Reconciling Post-Election Auditing with the Secret Ballot

Project Details

Performance Period

Sep 01, 2010 - Aug 31, 2012

Institution(s)

Princeton University

A fundamental tension exists between transparency and privacy in electronic voting. Electoral transparency requires access to primary voter records, so observers can be sure that the election was run appropriately. Ballot privacy, keeping ballot contents separate from information that can identify the voter, is required to prevent coercion and vote-selling. If we discard either transparency or privacy, voting becomes much simpler: without transparency, ballots can be perfectly private; with no privacy requirement, elections can be perfectly transparent. The project aims to reconcile transparency with ballot privacy in electronic voting systems.

The project has several goals. The project is identifying legal and technical barriers to increased privacy, both in terms of fundamental limits and limits imposed by technology. The project is also identifying vulnerabilities enabled by the movement for increased electoral transparency, for example the practical risks of identifying ballots using voter marks and paper-fingerprinting. This enables research to design privacy-preserving methods for publishing artifacts of transparency, such as scanned ballot images. The project is examining the loss of ballot privacy intrinsic to various models of post-election audits, where the trend has been toward greater disclosure of records, which may implicate issues of ballot privacy. The project is creating process models of post-election audits to identify and compare ballot privacy leakage and developing methods to better determine how many ballots are truly in an audit batch, a crucial but overlooked element of the mathematics in post-election audits.