I noticed that the private keys for signing and encryption for previous SecurePoll dumps were accessible to everyone via the dump feature.
This was previously mentioned in public at T204190#5389157, but I want to note that exposure of private keys was not intentional.
The vote records encrypted by these keys are anonymized by the UI, and anonymized plaintext ballot dumps were already made available for most elections. So there is limited impact on user privacy. That's why I'm not making this a security task.
Encryption of vote records is mostly supposed to be a protection against vote-buying, since we provide the vote record as a receipt to users. If vote records can be decrypted then a user can prove who they voted for, and a third party can verify that the user did not change their vote before the end of the election by confirming that the vote record appears in the dump.
Signing keys are an integrity feature intended to protect voters against alteration of vote records after their votes were cast.
I temporarily enabled the voter-privacy property on all prior elections on votewiki, and I'll submit a patch that removes the keys from the dump.
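A worked model of the two failure modes described in this task (receipt decryption enabling vote-buying, and record forgery when the signing key is exposed), added here as an illustration; it is not SecurePoll code. SecurePoll uses GPG for encryption and signing; this stand-in uses textbook RSA over hard-coded Mersenne primes so it runs offline, and it is not suitable for real use (no padding, no randomization). The `Election` class, `buyer_check`, `tamper` and the ballot strings are all constructed for the example.

```python
"""Toy model of encrypted, signed vote records and a dump that may leak keys.

Constructed example. Textbook RSA with hard-coded Mersenne primes stands in
for SecurePoll's GPG keys; it is for illustration only, not for production.
"""
import hashlib

E = 65537  # public exponent; 65537 is coprime to every phi below (checked by hand)


def make_keypair(p: int, q: int, e: int = E):
    """Return ((n, e), (n, d)) for two known primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # Python 3.8+ modular inverse
    return (n, e), (n, d)


def int_bytes(i: int) -> bytes:
    return i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")


def rsa_encrypt(pub, data: bytes) -> int:
    n, e = pub
    m = int.from_bytes(data, "big")
    assert m < n, "ballot too long for the toy modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> bytes:
    n, d = priv
    return int_bytes(pow(c, d, n))


def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)


def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h


class Election:
    """Hypothetical election server holding one encryption and one signing key pair."""

    def __init__(self):
        # Separate primes per key pair so the two moduli share no factor.
        self.enc_pub, self.enc_priv = make_keypair((1 << 107) - 1, (1 << 127) - 1)
        self.sig_pub, self.sig_priv = make_keypair((1 << 61) - 1, (1 << 89) - 1)
        self.records = []

    def cast(self, ballot: bytes) -> dict:
        """Store the encrypted, signed record and hand a copy back as the voter's receipt."""
        cipher = rsa_encrypt(self.enc_pub, ballot)
        record = {"cipher": cipher, "sig": rsa_sign(self.sig_priv, int_bytes(cipher))}
        self.records.append(record)
        return dict(record)

    def dump(self, include_private_keys: bool) -> dict:
        """Public dump. include_private_keys=True reproduces the leak described in the task."""
        d = {"records": [dict(r) for r in self.records],
             "enc_pub": self.enc_pub, "sig_pub": self.sig_pub}
        if include_private_keys:
            d["enc_priv"] = self.enc_priv
            d["sig_priv"] = self.sig_priv
        return d


def buyer_check(dump: dict, receipt: dict):
    """What a vote buyer learns from a voter's receipt plus the public dump.

    Returns (receipt_appears_in_dump, decrypted_ballot_or_None). Without the
    private key the buyer can only see that *some* record matches the receipt.
    """
    in_dump = any(r["cipher"] == receipt["cipher"] for r in dump["records"])
    plaintext = rsa_decrypt(dump["enc_priv"], receipt["cipher"]) if "enc_priv" in dump else None
    return in_dump, plaintext


def tamper(dump: dict, index: int, new_ballot: bytes) -> bool:
    """Rewrite one record in a dump copy; return whether the result still verifies.

    Encrypting a chosen ballot only needs the public key, but producing a
    signature that verifies needs the signing key, so this succeeds only when
    the dump leaked it.
    """
    rec = dump["records"][index]
    rec["cipher"] = rsa_encrypt(dump["enc_pub"], new_ballot)
    if "sig_priv" in dump:
        rec["sig"] = rsa_sign(dump["sig_priv"], int_bytes(rec["cipher"]))
    return rsa_verify(dump["sig_pub"], int_bytes(rec["cipher"]), rec["sig"])


if __name__ == "__main__":
    election = Election()
    receipt = election.cast(b"q1=support")  # constructed ballot
    leaky, clean = election.dump(True), election.dump(False)
    print("leaky dump:", buyer_check(leaky, receipt), "forged ok:", tamper(leaky, 0, b"q1=oppose"))
    print("clean dump:", buyer_check(clean, receipt), "forged ok:", tamper(clean, 0, b"q1=oppose"))
```

Running the two dumps side by side shows the difference the patch makes: with the private keys in the dump, a receipt lets a third party recover the plaintext vote and confirm it is unchanged in the published records, and an altered record can be re-signed so that it still verifies; with the keys removed, the receipt proves only that an opaque record exists, and any alteration breaks the signature.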