Dr. Walter C. Daugherity: Balancing Ballot Secrecy Versus Transparency

Guest post by Walter C. Daugherity at JoeHoft.com, republished with permission.

Balancing ballot secrecy versus transparency is currently receiving renewed attention, so a timely review of the trade-offs, legal issues, etc., is warranted.

First, it is instructive to review the history of ballot secrecy. Briefly, according to Wikipedia and other sources, open (public) voting has been used for thousands of years, via voice vote, counting raised hands (as in 5ᵗʰ century B.C. Athens) or counting the heads (“polls”) of persons standing (perhaps to prevent counting someone with two hands raised as two votes?), roll-call votes, and so on.

However, ancient Greeks also used secret ballots by privately placing a white pebble in an urn for a “yes” vote or a black pebble for a “no” vote. This is why we say we “cast a ballot,” which literally means “throw a small ball (ballotta in Italian) into the urn,” and also why we say someone was “blackballed” if there was a vote against their joining a fraternity, etc.

The modern paper version of secret ballots is called the “Australian ballot,” since they began adopting it there in 1856. In the United States, statewide voting by secret paper ballot was first adopted by Massachusetts in 1888 and last by South Carolina in 1950. In Texas, Election Code §122.001(a)(1) mandates that “A voting system may not be used in an election unless the system

preserves the secrecy of the ballot.”

The primary reasons for a secret ballot are to protect the voter against coercion, intimidation, blackmail, and the like, and also the temptation to sell one’s vote. (As every holdout juror on an 11-to-1 hung jury can tell you, there can be enormous pressure to change one’s vote.) In 1948 vote buying in all its various forms became a federal crime (18 U.S.C. § 597).

Once a ballot is cast privately, all connection to the voter is broken: when the urn is dumped out and there is a black ball among the balls, no one knows who cast the “no” vote.

Similarly, in most modern voting systems, once the voter has been checked in, all connection to the voter is broken, and there is no personally-identifiable information on the ballot (no name, address, voter ID, etc.).

This break is what enables the switch from secret voting to transparent public counting. As the South Carolina Constitution puts it, “All elections by the people shall be by secret ballot, but the ballots shall not be counted in secret.”

Now consider the various aspects of transparency in counting the privately-cast ballots. The overarching reason for transparency in counting is to ensure that the process is fair and honest, so that citizens can be confident that the election results are accurate and have not been tampered with.

As the Texas Constitution says in Article 6, Section 4, “In all elections by the people, the vote shall be by ballot, and the Legislature shall provide for the numbering of tickets and make such other regulations as may be necessary to detect and punish fraud and preserve the purity of the ballot box; and the Legislature shall provide by law for the registration of all voters.”

This important transparency in counting is carried out by having more than one election officer doing the counting, as well as observers, including representatives of the opposing candidates on the ballot. Having multiple eyes on the process thus helps “to detect and punish fraud and preserve the purity of the ballot box” from the defilement of inaccurate results.

Another vital aspect of transparency is the ability to completely audit an election. This is required by federal law (52 U.S.C. § 21081(a)(2)(A)), which says “The voting system shall produce a record with an audit capacity for such system,” and also by state law. For example, Texas Election Code 122.001(a) mandates that:

“A voting system may not be used in an election unless the system: … (10) is capable of providing records from which the operation of the voting system may be audited.”

Every CPA or financial officer knows what is necessary for a complete and verifiable audit—physical security, inventory, chain of custody, separation of duties, a complete audit trail, and so on.

In everyday language, there must be sufficient data to reconstruct and trace all transactions, in effect to be able to make a “movie” after the fact of everything that happened before, during, and after an election.

Beginning with the Civil Rights Act of 1960 (and fair and honest elections are indeed our foundational civil right on which all other civil rights depend), section 301 explicitly required the preservation of all records relating to any “act requisite to voting”; this is now codified at 52 U.S.C. §§ 20701-20706.

Note that per U.S. Department of Justice Publication “Federal Law Constraints on Post-Election ‘Audits’,” July 28, 2021, the “materials covered by Section 301 extend beyond ‘papers’ to include other ‘records.’

Jurisdictions must therefore also retain and preserve records created in digital or electronic form.” This necessarily includes ballot images, computer hard drives, removable memory cards, surveillance video footage of ballot dropboxes, etc., in addition to physical ballots, outer envelopes and signatures on absentee ballots, and so on.

52 U.S.C. § 21081(a)(2)(B)(i) goes on to say “The voting system shall produce a permanent paper record with a manual audit capacity for such system.”

Following the principles enunciated in the July 28, 2021, DOJ publication just quoted, a searchable electronic form of the “permanent paper record with a manual audit capacity” is also covered.

Since this audit record must be permanent, that supersedes the 22-month retention period. Thus, electronic ballot images, CVR reports, and so forth may not ever be deleted unless, at a minimum, the required “permanent paper record with a manual audit capacity” has been created and maintained.

