Fog Creek Software
Discussion Board




Democratic Administration

Looking for feedback on an idea...

I am developing a website for a non-technical, loosely organized group.  I do not want to create an admin account for performing administration functions, since there is no single person that would want the duties of the admin.  I also do not want to assign user rights based on username, since someone would have to administer the user rights.

To that end, I am considering eliminating the concept of an admin user in favor of a "democratic administration" policy.

<idea>
Functions that would normally require someone to log in as the admin (delete user, shutdown website, etc.) will now be performed through an Admin page, which is accessible by anyone with a login to the website.  The catch, however, is that TWO users must act together to perform the admin function.  In other words, Tom requests that Bill's account be revoked.  Charles then accesses the admin page and confirms the deletion.  Bill's account is then deleted.

I would also require that users have a certain level of "seniority" (time-based) before they can submit actions on the Admin page.  This would keep someone from registering two usernames and then wreaking havoc via the Admin page.
</idea>

On the surface, I don't see any major flaws with this design.

What have I not thought of?

Russell Thackston
Tuesday, February 10, 2004

Two 1337 haxors who join, wait a month, and delete everyone's account?

Wait, make that one 1337 haxor with two accounts.

www.MarkTAW.com
Tuesday, February 10, 2004

Granted.  Any thoughts on how this could be avoided?

Russell Thackston
Tuesday, February 10, 2004

If it's democratic administration, shouldn't the users be able to vote in the admins?  After a certain period of time, a member automatically becomes eligible to be voted in.  Only members in good standing are allowed to vote, and only one vote per IP address.

Nick
Tuesday, February 10, 2004

I don't think anything like this ever works in practice. Essentially, you're trying to quantify "trust". Anyone who performs an administrative action needs to be trusted, so you want some way for the computer to figure out whether you can trust someone. This is not an easy question.

Somewhere along the line, you need to involve people in the process. One way to do this is through "approval" votes: people who are already approved can vote to approve other people for admin access. Once a person gets some number of votes, he becomes approved. It's just having your existing users vouch for someone's character. This makes it a lot more difficult for mister leetspeak to get several accounts approved by the voters.

The problem is that this makes an implied clique out of your membership, and votes may be given or withheld for odd reasons. Perfectly trustworthy people who don't happen to agree with your membership's views on some political issue may never get approved, and complete losers who *do* happen to agree may get approved in no time at all.

I'm really of the opinion that authority should be delegated manually, not by any automated process or community consensus, and regulated strictly by the opinions of *selected* individuals that can *definitely* be trusted.

Caliban Tiresias Darklock
Tuesday, February 10, 2004

What is the user base? Mature proffessionals? Or anyone? If the former the intial set of users can be added by you and then "admin" modules may be accessed through a separate authenticated page by anyone in that set. To make it more controlled you could also rotate the users on a monthly/weekly basis as the administrator.

Indian Developer in India
Tuesday, February 10, 2004

The user base for the website *is* a clique.  The membership is not open to anyone.

Russell Thackston
Tuesday, February 10, 2004

> The membership is not open to anyone.

Wow, that IS a small group.

If your membership can be trusted, you don't need democracy. You can just let them all be admins.

Caliban Tiresias Darklock
Tuesday, February 10, 2004

did you try a wiki?

Prakash S
Tuesday, February 10, 2004

Oops!  I meant to save:

"The membership is not open to *just* anyone."

Russell Thackston
Tuesday, February 10, 2004

Oops!  I meant to *say*:

"The membership is not open to *just* anyone."



(Damn!  I need to take a typing class or something...)

Russell Thackston
Tuesday, February 10, 2004

First objection: If you trust someone enough to be an admin then you must trust them to not attempt to subvert the system!  The idea that you trust someone enough to make them admin, but mistrust them enough that you want someone else to review their decision indicates to me that you don't trust anyone enough to actually be a responsible admin.  Only give admin rights to people you COMPLETELY trust. 

Second objection:  The hypothetical mechanism which enforces the policy "two admins must agree on any action" must itself be administrable.  What stops a hostile admin from simply switching off this subsystem?  There has to be a "real" admin there somewhere to set up the system and change it.

Third objection: Such a system would require extremely careful implementation.  Designing a secure authentication and authorization system is one of the hardest tasks you can undertake in software development, and should only be undertaken by experienced professionals.  Do not roll your own security systems -- you will produce an insecure system.

Fourth objection: the strength of a security system must be proportional to the value of the assets it protects.  It makes no sense to install a $10000 alarm system to protect a $500 television.  What valuable assets are you protecting?  Launching nuclear missiles requires at least three people -- two operators to turn the keys and the president to provide the launch codes.  This prevents accidents and unauthorized launches.  What are you doing that is so important that you need a custom security system to protect it?  How much time and effort is it going to take to produce such a system?

Fifth objection: what the heck are these "non technical" people doing deleting other users anyway? 

Sixth objection: As Churchill observed, democracy is the worst form of government except for all the others we've tried.  Computer administration should be based on practicalities, not on dogma.  Democracy is a system for determining _policies_ that affect a _large_ number of people.  It really doesn't work so well when the number of people is small.  Someone owns the underlying hardware -- they get to be dictator for life.

Eric Lippert
Tuesday, February 10, 2004

I agree that the two user agreement system has too many faults to make it work effectively. 

Perhaps you could try an approach similar to a wiki.  Allow everyone to do pretty much any standard operation, but allow those operations to be undoable.  Also, you may want to record who did which operations for accoutability.  Therefore, anything that can be broken can be fixed.

However, I would imagine operations such as deleting accounts would not be the kind of thing just any user should be allowed to do. 

