Ballot Privacy

By November 27, 2013November 7th, 2020Uncategorized

Victims were told by perpetrators that they were cutting off their hands as punishment for using their hands in the 1996 vote. — “Sierra Leone war amputees learn to vote with their feet”1

“It was a common question in going over the list of voters, ‘Who can influence this man? and Who can lay the screw on that one?'” 2

Ballot privacy is the right to vote without anyone else seeing your choices. Today, we so universally expect the secret ballot that we would be shocked to hear someone claim a right to see how we voted, but lurking quietly under this premise you will find one of the strangest conflicts in modern election administration.

Whereas the principle of ballot secrecy evolved to prevent voter intimidation and vote-selling, in today’s digital and still-dangerous world, ballot privacy is more about data mining, potential intimidation by despots, and international security surveillance. Ballot privacy, increasingly illusory, has evolved into relational databases and coded identifiers, however fashionably explained. These “improvements” are claimed to make voting more convenient and to increase both enfranchisement and participation. We are told to have confidence in these shiny new things.


Underlying human rights:

– Right to freedom;
– Right to choose our representation in government;
– Right to equality: Every person has an equal right to vote; Every vote is entitled to equal weight.

– Right to privacy: Right to be free of search/surveillance without due cause

Ballot privacy rights:

– Right to vote
– Right to vote without intimidation: A bullied vote is not a free choice;
– Right to vote free of bribery: Purchased votes remove ballot equality;
– Right to ballot privacy: Protects from intimidation and bribery;

– Right to see what public representatives are doing: secret ballot not applicable to public representatives’ votes while conducting public business.


In freedom we have nothing more than an ideal unless it is implemented in practice. Freedom, therefore, requires not just the right to choose but the protection of that right, a reality patrol. Reality, in the forms of coercion, extortion, and bribery, has at times become so odious that a special requirement was set forth to protect freedom: the secrecy of the ballot.


Ballot privacy has trended upward since the 1850s when many nations changed election law to protect the secret ballot.3 Election systems are now trending toward database and printing technology embedded with unique identifiers which compromise voter privacy.4 Network transportation routes for online voting can also put ballot privacy at risk. Modern technology vastly increases the speed and scale with which ballot privacy rights can be abused, converting voter ID and ballot identifiers into electronic retrieval systems capable of harvesting hundreds of thousands of records at once.

And here we may be facing the ultimate end game for political privacy, the last conflict in ballot privacy rights, that between voter right to protection of personal privacy and right to vote, and government encroachment on these rights — with or without disclosure of the breach. Modern, subtle erosions of our freedom to choose come not only from electronic ballot tracking, which can be misused, but increasingly include required collection of biometrics like fingerprints and national security-format facial images in order to vote at all5. Mandatory voter biometry forces voters into potential exploitation by data mining companies; the kinds of biometrics being collected are being shared and can be used for surveillance in everyday life. Of course, this data is also spectacularly useful for law enforcement.

While early threats to freedom of choice were somewhat visible, the large-scale threat comes now from insiders who act out of public view to control usage of electronic data. Several governments have signed off on multinational agreements to share data profiles6. In many countries, you now cannot exercise your right to choose representation unless you first submit to biometric profiling. The use of and sharing of this data is typically not disclosed, and when it is, disclosures are not necessarily complete nor truthful. Some have questioned the constitutionality of extorting biometrics in exchange for right to vote7; others question the propriety of forcing voters to subject their vote-by-mail ballot to tracking mechanisms.8

Benefits for ballot tracking and biometric voter ID, though missing the necessary full disclosures, are cited to justify encroachment on privacy. Ballot and vote-tracking mechanisms are said to be needed for convenience voting (like absentee, vote-by-mail, and Internet voting) and to prevent voter fraud (for example, persons who vote early but die before Election Day). Biometrics are rationalized with claims of reduced voter fraud and increased enfranchisement.9


