“They Can Do It All on a Computer”

“They Can Do It All on a Computer”

Google Alerts directed me to this brief article. Not particularly exciting, but I wonder what people think of the idea of random selection taking place entirely on a computer like this. Happens quite a lot, I gather–I think that’s how the Dutch medical school lottery is done. But it’s rather hard to verify that a lottery is fair when it’s just a guy typing commands into a computer in the comfort of his office. Thoughts? Does this matter?


28 Responses

  1. Peter,

    Just as with elections, transparency is essential for public confidence in any high-stakes process like this. Many or most people will be suspicious of the people who run the computer (were they bribed to favor a particular group?) It is far better to have a big show of an open and incontestably fair lottery. Frankly, I like the idea of a certain amount of pomp and circumstance in the drawing of lots… to the point of making a big deal about the child who gets to draw the first number from the hat (or other kleroterion machine).


  2. There are ways to make algorithmic selection verifiable. See for example the procedure for selecting the IETF Nominations Committee. The basic idea is to start from a random seed (in the case described they suggest using sport results or public lotteries to create this seed) and then use a deterministic and verifiable algorithm to compute the result. Anybody can check what the results of the agreed upon events were and thus calculate what the selection result ought to be. Another way to create the seed would be to have a number of independent parties create the random data, but requiring them to publish a hash (think of it as a signature) of their data before publishing the random data itself. This, if done properly, would would create a truly random result even if only one of the participants were honest.


  3. Two methods of generating randomness that are fully disconnected from human involvement: atmospheric static or radioactive decay.

    See random.org


  4. In my article
    I suggested the use of a computer.
    As long as the software is open-source, it is verifiable. I don’t see that it matters much whether the numbers are truly random or pseudo-random. What does matter is that the data base of eligible citizens should be open for public inspection, in order that every person can check that he/she is on the list. There should also be a list of names added and removed from the list, so that they can be compared with births, deaths, and immigration/emigrations all of which must also be available.


  5. Two methods of generating randomness that are fully disconnected from human involvement: atmospheric static or radioactive decay.
    See random.org

    That is solving a very different problem. That is about being truly random (as opposed to pseudo-random, which for as far as I can see is perfectly fine for our goals), not about being verifiable. The person making the measurements might be sure he has a real random number, but you will still have to trust him…

    @Campbell Wallace
    While for verification the algorithm has certainly to be public, open source software alone won’t solve the problem of how the seed is chosen (if this isn’t clear I can elaborate…). That is why I proposed multiple parties creating a random seed of which first they all publish a hash.


  6. The clerk of the court under the old system would be just as capable of corrupting the result as the computer boffins. I agree with Terry that publicity is important, not just for the sake of ensuring impartiality but also to emphasise the dignity and honour that go with a citizen being selected to represent her peers. Something akin to the Venetian system and Harrington’s reworking thereof, under which the randomisation machine would assume the status of the Delphic oracle. I also agree with him that we need a modern equivalent of the Heliastic Oath. Rousseau’s strictures on the importance of civic ceremonial in encouraging citizens to seek the general good are worth reading; even if Fustel de Coulanges was wrong about the ancient use of the lot (and I doubt it) there’s no reason why moderns should ignore the functional role of civic religion as the cement that binds us all together.


  7. >”open source software alone won’t solve the problem of how the seed is chosen”
    >” there’s no reason why moderns should ignore the functional role of civic religion”

    The augur, (dressed in white samite, mystic, wonderful) having taken the Heliastic oath and washed his hands in the sight of all, presses the ON button, and turns in the direction of Delos. At the first appearance of a bird on his right (left in the southern hemisphere), he types the sacred command “uptime” in the holy computer. The result of this, converted to nanoseconds, gives the seed.

    The congregation, which has been fasting and waiting in silence since midnight for this moment, raises a shout, and the choir (magnificent in their red robes) sings the Sortition Hymn.

    Many in the congregation are moved to tears by the spectacle.


  8. Lovely! (although just a tad OTT). And the augur would probably turn to Davos, rather than Delos.


  9. >”Lovely! (although just a tad OTT). And the augur would probably turn to Davos, rather than Delos.”

