DOCSLIB.ORG

Practical Distributed Voter-Verifiable Secret Ballot System

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Practical Distributed Voter-Verifiable Secret Ballot System Practical Distributed Voter-Verifiable Secret Ballot System Edoardo Biagioni Yingfei Dong Wesley Peterson, Kazuo Sugihara Dept. of Info. and Comp. Sci. Dept. of Electrical Engineering Dept. of Info. and Comp. Sci. 1680 East-West Road, POST 317 2504 Dole St, Holmes Hall 483 1680 East-West Road, POST 317 Honolulu, HI 96822 Honolulu, HI 96822 Honolulu, HI 96822 ABSTRACT trusted. A few improved voting systems have become com- In this paper we propose an end-to-end voter-verifiable sys- mercially available [5]. Also, several innovative schemes such tem, which is more transparent than existing solutions. Its as PunchScan and ThreeBallot have been devised that per- distributed nature permits its use both for supervised vot- mit voters to check whether their votes have been included ing at a polling place and for online remote voting. We in the tally correctly [6], [7], [8], [9]. Meanwhile, these sys- use Chaum’s blind signatures to ensure voter anonymity. In tems strongly prevent voters from being able to prove how particular, voters can verify that their votes are recorded they voted, to prevent vote selling and coercion. As a result, exactly as cast, and all ballots can be made public so that they are not completely transparent. anyone can verify the election results. We further address In a recent paper, Yasinsac and Bishop [4] make several key security issues such as server corruption in the proposed interesting points. Their first sentence is “At the end of system. The case is made that this can be the basis of a the day, elections are about counting votes.” The accuracy practical voting system. and assurance of the vote counting should be the highest priority. They find that paper ballots or receipts, although safer than many DRE voting machines, are lacking in this Categories and Subject Descriptors regard. They state that “Audit trails are essential to voting K.4.0 [Computers and Society]: General—Voting Sys- systems”, and also suggest that “Relaxing the ‘vote non- tems; K.4.1 [Computers and Society]: Public Policy Is- provability’ principle” in the interest of providing audit in- sues—Anonymity Verifiability; K.6.5 [Management of Com- formation or making the voting process more transparent, puting and Information Systems]: Security and Protec- may be desirable. We have come to the same conclusions, tion and in this paper we suggest a voting protocol that is much more transparent than most existing systems and that we General Terms believe can be the basis of a practical election system. We call this system Distributed Voter-Verifiable Secret Ballot Security, Algorithms (DVVSB). DVVSB can be used for both voting at a su- pervised polling place and remote voting on the Internet, Keywords compared with most end-to-end voter verification solutions that are designed for polling stations. It is especially use- voting systems, end-to-end, voter verifiable, secret ballot ful to complement increasing popular mail voting [12]. It provides a concrete example of what can be done if the non- 1. INTRODUCTION provability condition is relaxed. It has been clearly established that existing direct-recording In the proposed system, we separate voter authentication electronic (DRE) voting machines cannot be trusted [1], [2], and vote tallying in a distributed environment, including [3]. On these systems, votes can be lost or altered, and no an authentication server, a tally server, and voter clients. effective way is provided for detecting such failures. There- We assume that voter registration has been conducted sep- fore, the need to audit or recount has led to the widespread arately and we have a list of eligible voters. This list is pro- use of paper ballots, either as the primary ballots or as the vided to an authentication server for voter authentication. backup of voting machines. However, paper ballots are vul- We assume that each voter obtains an identifier and authen- nerable to forgery, loss, or substitution [4, 12]. The election tication keys during the voter registration process. For vote officials handling the paper ballots at every point must be tallying, a tally server collects all cast ballots into a tally database. Each ballot has a ballot identifier randomly as- signed by a voter client. Furthermore, for tally verification, the list of eligible voters and the tally databases are made Permission to make digital or hard copies of all or part of this work for public at the end of an election. In particular, the voter can personal or classroom use is granted without fee provided that copies are use the ballot identifier to check whether that ballot is in the not made or distributed for profit or commercial advantage and that copies tally database, and check the exact contents of the ballot. bear this notice and the full citation on the first page. To copy otherwise, to In principle, anyone can access the entire contents of this republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. tally database and count the ballots themselves. This will SAC'09 March 8-12, 2009, Honolulu, Hawaii, U.S.A. give transparency to the vote-counting process and assur- Copyright 2009 ACM 978-1-60558-166-8/09/03 ...