At one time votes were cast by voice (the viva voce system). Everyone could see how you voted, resulting in open intimidation and bribery. When a system of unofficial ballots replaced viva voce methods all sorts of people came up their own ballots, handing out made-up ballots and often creating identifiable ballots. Unofficial ballots became a tool of much abuse and elections were not a pretty sight:

Men were marched or carried to the polls … supplied with ballots, and compelled to hold their hands up with their ballots in them so they could easily be watched until the ballots were dropped into the box. … Others who voted against their employers’ wishes lost their jobs.” — USA 10

“… intimidation [was] exercised by landlords on tenants; by employers on the employed; by customers on shopkeepers; by a lawyer on a client;, by a doctor on a patient.” — Ireland 11

“… our elections were exceedingly riotous … I have been in the balcony of an hotel during one of the city elections, when the raging mobs down in the street were so violent that I certainly would not have risked my life to have crossed the street.” — Australia 12

The 1858 Australian Ballot Act tamed elections and its method soon began to spread across the world. The term “Australian ballot system” describes a publicly transparent process with secret ballots; currently, not all elections in Australia use this system. The Australian system offers open scrutiny of voter lists, polls lists and vote counting, while also facilitating ballot privacy. The Australian system can’t be used in vote-by-mail, Internet voting, or vote counts performed exclusively by computers.

What is the Australian Ballot System?

– all ballots prepared by officials;
– only uniform ballots allowed;
– ballots distributed only at polls on Election Day by election officers;
– ballots marked in secret;
– ballots deposited so contents can’t be seen;
– registered voter list publicly available

– many eyes observing the count


Several places have changed parts of the Australian system such that ballot privacy is no longer strictly protected.

Numbering systems

Ballot-and-voter numbering systems emerged in various forms throughout the 1900s. Numbering can, but won’t necessarily, remove ballot privacy. Its purpose is to check (1) number of ballots cast against number of participating voters; and (2) whether ballots are official. Printing ballot numbers on perforated stubs if detached from the ballot can retain safeguards while preserving privacy. If numbered stubs are not detached, or unique ballot numbers are printed onto the ballot in the form of bar codes, data blocs, or non-visible inks, privacy becomes exploitable by vendors and government officials. Even if ballots are sealed away, modern voting machine scanners capture and store each ballot identifier.

The best ballot secrecy protections make it impossible to connect voted ballots to voters. Requiring a court order to match ballot to voter is less protective, and permitting “only” government officials to match vote to voter really isn’t a secret ballot at all.

Computer databases

A database is a computer file that can store and process millions of information pieces. Most powerful of all, “relational databases” — sets of separate data tables that can connect together — are used in many phases of modern elections. Databases handle varied formats like text, numbers, pictures (signatures, fingerprints, even voted ballot images); they can perform calculations, convert bar codes to readable numbers, convert fingerprints and faces to numeric codes, and find record sets based on age, address, race or anything else. Databases can convert information to share it with other files, even if those were created on different software.

Sometimes election officials tell us that tracking data cannot connect voted ballots to voters. This is a parsed truth which conveys a false impression. While it is true that data may be stored in separate tables to keep voter names separate from their votes, simply merging files reconnects ballot to voter. Saying privacy is protected because votes and voters are stored in different tables is like saying no one can wear shoes and socks because shoes are kept in a closet and socks in a drawer. Like shoes and socks, data tables are designed to be put together. Unlike footwear, data can be copied in minutes and shared with friends as quickly as passing out pencils. Databases increase scale of ballot privacy violations by empowering massive, almost instantaneous harvesting of voter choices.


“Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood.”13

Encryption makes it more difficult for the general public to connect ballots to voters, but actually just transfers access from one set of people to another. Encrypted information always has a decryption key. Someone always has that key. Encryption doesn’t really protect information from system administrators or from government intrusions. It may limit who can gain access to the information, but then again, should voters be forced to entrust the privacy of their political choices to those with highest-level access — national security entities, the military, vendors that designed the system, and powerful political authorities?


Biometrics refers to the identification of humans by their characteristics or traits.14
Biometrics is used in computer science as a form of identification and access control. Common biometric measures used in elections are fingerprints, signatures and facial scans.

Bolivia claims that it vastly improved voter enfranchisement using a nationwide, mandatory fingerprint-and-facial scan voter registration program. The Philippines’ election administration body, Comelec, claims that it cut down the number of registered voters using biometrics, reducing voter fraud. Typically, the corporations involved in handling the databases are not firms domiciled in the nations mandating biometric voter data collection. Multinational agreements exist to share government-collected data, and sometimes data collected by private corporations, creating quite a little jurisdictional stew that is anything but transparent. Exactly who is sharing the data with whom? The United States, for one, refused to answer a Freedom of Information request from the Electronic Privacy Information Center (EPIC), and is being sued over its stony silence on such matters.15 There is no doubt that biometrics affect right to vote when submission to biometric profiling becomes a requirement for voting. Just how biometrics affect ballot privacy is not precisely known, and may be unknowable given the classified nature of international security interagency agreements regarding the data, and the opacity of the voting machine software. Smartmatic, for example, sells both the biometrics system and the electronic voting machines.

Network transportation routes

Online voting sends vote data from one place to another, usually through widely used commercial network routes. Within these routes sit network administrators, state security agencies, and hackers, all of whom have opportunities to breach privacy. Online military voting poses additional risks because it transmits voter data through foreign countries where it could risk revealing military positions.

Globalization and technology have changed the terrain such that secrecy of the ballot can no longer be considered a resolved issue.

* * * * *


Freedom of Information (FOI laws) – allow public access to data held by government, to be received freely or at minimal cost, barring standard exceptions. Also called open records or sunshine laws. Governments are bound by a duty to publish and promote openness. Wikipedia link:

  1. Tim Butcher: “Sierra Leone war amputees learn to vote with their feet”; The Telegraph, (05/14/2002)
  2. Quote of Mr. Terrel of Exeter, 1869 as related in Evans, Eldon Cobb: A History of the Australian Ballot System in the United States (Chapter 1); Chicago, US: The University of Chicago Press (1917)
  3. ibid.
  4. See Vincent Carroll: “Colorado Supreme Court must rescue voting secrecy”; The Denver Post, (08/09/2013)
    Tim Hoover: “Federal judge says no constitutional right to secret ballot in Boulder case”; The Denver Post, (09/21/2012)
  5. See, for example: “Brazil to fully use biometric identification in elections by 201810:06”;, (10/05/2010)
    Gregory Warner: “How Kenya’s High-Tech Voting Nearly Lost The Election”; NPR, (03/09/2013)
  6. Lynch, Jennifer: From Finger Prints to DNA Biometric Data Collection in U.S. Immigrant Communities and Beyond. US: Electronic Frontier Foundation, (05/2012)
  7. For example, V.C.R.A.C Crabbe, a retired Ghanian Supreme Court Judge, has called for a re-examination of requirements for biometric registration on the basis of the constitutionality of requiring biometrics to vote: “Justice Crabbe calls for review of CI 75”; (09/09/2013)
  8. Green Party of San Juan County: “Court Rules Washington State Mail-in Ballot Tracker is Illegal Voting System”; Green Party of San Juan County Press Release, (05 April 2013); Judicial decision:
  9. “Biometric voter list in Bolivia”; NEC (08/20/2010)
  10. United States Forty-sixth Congress, second session. Senate Report 497, from Evans, Eldon Cobb: A History of the Australian Ballot System in the United States (Chapter 1). Chicago, US: The University of Chicago Press (1917)
  11. Statements from Mr. Dowse, the attorney-general for Ireland, as reported in Parliamentary Papers, VIII, p. xvii., ibid.
  12. Francis S. Dutton in his testimony before the Marquis of Hartington committee, Australia, in 1869, ibid.
  15. Dave Neal: “EPIC presses FBI for access to biometric database”; The Inquirer (04/09/2013)



Share This