Anonymity in Voting Revisited.
ABSTRACT According to international law, anonymity of the voter is a fundamental
precondition for democratic elections. In electronic voting, several
aspects of voter anonymity have been identified. In this paper, we
re-examine anonymity with respect to voting, and generalise existing
notions of anonymity in e-voting. First, we identify and categorise the
types of attack that can be a threat to anonymity of the voter,
including different types of vote buying and coercion. This analysis
leads to a categorisation of anonymity in voting in terms of a) the
strength of the anonymity achieved and b) the extent of interaction
between voter and attacker. Some of the combinations, including weak and
strong receipt-freeness, are formalised in epistemic logic.
- SourceAvailable from: lsv.ens-cachan.fr
Conference Proceeding: A Formalization of Anonymity and Onion Routing.[show abstract] [hide abstract]
ABSTRACT: The use of formal methods to verify security protocols with respect to secrecy and authentication has become standard practice. In contrast, the formalization of other security goals, such as privacy, has received less attention. Due to the increasing importance of privacy in the current society, formal methods will also become indispensable in this area. Therefore, we propose a formal denition of the notion of anonymity in presence of an observing intruder. We validate this def- inition by analyzing a well-known anonymity preserving protocol, viz. onion routing.Computer Security - ESORICS 2004, 9th European Symposium on Research Computer Security, Sophia Antipolis, France, September 13-15, 2004, Proceedings; 01/2004
Chapter: Foundations of Attack Trees[show abstract] [hide abstract]
ABSTRACT: Attack trees have found their way to practice because they have proved to be an intuitive aid in threat analysis. Despite, or perhaps thanks to, their apparent simplicity, they have not yet been provided with an unambiguous semantics. We argue that such a formal interpretation is indispensable to precisely understand how attack trees can be manipulated during construction and analysis. We provide a denotational semantics, based on a mapping to attack suites, which abstracts from the internal structure of an attack tree, we study transformations between attack trees, and we study the attribution and projection of an attack tree. Keywordsattack trees-semantics-threat analysis07/2006: pages 186-198;
Anonymity in voting revisited
Hugo Jonker1,2and Wolter Pieters3,⋆
1Eindhoven University of Technology, The Netherlands
2University of Luxembourg, Luxembourg
Abstract. According to international law, anonymity of the voter is a
fundamental precondition for democratic elections. In electronic voting,
several aspects of voter anonymity have been identified. In this paper,
we re-examine anonymity with respect to voting, and generalise existing
notions of anonymity in e-voting. First, we identify and categorise the
types of attack that can be a threat to anonymity of the voter, including
different types of vote buying and coercion. This analysis leads to a
categorisation of anonymity in voting in terms of a) the strength of the
anonymity achieved and b) the extent of interaction between voter and
attacker. Some of the combinations, including weak and strong receipt-
freeness, are formalised in epistemic logic.
In the field of peer-to-peer (P2P) networks, much effort has been put into for-
malizing the concept of anonymity of messages (e.g. ). Intuitively, anonymity
means that it is impossible to determine who sent which message to whom. De-
pending on the context, different formalizations of the notion of anonymity seem
to be necessary .
The concept of anonymity is also of importance in electronic voting – often,
voters should have the ability to vote without anybody else knowing which op-
tion they voted for (although in some countries, such as the United Kingdom and
New Zealand, this is ultimately not the case). In the electronic voting commu-
nity, the property expressing precisely that is usually called “privacy” instead of
anonymity . In voting, however, enabling privacy is not sufficient, as this does
not prevent vote buying. To prevent vote buying, an election needs to require
privacy – no voter should be able to convince any other party of how she voted.
The concept of receipt-freeness expresses that a voter cannot convince any
other party of how she voted by creating a receipt. The notion has been intro-
duced by , after which various receipt-free voting protocols were proposed,
such as [9,17]. Delaune et al.  provide a definition of receipt-freeness based on
observational equivalence. Independently, Jonker and De Vink  provide an
alternate definition that allows identification of receipts. Juels et al. note in 
⋆Research was carried out partially at Radboud University, Nijmegen, The Nether-
lands, and supported by NWO, the Netherlands Organisation for Scientific Research.
that receipt-freeness is not sufficient to prevent coercion in electronic elections,
and they introduced the notion of coercion-resistance. This broader notion is
again formalized by Delaune et al. in .
Given the differences in approachesand in notions, the question arises whether
these notions capture the specific needs for anonymity in voting. The three main
levels of anonymity that have been identified in voting, capture progressively
more strict notions of anonymity. The notion of receipt-freeness was motivated
as necessary to provide secret-ballot elections. If receipts can be obtained, using
a voting booth makes no difference to the secrecy: Votes can be bought, and
voters can be coerced.
To address the question of whether or not the notion of receipt-freeness is
sufficient, we reexamine voter influencing, focusing on vote buying. What is vote
buying, when can an action be called vote buying and when is it an election
promise? As this is, ultimately, a subjective issue, the goal is not to provide a
yes-or-no test. Instead, we aim to arrive at a charactarisation of vote buying /
election promises, which will enable election officials to decide which practices
are allowed and which should be abolished. Based on these findings, we then
reexamine the concept of receipt-freeness and adapt it to encompass uncovered
Distinctions between vote buying and election promises have been investigated
by economists, philosophers and political scientists before.
Van Acker  discusses the relation between the notions of coercion, forced
abstention, randomisation and simulation. However, he includes vote buying in
the concept of coercion.
Kochin and Kochin  discuss the issue of giving benefits to individual voters
versus giving benefits to identifiable groups. They also consider the difference
between benefits offered through the normal processes of government (related
to being elected) versus benefits offered through private arrangements. Thirdly,
they mention that trading votes for or against proposals between parties or
members in parliament is acceptable.
The latter practice is also mentioned by Hasen  and called “legislative
logrolling”. Hasen further differentiates the issues of corporate vote buying, pay-
ments to increase turnout, campaign promises and campaign contributions, and
vote buying in so-called “special district”1elections.
Schaffer  distinguishes between instrumental, normative and coercive com-
pliance in relation to vote buying. Instrumental compliance covers tangible bene-
fits in exchange for votes, normative compliance means voting based on a feeling
of obligation, and coercive compliance denotes voting based on threats. Schaffer
also mentions the possibility that money is offered for not changing voting be-
haviour. In order to check compliance, a buyer may monitor the individual vote,
1“a special purpose unit of government assigned the performance of functions affecting
definable groups of constituents more than other constituents”
monitor the aggregate turnout, prevent people from voting altogether, make the
rewards dependent on his election, make voters believe in his goodness or make
voters feel personally obliged. The applicability of these strategies is dependent
on the mode of compliance the buyer is seeking. From the perspective of voters,
benefits can be received in the form of payment, gift or wage, with different
explicit and implicit meanings in terms of modes of compliance.
From these papers it is clear that what exactly constitutes acceptable influ-
ence and what does not, depends on the type of elections, the society in which
the elections are being held and the participants of the elections. In the end, the
matter is ultimately a subjective one. However, by determining the various char-
acteristics of vote buying, and their respective ranges, it is possible to establish
a pre-election consensus on allowed and disallowed practices. Such a pre-election
consensus enables putting precise requirements on voting systems to support the
one type of behaviour, while preventing the other type.
1.2 Outline of the paper
In Section 2, we identify and categorise the types of attack that can be a threat
to anonymity of the voter, including different types of vote buying and coer-
cion. This analysis leads to a categorisation of anonymity in voting in terms
of a) the strength of the anonymity achieved and b) the extent of interaction
between voter and attacker, which is presented in Section 3. In Section 4, some
of the combinations, including weak and strong receipt-freeness, are formalised
in epistemic logic. The last section presents conclusions and future work.
2 Characteristics of voter influencing
In this section, we investigate the characteristics of voter influencing. The ex-
amples below are used as supporting guidelines throughout the section. These
examples are deliberately without context – in lieu of what was established in
Section 1.1. The reason for this is that the aim is to discover the generic char-
acteristics involved, irrespective of social and electoral context. The examples
are not meant to capture any precise attempt at influencing voters, but rather
they convey a broad idea of a, possibly controversial, attempt at changing the
outcome of an election by targeting the voters.