$5.00. ance that the votes are correctly counted. However, there is database is also public, anyone can see who voted. How- no way to find which ballot was cast by which voter. The ever, there is no reliable information to tell which ballot voters know their own ballot identifiers, but they cannot corresponds to which voter from the contents of the two prove that, because the ballot identifiers are all public and databases. We will discuss in later sections how to deal with anyone could claim to have cast any ballot. compromised authentication and tally servers by splitting the authentication and tally responsibilities among multiple 2. BASIC PROTOCOL servers. The proposed basic protocol uses Chaum’s blind signa- Table 1: Notation. tures [10] to achieve vote anonymity. Blind signatures have A original ballot been proposed for use in elections [11]. Our proposed pro- B blinded ballot tocol is based on these ideas. Our scheme is similar to [14], C signed, blinded ballot but allows the use of multiple, redundant servers, which also D signed ballot prevents a corrupt signing authority from casting ballots for n RSA modulus voters who do not cast a vote. e public key In the basic protocol, each voting operation involves three d private key entities: a voter client (VC), a ballot authentication server k blinding factor (BAS), and a vote tally server (VTS). The BAS maintains an eligible voter database (EVD), which is used for authenti- Here are the mathematical details of using blind signa- cating and recording blinded ballots from voters and track- tures for voter authentication and anonymity. Blind signa- ing which voter has voted. Each entry in the EVD includes tures use RSA. In this section, assume that n is an RSA a voter identifier, a vote flag indicating whether the voter modulus and e and d are the public and secret keys, respec- has voted, and a signed, blinded ballot from the voter if the tively. Then for any X, if C = Xe mod n, then X = Cd mod voter has voted. The VTS maintains a vote tally database n, and similarly, if C = Xd mod n, then X = Ce mod n. (VTD) by collecting all cast ballots. Each entry in the VTD The notation is summarized in Table 1. We use A to denote includes: (i) a unique ballot number chosen by a VC; (ii) the an original ballot prepared by a voter client. The voter client voter’s choices; (iii) a BAS digital signature confirming that selects a random number, kept secret, k < n, that has an −1 this is a valid ballot. inverse k modulo n, and blinds the ballot by multiplying The first step in the protocol is for the election authority A by ke modulo n. The result is the unsigned, blinded bal- e to furnish each voter with a voter identifier VID and secret lot B = Ak mod n. The ballot authentication server then authentication keys. The keys should be kept secret, because signs B. We denote the signed, blinded ballot by C. Then d e d d ed d anyone who has them can vote. We have not addressed the C = B = (Ak ) = A k = A k mod n (since in RSA, problem of doing this securely. We assume that the election ed = 1mod n). To unblind this, the voter client multiplies −1 d authority has a procedure for identifying individual voters this by k mod n, and the result is D = A mod n, which and authorizing their voting. is exactly what would have resulted if the authentication Next, a voter client (VC) on a computer prepares a ballot server had directly signed A. However, the authentication with the voter’s choices and with a randomly-generated bal- server has not seen A and has no knowledge of the fact that d lot identifier BID. The BID must be large enough such that it has signed A. It is this value D = A mod n that the voter the probability is negligible that two voters will by chance sends to the tallying server. The tallying server then verifies choose the same ballot identifier. Then the voter blinds the the signature from the authentication server by calculating ballot using a randomly chosen number less than n. A = De mod n, and can then tally the voter’s choices from Then the voter client sends the blinded ballot along with the content of A.
Load more

Recommended publications
  • Black Box Voting Ballot Tampering in the 21St Century
    This free internet version is available at www.BlackBoxVoting.org Black Box Voting — © 2004 Bev Harris Rights reserved to Talion Publishing/ Black Box Voting ISBN 1-890916-90-0. You can purchase copies of this book at www.Amazon.com. Black Box Voting Ballot Tampering in the 21st Century By Bev Harris Talion Publishing / Black Box Voting This free internet version is available at www.BlackBoxVoting.org Contents © 2004 by Bev Harris ISBN 1-890916-90-0 Jan. 2004 All rights reserved. No part of this book may be reproduced in any form whatsoever except as provided for by U.S. copyright law. For information on this book and the investigation into the voting machine industry, please go to: www.blackboxvoting.org Black Box Voting 330 SW 43rd St PMB K-547 • Renton, WA • 98055 Fax: 425-228-3965 • [email protected] • Tel. 425-228-7131 This free internet version is available at www.BlackBoxVoting.org Black Box Voting © 2004 Bev Harris • ISBN 1-890916-90-0 Dedication First of all, thank you Lord. I dedicate this work to my husband, Sonny, my rock and my mentor, who tolerated being ignored and bored and galled by this thing every day for a year, and without fail, stood fast with affection and support and encouragement. He must be nuts. And to my father, who fought and took a hit in Germany, who lived through Hitler and saw first-hand what can happen when a country gets suckered out of democracy. And to my sweet mother, whose an- cestors hosted a stop on the Underground Railroad, who gets that disapproving look on her face when people don’t do the right thing.
