Summary

  • Electoral auditability requires proof that each accepted vote came from an eligible member through an authorised representative, not publication of every identity document, email address or ballot choice.
  • Privacy becomes an accountability problem when it is invoked to conceal eligibility rules, related-member control, candidate conflicts, exceptional credential changes or the independent assurance performed on the result.
  • A defensible design separates the membership register, representative authority, voting credentials, encrypted ballots and audit evidence, with purpose limits, short retention periods and logged access for each layer.
  • Members should receive public rules and aggregate findings, while a genuinely independent auditor receives narrowly scoped records sufficient to verify the electorate, credential issuance, ballot integrity and declared conflicts.

The false choice

Election disputes often produce two absolute demands. One side asks for the voter list, ownership records, representative names and enough detail to trace every credential. The other invokes privacy and ballot secrecy, insisting that no meaningful information can be released. Both positions begin from legitimate concerns. Neither offers a sustainable constitution for a member-governed registry.

An association election is not credible merely because software produced a total. Members need assurance that the electorate was defined under the Articles, that credentials went to the right people, that related accounts did not receive rights the rules deny, that proxies were valid and that the count reflected accepted ballots. Those facts require records and review.

At the same time, indiscriminate disclosure creates harm. Membership files may include personal addresses, signatures, corporate extracts, identity documents, direct contact details and information about disputed or sanctioned entities. Publishing those records can expose people to fraud, harassment or political retaliation. It may also breach legal duties and make members less willing to keep data accurate.

Ballot secrecy adds a separate protection. A secret ballot prevents candidates, employers, governments and association officials from verifying how an individual voted. It protects independent judgment and reduces coercion. An audit that reconstructs named choices would damage the election even if every count were mathematically correct.

The design problem is therefore one of separation. Eligibility can be verified without exposing choice. Authority can be checked without publishing identity documents. Common control can be reviewed without releasing a map of every private relationship. Aggregate findings can support public confidence while detailed evidence remains available to a properly constrained auditor.

Privacy and auditability are not opposing values when each is defined accurately. Privacy limits unnecessary collection, access and disclosure. Auditability ensures that authorised reviewers can test important claims against preserved evidence. A system with neither is arbitrary. A system with only one is either opaque or dangerously exposed.

What the election must prove

The starting point is a list of assertions, not a list of documents. First, each voting entitlement must correspond to a member eligible under the governing rules at the relevant cutoff. Second, the person receiving or using the credential must be authorised to act for that member. Third, voting rights attached to multiple accounts or related arrangements must be applied consistently.

Fourth, registration and credential changes must close under published deadlines, subject only to defined exceptions. Fifth, each credential must be usable only as intended and accepted no more often than the voting method permits. Sixth, valid ballots must be included accurately while invalid or late submissions are handled under announced rules.

Seventh, proxies and substitutions must have a traceable authority chain. Eighth, candidates, board members, staff, vendors and auditors must disclose or manage conflicts relevant to election administration. Ninth, the voting system must preserve secrecy so that identity and choice cannot be joined by a single ordinary operator.

Finally, the published result must correspond to the audited tally and the stated voting method. If the election uses preference ranking or another nontrivial count, the implementation and tie rules must be explainable. Members do not need every cryptographic detail to understand the legitimacy claim, but the method cannot be a secret known only to the vendor.

These assertions identify the minimum evidence. A register snapshot supports eligibility. Authority records support representation. A credential issuance log supports uniqueness. An anonymised ballot record and verifiable count support the result. Conflict declarations support independence. No assertion requires posting an applicant's passport or connecting a named voter to a preference.

Defining assertions also disciplines retention. The association should keep what is needed to prove the election, meet legal duties and resolve timely challenges. It should not preserve every intermediate export indefinitely merely because storage is cheap. Auditability depends on curated evidence whose meaning remains clear, not on an uncontrolled warehouse of personal data.

The layers of electoral identity

"Voter identity" is not one fact. At least five identities can be present. The legal member is the person or organisation admitted to the association. The registered contact is the person authorised to maintain membership details. The meeting representative is the person registered to participate. The credential holder is the person or address to which voting access is issued. The beneficial or controlling party may sit behind one or more legal members.

These identities can coincide, but often they do not. A company may appoint an employee to register and an external adviser to attend. A public body may change its representative after an election or ministerial transition. A corporate group may contain several legal members. A natural-person member may act directly. Treating one email field as the whole identity creates both security and governance errors.

The data model should preserve the distinctions. The member record establishes legal standing. An authority record states who may appoint a representative and for what period. Registration records the meeting role. Credential issuance records the destination and status. A separate control review records only the conclusion and evidence needed under any applicable related-member rule.

Role separation makes correction safer. Changing a delivery address need not rewrite the member's legal identity. Revoking a representative need not terminate membership. Updating a corporate extract need not expose prior ballot participation. Each action can be logged against the layer it changes.

It also improves privacy notices. The association can explain why it needs corporate evidence for membership, contact details for administration, authentication data for voting and limited logs for assurance. Members can see which information is mandatory, who receives it and when it is deleted. A single vague statement that data is used for "services" does not support informed trust.

Auditors need a map of these layers. Otherwise they may verify that every credential has an email address while missing that several addresses were controlled by one unauthorised person. Conversely, they may demand excessive identity material because the institution cannot show which narrower field establishes each assertion.

The membership register is not the ballot

An association needs a register of members for legal and administrative reasons. The scope of access to that register follows the governing law, Articles and applicable data-protection obligations. Whatever the access rule, the register should not be treated as a published ballot list by default.

Membership status does not prove that a member registered for a particular meeting, received a credential or cast a vote. A public list that conflates these stages can falsely imply abstention or participation. In sensitive jurisdictions, even revealing that a named representative registered for a controversial election may create risk.

The election needs a dated eligibility snapshot. That snapshot should record the member identifier, entitlement status, relevant account rule, registration status and any resolved exception. Personal contact details can be referenced through controlled identifiers rather than copied into every file. The snapshot should be sealed against later alteration while corrections are recorded as additions with reasons.

Members can receive aggregate statistics from the snapshot: total eligible members, registrations, credentials issued, ballots accepted, late registrations and exceptional changes. Where useful and safe, figures can be divided by broad region or member type. Small cells should be suppressed or combined to avoid identifying individuals through arithmetic.

A candidate may need stronger assurance than the general public but not unrestricted access. Candidate observers can witness defined controls, review redacted exception records and receive the auditor's findings. They should sign confidentiality terms and should never obtain a list that can be used to pressure or profile voters.

The distinction protects democratic participation. The association can prove that the register and electorate reconcile without creating a public attendance dossier. It can also correct the widespread but dangerous assumption that transparency requires naming everyone who did or did not vote.

Common control and coordinated members

Electoral accountability becomes harder when several legal members share ownership, management, funding or representatives. Some structures are ordinary: a corporate group may operate separate networks in different countries, and public agencies may have distinct legal identities. Others may be created or rearranged to maximise influence. Privacy cannot be a blanket reason to ignore the distinction.

The governing rules must first state what matters. Is each legal member entitled to one vote regardless of group ownership? Does one member with several LIR accounts retain one vote? Are proxies limited? Are recent admissions treated differently? An auditor cannot infer a common-control restriction that members never adopted.

Where control affects entitlement, the association should collect the minimum evidence needed to apply that rule. Corporate registers, ownership declarations, authorised-signatory records and sanctions screening may be relevant. The institution should distinguish ownership, operational affiliation, common representation and mere commercial relationship. Sharing a lawyer or upstream provider does not necessarily establish control.

Sensitive ownership information does not have to become public. A qualified reviewer can examine it, record the conclusion, basis, date and confidence, and flag unresolved cases. Public reporting can state how many potential related-member clusters were reviewed, how many entitlements changed and whether any decision was appealed.

Candidates need a channel to raise evidence of undisclosed control. The challenge should identify facts, not rumours about nationality or personal association. A neutral reviewer should test the claim and protect the subject from unnecessary exposure. Frivolous challenges designed to intimidate new members should have consequences under conduct rules.

Symmetry is essential. Corporate groups, state-linked entities, university consortia and nonprofit networks should face the same control test where the constitutional rule applies. Selective scrutiny of politically unpopular sectors would convert an anti-capture safeguard into electoral discrimination.

Representative authority and proxy risk

A legal member can vote only through human action. The association must know that the person registering, appointing a proxy or receiving a credential has authority. This is a narrow proposition, yet weak authority controls can allow former employees, consultants or compromised accounts to speak for a member.

