Voting Privacy


This project relates to the issue of Voting Privacy, while also encouraging transparency of the results so the public can easily check them. This topic is primarily focused on traditional voting systems and is not specific to e-voting or other electronic voting proposals.

Frequently, election officials suggest that certain reports, such as "Cast Vote Records" (CVR) or ballot images cannot be provided due to "voter privacy", "voting secrecy", or one of many other similar terms. The voting application is difficult because on the one hand the voter must be fully identified and validated, but then later, the votes of that voter must become disconnected from the voter, and it should be infeasible to pair up the voter with that voter's votes. Thus, the terms:

  • ballot anonymity - a given ballot should be anonymous: it should carry no voter-identifying marks, and a voter should be unable to prove to someone else which ballot is theirs.

Why is this desired? There are really two different motivations:
  • To make it feasible for a citizen to vote for an unpopular option without fear of retribution or repercussions.
  • To make it infeasible for a citizen to "sell" their vote, or otherwise prove to another entity how they voted, for cash or any other reason.


Scholarly articles

  • Voter Privacy in the age of Big Data (paywall)
  • Verifying privacy-type properties of electronic voting protocols
    • Abstract: Electronic voting promises the possibility of a convenient, efficient and secure facility for recording and tallying votes in an election. Recently highlighted inadequacies of implemented systems have demonstrated the importance of formally verifying the underlying voting protocols. We study three privacy-type properties of electronic voting protocols: in increasing order of strength, they are vote-privacy, receipt-freeness and coercion-resistance. We use the applied pi calculus, a formalism well adapted to modelling such protocols, which has the advantages of being based on well-understood concepts. The privacy-type properties are expressed using observational equivalence and we show in accordance with intuition that coercion-resistance implies receipt-freeness, which implies vote-privacy. We illustrate our definitions on three electronic voting protocols from the literature. Ideally, these three properties should hold even if the election officials are corrupt. However, protocols that were designed to satisfy receipt-freeness or coercion-resistance may not do so in the presence of corrupt officials. Our model and definitions allow us to specify and easily change which authorities are supposed to be trustworthy.
  • Privacy and verifiability in voting systems: Methods, developments and trends
    • Abstract: One of the most challenging aspects in computer-supported voting is to combine the apparently conflicting requirements of privacy and verifiability. On the one hand, privacy requires that a vote cannot be traced back from the result to a voter, while on the other hand, verifiability states that a voter can trace the effect of her vote on the result. This can be addressed using various privacy-enabling cryptographic primitives which also offer verifiability.

Proposed Legislation


Q: Is there some reason to believe that a cast vote record contains enough information to identify a particular voter such that releasing the CVR as a public record would violate a voter's right to a secret ballot?

A: There is a chance that if a voter is in a small group, let's say in the Peace and Freedom party, and they have a special ballot that only that voter received in a precinct or other group, then yes, it would be possible to identify a voter like that with a detailed CVR and information about voters. But if a voter is in the general population and does not associate with a small group, then it is not possible, as long as the groups are larger than say 30 in a group, because it is unlikely that all will vote the same way. Election officials are supposed to make sure precincts have sufficient voters in them. If you have a precinct with only one voter, then of course we can tell how that voter voted.

There is a district I have heard about (in another state) that has a huge prison, where no one can vote. But those people are still counted for representation. One other guy lives there. He is the only voter. He is also in the house of representatives, and he votes for himself. Obviously, we know how he votes even if we view the totals for the district not broken down at all. So releasing the cast vote record does not provide any additional information than can be determined from the normal reports in that case.

There is a game being played by election officials in some areas to create very many ballot styles, to result in maximal redaction and minimal transparency. A ballot style is needed to determine which contests are on the ballot. If you live in a certain area, then you will have potentially dozens of different districts with different boundaries. School district, water board, hospital board, fire board, city council district, federal house rep., state assembly, state senate, county commissioners, etc. Ideally, each precinct is not split. But sometimes they are. In any case you then have small groups, usually called precincts, that are not split. There can be a few of these per district. But a given precinct may have a unique combination of those districts. Then it needs to be a separate style. Then there can be party, language and sheets. We want election officials to have as few as possible ballot styles. That way, they will have a lot of voters in each one, and there is no fear of loss of privacy.

What they do a lot is to have a separately identified style for each precinct, party, split, even though there is not a need for that many styles. As an example in Florida, we have been processing the ballots from Collier County. In the primary, there were 5 styles. One with DEM presidential contest, one with REP presidential contest, one with DEM pres + Naples city contests, REP + Naples city contests, and one nonpartisan ballot with Naples city contests only. But the ballots are still also identified by precinct. This is something that is a problem with maintaining privacy. Campaigns want precinct information, i.e. how the entire precinct is likely to vote, so they can target them for campaigning. If this was dispensed with, then we would need only the styles based on the contests and not the precincts.

In Collier County there were 62395 votes cast. Although there is a need for only 5 ballot styles, they break them down into the precincts as well. So even on the ballot, you can determine the precinct the ballot is from, the party, and if it is a single nonpartisan or other rare party in that precinct, then just by looking at the ballot style and ballot, you can determine the voter IF you also have the list of voters who actually voted in the election, and that IS available. Anyone or any party can purchase the voter data file which lists all the voters and their voting history, their party affiliation. When buying this list, however, there are restrictions agreed to by the purchaser, and it should be the case that working to figure out how a voter voted should be listed as a use that is not allowed. There are sign-in sheets at the polling place and the list of VBM (absentee) voters is known and available. Thus, with this information, if the election is designed poorly (with lots of styles instead of the only 5 required), and if the CVR breaks it down that way, then indeed you can, for some cases, determine how the voter voted. But that is the case only for very few voters in any election, percentage wise, and usually, it is not important for our needs. I.e. redaction does not hurt us.

And in any precinct or group, if all voters vote for Trump, let's say, then indeed you know how everyone voted in that group -- EVEN WITHOUT HAVING THE CAST VOTE RECORD! The danger exists today, if you have data that is already on the website, in terms of how voters voted. So what they do is suppress the result in those cases when there are fewer than 30 voters in any group.

See the first part of that file.

In precinct 101, one voter voted for Rocky De La Fuente. The total is shown, but they don't show which group it is in. But even if we know the group, we likely can't figure out which voter it is, unless it was the only say REP voter who voted provisionally in precinct 101. So the redaction is really going too far in this report. But for purposes of conducting ballot image audits, I don't care generally about the redactions in the CVR of this kind, for some unpopular candidate. I am interested in the candidate that won and the one that just barely lost. Those are usually never redactable.

The most dangerous situation is regarding BMD voters, ballot marking devices. There were only about 6 BMD voters in the entire election in Collier County, FL. They are on a different ballot and it is obvious when you look at it. If they identify which voters used the BMD then it would be easy to figure out. In CA it is illegal to identify whether a voter is an ADA voter, blind, etc. and then likely to use such a BMD device. This is also why our policy (Citizens' Oversight) is to move to BMD ballots that look just like traditional hand-marked paper ballots, so that hand-marked and machine-marked ballots are not easily distinguishable.

There is also an argument being made by the E2E-V crowd. They want to use electronic voting and encrypt everything, but still be able to add up the votes. They claim that a voter can use "pattern voting" i.e. voting for a certain number of other candidates to identify the ballot. So even though no distinguishing marks are valid in FL, a person could vote in a certain strange pattern and that could conceivably be used to identify the ballot. Not possible in this recent election in Collier County, FL, because there are too few items on the ballot. But if you could identify a number of races people don't care to vote on, and the people vote in an unusual pattern, then indeed it would be possible. But vote selling is illegal and so that is covered. It is not necessary to constrain the CVR to block something that is already illegal. It is illegal to use the voter registration list for commercial activities. That is enough to allow it to be revealed, and it is to anyone who wants to buy it.

So the bottom line is that using the CVR alone, it is not possible to determine how a voter voted because there is no way to identify the voter with that information alone. You have to also have the voter history list. Voters can tell people how they voted, and in some states (not sure about FL) ballot selfies are allowed. Thus, if you don't care about privacy, that is your right. Certainly, if you vote by mail, you could fill it out with your friends and family. If you want to show it to them, then it is your responsibility to deal with that. That is a limited group that receives the information perhaps. Now can it be absolutely proven that no one can figure out how a person votes, I don't think that happens now, even with the reports they already provide.

-- Ray Lutz
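As an added example (not from the page, and not code from Citizens' Oversight), the following Python check runs the reasoning of the reply above over a small constructed cast vote record. It flags the two privacy leaks described there: groups with fewer than 30 ballots, which a public voter-history list can expose, and groups that voted unanimously in a contest, which ordinary totals already expose. It also compares the per-precinct ballot styles the reply criticises with contest-only styles to show how collapsing styles raises the smallest group size. The precinct numbers, candidate tallies and the "Candidate D" name are constructed assumptions, not Collier County data.

```python
"""Added example: k-anonymity style checks over a cast vote record (CVR)."""
from collections import Counter, defaultdict

K_MIN = 30  # the "fewer than 30 voters" suppression threshold from the reply


def _ballots(precinct, party, votes):
    """Build constructed ballot dicts: n copies for each (candidate, n) in votes."""
    style = f"{party}-{precinct}"  # one style per precinct+party, the practice criticised above
    out = []
    for candidate, n in votes:
        out += [{"precinct": precinct, "party": party, "style": style,
                 "president": candidate} for _ in range(n)]
    return out


# Constructed sample CVR (not real data). "" marks a ballot that carries no
# presidential contest, e.g. a nonpartisan (NPA) primary ballot.
SAMPLE_CVR = (
    _ballots("101", "REP", [("Trump", 39), ("De La Fuente", 1)])
    + _ballots("101", "DEM", [("Candidate D", 35)])
    + _ballots("101", "NPA", [("", 1)])
    + _ballots("102", "REP", [("Trump", 32)])
    + _ballots("102", "DEM", [("Candidate D", 4)])
    + _ballots("102", "NPA", [("", 30)])
)

FINE = ("precinct", "party")   # grouping when styles are split per precinct
COARSE = ("party",)            # grouping when styles follow the contests only


def group_sizes(cvr, fields):
    """Count ballots per group; a group is the tuple of the given field values."""
    return Counter(tuple(rec[f] for f in fields) for rec in cvr)


def min_group_size(cvr, fields):
    """Smallest group under this grouping: the weakest point for anonymity."""
    return min(group_sizes(cvr, fields).values())


def small_groups(cvr, fields, k=K_MIN):
    """Groups with fewer than k ballots. A voter known (from the public
    voter-history list) to be in one of these is exposed by any per-group report."""
    return sorted(g for g, n in group_sizes(cvr, fields).items() if n < k)


def unanimous_groups(cvr, fields, contest):
    """Groups in which every ballot that voted in `contest` chose the same
    option. This leak exists in ordinary totals reports, CVR or not."""
    choices = defaultdict(set)
    for rec in cvr:
        if rec[contest]:  # ignore ballots that did not vote in the contest
            choices[tuple(rec[f] for f in fields)].add(rec[contest])
    return sorted(g for g, s in choices.items() if len(s) == 1)


def redacted_tally(cvr, fields, contest, k=K_MIN):
    """Per-group tally of `contest`, suppressing groups below k ballots,
    mirroring the suppression rule described in the reply."""
    sizes = group_sizes(cvr, fields)
    tally = {g: Counter() for g in sizes}
    for rec in cvr:
        if rec[contest]:
            tally[tuple(rec[f] for f in fields)][rec[contest]] += 1
    return {g: ("REDACTED" if sizes[g] < k else t) for g, t in tally.items()}


if __name__ == "__main__":
    for name, fields in (("per-precinct styles", FINE), ("contest-only styles", COARSE)):
        print(f"{name}: smallest group = {min_group_size(SAMPLE_CVR, fields)}, "
              f"groups under {K_MIN} = {small_groups(SAMPLE_CVR, fields)}, "
              f"unanimous = {unanimous_groups(SAMPLE_CVR, fields, 'president')}")
```

With per-precinct styles the single NPA ballot in precinct 101 and the four DEM ballots in precinct 102 fall under the threshold and get redacted; grouping by contest-only style lifts every group to 31 or more, so nothing needs suppression. The unanimity check still fires for the DEM group either way, which is the reply's point that this particular leak is already visible in the published totals.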



Project Form

  • Project Name: Voting Privacy
  • Project Description: Deals with anonymity of the ballot and allowing voters to vote privately
  • Project Founder: Ray Lutz
  • Project Curator: Ray Lutz
  • Project Type: Issue Oversight
  • Project Parents: Election Integrity
  • Related Keywords: Audit Engine, Easy Voting, Election Audits, Election Equipment, Election Team
  • Project Status: Active
Topic revision: r3 - 06 Jul 2020, RaymondLutz