To possess the required “audit capacity,” all data specified by the National Institute of Standards and Technology (NIST) requirements listed at https://doi.org/10.6028/NIST.SP.1500-103 must be included, since the 2002 Help America Vote Act directed NIST to promulgate standards for what must be included in a Cast Vote Record (CVR) report.

In addition to the voter’s selections, this includes, among other things, the BallotStyleID (which identifies the precinct, precinct split, etc.), and the BatchID and BatchSequenceID. These last two fields are crucial to auditing the sequence in which votes were tabulated, which recounts or risk-limiting audits do not check.

This leads to a key example of the need to balance ballot secrecy versus transparency.

In a few rare instances, complete transparency including the BatchID and BatchSequenceID could lead to the identification of the voter who cast a particular ballot.

Example 1: Suppose you were second in line when the polling place opened and recognized the person ahead of you as your neighbor. Then when the official CVR is released you could look up the cast vote record for batch 1, batch sequence 1, and know how your neighbor voted.

To protect against this, all electronic voting machine companies shuffle the records within each batch (of typically 100 ballots) to produce the CVR report.

As a result, all you would know is that your neighbor’s ballot was one of the 100 ballots in batch 1; in other words, you would not know how they voted. This balances the requirement of being auditable (namely, this batch of 100 voters cast these 100 ballots) with the requirement of ballot secrecy and voter privacy (namely, you cannot tell which voter cast which ballot).

Fortunately, shuffling the records within each batch does not destroy the ability to audit the sequence of batches for anomalies (like vote-stuffing) which cannot be detected by recounts or risk-limiting audits; it only makes the resulting graphs coarser without changing the shape of the graphs.

Unfortunately, in a misguided attempt to address this rare example and other similar examples, some counties have illegally shuffled the entire CVR (as Maricopa County, Arizona, did in November 2022) or even deleted the BatchID entirely. Altering or concealing election data like this is a federal crime subject to serious penalties (52 U.S.C. §§ 20702).

It goes without saying that the county (or parish) has no obligation to protect a voter from revealing how they voted, for example by telling a reporter doing exit polls, or by signing an absentee ballot itself (violating the explicit instructions not to make any stray marks on the ballot and only sign the outside affidavit envelope, which is separated from the ballot when it is received by the county).

This is the choice and responsibility of the voter to breach their own privacy. Similarly, the county has no obligation to prevent the unavoidable loss of privacy when logical deduction can reveal how someone voted.

Example 2: Suppose there are 100 votes in a particular race between two candidates, A and B, and the count is 100 for A and 0 for B. Then you know each of the 100 voters voted for candidate A.

This is not a breach of voter privacy, it is a simple logical deduction, and it would be utter nonsense for a county to say in this situation “We can’t release the election results because you could tell how people voted”!

This would also violate another federal law, 52 U.S.C. § 10307, which under “Prohibited Acts” states “No person acting under color of law shall…willfully fail or refuse to tabulate, count, and report” the vote of any person “who is entitled to vote.”

There is, however, one situation which has recently been highlighted by a number of observers where transparency does result in an avoidable loss of voter privacy.

Example 3: In some counties there has been a move to countywide voting, where a voter is not required to vote in their precinct but may vote anywhere.

Suppose a voter lives in the far southeast corner of the county (say precinct 29) but works in the far northwest corner of the county (say precinct 7) and decides to vote there for convenience.

Because of the distance from their home precinct, it may happen that on that day (perhaps an early-voting day) this voter was the only one from that precinct to vote at that distant polling place.

Then the register of voters at precinct 7 for that day would only have one voter from precinct 29 checked in, and the precinct number on the ballot that day would unavoidably identify the voter.

To prevent that, some have proposed deleting the precinct number from the election records, which would be a federal crime, as noted above—much like using a sledgehammer to helpfully kill a mosquito on your friend’s forehead and then going to prison for assault and battery and attempted murder.

The flaw is in the use of countywide voting, which created the vulnerability. The precinct number is part of the federally-required CVR, and is also necessary for auditing (for example, to verify the number of votes in a precinct versus the number of registered voters in that precinct), and thus may not be deleted; otherwise, the voting system would not be completely auditable as required.

So where does that leave us? It boils down to this:

(1) All election data needed for a complete audit must be public and transparent, (2) but other than that, the county should protect voter privacy and ballot secrecy to the greatest extent possible, (3) except when the voter voluntarily divulges their vote. This provides the optimum balance of maximum ballot secrecy, subject to complete auditability.

Photo of author
Jim Hoft is the founder and editor of The Gateway Pundit, one of the top conservative news outlets in America. Jim was awarded the Reed Irvine Accuracy in Media Award in 2013 and is the proud recipient of the Breitbart Award for Excellence in Online Journalism from the Americans for Prosperity Foundation in May 2016. In 2023, The Gateway Pundit received the Most Trusted Print Media Award at the American Liberty Awards.

You can email Jim Hoft here, and read more of Jim Hoft's articles here.


Thanks for sharing!