    Actually, that was not quite right. The augur wears a laural wreath, carries the fillet of far-shooting Apollo on a golden staff, and is accompanied by the Lady of the Lot, (it is she, of course who is dressed in white samite), and she presses “Enter” on the augur’s signal. The command “uptime” has already been typed in by an acolyte, in order to prevent the scandal of the computer spitting out “segmentation fault” instead of the Holy Seed in the event of a typo.
    All this is strictly on topic. I leave out the feasting on the hundred spitted oxen, and the drunken orgies that follow, although the profits made by business large and small from these activities would certainly delight those who go to Davos.


  10. The drunken orgies and fatted calves would certainly address Oscar Wilde’s claim that “the trouble with [sortition] is it takes up too many evenings”. Those who draw the golden ticket need to feel honoured and privileged, not just press-ganged into performing jury service.


  11. An energetic conversation, and I haven’t joined in what I consider my ‘special subject’!

    Many years ago (in 1994) I was on jury service, and asked the question: “How is the random selection made?” “Oh, a clerk in a back room has the electoral register, and picks out names with a pin.”

    “And can I observe this process?” said I; “Certainly not!” was the reply, “but we have heard that the LCD (Lord Chancellors Department, the state body which runs the Justice system) will be installing a computer system to do it.”

    Further enquiry with the LCD produced a stonewall of ‘privacy’. No attempt at creating confidence in the process there, anyway. And this from the English legal system, the self-styled Rolls-Royce of justice. But we trust them on this don’t we?


  12. I have written about this at length in my book Lotteries for Education, on p209 onwards. Here is an extract:

    “The core difficulty is inherent in the lottery process: it is meant to be a sudden, non-reversible cut-off event. Once the random numbers have been produced, or the balls drawn, there is no trace of how it was done. This is ‘blind chance’ and leaves no audit trail. If a disgruntled victim of a lottery-choice feels that some chicanery went on then there is no way that they can be re-assured, especially if the draw is done in private or the numbers have been produced by some mysterious computer. Unless the draw was done openly, with some form of independent testing possible then there can always be doubt. It is for this reason that many schools use trustworthy outside agencies like the Electoral Reform Society to carry out the actual draw.”


  13. >If a disgruntled victim of a lottery-choice feels that some chicanery went on then there is no way that they can be re-assured.

    Notwithstanding the fact that those who play the National Lottery are desperate to win there are never any complaints (apart from aggrieved syndicate members who failed to pay their sub), so we can predict a high level of confidence in a political lottery where nobody would want to win. Or perhaps the tranquility of the former is only on account of the National Lottery being a tax on the stupid.


  14. Why no complaints from the disgruntled about the National Lottery? Observe the level of care to convince the punters that it is a genuine draw; note the level of surveillance; and all of the results are available for scrutiny. They’ve made damn sure that there’ll be no complaints! Difficult to see how fraudsters could bend the draw either.

    Now compare that with the US Green Card lottery, which is conducted by a mysterious computer.


  15. Yes indeed, it’s no coincidence that the Florentine political lottery was called the Scrutiny. Publicity and (arguably) ceremonial is essential, although this would still not, in principle, prevent some fiendish boffin from fixing (or even hacking) the computer from behind the scenes. It’s a lot easier to have confidence in a few balls juggling around in a tumble-drier in front of the TV cameras than for a computer to disgorge the result.

    But it’s hard to envisage anything other than a computerised solution for a political lottery given the huge numbers involved. Ex-post scrutiny would be possible in that those allotted could be surveyed as to their age, sex, occupation, income, religion, ethnicity, geographical region, political leanings etc to make sure that the sample was statistically accurate on a few gross dimensions. Bear in mind it doesn’t matter WHICH individuals are selected, only that the resultant group is a reasonably accurate portrait in miniature of the target population.


  16. Organizing state-sponsored gambling based on the results of the political drawing could be an easy way to attract public attention.


  17. he types the sacred command “uptime” in the holy computer. The result of this, converted to nanoseconds, gives the seed.

    The problem here is that it is not straightforward to check that a real (not rigged) version of uptime has been used. Sure, somebody can check the computer in advance and afterwards, but now you have to trust the person checking the computer. That is why I insist on independent parties generating seeds. Of course you need enough interested parties (for a jury it could be the accuser and the defender).

    What should be done in any case is publishing the algorithm that goes from the seed to the resulting selection. Now even if the attacker were able to control the seed he would have to try many of them compute the result they would give, have a way to evaluate the result, and hope one of them pleases him. He would be blocked from hand picking his candidates. For most trials this should be enough, however if there is more at stake one of the parties could request a collaborative seed generated the way I described.


