Voter Privacy Modes

Most of the time when we speak of elections, we categorize them by their content. For example, a presidential election, a gubernatorial election, an HOA board election, a senior prom queen election, etc. But another type of property that an election exhibits is based on the importance of keeping the identity of the voter separate from their vote. The primary concern here is voter privacy.

The secret ballot is the most extreme form of this separation of identity from the vote, but that’s not the only type of confidentiality used. In this context, we can think of an election as being run in one of three different voter privacy modes: secret, masked and exposed.


Secret Voting

With a properly implemented secret ballot, it’s impossible to tie the identity of the voter to their vote. This voter privacy mode is labeled "secret".

Secret mode elections follow a zero-trust protocol - they do not require the voter's trust

Secret mode elections require the physical presence of the voter - they cannot be conducted entirely remotely

To date, EIP compliant implementations are the only systems in the world that properly support a secret ballot election

A good example of an election operating in secret mode is any Presidential election.


Identity Masking (Anonymous Voting)

The next level down, with a “pretty good” separation of identity from the vote, is masked mode. This type of confidentiality recognizes that while it’s technically possible to internally tie the identity of the voter to their vote, this information relationship is available only to a small number of “trusted” individuals or organizations - those that physically operate the election. Further, this trust relationship is often accompanied by a non-disclosure agreement (NDA) with legal consequences for violation.

Here we might issue, say, a bar code, and everywhere the voter’s identity might be exposed, we use this mask in place of, say, their name. To users of the system, voter identity becomes anonymous. So the identity of the voter is kept from users of an election system, but administrators of that same system - or any other system it communicates with - may have access to this information. This is a very common type of privacy and is used in a large number of systems today. Identity secrecy here is not infallible, but it’s good enough for most uses. It’s “pretty good” privacy.

Masked mode elections do NOT follow a zero-trust protocol - they require the voter's trust

Masked mode elections support the physical presence of the voter, but they may also be conducted entirely remotely

An example of an election operating in masked mode might be any election where you don't want other voters to see how you voted, but you might prefer it occur remotely. Maybe voting on an internal company policy or taking an anonymous poll. Masked voting might even be adequate for primary elections if voters aren't as concerned about privacy as in a general election.
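The masking scheme described above, as an added illustration that is not part of the original page and is not EIP code. The class and method names are hypothetical, and a random token stands in for the bar code. It shows why masked mode requires the voter's trust: ordinary users see only masks, while whoever operates the system holds the table that ties a mask back to a name.

```python
import secrets
from collections import Counter

class MaskedElection:
    """Toy masked-mode election: users see masks, the operator keeps the link."""

    def __init__(self):
        self._mask_by_voter = {}   # operator-only table: identity -> mask
        self._ballots = {}         # mask -> choice (what system users see)

    def register(self, voter_name):
        """Issue a random mask (stand-in for the bar code) to a voter."""
        if voter_name in self._mask_by_voter:
            raise ValueError("voter already registered")
        mask = secrets.token_hex(8)  # random, so it reveals nothing about the name
        self._mask_by_voter[voter_name] = mask
        return mask

    def cast(self, mask, choice):
        """Record one ballot per issued mask; the name never appears here."""
        if mask not in self._mask_by_voter.values():
            raise ValueError("unknown mask")
        if mask in self._ballots:
            raise ValueError("mask already used")
        self._ballots[mask] = choice

    def user_view(self):
        """What ordinary users of the system see: masks and choices only."""
        return dict(self._ballots)

    def tally(self):
        return Counter(self._ballots.values())

    def operator_unmask(self, mask):
        """What an operator with table access can do: tie a vote to a name."""
        for name, issued in self._mask_by_voter.items():
            if issued == mask:
                return name, self._ballots.get(mask)
        raise KeyError(mask)

def demo():
    # Constructed sample voters and choices.
    election = MaskedElection()
    masks = {n: election.register(n) for n in ("alice", "bob", "carol")}
    for name, choice in (("alice", "yes"), ("bob", "no"), ("carol", "yes")):
        election.cast(masks[name], choice)
    return election, masks
```

Protecting or auditing access to the operator-only table is what the NDA and "trusted" operators are standing in for; removing that link entirely is what distinguishes secret mode.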


Exposing Identity (Public Voting)

The least restrictive voter privacy mode is exposed. A good example of this is a roll call election. Here the voter identity is expected or even required to be revealed. It's also used in elections where nobody really cares about identity exposure either way.

Exposed mode elections do NOT follow a zero-trust protocol - but the voter's trust with respect to privacy is not required because it's irrelevant

Exposed mode elections support the physical presence of the voter, but they can also be conducted entirely remotely

An example of an election operating in exposed mode might be any election requiring voter identity.


Operating EIP in a degraded mode

EIP is designed to support the secret ballot. That doesn’t mean it can’t be used to support these other privacy modes as well, but to do so is operating EIP in a degraded mode with respect to voter privacy. There’s nothing necessarily wrong with that depending on the requirements of the election, but for public sector elections like voting for president, laws and public initiatives, the secret ballot is a requirement. The general rule is that any election with the force of law behind it requires a secret ballot. There is no formal term for this type of election, but for lack of a better term, we will describe it as a public sector or a general election.

Any election conducted entirely remotely is, by definition, operating in a degraded mode

So in these cases, it's a trade-off between voter privacy and cost or convenience. However, if this mode of operation makes sense to an organization, EIP can facilitate these types of elections as well.
