Privacy

Is my vote private?

The data printed on the ballot has two parts:

1) A covered plain-text printout of the vote, and

2) An electronic ballot containing an encryption of the vote.

The covered plain-text ballot is cast into a ballot box, where all ballots mix. The privacy guaranteed here is the same as in paper-based voting systems (also called the Australian ballot).

The electronic ballot is uploaded encrypted to the ballot tracking web page, and is also given to the voter as a receipt. We use a public key crypto-system. This means that the voting machine can encrypt your vote, but no one can decrypt it without knowing the secret private key of the system. Furthermore, we use a threshold crypto-system. That means that there exists a group of trustees (that should include, e.g., representatives from the government, the various political parties, the judiciary system and human rights organizations) that collectively hold the secret key in such a way that no party can decrypt a message without the help of the others.

Finally, after the elections are over, tallying takes place. The tallying process first shuffles all ballots and then decrypts them. The decryption takes place only after the ballots are shuffled, so no one can link plain-text votes to the encrypted ballots that appear on the ballot tracking web page, and privacy is preserved.
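
The threshold encryption and shuffle-then-decrypt tally described above can be sketched as follows. This is an added example, not code from the voting system itself. It assumes ElGamal encryption with the secret key split additively among the trustees (every trustee is needed to decrypt), and it uses a constructed toy group that is far too small for real use; all function names are hypothetical.

```python
import secrets

# Toy group (constructed, assumption): p = 2q + 1, g generates the order-q subgroup.
P, Q, G = 1019, 509, 4

def keygen(n_trustees):
    """Each trustee picks a secret share; the public key is the product of g^share."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n_trustees)]
    pub = 1
    for x in shares:
        pub = pub * pow(G, x, P) % P
    return shares, pub

def encrypt(pub, vote):
    """Voting machine: ElGamal encryption of g^vote under the joint public key."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pub, r, P) % P

def shuffle(pub, ballots):
    """Re-randomize every ciphertext, then permute, so outputs do not match inputs."""
    out = []
    for c1, c2 in ballots:
        s = secrets.randbelow(Q - 1) + 1
        out.append((c1 * pow(G, s, P) % P, c2 * pow(pub, s, P) % P))
    secrets.SystemRandom().shuffle(out)
    return out

def partial_decrypt(share, ballot):
    """One trustee's contribution; on its own it reveals nothing about the vote."""
    return pow(ballot[0], share, P)

def combine(ballot, partials, n_candidates):
    """Recover the vote from the partial decryptions of all trustees."""
    mask = 1
    for d in partials:
        mask = mask * d % P
    plain = ballot[1] * pow(mask, -1, P) % P
    for v in range(n_candidates):
        if pow(G, v, P) == plain:
            return v
    return None  # partials missing or wrong: not a valid vote encoding

def tally(shares, pub, ballots, n_candidates):
    """Shuffle first, decrypt second; the result carries no link to the posted ballots."""
    mixed = shuffle(pub, ballots)
    return sorted(combine(b, [partial_decrypt(x, b) for x in shares], n_candidates) for b in mixed)
```

With one trustee's partial decryption left out, combine() never returns the true vote, which is the property the trustee arrangement relies on.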

We remark that the voter makes his/her choices on a touch screen, thus, in essence, revealing his/her choices to the voting machine. This implies that there is no privacy with respect to the voting booth.