Disclosing EBIs

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Tue May 04 2004 - 12:37:23 CDT

On May 4, 2004, at 1:13 PM, Alan Dechert wrote:
>> (1) Voter takes compact digital camera into voting booth
>> (2) Voter takes picture of paper ballot before leaving booth
>> (3a) Voter walks over to ballot box and deposits ballot; or
>> (3b) Voter walks to poll worker and says "this is a spoiled ballot"
>> (and presumably then casts a new one)
>> (4) Voter shows Coercer the snapshot
> This is not quite what I was talking about. We reached a dead end on this
> discussion some months ago and maybe I should not have brought it up just
> now. I was talking about copies of *voted ballots*. If the EBIs of voted
> ballots were published on the Internet a spoiled ballot would not show up as
> a voted ballot.

When I joined this project, my initial sentiment was strongly that
proper transparency would involve disclosing EBIs/REBIs after
completion of an election (we didn't yet have those acronyms, but the

However, I since came to realize--coming out of discussion here--that
we REALLY cannot publish raw EBIs. Such publication enables an attack
similar to that Teresa Hommel recently described: Trojan votes. There
are many ways a complete cast ballot can contain voter identifying
information (special write-ins, special orders on ranked preferences,
patterns in judicial retention votes). A vote coercer/buyer can
require a voter add the identifying information along with casting the
desired vote on a "major" contest.

It -might- still be allowable to publish information about votes beyond
their simple precinct aggregation. I'm not sure. For example, if each
contest is separated out into non-correlated files, that might suffice
to eliminate the voter identification. I'm not sure if doing this is
actually worthwhile, beyond the inevitable tallies. But maybe.

Within the limit of what we can publish, I am pretty confident that any
"receipt" system we contemplate will be identical to the digital camera
system I describe from a security perspective. The camera is used as a
somewhat tongue-in-cheek illustration, but it really amounts to the
same thing as a hypothetical "non-official ballot printer" or the like.
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Mon May 31 23:17:10 2004
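
The per-contest separation mentioned in the message above, sketched as an added example (not part of the original post or the project's code): it measures how many raw ballots are unique as a whole, then emits one independently shuffled list per contest. Contest names, sample ballots and function names are constructed for illustration; it addresses only cross-contest patterns, not an identifying write-in within a single contest.

```python
import random
from collections import Counter

# Constructed sample ballots (contest names and choices are invented).
CONTESTS = ("governor", "judge_1", "judge_2", "judge_3")
ROWS = [
    "A yes yes yes",
    "A yes yes yes",
    "B yes yes yes",
    "B yes yes yes",
    "A no yes no",    # unusual retention pattern: unique as a whole ballot
    "B yes no yes",   # likewise unique
]
BALLOTS = [dict(zip(CONTESTS, row.split())) for row in ROWS]


def unique_ballot_fraction(ballots):
    """Fraction of ballots whose full combination of choices occurs only once."""
    keys = [tuple(sorted(b.items())) for b in ballots]
    counts = Counter(keys)
    return sum(counts[k] == 1 for k in keys) / len(keys)


def split_by_contest(ballots, rng=None):
    """Return {contest: [choices]}, each list shuffled independently so that
    position i in one contest's list says nothing about position i in another."""
    rng = rng or random.SystemRandom()  # OS entropy; not reproducible from a seed
    contests = sorted({c for b in ballots for c in b})
    out = {}
    for contest in contests:
        # Record an explicit marker so every list has one entry per ballot.
        choices = [b.get(contest, "UNDERVOTE") for b in ballots]
        rng.shuffle(choices)
        out[contest] = choices
    return out


def tallies(per_contest):
    """Per-contest totals, computable from the separated lists alone."""
    return {c: Counter(v) for c, v in per_contest.items()}


if __name__ == "__main__":
    print("unique whole ballots:", unique_ballot_fraction(BALLOTS))
    for contest, counts in tallies(split_by_contest(BALLOTS)).items():
        print(contest, dict(counts))
```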