Seeker
Tuesday, February 10, 2004

Hmm. Administrators are voted in by a majority. The majority has to be of "legal age" in order to vote - i.e. have had their account for a while and meet a certain minimum of activity.

Administrators are "god" but any other administrator can undo any action, and all changes are logged and emailed to everyone on a daily basis.

Not a democracy, but a republic.

Administrators are sworn in for life, unless somehow voted off, and represent 10-15% of the population, or however many are deemed necessary to keep things runnning - i.e. Admins choose when voting should be opened based on their workload.

Or maybe they just appoint new admins directly based on trust. (This is probably the best choice)

Next on Server Island, can Krista keep her Admin rights, or will she be voted off?

www.MarkTAW.com
Tuesday, February 10, 2004

First, administrators must be voted in and approved by at least one other administrator.  (First admin is manually created, either hand-picked or voted in.)

Second, any admin action is appealable and repealable.  Meaning the user can beg for the action to be undone.  You pick the appeal process -- there are a gazillion options here.  (An easy one: a simple majority of voting users votes "repeal" over "sustain".)

Third, any system you come up with can be gimmicked, so you *will* need a "God Admin" who can perform un-repealable actions.

Should be working
Tuesday, February 10, 2004

> Third, any system you come up with can be gimmicked, so you *will* need a "God Admin" who can perform un-repealable actions. <

Oh yeah, that was an assumption that was in my head but never made it onto "paper."

www.MarkTAW.com
Tuesday, February 10, 2004

Users should be able to *ignore* accounts, not delete them.

Alex.ro
Tuesday, February 10, 2004

You had better patent that idea quickly or someone else will.


Tuesday, February 10, 2004

I believe PerlMonks (www.perlmonks.org) has a somewhat similar admin design, at least for certain areas. Monks (members) with a certain amount of experience (reputation) are allowed to mark nodes for "consideration". Another sufficiently experienced monk can take nodes under consideration and do things to them (like delete them). I think the action thus requires two independent users, both of whom have reasonable standing in the community.

I'm sure I've gotten some of the details wrong here, but might be worth checking out.

John C.
Tuesday, February 10, 2004

::cough cough wiki cough::.

Its no use.  No one listens to us youngins Prak.

vince
Tuesday, February 10, 2004

I'm still stuck on the concept of not trusting the admin (who's a member of this highly elite clique). I'd have to guess Thieves' Guild? Assassins?

All members are admins. All admin actions are logged. If you're worried about someone editing the *logs* give it up now.

(note that the idea of making logs that can't be edited is an interesting challenge - Each log entry includes a hash of the log data and the timestamp of the previous log entry. A smart front end can validate every entry in chain sequence)

Philo

Philo
Tuesday, February 10, 2004

So what's to stop someone from editing every single entry before the one you want to edit ... reconstruct the whole chain?

You can always "log" to a dotmatrix printer one line at a time.  That, too, is tamperable.  But it's harder...

Michael Kale
Tuesday, February 10, 2004

Adjusts frayed thinking cap........

All "insert " kind of operations are executed immediately...on a first to the post basis with a monthly "quota" for each person on how many they can submit

All delete/modify operations are delayed by x days and are put on a queue which is visible to all and which as a special case can be deleted (though not modified) or accepted by anyone. 

After X days if the total votes for deletion are more than that for acceptance do not run the operation or else run it.

Code Monkey
Tuesday, February 10, 2004

a real story for philo on not trusting the admin:

an enthusiast web site, running for a few years. one guy runs the place for several years, while the remaining founder mostly stays hands off. the two get into a disagreement. second guy removes admin privilidges of founder. founder still owns domains, yanks the entire site (changes the nameserver to something else), second guy has to get a new domain to keep the site going and somehow publicize it.

today both sites are alive and active, but what a mess that was.

mb
Tuesday, February 10, 2004

But what if you had nefarious Republican moles who infiltrated the group just to undermine or even _destroy_ the Democratic Administration? [Foreboding da-da-dum music plays in background]

Seriously, though, if the content of this site isn't critical enough that you feel you need a single admin and the membership isn't expansive, then go ahead and try it.  It may be a good social experiment.  Report back when it succeeds or goes awry.

Nick
Wednesday, February 11, 2004

In general you've described a wiki.

However, you do realise that the permissions revoking thingy at that start is a dead ringer for "ostracism" in the classical Athenian democracy.  In that case there was an appeal procedure but it took place with the appealant on a small island in the habour which technically wasn't part of Athens (returning to Athens being an automatic death sentence).

So- have you thought out the appeals procedure?

a cynic writes...
Wednesday, February 11, 2004

You might also want to google for "web of trust".  There is at least one proposal out there for a trust based admin system.

a cynic writes...
Wednesday, February 11, 2004

You could put money into it.

5000 members.. submits $2 each into communal chest a year for administrative compensation.

Administrators or groups of administrators who are voted in and operates properly and haven't been impeached receive monetary or honorary perks. You'll still get bad admins, but they don't get anything out of it beyond that.

Milestones can be reached, so you are paid on a quarterly basis. The encouragement builds confidence, self-confidence, and loyalty for the administrators--who are probably giving more than they are receiving.

Li-fan Chen
Wednesday, February 11, 2004

Implement backups combined with auditing and a rollback functionality. 

That way, if anything gets messed up, (A) it's visible who made the changes and (B) the site can be easily rolled back to a previous state.

A bit analagous to how some of the Wiki's work.  (except the rollback is done by an administrator).

Voice of Rationality
Wednesday, February 11, 2004

*  Recent Topics

*  Fog Creek Home