Authority should be established through a maintained contact hierarchy, signed appointment, verified corporate channel or another method appropriate to the member's legal form. The rule should account for natural persons, companies, public bodies and organisations in jurisdictions where standard documentation differs. Equivalent assurance matters more than identical paperwork.

Changes close to the election deserve additional review because they can redirect a vote. A new email address, representative substitution or proxy should create a timestamped record of requester, verifier, evidence and reason. The old credential should be revoked before a replacement becomes active. No board candidate or campaign supporter should approve an exceptional change involving a potential voter.

Proxy rules should be explicit about quantity, timing, form and revocation. A proxy holder may lawfully carry several instructions if the Articles permit it, but concentration can create coercion and operational risk. Aggregate disclosure of proxy counts and unusually large holdings allows scrutiny without revealing ballot choices.

The association should avoid collecting voting instructions. A member may tell its proxy how to vote, but the election administrator does not need that content to validate authority. Storing it would weaken secrecy and create an attractive target. The administrator needs to know that the appointment is valid, not the political agreement behind it.

After the election, disputed authority should be reviewed against records fixed before the count. Informal recollection from a senior official is not enough. A clear chain protects the member, representative and result while limiting personal data to evidence of a defined legal act.

Ballot secrecy is a control, not an obstacle

Some demands for auditability assume that a reviewer must connect each member to each choice. That is false. Secret-ballot systems are designed to establish eligibility before separating identity from the vote. The audit should verify that separation rather than defeat it.

At credential issuance, the system can record that an eligible member received one valid means to vote. At ballot submission, it can mark the entitlement as used while transferring the selections into a store that no longer carries the member identity. Cryptographic or organisational controls can make linkage unavailable to any single administrator.

The precise design depends on the voting platform, but the principle is stable: authenticate the voter, anonymise the ballot, protect the ballot box, then tally under observation. Logs should demonstrate state changes without reproducing choices. Administrative interfaces should not display a named ballot merely for convenience.

Secrecy also requires attention to metadata. Submission times, IP addresses, browser fingerprints and rare ranking patterns can permit re-identification even if names are removed. The election should collect only security data justified by a documented threat and restrict access to it. Publication should use aggregates that cannot be matched with public statements.

Members need an assurance that their ballot was included without receiving a transferable receipt that proves the choice to a coercer. A confirmation can show successful acceptance, or a verification mechanism can prove inclusion in an anonymised set. It should not become evidence that can be sold or demanded by an employer.

An auditor may test a sample of credential-to-acceptance transitions and separately recompute the tally from anonymised ballots. The inability to link the two is a sign of sound design, not an audit gap. The critical reconciliation is numerical and procedural: issued, revoked, used, accepted and counted states must balance under the rules.

Candidate conflicts and campaign knowledge

Candidates have a legitimate interest in election integrity and a direct conflict in decisions that could change the electorate. They should help shape general rules well before the contest and receive equal access to published assurance. They should not resolve individual eligibility, credential or privacy disputes during their own campaign.

Incumbent candidates present a special risk because board office may provide access to staff, legal advice or confidential reports. Governance arrangements should ensure that operational election information reaches all candidates on equal terms. Board oversight can be delegated to non-candidates or an independent election function for the relevant period.

Campaigns may lawfully use public member contacts where the rules and data basis permit. Administrative contact data collected for registry service should not automatically become a campaign mailing list. Members should know whether candidates receive any published contact points, on what terms and with what opt-out or purpose restrictions.

Staff and vendors should disclose relationships with candidates, significant member groups and campaign advisers. A conflict does not always require exclusion; it may require recusal, supervision or reassignment. The record should show the measure taken. Generic assurances that everyone acted professionally are too weak after a close result.

Observers nominated by candidates can increase confidence if their access is symmetrical and limited. They may witness sealing of the electorate, test ceremonies, tally verification and exception review. They should not see personal documents or live voting preferences. Their report can note whether controls were followed without becoming a rival source of voter data.

Campaign privacy matters too. Candidates may receive threats or disclose personal details in nomination materials. The association should publish information relevant to fitness, affiliation and conflicts while avoiding unnecessary home addresses, identity numbers or family data. Electoral transparency concerns public responsibility, not total personal exposure.

A minimum-disclosure assurance design

A practical design begins with purpose-bound stores. The membership store holds legal identity, status and service records. The authority store holds representatives and appointment evidence. The election register holds eligibility attributes and status at the cutoff. The credential service knows delivery and use state. The ballot box holds choices without ordinary identity fields. The audit vault preserves signed snapshots, logs and reports.

Access should follow function. Membership staff need legal records but not ballot contents. The election vendor needs validated entitlements but not full due-diligence files. The tally function needs ballots but not contact details. The auditor receives scoped read access to the evidence needed for each assertion. Administrators should not acquire broad access merely because it is technically convenient.

Identifiers can be transformed between stores. A member number need not appear in the ballot box; an election-specific random identifier can support reconciliation. The mapping should be tightly controlled, and if the design does not need a reversible mapping after credential validation, it should not retain one. Technical details should be tested for re-identification risk rather than advertised as anonymous by intuition.

Every export should have an owner, purpose, creation time, access log and deletion date. Spreadsheets copied into email or personal storage defeat the architecture. Sensitive review should occur in a controlled environment with redaction tools and no unrestricted download. Emergency access should be recorded and reviewed.

Retention periods can differ. The membership register persists while membership and legal duties require it. Representative authority records may need a defined historical period. Ballot identity separation should become irreversible as soon as assurance permits. Aggregated results and signed audit reports can remain part of the permanent institutional record.

This design does not promise zero risk. It reduces the number of people and systems that can combine identity, authority and choice. It also makes responsibility visible: a later review can identify who accessed which layer and why. Privacy becomes an engineered property of governance rather than a reason to refuse questions.

Independent audit with a narrow mandate

Independence is not achieved merely by hiring an external firm. The auditor's appointment, payment, scope, expertise, conflicts and reporting rights determine whether members can rely on the work. A vendor that also built the voting system may offer useful technical assurance but should not be the sole judge of its own performance.

The mandate should cover the electorate snapshot, changes after cutoff, credential issuance and revocation, proxy controls, ballot-box integrity, tally reproduction, incident handling and publication reconciliation. It should state which questions fall outside scope. If common control or membership admission is excluded, members must not be told that the audit proved all voters were substantively independent.

Auditors should receive the least personal data compatible with testing each assertion. They may inspect full evidence in a secured setting, select samples using pseudonymous identifiers and record exceptions without retaining source documents. Contract terms should prohibit reuse, require breach notification and set deletion obligations after challenges close.

Selection should avoid political dependence. A non-candidate board committee, member-approved policy or rotating multi-person panel can oversee procurement. Candidates should be able to submit proposed test questions without choosing the answer. Material prior relationships with candidates, board members, staff or the vendor should be disclosed.

The final report needs a public portion substantial enough to support judgment. It should state the rules tested, population and samples, exceptions, unresolved limitations, tally reconciliation and auditor conclusion. A confidential annex can contain details whose disclosure would expose security or personal data. "No issues found" without method or scope is not assurance.

Independence also includes the right to report disagreement. Management should be able to correct factual errors, but not suppress a qualification. Members should know whether the auditor had complete access and whether any requested evidence was unavailable. Transparency about limits is more credible than an absolute certificate.

Exceptions are where privacy can hide power

Most election records are routine. The greatest governance risk often sits in exceptions: a registration accepted after deadline, a credential redirected, a member status restored, an authority document waived or a proxy corrected after ordinary closure. Privacy is necessary around the people involved, but it must not make exceptions invisible.

Each exception should have a published category, factual reason, approving roles, conflict check and timestamp. The underlying personal evidence can remain restricted. The election register should show that a change occurred without revealing more than reviewers need. Repeated use of an "other" category is a warning that the rules are too vague.

Candidates should receive aggregate exception figures before voting closes where feasible and a complete audited summary afterward. A sudden unexplained increase can then be questioned without naming voters. If an exception materially affects the result margin, the auditor should explain its legal and numerical treatment in greater detail.

Consistency review is essential. Comparable requests should receive comparable remedies. If one member can replace a lost credential through a verified call, another should not be rejected solely because staff are unfamiliar with its jurisdiction. A reasoned distinction is legitimate; an undocumented difference is not.

Emergency rules should be adopted in advance. Service outages, conflict, sanctions, natural disasters or vendor failures may justify alternate deadlines or channels. The authority to activate those rules should be separate from campaigns, and the scope should be no broader than the disruption. A post-election report should state what changed.

Privacy protects the subject of an exception from exposure. It does not protect the decision maker from accountability. That distinction is the heart of minimum-disclosure audit: scrutinise authority and consistency while withholding personal circumstances that add nothing to the legitimacy test.

Public reporting without voter exposure

The public election report should begin with the constitutional facts: eligible members at cutoff, registered voters, credentials issued, revoked and replaced, ballots accepted, invalid or late attempts, proxies, turnout and final results. Definitions should remain consistent across elections so that trends are meaningful.

It should then describe assurance. Who administered the election? Who audited it? What systems and rules were tested? Were there incidents, exceptions, qualifications or unresolved complaints? Did the auditor reproduce the tally? Was access complete? These answers allow members to distinguish a clean election from a merely polished announcement.

Privacy-preserving breakdowns may illuminate access. Region, broad sector, registration channel or first-time participation can be reported where categories are sufficiently large and based on lawful data. The report should avoid cross-tabulations that let readers identify a person by combining small groups.

Publication timing matters. Basic turnout and result information should appear promptly. The fuller audit may follow after review, but the schedule should be announced. If a challenge remains open, the report should state its status and whether the result is certified under the rules.

Historical comparability can reveal anomalies. Sudden changes in registration, proxy concentration, credential replacement or exception rates deserve explanation. They do not prove misconduct. A stable series gives members a factual basis for questions that would otherwise become rumours.

The report should never include a named abstention list or infer political preference from participation metadata. Candidates can thank supporters without receiving proof of how anyone voted. The institution demonstrates accountability by explaining controls and outcomes, not by exposing citizens of its association to campaign surveillance.

Member rights to access, correction and challenge

Members should be able to see their own legal identity, representative authority, registration state and credential status through a secure channel. They should be able to correct inaccuracies before published deadlines and receive confirmation when a change is accepted. This individual visibility prevents many disputes without broad disclosure.

Correction rules need to distinguish clerical data from substantive eligibility. A misspelled name can be fixed without reopening admission. A new legal entity, disputed authority or control relationship may require fuller review. The system should explain the consequence and expected time rather than leaving the member to guess.

An election challenge should identify the rule allegedly breached, supporting facts and requested remedy. Deadlines should be long enough to discover a problem but short enough to preserve evidence and finality. The reviewer should be independent of candidates and the original contested decision.

The subject of a challenge deserves notice and an opportunity to respond where doing so does not compromise security. Confidential evidence may need protected handling. The outcome should give reasons to the parties and a public summary if the issue affects general confidence.

Remedies should be proportionate. A credential error discovered before voting can be corrected. An invalid vote can be excluded if secrecy and rules permit. A systemic failure affecting the result may require a rerun. Not every privacy breach changes the tally, but a serious disclosure can still require notification, containment and governance reform.

Members should also have a route to complain about excessive collection or access. Election integrity cannot justify using identity documents for unrelated analytics or retaining contact lists for campaigns. Accountability runs in both directions: voters must comply with eligibility rules, and the association must honour the limits under which evidence was provided.

Threats that test both values

Credential theft is the obvious threat. An attacker may compromise email, impersonate a representative or exploit a stale contact. Strong authentication, change alerts, revocation and alternate recovery reduce the risk. Recovery must avoid collecting ever more identity data without evaluating whether it actually proves authority.

Insider access is equally important. Staff or vendor personnel may be able to export the electorate, redirect credentials or inspect metadata. Least privilege, dual approval, tamper-evident logs and post-election access review make abuse harder and detectable. Seniority should not provide an unrecorded bypass.

Coercion can come from employers, governments, business partners or candidates. Secret ballots and non-transferable confirmations reduce verifiability. Concentrated proxy arrangements and public voter lists increase it. Conduct rules should prohibit pressure and provide a confidential reporting channel.

Disinformation exploits opacity. A false claim that thousands of ineligible voters were admitted can spread faster than a legal explanation. Prepared aggregate data, an independent auditor and rapid incident communication allow the institution to answer without dumping personal files.

Data breach creates a different legitimacy failure. Exposed identity documents or representative lists can harm members even when the count remains correct. The incident plan should separate election validity from privacy impact, investigate both and avoid minimising one because the other survived.

Finally, overcollection is itself a threat. A system that retains every IP address, device signal, contact history and ownership document creates an irresistible concentration of power. Security should be based on a threat model and necessity, not the belief that more data always produces more assurance.

Tests before every election

Before registration opens, the association should approve the eligibility date, authority methods, proxy rules, exception categories, audit scope, retention schedule and candidate access rules. Changes after that point should be rare, reasoned and visible. Stable rules prevent privacy judgments from being improvised around particular members.

A rehearsal should test sample members of different legal forms and jurisdictions. It should cover new representatives, revoked contacts, multiple accounts, proxy appointment, credential loss and accessibility needs. The aim is to find unequal burdens before real votes depend on them.

The election team should reconcile the membership register with the election register and document every exclusion. A second reviewer should test a sample and all exceptions. Candidate conflicts should be checked against administrators, vendors and auditors. Access permissions should be reviewed immediately before credentials are issued.

During voting, monitoring should focus on system health, duplicate use attempts, unauthorised changes and threats defined in advance. It should not become political profiling. Any emergency action should preserve an immutable record and receive dual approval.

At close, the ballot box should be sealed, the count reproduced and credential states reconciled. Observers and auditors should record whether procedures were followed. The published total should be generated from the same certified result, not manually retyped without verification.

Afterward, personal data should move into its planned retention state. Temporary exports should be deleted, access removed, incidents reviewed and the assurance report published. Lessons can improve the next election, but retrospective changes must not rewrite the evidence of the one just completed.

The standard of legitimate privacy

Privacy is legitimate when it protects people from unnecessary exposure while leaving institutional power reviewable. It is not legitimate when an official can say "data protection" to avoid explaining who qualified, who approved an exception or whether the tally was independently tested.

Auditability is legitimate when it tests defined electoral assertions with proportionate evidence. It is not legitimate when candidates demand identity documents, ownership dossiers or named participation records in order to map supporters and opponents.

The distinction can be expressed in four questions. What fact must be proved? What is the least data that proves it? Who genuinely needs access? What public conclusion can be released without exposing the subject? If the institution cannot answer all four, its design is either under-audited or overexposed.

Trust then rests on complementary actors. Membership staff maintain accurate legal standing. Election administrators issue and revoke credentials under fixed rules. A voting system separates identity from choice. An auditor tests the joins and separations. Members and candidates receive enough information to challenge power without obtaining tools of coercion.

This structure also protects the association from impossible demands after a close contest. It can produce sealed snapshots, logs, reasons and an independent report rather than asking members to trust recollection. It can refuse invasive disclosure because a credible alternative already exists.

The result is not secrecy. It is disciplined visibility. Rules, totals, exception patterns, audit scope and conclusions are public. Personal evidence is available under controlled review. Ballots remain secret. Access itself is logged and accountable.

Neither a glass electorate nor a black box

A completely transparent electorate would not be democratic in the meaningful sense. If every representative, credential and ballot choice could be traced, powerful organisations could reward compliance and punish dissent. Participation would carry a surveillance cost. Formal transparency would destroy political freedom.

A completely opaque electorate would fail for the opposite reason. Members could not know whether the registry admitted valid voters, multiplied controlled accounts, favoured late substitutions or counted accurately. Ballot secrecy would become a cover for administrative discretion.

The defensible middle is not a vague compromise. It is a specific architecture of purpose limitation, data separation, independent access, aggregate reporting and reasoned challenge. Each layer reveals what another actor needs while withholding what could create abuse.

For the RIPE NCC, the stakes extend beyond one election. A registry asks members and resource holders to maintain accurate records, submit legal evidence and trust shared technical systems. If its own governance treats privacy as concealment or audit as exposure, it weakens the norms on which registration depends.

Members should be able to say three things after a vote: my organisation's authority was recorded correctly; no one can prove how we voted; and an independent reviewer had enough evidence to verify the result. Candidates should be able to challenge exceptions without acquiring a target list. The public should be able to understand the institution's assurance without seeing private files.

That is the legitimacy threshold. Verify eligibility, authority, uniqueness, conflicts and count. Publish the rules, scale, exceptions and conclusion. Restrict personal evidence to accountable reviewers. Break the link between identity and choice. Delete what no longer serves a justified purpose.

Membership privacy and electoral auditability are compatible because they govern different exposures. Privacy protects the voter and member. Audit protects the association from unreviewable power. A mature registry election does both by design, leaving neither a glass electorate nor a black box.

That balance must be demonstrated anew at every election.