    [Show full text]
  • Absentee Voting and Vote by Mail
    CHapteR 7 ABSENTEE VOTING AND VOTE BY MAIL Introduction some States the request is valid for one or more years. In other States, an application must be com- Ballots are cast by mail in every State, however, the pleted and submitted for each election. management of absentee voting and vote by mail varies throughout the nation, based on State law. Vote by Mail—all votes are cast by mail. Currently, There are many similarities between the two since Oregon is the only vote by mail State; however, both involve transmitting paper ballots to voters and several States allow all-mail ballot voting options receiving voted ballots at a central election office for ballot initiatives. by a specified date. Many of the internal procedures for preparation and mailing of ballots, ballot recep- Ballot Preparation and Mailing tion, ballot tabulation and security are similar when One of the first steps in preparing to issue ballots applied to all ballots cast by mail. by mail is to determine personnel and facility and The differences relate to State laws, rules and supply needs. regulations that control which voters can request a ballot by mail and specific procedures that must be Facility Needs: followed to request a ballot by mail. Rules for when Adequate secure space for packaging the outgoing ballot requests must be received, when ballots are ballot envelopes should be reviewed prior to every mailed to voters, and when voted ballots must be election, based on the expected quantity of ballots returned to the election official—all defer according to be processed. Depending upon the number of ballot to State law.
    [Show full text]
  • Contingent Election of the President and Vice President by Congress: Perspectives and Contemporary Analysis
    Contingent Election of the President and Vice President by Congress: Perspectives and Contemporary Analysis Updated October 6, 2020 Congressional Research Service https://crsreports.congress.gov R40504 Contingent Election of the President and Vice President by Congress Summary The 12th Amendment to the Constitution requires that presidential and vice presidential candidates gain “a majority of the whole number of Electors appointed” in order to win election. With a total of 538 electors representing the 50 states and the District of Columbia, 270 electoral votes is the “magic number,” the arithmetic majority necessary to win the presidency. What would happen if no candidate won a majority of electoral votes? In these circumstances, the 12th Amendment also provides that the House of Representatives would elect the President, and the Senate would elect the Vice President, in a procedure known as “contingent election.” Contingent election has been implemented twice in the nation’s history under the 12th Amendment: first, to elect the President in 1825, and second, the Vice President in 1837. In a contingent election, the House would choose among the three candidates who received the most electoral votes. Each state, regardless of population, casts a single vote for President in a contingent election. Representatives of states with two or more Representatives would therefore need to conduct an internal poll within their state delegation to decide which candidate would receive the state’s single vote. A majority of state votes, 26 or more, is required to elect, and the House must vote “immediately” and “by ballot.” Additional precedents exist from 1825, but they would not be binding on the House in a contemporary election.
    [Show full text]
  • Ballot Casting Assurance
    Ballot Casting Assurance Ben Adida C. Andrew Neff MIT VoteHere Abstract Universal Verifiability. Since the early 1990s, many cryptographic voting protocols have been proposed to We propose that voting protocols be judged in part on provide universal verifiability [11, 6, 1, 9]. In these ballot casting assurance, a property which complements schemes, any observer can verify that only registered universal verifiability. Some protocols already support voters cast ballots and that cast ballots are tallied cor- ballot casting assurance, though the concept has not re- rectly. Universal verifiability uses cryptography to re- ceived adequate explicit emphasis. Ballot casting assur- store the bulletin board of yore. Ballots are encrypted ance captures two well known voting concepts – cast and posted along with the voter’s plaintext identity. Uni- as intended, and recorded as cast – into one end-to-end versal verifiability thus provides a public tally, patching property: Alice, the voter, should obtain immediate and a large portion of the audit-ability hole caused by the se- direct assurance that her intended vote has “made it” into cret ballot. the tally. We review Neff’s scheme, MarkPledge, and show that Ballot Casting Assurance. Universal verifiability it provides ballot casting assurance. We also briefly show does not provide complete audit-ability. In addition to how Chaum’s “Punchscan” system also provides ballot knowing that all votes were correctly tallied, Alice would casting assurance, though under more complicated de- like direct verification that her vote was properly cast and ployment assumptions. We show how ballot casting as- recorded into this tally. We define this principle as ballot surance opens the door to realistic failure detection and casting assurance and argue that it, too, fills an audit- recovery in the middle of an election, a topic which has ability gap left by the secret ballot.
    [Show full text]
  • Security Evaluation of ES&S Voting Machines and Election
    Security Evaluation of ES&S Voting Machines and Election Management System Adam Aviv Pavol Cernˇ y´ Sandy Clark Eric Cronin Gaurav Shah Micah Sherr Matt Blaze faviv,cernyp,saender,ecronin,gauravsh,msherr,[email protected] Department of Computer and Information Science University of Pennsylvania Abstract EVEREST was the first major study of ES&S voting sys- tems, despite the system’s popularity (ES&S claims to be This paper summarizes a security analysis of the DRE the world’s largest e-voting systems vendor [1], support- and optical scan voting systems manufactured by Election ing more than 67 million voter registrations with 97,000 Systems and Software (ES&S), as used in Ohio (and many touchscreen voting machines installed in 20 states and other jurisdictions inside and outside the US). We found 30,000 optical ballot readers present in 43 states [4]), and numerous exploitable vulnerabilities in nearly every com- only the second comprehensive study that examined all ponent of the ES&S system. These vulnerabilities enable components – from backend registration systems to fron- attacks that could alter or forge precinct results, install tend ballot casting – of any electronic voting system. In a corrupt firmware, and erase audit records. Our analysis ten week period, our seven-member team was tasked with focused on architectural issues in which the interactions analyzing the nearly 670,000 lines of source code that between various software and hardware modules leads to comprise the ES&S system, encompassing twelve pro- systemic vulnerabilities that do not appear to be easily gramming languages and five hardware platforms1.
    [Show full text]
  • Sincere and Strategic Voting Norms on Multimember Courts Evan H
    University of Michigan Law School University of Michigan Law School Scholarship Repository Articles Faculty Scholarship 1999 Sincere and Strategic Voting Norms on Multimember Courts Evan H. Caminker University of Michigan Law School, [email protected] Available at: https://repository.law.umich.edu/articles/74 Follow this and additional works at: https://repository.law.umich.edu/articles Part of the Courts Commons, and the Supreme Court of the United States Commons Recommended Citation Caminker, Evan H. "Sincere and Strategic Voting Norms on Multimember Courts." Mich. L. Rev. 97, no. 8 (1999): 2297-380. This Article is brought to you for free and open access by the Faculty Scholarship at University of Michigan Law School Scholarship Repository. It has been accepted for inclusion in Articles by an authorized administrator of University of Michigan Law School Scholarship Repository. For more information, please contact [email protected]. SINCERE AND STRATEGIC VOTING NORMS ON MULTIMEMBER COURTS Evan H. Caminker* TABLE OF CONTENTS INTRODUCTION ............................................ 2298 I. SINCERE DECISIONMAKING IN SOLO AND COLLEGIAL ADJUDICATION ........................ 2303 A. Solo Judgment Formation ...................... 2304 1. Relational Judgment Criteria and Interconnecting Cases ...................... 2304 2. Sophisticated Consideration of Nonjudicial Actors' Views .............................. 2308 B. Sincere Judgment Formation on a Multimember Court .......................................... 2310 II. OPPORTUNITIES
    [Show full text]
  • Tallying Clerks Quick Reference
    PAPER TALLYING CLERKS QUICK REFERENCE 2016 Regular Elections QR-P-6 - Approved by the Secretary of State, 2016 CONTENTS TALLYING CLERKS' CHECKLIST ........................................................................ 3 Before the Polls Open ................................................................................ 3 GUIDELINES FOR COUNTING PAPER BALLOTS ...................................................... 5 Determining Voter's Intent .......................................................................... 5 Determining voter’s intent for paper ballot write-ins. ......................................... 6 Determining Voter's Intent for Write-In's ...................................................... 6 TALLYING PROCEDURE ................................................................................. 9 Tallying in November of Even Years ............................................................... 9 Suggested assignments – counting board duties. ............................................. 9 Tally Procedure .................................................................................... 9 AFTER THE BALLOTS ARE TALLIED .................................................................. 10 i TALLYING CLERKS' CHECKLIST BEFORE THE POLLS OPEN 1. List of Supplies a. Tally Clerk Quick Reference b. Tally Books - 2 of Each Required 1) Judicial Tally Books (EP-3) - PRIMARY ONLY 2) Republican Tally Books (EP-4) - PRIMARY ONLY 3) Democratic Tally Books (EP-5) - PRIMARY ONLY 4) Constitution Tally Books (EP-6) - PRIMARY ONLY 5) Combined
    [Show full text]
  • Ivision 70-Soil an Ater Istricts Ommission Apter 2
    s s ivision 70-Soil an ater istricts ommission apter 2- Title Page 10 CSR 70-2.010 Conduct of Referendums . .3 10 CSR 70-2.020 Conduct of Supervisor Elections . .3 Roy D. Blunt (11/88) CODE OF STATE REGULATIONS 1 Secretary of state Title lo--DEPARTMENT OF which s/he has no control, the soil districts 10 CSR 70-2.020 Conduct of Supervisor NATURAL RESOURCES law provides that s/he may give a power of Elections Division ‘IO-Soil and Water Districts attorney to a taxpayer residing within the Commission county to represent him/her in this referen- PURPOSE: To fulfill the authority and Chapter Z-Referendums dum and election of supervisors. It is the policy duty assigned in section 278.080.5(2), of the commission to require that this taxpayer RSMo, this rule sets forth the basic 10 CSR 704.010 Conduct of Referendums not be a legal land representative for more proceduresfor the election ofsuperuisors than one (1) landowner, unless legal represen- to thegoverning body of a soil and water PURPOSE: This rule sets forth the basic tation has been estabished previously by conservation district, procedures for the conduct of a referen- reason of professional or paid farm manager- dum on the establishment or disestab- ship. (1) Definitions lishment of soil and water conservation (A) SWCD-a Soil and Water Conservation districts. District established in accordance with the provisions of sections 278.060 and 278.155, (llaTl’ local committee and election judges (5) Immediately after closing the polls, the RSMo. judges shall open the ballot boxes and care- (B) Landowner-any person, firm or corpo- (A) Publish successivenotices of the refer- fully count the ballots cast.
    [Show full text]
  • Appendix a I Appendix A: Compendium Of
    Appendix A i Appendix A: Compendium of problems, continued from Chapter 2 (Footnotes for this section located in “Footnotes: Chapter 2”) September 1986, Dallas, Texas: The number of voters changed on various report printouts, but votes for individual candidates remained the same. The problem was attributed to a computer-programming error. Note the date on this report: Officials have been expressing concerns about computerized vote- counting for nearly two decades. “With paper ballots, I can make the numbers add up ...” said Assistant Texas Attorney General Bob Lemens. “We are running into much tougher problems here.” Texas Attorney General Jim Mattox said the computerized vote-counting clearly has the potential for fraud. “I can’t send a reasonably good programmer to look at this system and determine that it is properly tabulating the ballots,” Mattox said. 72 November 1988, Hillsborough, Broward and Dade counties, Florida: A dropoff was observed in Senate votes from the previous general election, but only in counties that used computerized vote-counting machines. Counties without computerized vote-counting showed a 1 percent dropoff, while counties with computerized voting showed a dropoff of 8 percent. “Something stands out there like a sore thumb,” said Michael Hamby, executive director of the Florida Democratic Party. 73 November 1989, Lima, Ohio: Representatives of Sequoia Pacific, makers of the voting machine software for Lima, failed to appear as requested, and election results were delayed until someone could work out the programming error and recount the votes. Nobody was quite sure how many races were affected, but the mayoral race and the school board races were in question for nearly a week after the election.
