Part VIII — The Digital & Technological Layer
Derived from Axioms 7 (end-to-end verifiability), 9 (resilience) and 11 (anti-capture), and from the privacy/data rights of §I.3. This is the substrate beneath the whole model. The premise of BIG — "given all technological advances" — lives here, governed by one rule: technology serves the model; it never governs.
VIII.1 Principles for governing technology
Every system in this layer obeys, without exception:
- Open and verifiable — all governing-critical software is open-source, independently auditable, and reproducibly built (§VIII.8). No black box decides anything about a citizen.
- Privacy by design — data minimisation and unlinkability are defaults, not options (§I.3).
- Resilient and offline-capable — graceful degradation and paper fallback are requirements, not extras (Axiom 9).
- No single point of failure — of code, key, vendor, or datacentre.
- Security as a first-class property — assume a nation-state adversary (§VIII.6).
- Human-accountable — technology advises and verifies; humans decide and answer (§V.6).
VIII.2 Secure identity and authentication (the §II.1 architecture, technically)
- Separated architecture: the identity issuer is cryptographically and institutionally separate from every relying system (voting, services), so no party can link a citizen across activities.
- Sybil-resistance is enforced at issuance (one real person → one identity), with independent audit of the issuance process.
- Zero-knowledge eligibility proofs: a citizen proves a predicate ("eligible and not yet voted") without revealing identity; the relying system verifies the proof, stores no link.
- Unlinkable, per-domain credentials prevent cross-domain profiling.
- Citizen-held keys with abuse-resistant, multi-party recovery (no master backdoor; recovery is auditable and requires independent parties).
- Offline credential — a physical token + in-person process granting identical rights (Criterion 12).
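As an added illustration (not code from the model itself) of the per-domain unlinkable credentials and the "eligible and not yet voted" check above, the following Python sketch derives a separate pseudonym per relying domain from a citizen-held key and lets an election refuse a second ballot without learning who cast it. It assumes a keyed hash stands in for the real credential scheme and leaves out the zero-knowledge proof layer entirely.

```python
import hashlib
import hmac

# Added illustration of the §VIII.2 separation, not the model's own code: the
# citizen holds a key; each relying system (a "domain") sees only a pseudonym
# derived from it, so two systems cannot join their records; a per-election
# pseudonym doubles as a nullifier that blocks a second ballot without the
# election system ever learning who voted. The zero-knowledge eligibility proof
# the section requires sits on top of this and is not implemented here.

def derive_pseudonym(citizen_key: bytes, domain: str) -> str:
    """Per-domain credential. Without citizen_key the outputs are unlinkable."""
    return hmac.new(citizen_key, b"domain:" + domain.encode(), hashlib.sha256).hexdigest()

class RelyingSystem:
    """A service or election that stores pseudonyms only, never identities."""

    def __init__(self, domain: str):
        self.domain = domain
        self.seen: set[str] = set()       # pseudonyms (nullifiers) already used here

    def accept(self, pseudonym: str) -> bool:
        """One action per pseudonym, e.g. one ballot per eligible voter."""
        if pseudonym in self.seen:
            return False                  # repeat attempt: refused, identity still unknown
        self.seen.add(pseudonym)
        return True

def colluding_link(a: RelyingSystem, b: RelyingSystem) -> set[str]:
    """All two colluding systems can do with their stored records: intersect them."""
    return a.seen & b.seen

def run_scenario() -> dict:
    """Constructed walk-through: one citizen, one election, one benefits portal."""
    citizen_key = hashlib.sha256(b"constructed demo secret, not a real key").digest()
    election = RelyingSystem("election-2026")
    benefits = RelyingSystem("benefits-portal")
    ballot_id = derive_pseudonym(citizen_key, election.domain)
    service_id = derive_pseudonym(citizen_key, benefits.domain)
    return {
        "first_ballot_accepted": election.accept(ballot_id),
        "second_ballot_accepted": election.accept(ballot_id),   # double vote blocked
        "service_accepted": benefits.accept(service_id),
        "cross_domain_matches": len(colluding_link(election, benefits)),  # no shared graph
    }
```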
VIII.3 End-to-end verifiable voting (E2E-V)
The hardest problem in the model, and the one where honesty matters most. The required properties:
- Cast-as-intended, recorded-as-cast, counted-as-recorded — each independently verifiable.
- Voter-verifiable (the voter can confirm their own vote was included) and universally verifiable (anyone can verify the tally), while remaining a secret ballot.
- Receipt-free / coercion-resistant — a voter cannot prove to a third party how they voted, defeating vote-buying and coercion.
- Software-independent — a result error or fraud is detectable even if the software is buggy or malicious, via the paper record and risk-limiting audits.
- Mandatory paper record retained for every vote; risk-limiting audits mandatory every election (§III.6).
Honest engineering boundary (required by §0.6's "no design that only works in ideal conditions"): remote internet voting at national scale remains an unsolved problem for coercion-resistance and client-side malware. Therefore:
- Primary channel: in-person, verifiable digital + paper, and postal — all E2E-verifiable and paper-backed.
- Remote/online voting: offered only where coercion and malware risks are managed, bounded, and audited; never as the sole channel; never at the cost of the properties above.
- We do not pretend a hard problem is solved. The system is designed to be trustworthy and verifiable, not maximally convenient.
VIII.4 The transparency ledger (technically)
A public record with these properties (specified as properties, not products — no dependence on any single technology or vendor):
- Append-only and tamper-evident — cryptographic integrity (e.g. Merkle-chained entries) so any alteration or deletion is detectable.
- Independently replicated across multiple custodians (including the Integrity Assembly, citizen-jury custodians, and public mirrors) so no single party controls history.
- Publicly auditable — open read access; verification tools any citizen can run.
- Privacy-preserving — personal data is never exposed; votes are recorded in aggregate/anonymised, money and decisions in the clear, persons only as the Charter permits.
- Not blockchain-for-its-own-sake — the requirement is integrity + replication + public verifiability; the implementation is chosen on merit and kept open.
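The following added Python example (not part of the model) shows the tamper-evident property above in working form: an RFC 6962-style Merkle tree over constructed ledger entries, the root that custodians publish and compare, and the inclusion check a citizen's verification tool would run against a public mirror.

```python
import hashlib
import json
# Added illustration for §VIII.4, not a reference implementation: entries sit in a
# Merkle tree (RFC 6962 shape), custodians publish and compare the root, and a
# citizen checks one entry with a short inclusion proof. Altering or deleting any
# entry changes the root. The ledger entries are constructed sample data.

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(entry: dict) -> str:
    """Deterministic encoding so every custodian hashes identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))

def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)   # largest power of two strictly below n

def merkle_root(leaves: list[str]) -> str:
    if not leaves:
        return h(b"")
    if len(leaves) == 1:
        return h(b"\x00" + leaves[0].encode())   # leaf prefix: domain separation
    k = _split(len(leaves))
    return h(b"\x01" + (merkle_root(leaves[:k]) + merkle_root(leaves[k:])).encode())

def inclusion_proof(leaves: list[str], index: int) -> list[tuple[str, bool]]:
    """Audit path for leaves[index] as (sibling_subtree_root, sibling_is_left)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(merkle_root(leaves[k:]), False)]
    return inclusion_proof(leaves[k:], index - k) + [(merkle_root(leaves[:k]), True)]

def verify_inclusion(leaf: str, proof: list[tuple[str, bool]], root: str) -> bool:
    """Citizen-side check: needs only the entry, its proof and the published root."""
    node = h(b"\x00" + leaf.encode())
    for sibling, is_left in proof:
        node = h(b"\x01" + ((sibling + node) if is_left else (node + sibling)).encode())
    return node == root

SAMPLE = [  # constructed entries: money and decisions in the clear, no personal data
    {"seq": 1, "type": "grant", "amount_gbp": 250000, "to": "Library Trust"},
    {"seq": 2, "type": "decision", "ref": "JURY-0001", "outcome": "adopted"},
    {"seq": 3, "type": "grant", "amount_gbp": 40000, "to": "Flood Defence Fund"}]

def tamper_detected(published_root: str, mirror: list[dict]) -> bool:
    """Replica check any custodian or citizen can run against a public mirror."""
    return merkle_root([canonical(e) for e in mirror]) != published_root
```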
VIII.5 AI and computational decision-support (technically)
Implementing §V.6:
- Public algorithm register — every AI/algorithm used in a governing function is listed, with purpose, owner, and audit status.
- Auditable, explainable, bias-tested, reproducible before deployment and continuously after; tested by the Integrity Assembly and citizen juries (§VI.4).
- No autonomous coercive authority — no system may, of itself, deprive a citizen of liberty, money, or rights; a named human decides (§V.6).
- Model/version governance — defined policy for evaluating, testing, and upgrading models; no silent changes to systems that affect citizens.
- Open where possible, with security-justified exceptions independently reviewed.
VIII.6 Cybersecurity and the threat surface
The digital layer is the highest-value target in the country; it is defended accordingly:
- Assume-breach, defence-in-depth architecture; assume a nation-state adversary.
- Formal verification of the most critical components (identity, vote tally, ledger integrity).
- Independent, continuous red-teaming and public bug-bounty; findings logged and fixed.
- Supply-chain security — provenance and reproducible builds for all critical software/hardware (anti-implant).
- Incident response & continuity integrated with Part VII (isolation, fallback to paper/manual, attribution).
VIII.7 Data sovereignty and privacy
- UK sovereign control of critical systems and data; defined residency for sensitive data.
- Data minimisation — collect the least necessary, keep it the shortest time, justify every field.
- No mass surveillance — structurally prevented by the separated, unlinkable identity design (§VIII.2) and enforced by §I.3 rights and §VI.4 oversight.
- Citizen data rights — access, correction, and control, per the Charter.
VIII.8 Open-source and verifiability mandate
- All governing-critical software is open-source and independently auditable. Democracy may not run on code the public cannot inspect (Axioms 7 and 11).
- Reproducible builds — the running system provably matches the audited source.
- No vendor lock-in / black-box dependency for any critical function — a private vendor must never be able to hold governance hostage or hide its workings.
VIII.9 Resilience and offline operation (technically)
- Graceful degradation designed and drilled (not assumed) for every critical system.
- Paper and manual fallback for voting, identity, and essential services (§VII.6).
- Distributed, federated architecture — local systems survive a central outage.
- Disaster recovery with geographically dispersed, independent replicas; tested failover.
VIII.10 Failure modes and safeguards
| Failure mode | How it attacks | Safeguard |
|---|---|---|
| Vote malware / coercion | Compromise clients; buy/coerce votes | E2E-V + receipt-freeness + software-independence + paper + RLA (§VIII.3); remote voting bounded |
| Identity database breach | Steal/forge identities; build a surveillance graph | Separated, unlinkable, ZK design — there is no central graph to steal (§VIII.2) |
| Ledger tampering | Rewrite the public record | Tamper-evident + independently replicated across custodians (§VIII.4) |
| AI bias / opacity | Unfair or unaccountable automated outputs | Public register, bias-testing, explainability, no autonomous power (§VIII.5) |
| Nation-state cyber-attack | Disrupt or subvert the digital state | Assume-breach, formal verification, red-teaming, supply-chain security, fallback (§VIII.6, VII.6) |
| Vendor lock-in / black box | Private control of governing code | Open-source + reproducible builds + no critical lock-in (§VIII.8) |
| Surveillance creep | Aggregate data into a profile of citizens | Unlinkable credentials; data minimisation; §I.3 enforced by §VI.4 |
| Tech outage disenfranchises | Outage blocks voting/services | Paper/manual fallback delivering identical rights; distributed architecture (§VIII.9) |
| "Convenient but insecure" | Ship remote e-voting that can be rigged | Honest engineering boundary; verifiability never traded for convenience (§VIII.3) |
Part VIII ends. Next: Part IX — Separation of Powers & Checks, which arranges all these institutions so that no branch — including the new ones — can dominate.