Re: What is voter anonymity?

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Wed May 05 2004 - 16:26:44 CDT

On May 5, 2004, at 4:34 PM, Alan Dechert wrote:
> I see great benefits to disclosure. The strongest case against
> disclosure was brought out by Doug Jones: Someone could "sign" their
> ballot with, for example, an odd combination of yes/no votes to don't
> care judicial retention

Actually, I'm pretty sure I was the first to suggest that attack on
this list. Quite possibly, however, Doug already thought of it before
the list even existed.

In any case, it seems as if I'm not getting my question across. Let me
try again. There are various normative levels around disclosure:

MANDATORY: We must, by law, disclose the total votes cast for each
candidate listed on the ballot, for each precinct. There's no point in
further discussing whether OVC members want to do this, since that's
the law.


PROHIBITED: We must not, by law, disclose how a specific voter, Jane
Doe, voted on a specific contest. Again, there's no point in OVC
discussing whether secret ballots are really desirable politically.
It's the law, and our systems must conform to it.

It's the discretionary region I'm trying to get a better handle on.
For example, I suspect that laws in most jurisdictions fail to
specifically prohibit adding time stamp information to ballots.
Probably the proprietary vendors leak information in this way, along
with all their other flaws.

However, I have identified (and discussed on-list) a direct attack on
disclosed time-stamped ballots: namely, the bad guys might covertly
videotape voters entering a polling place, and later correlate those
tapes with the disclosed time-stamped ballots. I find this attack
sufficiently clear to declare as an OVC *design principle*:

DISCRETIONARY/DESIGN-FLAW: Disclosure of time-stamped EBIs.

Going in the other direction, various members have proposed partial
disclosures of non-mandatory information in order to assist in security
or transparency. For example, Charlie Strauss has proposed that adding
hashed references to prior ballots on the backs of ballots would aid in
detection of ballot tampering. I have a concern that these references
would leak information about ballot sequence in a way that
statistically weakens anonymity. Both concerns are legitimate: we want
to detect tampering, we don't want to weaken anonymity. Whether to do
this needs to be decided in a technical analysis (there may be a way to
address my concern while achieving Charlie's goal). In general:

DISCRETIONARY/DESIGN-GOAL: Disclose information that helps detect
ballot tampering.


Now comes another area of concern, that is really independent of the
above. What is the status of disclosure of voting patterns, assuming
disclosure of those voting patterns does not identify individual voters
(even under an attack like the video-tape mentioned above)?

For example, suppose that my local ballot contains two initiatives:
Prop One and Prop Two. Each initiative winds up receiving
approximately 50% of the vote. It doesn't matter for the example
whether either or both pass or fail. It is MANDATORY that we disclose
the number of Yes and No votes for both initiatives, per precinct. But
that mandatory disclosure is consistent with all three of the following
further facts:

  (1) Almost all Prop One voters also vote for Prop Two.
  (2) Almost all Prop One voters vote against Prop Two.
  (3) There is zero correlation between Prop One and Prop Two voting.

We don't know which it is, so far. At this point, it is DISCRETIONARY
to disclose the following:

  - 95% of Prop One voters also voted for Prop Two.

For that matter, within one precinct, the number could easily be 100%.

Now suppose also that I am/was a strong and public advocate of Prop
One. But I do not wish to reveal my vote/opinion on Prop Two. After
disclosure of the above correlation, my neighbors can infer a strong
likelihood about how I voted on Prop Two (or even near-certainty for
the 100% case; though in principle, I cannot be proven to have voted
the way I campaigned).

There is a good argument here that disclosure of discretionary
aggregate data about cast ballots serves to compromise an element of my
anonymity. However, I have conflicting intuitions about whether I have
a right to preserve that element of anonymity, since I *did*, after
all, make public my advocacy on Prop One. I could have decided not to
disclose that voluntarily. And perhaps the electorate as a whole has
certain rights to know about voting patterns in addition to election
results in the most narrow sense. Still, I really didn't want to tell
my neighbors about my vote on Prop Two; and this comes pretty darn
close to doing so.

Yours, David...
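
The Prop One / Prop Two scenario above, worked as an added example (not part of the original message): it compares what an observer can infer about a known Prop One supporter's Prop Two vote from the mandatory totals alone against what a disclosed cross-tabulation adds. The precinct counts are constructed and the function names are illustrative; the last precinct goes beyond the message to show that lopsided totals already bound the inference before any discretionary disclosure.

```python
from collections import Counter
from fractions import Fraction

def make_precinct(yy, yn, ny, nn):
    """Constructed ballots as (prop_one_yes, prop_two_yes) pairs."""
    return ([(True, True)] * yy + [(True, False)] * yn
            + [(False, True)] * ny + [(False, False)] * nn)

def totals(ballots):
    """The mandatory disclosure: ballots cast and Yes totals per initiative."""
    return (len(ballots),
            sum(1 for one, _ in ballots if one),
            sum(1 for _, two in ballots if two))

def bounds_from_totals(n, yes_one, yes_two):
    """Frechet bounds on P(Yes on Two | Yes on One) from the totals alone."""
    if yes_one == 0:
        raise ValueError("no Yes votes on Prop One in this precinct")
    lo = max(0, yes_one + yes_two - n)   # fewest ballots that can be Yes/Yes
    hi = min(yes_one, yes_two)           # most ballots that can be Yes/Yes
    return Fraction(lo, yes_one), Fraction(hi, yes_one)

def exact_from_crosstab(ballots):
    """What the discretionary cross-tabulation adds: the exact conditional rate."""
    tab = Counter(ballots)
    yes_one = tab[(True, True)] + tab[(True, False)]
    if yes_one == 0:
        raise ValueError("no Yes votes on Prop One in this precinct")
    return Fraction(tab[(True, True)], yes_one)

# Constructed precincts of 200 ballots; the first three share identical totals.
SCENARIOS = {
    "(1) mostly together": make_precinct(95, 5, 5, 95),
    "(2) mostly opposed":  make_precinct(5, 95, 95, 5),
    "(3) uncorrelated":    make_precinct(50, 50, 50, 50),
    "lopsided totals":     make_precinct(170, 10, 10, 10),
}

if __name__ == "__main__":
    for name, ballots in SCENARIOS.items():
        lo, hi = bounds_from_totals(*totals(ballots))
        exact = exact_from_crosstab(ballots)
        print(f"{name:20} totals={totals(ballots)} "
              f"from totals: {float(lo):.0%}..{float(hi):.0%}  "
              f"with cross-tab: {float(exact):.0%}")
```

With 50/50 totals the bounds span 0% to 100%, so the cross-tabulation is the entire leak; in the lopsided precinct the totals alone already put the rate at 8/9 or higher.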