    [Show full text]
  • Voting Matters
    ISSN 1745-6231 Voting matters To advance the understanding of preferential voting systems published by The McDougall Trust Issue 24 October 2007 Contents Editorial . i 1 I D Hill: STV in Northern Ireland 1 2 Jonathan Lundell and I D Hill: Notes on the Droop quota 3 3 H R Droop: On Methods of Electing Representatives 7 4 E Stensholt: Review — Elections in split societies 47 About the McDougall Trust (reg. charity no. 212151) The McDougall Trust is a charitable trust formed in 1948. The charity’s purposes as stated in its governing scheme of 1959 are to advance knowledge of and encourage the study of and research into: • political or economic science and functions of government and the services pro- vided to the community by public and voluntary organisations; and • methods of election of and the selection and government of representative organ- isations whether national, civic, commercial, industrial or social. The Trust’s work includes the maintenance and development of the Lakeman Library for Electoral Studies, a unique research resource, the production and publication of Representation: The Journal of Representative Democracy, and, of course, this pub- lication Voting matters, that examines the technical issues of the single transferable vote and related electoral systems. For further information on the Trust, please contact: The Secretary, McDougall Trust, 6 Chancel Street, London SE1 0UX, UK. Telephone: +44 (0)20 7620 1080 Facsimile: +44 (0)20 7928 1528 Email: [email protected] Web: www.mcdougall.org.uk For further information on this publication, please contact B A Wichmann, the Editor at the above address or by email at: [email protected] Review The McDougall Trustees recently asked a senior academic to undertake a review of Voting matters, partly due to some comments on the Internet.
    [Show full text]
  • Essays on Strategic Voting and Mechanism Design
    Essays on Strategic Voting and Mechanism Design Vinayak Tripathi A Dissertation Presented to the Faculty of Princeton University in Candidacy for the Degree of Doctor of Philosophy Recommended for Acceptance by the Department of Economics Adviser: Dilip Abreu June 2008 c Copyright by Vinayak Tripathi, 2008. All Rights Reserved Abstract In the first chapter, we consider the problem of first-best implementation in dynamic, interdependent-value environments where agents have quasi-linear preferences and private types are correlated. Our first candidate solution (I.M.) relies on methods typically seen in games with imperfect monitoring. We derive conditions under which this approach gives the planner the flexibility to implement efficient mechanisms that are ex-post budget balanced and collusion proof. If agents are required to make one final payment after they exit the system, the I.M. mechanism can also satisfy individ- ual rationality and adapt to finite horizon settings. When such payments cannot be enforced, but a cyclic monotonicity condition is satisfied, the planner may adopt our second mechanism (P.A.). This alternative approach employs a technique originally developed for surplus extraction in static auctions. It allows the planner to align ev- ery agent's preferences with his own and implement socially optimal outcomes while satisfying ex-ante budget balance and individual rationality. Both mechanisms per- mit the planner to implement any sharing rule when redistributing surplus. In the second chapter (co-authored with Sambuddha Ghosh), we examine a paradox of strategic voting. Consider an electorate whose individual rankings of alternative policies may change between the time they vote for a candidate and the date a policy is implemented.
    [Show full text]
  • Towards Fair Representation in Crowdsourced Top-K Recommendations
    Equality of Voice: Towards Fair Representation in Crowdsourced Top-K Recommendations Abhijnan Chakraborty Gourab K Patro Niloy Ganguly MPI for Software Systems, Germany IIT Kharagpur, India IIT Kharagpur, India IIT Kharagpur, India Krishna P. Gummadi Patrick Loiseau MPI for Software Systems, Germany Univ. Grenoble Alpes, Inria, CNRS Grenoble INP, LIG & MPI SWS ABSTRACT Such recommendations implicitly rely on crowd-sourced pop- To help their users to discover important items at a particular time, ularity signals to select the items. Recently, concerns have been major websites like Twitter, Yelp, TripAdvisor or NYTimes provide raised about the potential for bias in such crowdsourced recom- Top-K recommendations (e.g., 10 Trending Topics, Top 5 Hotels mendation algorithms [2]. For instance, Google’s search query au- in Paris or 10 Most Viewed News Stories), which rely on crowd- tocomplete feature has been criticized for favoring certain political sourced popularity signals to select the items. However, different parties [38]. In another work [9], we showed that the majority of sections of a crowd may have different preferences, and there is Twitter trends are promoted by crowds whose demographics differ a large silent majority who do not explicitly express their opinion. significantly from Twitter’s overall user population, and certain Also, the crowd often consists of actors like bots, spammers, or peo- demographic groups (e.g., middle-aged black female) are severely ple running orchestrated campaigns. Recommendation algorithms under-represented in the process. today largely do not consider such nuances, hence are vulnerable In this paper, we propose to reimagine top-K non-personalized to strategic manipulation by small but hyper-active user groups.
    [Show full text]