RE: Anonymity, Secrecy, Privacy

[Michael Zolotarev <michael.zolotarev@baltimore.com>]

Guys, 

Kevin is right when saying that we have a number of different issues to be
considered with regards to anonymity/privacy/secrecy. However, I'd like to
stress it out that in the security reqs proposal I've been only
concentrating on possible implications for the token structures, not for an
election process in general. And I believe that this is what we should be
doing for the moment.

Anonymity:

Considering the structure of a token, be it a ballot or a vote, the issue of
anonymity becomes an issue of protecting the voter's identity if it is
referenced by a vote token.

Which can be achieved by one of the following:

1) Completly anonymous vote. No references to the voter's identity.
2) Anonymity by using ID/Alias. A voter is referenced by some means which
only make sense to the election processing backbone and probably to the
voter himself.
3) Anonymity by encrypting the token, wholly or just the actual part
containing the reference to the voter's identity.

Hence, the requirements I've defined for the tokens structures, stipulating
that it must allow the implementation of (1), (2) and (3) above.

Secrecy: 
I believe that it should be enough to say that a token can be encrypted,
wholly or partially, in order to provide secrecy of the content.

Privacy:
Obviously privacy is a critical issue to consider when talking about
election process in general, as Kevin rightly noted. But I don't think that
privacy issues should have any implication to the tokens.


regards
Michael







> -----Original Message-----
> From: Thom Wysong [mailto:wysong@technodemocracy.org]
> Sent: Monday, 25 June 2001 23:56
> To: election-services@lists.oasis-open.org
> Subject: Anonymity, Secrecy, Privacy
> 
> 
> 
> Kevin,
> 
> This is interesting. I don't think I've heard this 
> distinction before, so 
> let's see if I correctly understand what you are saying 
> (http://lists.oasis-open.org/archives/election-services/200106
/msg00042.html).

(+) For anonymity, there is no link between voter and ballot. Or, if there 
is one at some point in the voting process, it is destroyed before the 
voting process is concluded.

(+) For secrecy, there may or may not be a voter/ballot link. If that link 
exists, however, it is not revealed - thus the ballot remains secret.

(+) For privacy, at a polling place, *who* is voting may be known, but 
*how* they vote is kept private.

You seem to be saying that the important thing is that ballots be kept 
*secret*, regardless of whether or not they are *anonymous*.

IMO, *secrecy* and *privacy* are more or less synonymous when it comes to 
how they're used with regards to electronic voting (ignoring what *privacy* 
means in a physical polling place, since that's beyond our scope).

However, as you seem to suggest, *anonymity* is only one way to implement 
secrecy/privacy.

Any thoughts?

-Thom



This footnote confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.


-----------------------------------------------------------------------------------------------------------------
The information contained in this message is confidential and is intended 
for the addressee(s) only.  If you have received this message in error or 
there are any problems please notify the originator immediately.  The 
unauthorized use, disclosure, copying or alteration of this message is 
strictly forbidden. Baltimore Technologies plc will not be liable for direct, 
special, indirect or consequential damages arising from alteration of the 
contents of this message by a third party or as a result of any virus being 
passed on.

In addition, certain Marketing collateral may be added from time to time to 
promote Baltimore Technologies products, services, Global e-Security or 
appearance at trade shows and conferences.
 
This footnote confirms that this email message has been swept by 
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.