[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Secret ballot and the Colorado constitution

To: cvv-discuss@xxxxxxxxxxxxxxxxx
Subject: Re: Secret ballot and the Colorado constitution
From: Paul E Condon <pecondon@xxxxxxxxxxxxxxxx>
Date: Mon, 27 Feb 2006 13:16:30 -0700
Delivered-to: mailing list cvv-discuss@coloradovoter.net
In-reply-to: <Pine.LNX.4.63.0602271200490.10950@utopia.booyaka.com>
List-help: <mailto:cvv-discuss-help@coloradovoter.net>
List-post: <mailto:cvv-discuss@coloradovoter.net>
List-subscribe: <mailto:cvv-discuss-subscribe@coloradovoter.net>
List-unsubscribe: <mailto:cvv-discuss-unsubscribe@coloradovoter.net>
Mailing-list: contact cvv-discuss-help@coloradovoter.net; run by ezmlm
References: <NHBBLNCPANIKJINCJHAPCEJICJAA.someguy@paultiger.com> <20060221181424.GB8816@big> <Pine.LNX.4.63.0602271200490.10950@utopia.booyaka.com>
User-agent: Mutt/1.5.9i

On Mon, Feb 27, 2006 at 12:53:09PM -0700, Paul Walmsley wrote:
> On Tue, 21 Feb 2006, Paul E Condon wrote:
> 
> >So, my question: could random unique identifiers satisfy the techy 
> >system developers? And, just as important, would random unique 
> >identifiers satify your concerns about voter privacy? Please, no flip 
> >answer.  Think about it.
> >
> >Others, please also express opinions on this issue, but if your beef is
> >with computers per se, don't pretend it is a response to this post.
> 
> Hi Paul C.,
> 
> [ These thoughts below assume that the ID number, once applied, is 
> permanently attached to the ballot.  Some voting systems use ID numbers on 
> removable stubs, which are detached by the voter and separately deposited 
> when the ballot is cast in the ballot box.  This is a different type of 
> system, to which these comments don't apply. ]
> 
> ...
> 
> To preserve ballot secrecy, it must be impossible for the voting system, 
> or anyone involved with it, to associate a ballot (or ballot ID number) 
> with the identity of a particular voter with a high degree of probability.
> 
> In the voting systems with ID numbers that I've seen, this issue seems to 
> turn less upon whether the ID numbers have a predictable sequence, and 
> more upon _when_ the ID number is actually applied to the ballot.
> 
> If at any point, someone or something has the opportunity to associate a 
> ballot's ID number with the identity of the voter who cast it or who will 
> cast it, then the system fails the ballot secrecy test. Even if the system 
> does not actually store the association, if it has the ability to do so at 
> some point, by my reckoning, the system still fails.  This is because the 
> voter has no way of knowing whether their identity really was or 
> wasn't associated with their choices.
> 
> As an example, the system that Boulder used in the 2004 general election 
> failed this test, at least for early voting.  The voter's identity was 
> used to print a serialized early voting ballot.  It was technically 
> possible for the software component of the voting system to record who it 
> assigned a particular ballot ID number to.  Similarly, it was possible for 
> election workers that staffed that desk to record the same mapping.  I 
> doubt that either the software or the people did this, but of course, we 
> have no way of knowing for certain.  In such a system, it would not matter 
> whether the ballot IDs were in a easily predictable sequence, or a 
> sequence that was difficult to predict.  That would have no impact on the 
> system's ability to associate the voter's identity with their votes.
> 
> On the other hand, if the ballot ID number had been applied to the ballot 
> _after_ any association between the voter and the ballot had been 
> destroyed -- say, at the point when the ballots were scanned and 
> interpreted -- then it seems to me that voter secrecy would have been 
> preserved.  The device assigning the ID numbers would have no way of 
> linking the ballot with the voter.
> 
> Again, the issue of whether the ID numbers were applied in sequence or not 
> seems to me to be mostly orthogonal to the vote secrecy issue.  In some 
> cases, it might be useful to print an ID number that is not easily 
> predictable, if the jurisdiction plans to release a ballot interpretation 
> report to the public.  This would make it even more difficult to 
> deanonymize the ballots in a situation where someone recorded video of the 
> voters leaving a particular polling place.  But I think that in situations 
> where this is considered to be a problem, a better alternative would be to 
> lightly shuffle the order in which the ballots were fed into the scanner.
> 
> 
> - Paul

I had been thinking, rather narrowly, on only the situation of
pre-printed ballots that are handed to voters by judges in a precinct
voting place. Your comment points to the value of a print head in the
scanner at the ballot processing stage. If each ballot is marked at
the time it is scanned, that mark can be used to ensure that ballots
are not double counted. But it plays hob with reprocessing ballots
that will need to be done because of computer malfunction.

Putting the scanners in the polling place could spoil your good idea.
If the ballot is scanned and marked while the voter is in a vacinity
there is still an opportunity for learning the association of vote
with voter.

-- 
Paul E Condon           
pecondon@xxxxxxxxxxxxxxxx

Follow-Ups:
- RE: Secret ballot and the Colorado constitution
  - From: Some Guy

References:
- RE: Secret ballot and the Colorado constitution
  - From: Some Guy
- Re: Secret ballot and the Colorado constitution
  - From: Paul E Condon
- Re: Secret ballot and the Colorado constitution
  - From: Paul Walmsley

Prev by Date: Re: Secret ballot and the Colorado constitution
Next by Date: Re: Bev Harris and Sequoia
Previous by thread: Re: Secret ballot and the Colorado constitution
Next by thread: RE: Secret ballot and the Colorado constitution
Index(es):
- Date
- Thread