  18. In medieval Genoa, there was a regular draw to select 6 magistrates from a pool of 91 of the elite (sorry, can’t remember the ref). This draw became the basis of a gambling lottery. Thus it was that a trustworthy people-choosing lottery became a reliable basis for a gambling lottery.

    Things are different now — we can rely on the National (gambling) Lottery, because they go to great lengths to make it trustworthy. So if a school-place or Green Card lottery needs numbers it should fall back on any well-run gambling lottery. All applicants should be pre-allocated a unique serial number. It does not take a math genius to work out how to pick the winners — fairly and openly. Next Saturday’s Lotto numbers will decide.

    Say NO to secret computers with baffling algorithms!


  19. I see what you mean, so if the balls in the Lotto machine disgorges the number 3,023,867 in front of the TV cameras then it’s your turn. However the gambling lottery works because punters are motivated not to lose their lotto ticket. If it’s a political lottery then the authorities have to track down the card-holder, who may well have moved house and there is always the possibility that the authorities will nefariously choose someone else as I can’t see anyone bothering to check if 300 10-12 digit numbers match their own card. Perhaps it needs to be combined with a cash prize! The other problem is that it could be used as a way of smuggling ID cards in, as your lotto card would become your identity as a citizen. Jean-Jacques would have liked it, but so would Adolf. The solution would be to issue new numbers every time the electoral register is re-drawn (every five years?)

    So the lotto machine is not exactly perfect but will certainly look better than the numbers coming up on the computer screen.


  20. Well, they have to have a list of eligible people somewhere anyway, right? Assigning everybody a number in that list should not be a problem.

    Just a note: I think the idea here is to use the lottery result as a start (seed) from which to calculate the candidates with a predetermined and thus verifiable mathematical procedure (algorithm). This is the exact procedure described in the paper I linked before. Expecting the lottery result to be directly equal to a serial number might require waiting for many lottery draws before having a result for a big body.

    Of course to be completely transparent the list of candidates and their numbers would have to be published, which might create privacy concerns. Again cryptography can come to our help and we could apply one way functions to the items of the list, and only publish the signatures.

    This way the selection committee might state that one of the selected is “John Smith, born 10/10/10 in Someplace serial:123456 salt:5454somenoise”. After which it can easily be verified by anybody that the hash of that string (a680b647) is indeed in the list of signatures previously published, and that if you apply the published algorithm to the results of the agreed upon Lottery you indeed get 123456.


  21. The key is that the selection algorithm be checkable even without any computer smarts. For example: names are in any order (random or alphabetical, geographic, etc.). One “seed” determines a frequency (every 127,343rd name), and then a separate seed drawn by different people using a different method picks a starting point (the 32,007,113th name on the list).


  22. Thanks to all the computer-savvy folk for indicating the technically-optimal way. But I agree with Conall that publicity is the most important factor and balls rolling out of a transparent perspex tumble-dryer in full view of the TV cameras has a pleasingly artificial resonance with the public lottery systems of antiquity. Could the seeding system with different sets of drawers form the basis of a public ceremonial (with or without augurs and white samite robes)?


  23. Fela, I’m sure you know more about this than I do, but:

    >”The problem here is that it is not straightforward to check that a real (not rigged) version of uptime has been used. Sure, somebody can check the computer in advance and afterwards, but now you have to trust the person checking the computer.”

    Uptime and the flight of the first sparrow or whatever were whimsical suggestions. Using a lottery result as seed sounds good to me. You could no doubt rig the seed in one sense by taking a few milliseconds more or less to hit the “enter” key, or throwing a stone to scare the sparrows, but in our context how much does the seed matter if you can’t manipulate it in a precise way?

    To rig the results in a meaningful way, a villain would surely have rig the {seed +(pseudo-)random number generator} to produce a predictable, reproducible result, for instance a large number of the members chosen to be on a notional list in his possession. So would it not be possible to check afterwards by repeating the procedure a number of times and seeing if some pattern appeared? I realise political beliefs are easy to hide and hard to verify, but there are proxies for them, and if one consistently got an unreasonable proportion of poultry farmers, stamp collecters, or persons over sixty years of age you might smell a rat.

    In any event, it would be relatively easy to check the composition of the members actually chosen for age, sex, occupation, place of residence, etc. I could imagine independent “watchdog” bodies keeping a running tally of these things and publishing it on the internet.

