Articles

5 reasons grids should use Bitcoin (if I ever get around to finishing the money server)

In virtual worlds on July 4, 2012 by edmundintokyo

Maria Korolov has written a piece at Hypergrid Business called “5 reasons grids should avoid Bitcoin”.

Bitcoin can be a little bit difficult for people to get their heads around and her article contains some misunderstandings, but they’ve been fairly thoroughly addressed in the comments, so rather than go through the thing point by point, I’m going to go ahead and put the alternative case.

Here’s why the open metaverse needs Bitcoin, or something similar.

1) Users should be able to move their money easily from grid to grid.

When Linden Lab created Second Life, they built in a very nice, simple micro-payments system that allows you to easily buy and sell content created by other users. You have to pay money into their system with a credit card, but you only have to do it once, and the same money will work wherever you go in Second Life. But their system depends on having a single company running everybody’s virtual spaces. The OpenSim vision is of independently-run grids connected together, so that you can easily jump from one grid to another. But when you do that, you don’t want to have to keep paying money into every grid you visit. We need one common balance that works everywhere. Meanwhile,

2) You don’t want to be baby-sitting too much of other people’s money.

Linden Lab are a big company with rich investors and their own lawyer, but in the Open Metaverse we want anybody to be able to run a grid, just like anybody can run a web server. If you maintain your own metaverse currency, you have to take on a lot of responsibility that you may not want, and your users have to give you a lot of trust that they may not want to give. You also open yourself up to the risk that you’re somehow in breach of one of the many amazing regulations that surround currencies and payment processing.

It would be much better to leave your users in control of their own money and wash your hands of the whole thing. The only thing you want to be doing is prompting people to make payments and checking that they’ve been made. You don’t want to set yourself up as a participant in transactions between your users, and you certainly don’t want to look after people’s money for them.

3) When you have a single point of failure, it always fails.

If you’ve been reading this so far, you may be thinking, “No problem, I’ll use Open Metaverse Currency“. OMC is a virtual currency provided by a great little company called VirWox. You can install their money module on your server, and your users will be able to buy their virtual currency and spend it on any other participating grid.

But now, having gone to all the trouble to build OpenSim and avoid being dependent on Linden Lab, we’ve made ourselves dependent on VirWox instead. If they go bust, get bought out, take on a clueless manager, make a more interesting product and decide to focus on that, get shut down by the regulators or do any of the things that usually happen to technology start-ups, it’s goodbye to all your Open Metaverse Currency. Not only that, OMC effectively have a license to print money for themselves and devalue everybody else’s. VirWox seem like very ethical people, but to avoid the temptation to make up for a poor quarter by quietly debasing the coinage, they’ll have to be.

4) Online micro-transactions need cash, not credit cards.

Maria makes a big deal of how Bitcoin isn’t backed by a company, so there’s nobody checking for fraud and looking after you if you’re a victim of it. This is of course true. But in reality I don’t know how much luck you’d have getting your OMC or your Linden Dollars refunded if somebody stole your laptop. And a lot of the fraud that credit companies deal with is actually dealing with the gaping holes in their own security. For example, credit card security is based on the idea that your money is protected by a secret number that you tell everybody that you do business with. This turned out not to work very well, so then they came up with a special three-digit code and you had to tell everybody you did business with that as well. The only way to persuade buyers to adopt a system that’s so full of holes was to let them cancel payments after they’ve been made. But instead of making up the difference themselves, they charge the cancelled payment to the unlucky merchant who was supposed to be getting it. And that, dear grid operator, is you.

It isn’t like this in the real world. We’ve been doing small transactions in meatspace for millennia, and payment systems have never been bundled together with buyer protection systems. Last week I bought a cup of coffee from McDonald’s for 100 yen and got it home only to discover it was full of coffee grounds. I took it back to the shop and they gave me a new cup. A less generous vendor might have refused. But in neither case would I have been able to take my dispute to the Bank of Japan, who issued my 100 yen coin. Small transactions work best when they are final and non-reversible. That doesn’t mean that there is no accountability; if I hadn’t been happy I could have called the national McDonald’s customer support number, or taken it up with the consumer protection bureau. But the accountability mechanism is separate from the payment system. Trying to mush them together for small transactions turns out to be expensive, unfair and unpredictable. When you get paid, you need to stay paid.

5) Volatility doesn’t matter much.

There’s one serious point in Maria’s piece, which is that although it’s been quite stable recently, Bitcoin is prone to volatility that other currencies aren’t usually subject to. Real-world currencies in developed countries tend not to vary against each other by more than a factor of two, and vendor-backed currencies like the Linden Dollar and OMC are kept close to a real-world currency by controlling how much money is issued. Bitcoin has been all over the place, and may see more crazy price spikes if it’s subject to another wave of hype.

But as a grid operator, or indeed a user, this is probably not actually a big problem in practice. You don’t keep all your money in a metaverse micro-economy, so a change in value just means a bit of variation in the value of the small amount of money you’d hold for transactions, which could go up just as easily as it goes down. If you find adjusting prices tiresome and want to peg them to the Dollar or the Yen that’s not a huge technical hurdle – we can probably build it into the money server.

Make me decentralized, but not yet.

Having said all that, there is a real reason why grid operators shouldn’t use Bitcoin yet, which is that so far there is absolutely no technical infrastructure to do it. At a minimum, we need a version of the money server designed to handle Bitcoin addresses, broker transactions and deliver inventory when they are complete. (I’m working on this, but most of my spare time goes into SLOODLE and Avatar Classroom.) And to make the process both really smooth for the end user and fully decentralized, we’ll also need integration with the viewer.

There’s some technical work to do here and I’m not confident that the metaverse will end up adopting Bitcoin. But it should.


Can Anyone Sell Me A Transparent Cloud?

In hacking, internet, voting on February 2, 2012 by edmundintokyo

Recently I’ve run into a couple of problems related to things like online voting and payment escrow, where I wanted to be able to provide a hosted service for something that would be transparent and verifiable. To minimize the amount of trust the users would have to put in me, I wanted to not only make the code that I was running publicly available, but also give people the ability to check that my hosted service was actually running the code that I said it was, and that I hadn’t deployed something different, or done something to my server that would make it behave differently.

This kind of transparency didn’t seem like a particularly exotic thing to want, so I googled around for people running a platform that would let me do that kind of thing. But I couldn’t find anything, so I thought I’d write it up and see if anyone has done this, or has thoughts on how it should be done.

Why do I want to make hosted stuff transparent? Here’s an example.

Adam and Bob make a bet, and Chris agrees to referee if one of them tries to cheat. To do this, they agree that two people out of three will need to agree to access the money. If Adam and Bob settle the bet as planned, Chris doesn’t need to do anything. If Adam or Bob loses the bet and disappears, Chris will make sure the money goes to the winner. And if Chris wants to run off with Adam and Bob’s money, he’ll have to persuade one or the other to conspire with him.

To help with transactions like these, someone – let’s call them Dave – runs a website that lets them do the following:

  • Adam goes to Dave’s website and types in his own, Bob’s and Chris’s e-mail addresses.
  • Dave’s server creates a private BitCoin key and a public BitCoin address. The private key can be used to access money sent to the public address.
  • Dave’s server splits the private key into three parts, and sends a different two parts of the three to each of Adam, Bob and Chris along with the public BitCoin address.
  • Dave’s server deletes the key, so it won’t be able to access the money that Adam and Bob are about to pay in.
  • Adam and Bob pay their stakes to the public address.
  • When the bet is settled, the loser sends their part of the private key to the winner, who can now access the money.
  • If the loser fails to send the winner their part of the private key, the referee will send theirs to the winner instead.

(*) The BitCoin people have a plan to solve this problem properly by building multiple-signature features right into the transactions, so hopefully when they’re done it’ll take care of itself.
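The splitting step above, as an added example that is not code from the original post. It assumes the three parts are XOR shares rather than slices of the key: read literally as cutting the key into three pieces, each person would already hold about two-thirds of the key bytes, whereas with XOR shares a single two-part bundle reveals nothing. The function names and the 32-byte key are assumptions made for the illustration.

```python
import secrets

PARTIES = ("adam", "bob", "chris")  # names taken from the example above


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_two_of_three(key: bytes) -> dict:
    """Split key into parts 0, 1, 2 with part0 ^ part1 ^ part2 == key.

    Party i receives every part except part i, so any two parties
    together hold all three parts, while one party alone is missing one.
    """
    part0 = secrets.token_bytes(len(key))
    part1 = secrets.token_bytes(len(key))
    part2 = xor_bytes(xor_bytes(key, part0), part1)
    parts = (part0, part1, part2)
    return {
        name: {j: parts[j] for j in range(3) if j != i}
        for i, name in enumerate(PARTIES)
    }


def recover(bundle_a: dict, bundle_b: dict) -> bytes:
    """Rebuild the key from the bundles of two different parties."""
    # A part held by both parties must be identical, otherwise one was altered.
    for j in set(bundle_a) & set(bundle_b):
        if bundle_a[j] != bundle_b[j]:
            raise ValueError(f"part {j} differs between the two bundles")
    merged = {**bundle_a, **bundle_b}
    if set(merged) != {0, 1, 2}:
        raise ValueError("bundles from two different parties are required")
    return xor_bytes(xor_bytes(merged[0], merged[1]), merged[2])


def missing_part_for(bundle: dict, candidate_key: bytes) -> bytes:
    """The missing part that would make candidate_key the real key.

    One exists for every candidate, which is why a single bundle says
    nothing about the key.
    """
    held = list(bundle.values())
    return xor_bytes(xor_bytes(candidate_key, held[0]), held[1])


def bytes_exposed_by_slicing(key_len: int) -> int:
    """Most key bytes a single holder sees if the key is cut into slices."""
    slice_len = -(-key_len // 3)  # ceiling division: length of the longer slices
    return min(key_len, 2 * slice_len)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed stand-in for the private key
    bundles = split_two_of_three(key)
    print("bob + chris recover the key:",
          recover(bundles["bob"], bundles["chris"]) == key)
    print("bytes exposed per holder with plain slicing:",
          bytes_exposed_by_slicing(32))
```

None of this removes the need to trust Dave: his server still sees the whole key before it splits and deletes it.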

The problem:
How can Adam, Bob and Chris trust that Dave isn’t going to secretly copy the private key, then use it to steal the money?

The solution:
The software and hardware Dave is running should be publicly verifiable wherever possible, or failing that verifiably in the control of a large, trusted organization with little incentive to cheat.

Thinking about the way cloud hosting works right now, we might do something like this:

  • The server hardware the service runs on is controlled by Rackspace/Amazon.
  • The server OS and core software are based on a publicly available image, if possible created using a transparent process by a trusted party (ideally Rackspace/Amazon, as we have to trust them anyway).
  • The setup steps for the publicly available image are automated based on a public source code repository whose history cannot be modified, and nobody is able to log into the server and change them.
  • A public record is available showing which image is being used for the IP address of the service.
  • A public record is available showing which source code repository was used.

The best I think I could do using existing services would be something like:

  • On EC2 someone (let’s call them Ed) would create a publicly available AMI based on an official Linux AMI, and publicize the steps he used to make it. I’ll call it Ed’s Transparent AMI.
  • Ed’s Transparent AMI would have SSH logins disabled.
  • Ed’s Transparent AMI would run a script on boot specified by a parameter.
  • Dave would create his setup script and check it into a public Subversion repo on Google Code.
  • Dave would create read-only credentials for his EC2 account and publish them.
  • Dave would launch an instance using Ed’s Transparent AMI, specifying his setup script.
  • Dave would (probably) map a DNS name to the IP address of his instance.
  • If the system allowed Dave to update things after the instance was set up, his changes would have to go through public version control, probably using something like Puppet.
  • If Adam, Bob or Chris wanted to check up on Dave, they would:
    • Look up the IP address of the site.
    • Use the public EC2 credentials to find out which instance was attached to the IP address.
    • Use the public EC2 credentials to check which script the instance was using.
    • Check the history of the script on Google Code to make sure Dave hadn’t done anything suspicious.
  • If anyone wanted to check Ed’s Transparent AMI, I guess they’d follow the steps he said he’d used to create it and compare what they got with what he was providing, which is the best we can do for third-party AMIs right now.
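The checks Adam, Bob or Chris would run, as an added example that is not from the original post. It works on constructed data shaped like the responses of EC2's DescribeInstances and DescribeInstanceAttribute (userData) calls, as they would be fetched with Dave's published read-only credentials. Treating instance user data as the "parameter" that names the boot script is an assumption, and the AMI ids, instance ids, IP addresses and scripts are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample data, shaped like a DescribeInstances response.
DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0000000a", "ImageId": "ami-00000000",
             "PublicIpAddress": "203.0.113.10"},
            {"InstanceId": "i-0000000b", "ImageId": "ami-11111111",
             "PublicIpAddress": "203.0.113.20"},
        ]}
    ]
}

# Constructed boot scripts: the one in the public repository and a changed one.
PUBLISHED_SCRIPT = b"#!/bin/sh\nsvn export https://example.invalid/escrow /srv/escrow\n"
CHANGED_SCRIPT = PUBLISHED_SCRIPT + b"echo extra step\n"

# Constructed DescribeInstanceAttribute(userData) responses, keyed by instance.
USER_DATA = {
    "i-0000000a": {"InstanceId": "i-0000000a",
                   "UserData": {"Value": base64.b64encode(PUBLISHED_SCRIPT).decode()}},
    "i-0000000b": {"InstanceId": "i-0000000b",
                   "UserData": {"Value": base64.b64encode(CHANGED_SCRIPT).decode()}},
}

TRANSPARENT_AMI = "ami-00000000"  # placeholder for the id of Ed's Transparent AMI


def find_instance_by_ip(describe_instances: dict, site_ip: str) -> dict:
    """Return the single instance that owns the site's public IP address."""
    matches = [
        inst
        for reservation in describe_instances.get("Reservations", [])
        for inst in reservation.get("Instances", [])
        if inst.get("PublicIpAddress") == site_ip
    ]
    if len(matches) != 1:
        raise LookupError(
            f"expected exactly one instance on {site_ip}, found {len(matches)}")
    return matches[0]


def audit(site_ip: str, describe_instances: dict, user_data: dict,
          expected_ami: str, published_script: bytes) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    inst = find_instance_by_ip(describe_instances, site_ip)

    # The instance must be running the publicly documented image.
    if inst.get("ImageId") != expected_ami:
        findings.append(
            f"{inst['InstanceId']} runs {inst.get('ImageId')}, not {expected_ami}")

    # The boot script on the instance must match the one under version control.
    encoded = user_data.get(inst["InstanceId"], {}).get("UserData", {}).get("Value")
    if encoded is None:
        findings.append(f"{inst['InstanceId']} has no boot script recorded")
    else:
        running = hashlib.sha256(base64.b64decode(encoded)).hexdigest()
        published = hashlib.sha256(published_script).hexdigest()
        if running != published:
            findings.append(
                f"boot script sha256 {running[:12]} differs from published {published[:12]}")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20"):
        result = audit(ip, DESCRIBE_INSTANCES, USER_DATA,
                       TRANSPARENT_AMI, PUBLISHED_SCRIPT)
        print(ip, "OK" if not result else result)
```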

Anyone have any thoughts? Friendly person from Rackspace on Twitter?


Power to the MP-ple: How Carswell and Hannan could save Nick Clegg’s Bacon

In Liberal Democrats, UK Politics on May 8, 2010 by edmundintokyo

A Hung Parliament leaves Nick Clegg with a nasty choice. His campaign promised a new start, a different way of doing things and a fresh choice. But one way or another, he has to install one or other of the old politicians. Back Cameron, and his left-leaning supporters will desert him. Back the party that just lost, and floating voters will lynch him. Force a new election, and everybody will hate him.

But what if there was another way? What if, instead of an arrangement between a Conservative PM and the Liberal Democrats, Clegg could arrange for an arrangement between a Conservative PM and the entire House of Commons?

Under the current system, there would be no such thing. A British Prime Minister and his inner circle have enormous power of patronage, a tight grip over what legislation is considered by the House of Commons and a lock on the national wallet. Whatever promises he might extract, the real power would live with whatever individual he supported in a confidence vote. The MPs hardly get a look-in.

But some people think there should be another way. Many of those people are in the Conservative Party. Libertarian right-wingers Daniel Hannan and Douglas Carswell advocate slashing the powers of the executive – while lamenting that once lodged in government, Cameron may go the way of Jim Hacker.

And some of these ideas – in a watered-down form – are official Conservative policy.

Clegg should take it further. He should set, as the only condition for allowing Cameron to form a government, a massive transfer of power from the Prime Minister and the cabinet to the House of Commons. For example:

  • Take the formulation of laws away from the ministers, and give it to balanced all-party parliamentary select committees.
  • Let committees control the legislation of the departments they oversee.
  • Give powers exercised by cabinet ministers back to the Commons.
  • Reduce the control of the whips.
  • Give parliament a veto over quango appointments.
  • Change the procedural rules to make it easier to pass legislation that the government disapproves of.
  • Do that all-party committee on the public finances they were talking about.

A request like this would be very hard for Cameron to resist. It would appeal to floating voters, who by definition aren’t attached to one of the parties and like the idea of everyone having grown-up discussions rather than locking the losing party out. It gives power to all MPs, not just the LibDems, so it doesn’t sound as self-seeking as insisting on PR. And it allows the occasional Lib/Lab alliance to assert itself on a few chosen high-profile issues, keeping their mutual tactical-voting flame alive.

Neuter the executive, and empower the legislature. A legislature which still – by the skin of its teeth – has a centre-left majority.

Thanks to jsfl at politicalbetting.com for pointing out the Carswell/Hannan connection.

Update: Carswell blogs:


Yet over the past three days we’ve seen a tiny handful of people meeting in private to determine the shape of the next government.

This is wrong.

Rather than cutting secret deals behind closed doors in Whitehall, should we not be having these debates on the floor of the Commons, led by the people’s tribunes?


A more efficient way to waste time on politicalbetting.com (Firefox, Chrome, Safari, maybe others)

In hacking on April 8, 2010 by edmundintokyo

Mike Smithson’s provocative, tightly-written articles at politicalbetting.com attract some very astute and interesting comments.

But the site lacks a few useful features, which makes it quite hard work to follow.

  • There’s no “reply” button, so people address each others’ posts using comment numbers, but the numbers themselves sometimes change when a comment comes out of moderation.
  • The discussion tends to move quite fast, but the only way to get the latest comments is to refresh the page.
  • Some days you don’t have time to read the whole thing, but there are some people you don’t want to miss.
  • Not everybody who posts there is astute and interesting, and there are some people you’d just like to skip.
  • The site only sometimes manages to remember your name and e-mail address, and often loses it.

If, like me, you waste far more time on the site than you should, you might want to try this bookmarklet. To use it, install the bookmarklet in your browser, then browse to the page you want to read and click the link:

  • An “Ignore” link will appear next to each comment. When you click on it, it will hide the text of any comments by the poster you chose to ignore. It stores this information in a cookie in your browser, so it will still be there next time you use the site. Ignored posters get an “Unignore” link next to their names, so you can restore their posts if you change your mind.
  • A “Favourite” link will appear next to the “Ignore” link. Clicking that will highlight that poster’s comments, and create a link above their post to let you jump to the next favourited post.
  • A “Reply” link will appear next to the “Favourite” link. Clicking on it will jump you straight to the comment box, which will contain a link to the comment that you are replying to. If you want to quote some text from the original comment in your reply, you can select the text before clicking “reply”. This is gone now we have Disqus, which already has a reply feature.
  • A “Show more comments” link will appear under the final comment. Clicking that will fetch the latest version of the page behind the scenes and copy all the new comments into the page you’re reading, so you don’t need to refresh.

How to install it

  • Make sure you have the bookmark toolbar showing in Firefox. (You can turn it on via View->Toolbars)
  • Go to this page and drag the “PB Enhanced” link to the bookmark toolbar.
  • If Firefox nags you that the bookmarklet may not be safe, tell it to go ahead anyway.

Update: Megalomaniacs4u has repackaged the bookmarklet as a Greasemonkey script; you can install it once in Firefox and you won’t have to click it when you reload the page:

http://megalomaniacs4u.s3.amazonaws.com/political_betting_made_e.user.js

Update: Here’s a Greasemonkey version of the new version, for a Disqus-based comments system. This seems to work on recent versions of Chrome out of the box, with no need to install an additional extension.

Bugs and limitations

  • I’ve only tested it on Firefox. It probably won’t work on other browsers. Apparently it works on Chrome as well. Thanks Chad for checking that out. And Safari.
  • The “reply” button doesn’t always work for some reason.
  • After you post a comment, you’ll have to click the bookmarklet again.
  • If you ignore huge numbers of posters, your cookie will get too big, and something will go wrong.
  • The “Show more comments” feature will show you the comments in the order that it gets them, so a comment that comes out of moderation will appear with the new comments, rather than further up the thread based on the time it was posted. This may make the numbering even more messed up than it already was. Fixed in Disqus version.
  • The bookmarklet may open some kind of obscure security hole where somebody can put special characters in their username and steal your login information or something. It should be OK, but to be on the safe side I wouldn’t suggest using it while logged in as an administrator or moderator. Fixed in Disqus version.
  • Updated I’m not convinced the cookies are carrying across different pages correctly. I’ll see if I can make another version that behaves better tomorrow. Fixed
  • Updated Doesn’t keep the cookie when changing to a different subdomain. Fixed


Heads Or Tails Voting: A Secret Ballot In Plain Sight

In internet, voting on December 30, 2009 by edmundintokyo

It would be useful if people could vote secretly from home. If we could do this right, we could do all kinds of things to improve our political systems.

The problem is that if someone is voting outside a secure voting booth, we can’t be sure that someone isn’t watching how they vote. If someone can watch how you vote, they can bribe or pressure you to vote in the way they want. Some people have concluded that it’s impossible to have a secret ballot using online voting.

Heads Or Tails Voting gives you a secret ballot in plain sight. The voter has a single secret piece of information which is never displayed on their computer screen: Whether they are a Heads Voter or a Tails Voter. Using this secret, they can vote without anyone ever knowing how they voted – even if someone was looking over their shoulder as they did it.

Here’s how it works.

Registration

  • You register in a secure booth. Like an existing voting booth, only one person is allowed in at a time, and you have to prove who you are before you are allowed to use it.
  • Using the computer in the booth, you create a login name and password that you will be able to use from your PC or mobile phone.
  • The computer randomly chooses either Heads or Tails, and tells you which it chose. This information is stored in the voting database along with your password, and no-one else knows whether you are a Heads Voter or a Tails Voter.
  • You only have to visit the booth once, unless you forget whether you are a Heads Voter or a Tails Voter. Everything else can be done from your PC or your phone.

Voting (Yes or No)

  • Log into the voting website using your login name and password.
  • The screen shows the choices for Heads Voters on one side and Tails Voters on the other side.

A Yes/No Question

  • If you are a Heads Voter, click the top checkbox to vote “Yes” or the bottom checkbox to vote “No”.
  • If you are a Tails Voter, click the top checkbox to vote “No” or the bottom checkbox to vote “Yes”.

Voting (Ranking Multiple Choices)

  • Log into the voting website using your login name and password.
  • The screen shows the candidates arranged in a random order.


  • Rearrange the order of the candidates by dragging their names to the left or right.
  • If you are a Heads Voter, put your favourite candidate on the left and your least favourite candidate on the right.
  • If you are a Tails Voter, put your favourite candidate on the right and your least favourite candidate on the left.

What Happens If…

  • If you forget whether you are a Heads Voter or a Tails Voter, you can go back to the registration booth and find out.
  • If someone tries to force you to vote the way they want, you can trick them by lying about whether you are a Heads Voter or a Tails Voter, and make your actual votes go to whoever you think will annoy them the most.
  • If someone steals your login name and password, they’ll have to guess whether you are a Heads Voter or a Tails Voter. Since they only have a 50/50 chance of guessing right, they will be as likely to hurt their chosen candidate as help them.
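The decoding rules above, as an added example that is not from the original post. It shows how the server would turn clicks into votes, what an onlooker can infer from watching one Yes/No ballot, and what a thief with a stolen login achieves. It assumes the Heads/Tails assignment is a fair coin the onlooker does not know, and every name in the code is made up for the illustration.

```python
from fractions import Fraction

COINS = ("heads", "tails")

# Yes/No rule from the text: Heads voters click top for Yes, Tails voters
# click top for No, and the bottom checkbox is the opposite in each case.
YES_NO_RULE = {
    ("heads", "top"): "yes", ("heads", "bottom"): "no",
    ("tails", "top"): "no", ("tails", "bottom"): "yes",
}


def decode_yes_no(coin: str, clicked: str) -> str:
    """Server side: combine the stored coin with the observed click."""
    return YES_NO_RULE[(coin, clicked)]


def decode_ranking(coin: str, displayed_left_to_right: list) -> list:
    """Return the candidates from favourite to least favourite.

    Heads voters put their favourite on the left, Tails voters on the right.
    """
    if coin == "heads":
        return list(displayed_left_to_right)
    return list(reversed(displayed_left_to_right))


def onlooker_posterior(clicked: str, prior_yes: Fraction) -> Fraction:
    """P(vote is Yes | observed click) for someone who cannot see the coin.

    prior_yes is what the onlooker believed about this voter beforehand.
    """
    p_click = Fraction(0)
    p_click_and_yes = Fraction(0)
    for coin in COINS:
        for vote, p_vote in (("yes", prior_yes), ("no", 1 - prior_yes)):
            if decode_yes_no(coin, clicked) == vote:
                p = Fraction(1, 2) * p_vote  # fair coin times prior on the vote
                p_click += p
                if vote == "yes":
                    p_click_and_yes += p
    return p_click_and_yes / p_click


def stolen_login_outcome(clicked: str) -> dict:
    """Distribution of the recorded vote when a thief clicks without the coin."""
    outcome = {"yes": Fraction(0), "no": Fraction(0)}
    for coin in COINS:
        outcome[decode_yes_no(coin, clicked)] += Fraction(1, 2)
    return outcome


if __name__ == "__main__":
    prior = Fraction(7, 10)  # constructed prior: onlooker thinks 70% Yes
    print("posterior after seeing 'top':", onlooker_posterior("top", prior))
    print("thief clicking 'top':", stolen_login_outcome("top"))
    print("tails voter's ranking:",
          decode_ranking("tails", ["Carol", "Alice", "Bob"]))
```

Watching a single click leaves the onlooker's belief exactly where it started, and a thief's click lands on either answer with probability one half.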


Constitutional QWERTY: Democracy without the stuck keys

In internet, voting on July 18, 2008 by edmundintokyo

With the chance that Britain may soon decide to experiment with democracy by replacing the House of Lords with an elected second chamber, there’s been a fair bit of discussion recently about what form it should take; some people want only 100 or so senators, others want to use all the seats in the room. Some people want them to be up for election repeatedly, and some people think they should serve a single term then retire. But there’s very little controversy about the basic design: One way or another, usually involving occasional popular votes, we come up with a list of representatives who will make all the decisions for us.

When nineteenth-century engineers set out to design a keyboard for their new-fangled typewriters, they had some serious technical limitations to deal with. Famously, the typewriters of the day suffered from jammed keys if you typed too fast on them, so we ended up with an arrangement that spread the keys out to put the frequently-used ones further apart.

People designing electoral systems up until the nineteenth-century had some even more constraining limitations to deal with. They were supposed to represent the wishes of millions of people, but it was hard to arrange a meaningful discussion between more than a few hundred. They were supposed to help us make decisions affecting people over hundreds of miles, but getting just a single communication – let alone a conversation – backwards and forwards between someone at one end of the country and someone else at the other end could take over a day. Asking people their opinions was expensive, so you couldn’t afford to do it too often.

Like the keyboard designers, people came up with some creative solutions. The country is arbitrarily divided into electoral areas (constituencies) and each area elects its own representative. People can decide on representatives without knowing what’s going on at the other end of the country, and can make their decisions based on a discussion with somebody close to them. To avoid lots of expensive votes, you pick your representative only once every few years; since the choice you’re making is simple and local, it’s easy to administer. Primitive versions of this system would have a single choice, marked with an “x” (in case you couldn’t write) per person per election. It was simple, crude and cheap, tailored to fit the technology of its time.

Modern keyboards don’t have a problem with stuck keys, and the logistical problems that we worked around with constituencies and parliaments have now been solved. We can have discussions with people without them all being in the same room. We can count a million electronic votes in less than a second. We don’t need constituencies with arbitrary boundaries gerrymandered by parties arguing over bus routes, and we don’t need to restrict our choices in elections to whatever bozo did the best job of sucking up to the local party.

If we wanted a democratic, responsive government, and we weren’t worried about nineteenth-century logistics, here’s how we do it:

1) Start with the concept that everyone gets a vote on everything. If you want to have your say on Article 234Z of Amendment 4B of the Dry Cleaning Regulation Bill, you should be able to exercise it. That didn’t used to be practical; now we have the internet. Vote on everything that way. Problem solved.

2) We don’t need everyone in the same room – we can talk about everything on the web. That means we don’t need a limit on how many people can participate; let anyone join in whatever discussions they like, and let people use whatever ignore filters and reputation systems they like to make sure the people with the most to say get heard.

3) Most people won’t know or care about a lot of issues, or they’ll prefer to let someone they trust figure it out for them. Let them delegate their votes to anyone they like – a friend, a political party, a union, a charity, anyone.

4) Logistically, we don’t need constituencies anymore, and they don’t serve any other useful purpose, so get rid of them. If people value having someone local to represent them, they can delegate their votes to the person of their choice. If for some reason they don’t identify with that local area (as in “I am British, I am English, I am European, but most of all I belong to Oxford West and Abingdon!”) they can delegate their votes based on something else.

This is how Democracy will look in the future. Direct democracy where you want it, representative democracy where you don’t. A local connection where you prefer, national expertise if you’d rather have that instead. Five-year elections and parliaments will be confined to the dustbin of history. We will look back on them as a thing of the past, like those weird old-fashioned qwerty keyboards. Oh, hang on….

Originally posted at Orange By Name.


I think that the

In copyright on June 19, 2008 by edmundintokyo

…argues a commentator writing for AP.


Is Google changing voters’ brains?

In internet, voting on February 5, 2008 by edmundintokyo

Right around the time we all started getting mobile phones, people often used to comment that they were losing the ability to remember phone numbers.

As we get used to having Google on-demand, people are starting to say that they’re losing the ability to remember anything.

Much as it may upset the Daily Telegraph, this is a rational response to the acquisition of our new information super-powers. When information was hard to get, you needed to spend your time hoarding knowledge that you might need. Now that we can pull up all the information we want in a few minutes, it makes sense to tune out anything you don’t immediately need.

Meanwhile, Mickey Kaus writes:

Q: What do you get when you combine the Feiler Faster Thesis (voters are comfortable processing info quickly) with the Theory of the Two Electorates (the mass of voters who don’t follow politics are less informed than they used to be and only tune in at the last minute)…

A: You get elections that are a) close but b) might not look close three, two, or even one day before the vote…

In the US primaries, a few people here have commented how badly out a lot of the polling has been. It would be interesting to know if the late surges that have been a feature of this race are a result of more people making their minds up later in a way they didn’t used to – which could, in turn, be a result of the way the internet has changed the way we think.

If this is what’s happening, it will have implications well beyond the US race; Polling will get less reliable, and politicians who fail to grasp what Google has done to our brains will lose.


How to vote securely over the internet

In internet, voting on January 7, 2008 by edmundintokyo

Guest blogging over at orangebyname, I’ve argued that a lot of aspects of our current democracy – constituencies, representatives, parliaments, etc. are ways of solving 19th Century logistical problems that no longer exist, and we should get rid of them all and just vote for everything over the internet.

What I’ve suggested is just giving everyone a vote on everything, but letting them delegate it to any person or group they want to.

At this point, some people will be wondering whether internet voting doesn’t have a bunch of logistical problems of its own.

Basically, there are three kinds of problems we have to deal with: Usability, security and secrecy.

1) Usability

Most people are increasingly happy using a computer interface, but there are a few who still don’t get it, and don’t particularly want to. We don’t need to worry too much about them because we can make our new system backwards-compatible with the old one; we can set up ballot boxes once every 5 years or so where people who haven’t signed up as online voters can delegate all their votes to an old-fashioned political party.

2) Security

This is a bit harder, because most people’s computers have long-since been owned by Chinese hackers. That said, in most cases people’s home PCs seem to be good enough for online banking and gambling, so we can probably live with it, even if we do end up passing the occasional spammer subsidy law or whatever. In any case, these problems should get better over time as users become increasingly clueful.

3) Secrecy

This is the problem that a lot of people seem to think is effectively unsolvable – but they’re wrong. The aim here is that it should be impractical to bribe or intimidate people into voting the way you want, because it’s impossible to verify how somebody has voted. That way, with the exception of Japanese people, who have weird ethics, attempting to buy a vote should tip off the voter that you can’t be trusted, so they can just take your money, promise to support you and go and vote for your opponent. Likewise, intimidation is likely to be counter-productive because you just annoy the intimidatee, who’s obviously going to vote for someone else if he’s confident that you’re not going to find out what he did. In both cases, the key to keeping the system fair is to allow voters to lie to everybody else about how they voted.

Until now we’ve done this by having people vote in closed, managed spaces where nobody can see how you’re voting, but people can see whether you’re being observed. This obviously doesn’t work if you’re voting at home using your computer because it would be too expensive to send somebody over to your house to make sure nobody’s watching when you do it.

At this point it’s worth pointing out that the system we have is already full of holes. For one thing, we also allow voting by post or by proxy, where there’s no way to confirm who actually cast the vote; it would be trivial to apply for a postal vote and then sell it to the highest bidder – you could even do this anonymously, so you’d never even know who you were selling it to. Not only that, voting in a closed space is also now subject to a bunch of vulnerabilities that weren’t there when they came up with the system hundreds of years ago. Everyone carries a little camera around with them attached to their phone, and you can even buy tiny concealable cameras that would allow you to video the whole thing to prove to your vote buyer that they’re getting their money’s worth. Within a decade, the biggest headache for polling officials is likely to be getting people to turn off the cameras on their glasses.

With online voting we can solve these problems. But we’ll need people to show up once – only once – in a managed environment like our current voting booths. Except it will be better secured than our current voting booths, because you’ll be able to show up and do this any time you like instead of everyone having to do it on the same day, so it can be staffed and managed by professionals instead of volunteer old ladies. Or we could stick the things in vans and have them drive around the place like mobile libraries or TV detector vans.

Anyhow, all you’ll have to do at these booths is create some accounts with usernames and passwords that you’ll use to do your online voting. Not a single account – several. (Or as many as you like.) Why several? Because only one of them will work – the other two will be dummies. When you use them to vote, the dummy accounts will look exactly like the real ones – but their votes won’t be counted. The only way to tell which account is which will be from inside the secure booth. That way if someone tries to buy your vote, you can log in with one of your dummies, vote the way he’s telling you and take his money. If you like you can log in again later and cast your real vote.
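A minimal sketch of the dummy-account scheme described above, added here as an illustration and not taken from any real voting system; the `Election` class, its method names and the sample usernames are all assumptions. The online side handles real and dummy accounts through one code path, and only the tally, using the booth's record, separates them.

```python
import hashlib
import hmac
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Election:
    def __init__(self):
        self._creds = {}    # username -> (salt, hash); all the online server needs
        self._real = set()  # which accounts count; known only from the booth side
        self._ballots = {}  # username -> choice

    def register_in_booth(self, accounts, real_username):
        """accounts maps username -> password, chosen by the voter in the booth."""
        if real_username not in accounts:
            raise ValueError("the real account must be one of those created")
        if any(user in self._creds for user in accounts):
            raise ValueError("username already taken")
        for user, password in accounts.items():
            salt = secrets.token_bytes(16)
            self._creds[user] = (salt, _hash(password, salt))
        self._real.add(real_username)

    def vote_online(self, username, password, choice):
        """One code path and one response for real and dummy accounts alike."""
        record = self._creds.get(username)
        if record is None or not hmac.compare_digest(_hash(password, record[0]), record[1]):
            return "login failed"
        # Assumption: a later ballot on the same account replaces the earlier one.
        self._ballots[username] = choice
        return "vote recorded"

    def tally(self):
        counts = {}
        for user, choice in self._ballots.items():
            if user in self._real:  # dummy ballots are silently dropped here
                counts[choice] = counts.get(choice, 0) + 1
        return counts


def demo():
    election = Election()
    # Constructed sample: three accounts, of which "heron" is the real one.
    election.register_in_booth({"heron": "pw-a", "otter": "pw-b", "finch": "pw-c"}, "heron")
    watched = election.vote_online("otter", "pw-b", "Candidate X")  # with the buyer watching
    private = election.vote_online("heron", "pw-a", "Candidate Y")  # later, alone
    return watched, private, election.tally()
```

The secrecy property rests on `_real` never being reachable from the online voting path; anything in the login or voting response that differs between account types would let an observer tell them apart.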

Alternatively, to fully leverage the power of bloody-mindedness when people try to tell you what to do, we could set it up so that you only have a single account, but you get to choose whether its effect is positive or negative. Then if your violent father tries to force you to vote for his local self-appointed Community Leader, you can sit there clicking obediently while actually casting your vote against him. Nah.

Problem solved.

There we have it: Online voting – usable, secret and (mostly) secure. Pity there’s nothing we can do about the spammer subsidies, though.