Example 1 (handout). At the polling station, I give each voter 100 euros together
with mentioning my candidacy.
Example 2 (theme park). The district with the highest percentage of votes for
me gets a theme park as my first act as elected official.
Example 3 (zalmsnip). If I get elected, everyone gets 100 euros tax refund.
Example 4 (election promise). If I get elected, disabled child prodigies get 100
euros (i.e. children with a physical handicap, who are members of Mensa).
Example 5 (rf). I give 100 euro for anyone voting for the Democratic Party.
Example 6 (non-rf). I give 100 euro for anyone not voting for the Democratic
Example 7 (reimburse). I provide a reimbursement for voters for time away from
The zalmsnip example is based on a tax rebate that occurred in the Nether-
lands in 1998 and 1999. The rf and non-rf examples are inspired by the notion
of receipt-freeness. The reimburse example is inspired by this practice occurring
in the 19th century in the Netherlands.
Note that – as long as there is no request to vote in a specific way – example 1
can be considered legitimate. Examples 3 and 4 are fabrications resembling pos-
sible election promises. Example 2 is dubious; examples 5–7 are outright illegal.
2.1 Legal and illegal influencing
Influencing voters can be done either legally or illegally. To avoid a legal dis-
cussion on what is allowed by which laws, we only focus upon characterising
what is desirable. As established in the introduction, this is a subjective notion.
The aim here is to outline the range of possibilities available, indicate where the
boundary between desirable and undesirable lies and give a supportive reasoning
for where we feel this boundary lies.
Note that, in general, there are two methods to influence a voter’s vote:
coercion where voters are threatened to ensure compliance;
enticement where voters are seduced into compliance.
Whereas persuasion is allowed, buying and coercion are not. Both buying and
coercion require proof of compliance, whereas persuasion does not. Both buying
and persuasion are dependent on voluntary cooperation of the voter, coercion is
Voter influencing can be considered acceptable or unacceptable. What is
considered acceptable depends on culture and the nature of the elections. That
there can exist both acceptable and unacceptable variants of the above two
methods is illustrated by the following list.
– acceptable coercion claiming that all other candidates have significantly worse
plans for the voter
– unacceptable coercion threatening with physical violence in case of non-
– acceptable enticement promising to lower taxes
– unacceptable enticement paying a voter to vote for you
The above list clearly indicates, that there is a distinction between accept-
able influence and unacceptable influence. To establish the characteristics that
together determine the acceptability, we construct an objective tree of voter in-
fluencing in Section 2.2. Objective trees are attack trees (see [19,13]), but focus
upon meeting goals instead of achieving attacks.
Our objective tree deviates slightly from normal attack trees. The purpose
of our tree is to determine characteristics that distinguish acceptable from unac-
ceptable influence. To elucidate these detailed characteristics, details need to be
explicit in the tree. Hence, where normally attributes would be used, we promote
these characteristics to leaves. This makes these characteristics explicit.
2.2 Classifying vote buying
Based on the literature, the examples and the analysis above, the tree in Figure 1
was constructed and dimensions of vote buying were clarified. The main goal in
the tree is to buy a vote, by means of persuasion. The tree is thus from the
perspective of a vote buyer. Where necessary, the range of possible values has
been indicated in the tree (as leaves).
– or reward time
• leaf before vote casting
• and later
∗ or trust required
· leaf rewarding sureness
· leaf consequences of non-reward
· leaf ensurance of compliance
∗ or hand out reward
· leaf after vote casting
· leaf after ballot box closes
· leaf after vote counting
– or type of reward
• leaf money
• leaf goods
• leaf immaterial
– or rewarding conditions
• leaf cast vote
• leaf election win
• leaf unconditional
• leaf complex
– leaf group size of reward receivers
– or proving compliance
• leaf before rewarding
• leaf after rewarding
• leaf not required
– leaf reward related to election
Fig.1. Objective tree for vote buying