    Do we really need to trust “the person checking the computer?” If the computer is available for inspection by anyone, is that not good enough? (by inspection I mean checking by repeatedly generating random lists, as above, with a few other obvious checks: no wired or wireless connection to the outside world, for instance).
    I have faith in open source software not because I check the source code myself, but because I believe that there are people out there who care about these things and do check. It does not matter to me who actually checks, as long as the possibility exists for anyone to do it at any time.

    These comments may seem horribly slipshod and sloppy if you think in terms of cryptography, but even with an imperfect algorithm the behaviour of members of parliament would be harder to predict or manipulate than numbers, and, in any case what could be worse than what passes for representation at present?

    >”That is why I insist on independent parties generating seeds.”
    How do you check that the parties really are independent?

    For the Luddites who have a knee-jerk distrust of computers:
    By the time any form of sortition gets adopted in choosing a government, not only will there be no-one who remembers a time when computers weren’t ubiquitous, but government will probably be in the hands of a robot dictator.
    I suspect people don’t protest about lottery results because they know that there is very little chance of them winning, not because they trust the mechanism or those running the show.


  24. I agree that it would be very quite hard to manipulate the system, using any seed, as long as a good pseudo random generator is used. Still I think using a trusted national lottery or multiple parties generating a seed would be better. Because I can think of attacks that could subtly change the results: sometime a little difference in outcome is enough to tip the result, or somebody can try to have at least one charismatic person selected among those in a big list. If the suspect of rigging comes after the fact it is to late for countermeasures. That is why I would feel safer with a cryptographically solid solution, while I do understand the position of some here that the average person should understands and trust the selection process…

    I continue to not quite understand what open source software would bring (don’t get me wrong, I’m all for open source in general… but here?). For the part that goes from the seed to the result it is enough that it uses a public algorithm, than everybody can check it with the software it wants (or everybody with enough knowledge), I think that on this we agree. But for the software generating the seed, sure you can check the source code of the open source software which has been claimed to have been used, but how can you be sure this really was the case? You could write a program that replaces itself after use leaving no trace. Sure you can check the software beforehand. But who will be allowed to do so? And do we trust him? Perhaps instead of using software you could use a hardware program so that no changes can happen, mmh now that I think of it such a hardware solution exist since thousands of years, it is called a lottery :)


  25. >mmh now that I think of it such a hardware solution exist since thousands of years, it is called a lottery :)

    Exactly. There’s no need to reinvent a very worn wheel.


  26. >”I continue to not quite understand what open source software would bring”

    What it brings is openness – anyone can check it.
    However I didn’t suggest that it be used for generating the seed. I’m perfectly happy with a lottery for that. Or sparrows.
    I used the example of OSS merely to illustrate the principle that you don’t really need to know every last detail to be able to trust something.

    And since you posit an open algorithm and an open database of eligible citizens we’re in agreement, although I’d still _prefer_ that the software generating the list of random numbers and translating that list to a list of names be OSS, and also the operating system that the whole thing runs on, stripped down to the bare minimum necessary to
    1 Generate its list of names and numbers.
    2 Publish that.
    3 Send a copy of itself to anyone who asks for it.

    You mention privacy concerns. I think the database could be in the form:
    Family name:Given names:Date of birth or accession to citizenship:Place of birth:Already selected (y/n)

    You query it with the first four fields, one after the other. Unless you already know all those, you get no information. If you do know them, then the only extra info you get is “yes, that person is on the list”, “no, that person is not on the list”, or “That person has already been selected”, ie is no longer eligible for selection.

    There are really only two ways you could tamper with the DB. If you add bogus names this will be detected when the “dead souls” fail to stand up. If you remove names, or change them to “already served” this can be detected by everyone checking his/her entry regularly.

    For security you’d probably want the DB on a separate computer, only communicating its DB to the selecting computer just before the time of the selection, and then the connection being broken.


  27. I think you’re both missing the point — the system has to be seen to be fair and transparent in the eyes of Joe Public, not the high priests of the computing industry. Hence the call for golf balls and a tumble dryer.


  28. Interestingly, Google Alerts brought up more news stories this morning touching on the subject. Apparently, the Philippines conducts random manual audits of its automated voting machines. They just switched to using a computer from drawing balls out of something called a tambiolo. Perhaps this means that Filipino fans of sortition should call themselves the Tambiolans?

    For more details, see…




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: