On Tue, 21 Feb 2006, Paul E Condon wrote:
So, my question: could random unique identifiers satisfy the techy system developers? And, just as important, would random unique identifiers satisfy your concerns about voter privacy? Please, no flip answer. Think about it. Others, please also express opinions on this issue, but if your beef is with computers per se, don't pretend it is a response to this post.
Hi Paul C.,

[ These thoughts below assume that the ID number, once applied, is permanently attached to the ballot. Some voting systems use ID numbers on removable stubs, which are detached by the voter and separately deposited when the ballot is cast in the ballot box. This is a different type of system, to which these comments don't apply. ]
...To preserve ballot secrecy, it must be impossible for the voting system, or anyone involved with it, to associate a ballot (or ballot ID number) with the identity of a particular voter with a high degree of probability.
In the voting systems with ID numbers that I've seen, this issue seems to turn less upon whether the ID numbers have a predictable sequence, and more upon _when_ the ID number is actually applied to the ballot.
If at any point, someone or something has the opportunity to associate a ballot's ID number with the identity of the voter who cast it or who will cast it, then the system fails the ballot secrecy test. Even if the system does not actually store the association, if it has the ability to do so at some point, by my reckoning, the system still fails. This is because the voter has no way of knowing whether their identity really was or wasn't associated with their choices.
As an example, the system that Boulder used in the 2004 general election failed this test, at least for early voting. The voter's identity was used to print a serialized early voting ballot. It was technically possible for the software component of the voting system to record who it assigned a particular ballot ID number to. Similarly, it was possible for election workers that staffed that desk to record the same mapping. I doubt that either the software or the people did this, but of course, we have no way of knowing for certain. In such a system, it would not matter whether the ballot IDs were in an easily predictable sequence, or a sequence that was difficult to predict. That would have no impact on the system's ability to associate the voter's identity with their votes.
On the other hand, if the ballot ID number had been applied to the ballot _after_ any association between the voter and the ballot had been destroyed -- say, at the point when the ballots were scanned and interpreted -- then it seems to me that voter secrecy would have been preserved. The device assigning the ID numbers would have no way of linking the ballot with the voter.
Again, the issue of whether the ID numbers were applied in sequence or not seems to me to be mostly orthogonal to the vote secrecy issue. In some cases, it might be useful to print an ID number that is not easily predictable, if the jurisdiction plans to release a ballot interpretation report to the public. This would make it even more difficult to deanonymize the ballots in a situation where someone recorded video of the voters leaving a particular polling place. But I think that in situations where this is considered to be a problem, a better alternative would be to lightly shuffle the order in which the ballots were fed into the scanner.
- Paul
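
A small model of the argument in the message above, added here as an example and not part of the original e-mail or of any voting system's code. It compares IDs applied when the ballot is issued (sequential or random) with IDs applied at scan time, and measures how many ballots a party holding the relevant record could tie to a voter. All names and data are constructed, and it assumes an unshuffled ballot box preserves casting order.

```python
import random

def issue_time_ids(voters, random_ids, rng):
    """ID is printed when the ballot is issued to an identified voter."""
    desk_log, ballots = {}, []   # desk_log: what the desk or software could record
    for n, voter in enumerate(voters):
        bid = f"{rng.getrandbits(64):016x}" if random_ids else f"{n:06d}"
        desk_log[bid] = voter
        ballots.append({"id": bid, "cast_by": voter})  # cast_by: ground truth, scoring only
    return ballots, desk_log

def scan_time_ids(voters, shuffle, rng):
    """Ballots carry no ID until the scanner numbers them in feed order."""
    box = [{"cast_by": v} for v in voters]   # assumption: box keeps casting order
    if shuffle:
        rng.shuffle(box)                     # full shuffle; the message suggests a light one
    for n, ballot in enumerate(box):
        ballot["id"] = f"{n:06d}"
    return box

def arrival_order_guess(voters):
    """Mapping available to someone who only saw the order voters left the polling place."""
    return {f"{n:06d}": v for n, v in enumerate(voters)}

def linkable_fraction(ballots, mapping):
    """Share of ballots whose ID the mapping ties to the right voter."""
    hits = sum(1 for b in ballots if mapping.get(b["id"]) == b["cast_by"])
    return hits / len(ballots)

def run(n=1000, seed=2006):
    rng = random.Random(seed)
    voters = [f"voter-{i}" for i in range(n)]    # constructed sample data
    results = {}
    for label, random_ids in (("issue/sequential", False), ("issue/random", True)):
        ballots, desk_log = issue_time_ids(voters, random_ids, rng)
        results[label] = linkable_fraction(ballots, desk_log)
    guess = arrival_order_guess(voters)
    results["scan/unshuffled"] = linkable_fraction(scan_time_ids(voters, False, rng), guess)
    results["scan/shuffled"] = linkable_fraction(scan_time_ids(voters, True, rng), guess)
    return results

if __name__ == "__main__":
    for label, frac in run().items():
        print(f"{label:18s} {frac:.3f}")
```

Randomizing the ID changes nothing when it is applied at issuance, while moving the assignment to scan time and shuffling the feed order is what removes the link.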