of early elimination** I Sacriﬁces some proportionality for local representation STV almost always (except for Schulze, CPO) reduces to AV/instant-runoff voting for single-winner; see its properties for more.

* except Schulze-STV ** e.g. everyone’s second preference, nobody’s ﬁrst

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Variants

Quotas Transfer method

Everything Else STV?

Algorithm

Sort-of-STV Non-algorithmic variation

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Variants: quotas

T T Q = Q = + 1 S (S + 1) Hare Droop

T T − E(st) Q = Q(st) = S + 1 S + 1 Hagenbach-Bischoff Dynamic HB

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Variants: transfer method

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion

Alternative Vote (AV) (S=1, Q=501)

First preferences (round 0)

600 Ballot distribution 144 27 98 160 145 153 126 148 ABBCDEFG 450 BCFGGCAF CGAFFBD GDACA EEE 300

First preferences 150 ABCDEFG 144 125 160 145 153 126 148 0

Alice Bob Erin Claire Dave Frank Grace Example from Miller’s “The butterﬂy effect under STV”.

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion

Alternative Vote (AV) continued (S=1, Q=501)

Round 4 600 Ballot distribution 144 27 98 160 145 153 126 148 CFG 450 CFGGCF CGFF GC E 300

150 Round 4 ABCDEFG 0 0 484 0 0 224 293 0

Alice Bob Erin Claire Dave Frank Grace

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Scottish STV

Used for the ﬁrst time in 2007. I Uses the Droop quota bT /(S + 1)c + 1. I If there is a surplus, transfer the candidate’s with the largest, else eliminate argminc∈C(Vc(st)). I Each elected candidate c has a keep-value (aka weight) wc. I wc is set when a candidate is ﬁrst elected as wc = Q/Vc. I A fraction 1 − wc of each ballot going to c is passed to the next listed hopeful candidate. I An elected candidates’ votes may also consist of part-votes, a further smaller fraction of which are passed along. Recommended by OpaVote for organisations considering STV.

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Meek’s method “MeekSTV is the creme de la creme of STV counting rules” – OpaVote’s Jeff O’Neill. I Invented in 1969 I Allows transfer to already-elected candidates I Dynamic quota I Each round, solves equations Vc(w) = Q(w) for each elected c

Meek, B. L. “Une nouvelle approche du scrutin transférable.” Mathématiques et sciences humaines 25 (1969): 13-23 (“A new approach to the Single Transferable Vote” Voting matters 1 (1994): 1-11).

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Principled critique

“One of the criticisms of STV which is often made is that its rules are too complicated, and are not derived from principles which can be simply stated.” Meek’s two principles (within the general framework of STV): I “If a candidate is eliminated, all ballots are treated as if that candidate had never stood.” I “If a candidate has achieved the quota, he retains a ﬁxed proportion of every vote received, and transfers the remainder to the next non-eliminated candidate, the retained total equalling the quota.”

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion Fairness critique

Two things: I Treatment of voters with newly-elected candidates I Treatment of voters with already-elected candidates

Additionally claims that wasted votes are not minimised, and existing methods were open to strategising.

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion The state: weights Like Scottish STV, uses weights: I Weight vector w over all candidates. I w (0) =< 1, 1, ... >. (i+1) (i) (i) (i) I w = w Q(w )/Vc(w ) Suppose ballot is a > b > c:

I a gets wa.

I b gets wb(1 − wa).

I c gets wc(1 − wb)(1 − wa).

I Leaving (1 − wc)(1 − wb)(1 − wa) exhausted. If B is the set of ballots (hence |B| = T ) and listed(b) returns the set of candidates listed on b, the excess can be written E(w) = Σb∈BΠc∈listed(b)(1 − wc).

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion

Pseudocode (highly stripped down enlisting variant)

Input: , ballots w 0 = w w =< 1, 1, .. > for all c ∈ elected w do 0 elected = λw. {c.Vc (w) ≥ Q(w)} wc = wc Q(w)/Vc (w) V ← initial allocation end for while |elected w| < seats do w = w 0 if sum of surplus < then V ← recalculate votes cs = {c. ∀k. Vc (w) ≤ Vk (w)} end while c = random from cs end if wc = 0 V ← recalculate votes else end while while sum of surplus > do return elected

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion

Meek (S=3, Q=250.25)

First preferences (round 0)

400 Ballot distribution 350 144 27 98 160 145 153 126 148 ABBCDEFG 300 BCFGGCAF CGAFFBD 250 GDACA EEE 200

150

Round 4 100 ABCDEFG 50 144 125 160 145 153 126 148 0

Alice Bob Erin Claire Dave Frank Grace

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion

Meek continued (S=3, Q=250.25)

Round 4 Ballot distribution 400 144 27 98 160 145 153 126 148 CEFG 350 CFGGCF CGFF 300 GC EEE 250

200

Round 4 150 ABCDEFG 100 0 0 250.25 0 153 234 373.75 50

Alice Bob Erin Claire Dave Frank Grace 3 5 wC = 250.25/331 ≈ 0.76, wG = 250.25/373.75 ≈ 0.67

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Deﬁnition Overview of work Variants Surplus transfer phase Meek’s method Conclusion

Meek continued (S=3, Q=243.6, E≈ 26.69)

Round 5 Ballot distribution 400 144 27 98 160 145 153 126 148 CEFG 350 CFGGCF CGFF 300 GC EEE 250

200

Round 5 150 ABCDEFG 100 0 0 250.25 0 153 ≈ 284.81 250.25 50

Alice Bob Erin Claire Dave Frank Grace 3 5 wC = 250.25/331 ≈ 0.76, wG = 250.25/373.75 ≈ 0.67 6 6 wC ≈ 243.6/331, wG ≈ 243.6/373.75

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Overview of work Surplus transfer phase Conclusion Outline

Single Transferable Vote (STV) Deﬁnition Variants Meek’s method

Overview of work

Surplus transfer phase Representation Assumptions Proofs

Conclusion

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Overview of work Surplus transfer phase Conclusion Overview of work: what we want

Termination Fills seats (uniquely)

2.718

☑ ☑ ☑ ☒ ‽

Property satisfaction Non-distorting parameters

Jake Palmer Formal verification for Meek’s method of STV Single Transferable Vote (STV) Overview of work Surplus transfer phase Conclusion End-to-end auditability (E2E) About voter-verifiable and trustworthy voting systems, beyond just verifiably correct voting algorithms. Ideally, we want:

I Individual and universal possibility of ballot stufﬁng) veriﬁability I Minimal additional I No possibility of coercion complexity (including receipt freeness, vote-selling, and re-voting) I No possibility of or forgery de-anonymisation I Only valid voters can vote, I No need for a central, and only once (implies no trusted election authority

Somewhat outside the scope of this work, but...

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Overview of work Surplus transfer phase Conclusion E2E cont.

... E2E systems exist where one need not change the algorithm, besides additional print-statements for auditing.

For more see Ali, Syed Taha, and Judy Murray. "An overview of end-to-end veriﬁable voting systems." Real-world electronic voting: Design, analysis and deployment 173 (2016).

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Representation Overview of work Assumptions Surplus transfer phase Proofs Conclusion Outline

Single Transferable Vote (STV) Deﬁnition Variants Meek’s method

Overview of work

Surplus transfer phase Representation Assumptions Proofs

Conclusion

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Representation Overview of work Assumptions Surplus transfer phase Proofs Conclusion Surplus transfer phase

Meek proposes to solve the equations:

T − E(w) T − Σb∈BΠ ∈ ( )(1 − wc) V (w) = Q(w) = = c listed b c S + 1 S + 1 using a method of iterative approximation:

(i+1) (i) (i) (i) w = w Q(w )/Vc(w )

This leads to elected candidates’ votes Vc(w) “chasing” Q(w), but never reaching it.

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Representation Overview of work Assumptions Surplus transfer phase Proofs Conclusion Modelling the phase for proof

Following* “Algorithm 123: single transferable vote by Meek’s method” by Hill et al.:

I Let E be the set of elected candidates at some round. I Assume we are at some intermediate round where E 6= {} and |E| ≤ S, call it “round 0”. I Assume there is at least one listed hopeful candidate. I Assume ∀c. wc ∈ [0, 1] and ∀c. c ∈ E → Vc(w) ≥ Q(w). I Characterise Q, V , E in terms of changing w, regardless of B.

* Using different notation and some different conventions.

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Representation Overview of work Assumptions Surplus transfer phase Proofs Conclusion In Isabelle/HOL: constants and functions

A candidate can have one of three exclusive statuses: elected, eliminated, hopeful. For reasons explained later, we do not deﬁne what it is to be elected. In Isabelle/HOL:

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Representation Overview of work Assumptions Surplus transfer phase Proofs Conclusion Characterising Q, E, V

From Hill et al. (notation slightly changed): “[...] we use the term ‘increases’ and ‘decreases’ in the weak sense. If one component wc of [an m-vector] w is decreased whilst all the other components are unchanged, then:

1. Vc(w) decreases, in exact proportion to the decrease in wc 2. each Vk (w) where k 6= c increases 3. the sum of the votes for all the ‘elected’ candidates decreases by an amount v ≥ 0 (since the contributions from each ballot paper decreases) 4. the excess vote increases, by at most v 5. the quota decreases, by at most V /(S + 1)”

A feasible vector w is one satisfying

∀ c ∈ E. wc ∈ [0, 1] ∧ Vc(w) ≥ Q(w)

where E is the set of elected candidates.

Similarly for solution vectors, with Vc(w) = Q(w). Slightly differently, in Isabelle:

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Representation Overview of work Assumptions Surplus transfer phase Proofs Conclusion Small example proof in Isabelle/HOL

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Representation Overview of work Assumptions Surplus transfer phase Proofs Conclusion Theorem 1, part 1: weights remain feasible – statement

“This Algorithm constructs a sequence of feasible vectors that converges to a solution vector.”

It is helpful to split this up into two distinct parts: I proving that the weight vector remains feasible, and I proving that the limit is a solution vector.

The ﬁrst part of Theorem 1 then proceeds by induction on the stage i: I Base case: stage 0. Follows immediately from the assumption feasible0. I Inductive step: given that the weight vector w (i) is feasible, show that w (i+1) is feasible. To do this: (i+1) I Show wc ∈ [0, 1]. (i+1) (i+1) I Show c ∈ elected0 −→ Vc(w ) ≥ Q(w ).

Showing the weights remain within a valid range also involves induction on the stage: I Base case: stage 0. Follows immediately from feasible0. I Inductive step: given w (i) is valid, show that w (i+1) valid. (i) (i) Case split on Vc(w ) ≥ Q(w ): (i) (i) I True: then we have Q(w )/Vc(w ) ≤ 1. For elected candidates (who satisfy this) the weight updates is (i+1) (i) (i) (i) wc = wc ∗ Q(w )/V (w ). From the inductive (i) hypothesis (IH) we know that wc ∈ [0, 1]. With these three (i+1) things we can conclude that wc ∈ [0, 1]. I False: then c is hopeful or eliminated, so its weight does not get updated, and it follows trivially from the IH.

“This Algorithm constructs a sequence of feasible vectors that converges to a solution vector.”

We deﬁne w∞, the limit of w, like so:

Proving w converges is simple, because we trivially have it that: I the weight vector is bounded below by 0, and I is always decreasing.

The tricky part is showing ∀c ∈ elected0. Q(w∞) = Vc(w∞).

Essentially about proving:

(i) (i) (i) 0 (i) (i+1) 0 ≤ Vc(w ) − Q(w ) = Vc(w ) − Vc(w ) ≤ T (wc − wc ).

Hill et al. dispatch the right hand by saying:

“since decreasing wc by δ cannot decrease Vc(w) by more than V δ”

which is simply a restatement of the inequality in English, for which we now provide the proof.

“The solution vector, whose existence was proved in Theorem 1, is unique.”

One would think this can be stated:

∃! weights. solutionw (Q weights)(V weights) elected0

but it has to be a little more complicated:

1. Construct the vector min 0 0 w = {vc. v = argminv ∈{w∞,weights}vc}. ∞ 2. Use w min to construct the solution vector w min . ∞ 3. Prove Q(w min ) = Q(weights) and min∞ ∀c. Vc(w ) = Vc(weights). min∞ 4. We have ∀c. wc ≤ weightsc. Take the set of weights for min∞ which wc < weightsc. min∞ 5. Show this set is empty, thus ∀c. wc = weightsc. min∞ 6. Repeat for w∞. Thus ∀c. wc = wc,∞. And so ∀c. weightsc = wc,∞, as required. Note that any c referred to above is in elected0.

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Representation Overview of work Assumptions Surplus transfer phase Proofs Conclusion Corollary to Theorem 2

There are two main corollaries to Theorem 2: the weights converged to are positive, and the two main variants are equivalent. Delayed election/enlistment:

< a(0), b(0), ... >→< a(∞), b(∞), c(0), ... >→< a(∞0), b(∞0), c(∞0)... >

Immediate election and enlistment:

< a(0), b(0), ... >→< a(i), b(i), c(0), ... >→< a(∞00), b(∞00), c(∞00)... >

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Representation Overview of work Assumptions Surplus transfer phase Proofs Conclusion Extension: ﬁlling seats

The proofs described do not prove any of the following: I Anyone will ever become elected. I Given n < S elected candidates, at least S candidates will eventually be elected. I No more than S candidates will be elected. I Once S candidates are elected, all that happens is other remaining candidates are eliminated and the surplus in the limit all goes to the excess. I A generalised Theorem 1 and Theorem 2. Showing these additional facts will be the job of an extended proof.

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Overview of work Surplus transfer phase Conclusion Outline

Single Transferable Vote (STV) Deﬁnition Variants Meek’s method

Overview of work

Surplus transfer phase Representation Assumptions Proofs

Conclusion

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Overview of work Surplus transfer phase Conclusion Future work

Will include: I Finishing off the material presented today (ongoing). I Abstracting a number of proofs and representation to apply to any STV (ongoing). I Extending the proof as described, including full termination proof (ongoing, pen-and-paper). I Finishing the instantiation and hence algorithm extraction (ongoing). I Non-distortion: ∃. ∀0 < . meek(B, ) = meek(B, 0). I Property satisfaction: Droop Proportionality Criterion.

Jake Palmer Formal veriﬁcation for Meek’s method of STV Single Transferable Vote (STV) Overview of work Surplus transfer phase Conclusion Conclusion

I Meek’s method clear target for formalisation: I Important existing proof I More interesting work to be done I Used in New Zealand as well as a number of NGOs I We have completed the presentation of the convergence proof with gaps ﬁlled, bar two lemmas I Could make novel contribution to Archive of Formal Proofs I Potential for a veriﬁed implementation to become the implementation of choice

Thanks

Jake Palmer Formal veriﬁcation for Meek’s method of STV