Summary

  • Ballot secrecy means election records must not reveal an identifiable member's candidate selections. It does not require secrecy about voter eligibility, corporate authority, proxy concentration, system controls, incidents, total participation or the basis of certification.
  • RIR elections handle organisational rather than universal-suffrage ballots, but they still need the familiar properties identified by election-security research: confidentiality of selection, access control, data protection, auditability, resilient records, monitoring and independent verification.
  • APNIC records member identity and voting entitlement for audit while declaring ballots confidential; RIPE NCC uses a third-party voting platform and separate access codes; LACNIC provides a voter audit and complaint stage; AFRINIC's 2025 disputes show the cost of incomplete public reconciliation.
  • A two-layer design separates an identified authority ledger from an anonymous ballot domain. A one-way eligibility token permits one valid ballot without allowing routine staff, candidates or the public to join the member to the choice.
  • Public evidence should include rules, eligible totals, configuration and test attestations, role assignments, conflict disclosures, incident summaries, reconciliation, aggregate results and independent certification. Restricted evidence should remain available to an authorised auditor and reviewer under controlled access.

Secrecy protects choice, not administration

The secret ballot exists so a voter can choose without having to prove that choice to an employer, candidate, creditor, government or organiser. It reduces the enforceability of threats and vote purchases. It also protects political autonomy after the election, when a losing side may control institutional resources.

Election administrators sometimes extend this principle far beyond the selection. They decline to disclose who was eligible, how authority was checked, how many proxy appointments one person held, who configured the service or why a credential was rejected. The result is not stronger ballot secrecy. It is an election that cannot be evaluated without trusting the people who ran it.

The boundary can be stated simply. Information that links an identifiable voter to a candidate choice is highly protected. Information needed to prove that only eligible entitlements entered the tally, every accepted entitlement was counted as intended and no one could alter the result should be recorded and, at an appropriate level, disclosed.

Some records sit near the boundary. Participation history reveals that an organisation voted, though not how. In a very small electorate, publishing detailed timing or ballot style can support inference. A list of proxy principals combined with a holder's public campaign may expose likely choices. Good disclosure therefore uses aggregation, delay and access controls rather than a blanket refusal.

The distinction is important for regional Internet registries because members are organisations. A business may have legitimate reasons to keep its participation private; another may demand confirmation that its appointed representative acted. The registry must protect the secret choice while preserving an auditable corporate authority trail.

Public infrastructure is not public ballots. It is a system whose rules, controls and aggregate operation can be examined, with restricted evidence available to independent reviewers. Secrecy belongs to the voter's political decision. It should never become the administrator's general privilege.

Identity and choice must separate deliberately

Every member election begins with identity. The registry needs to know that an organisation is eligible, in good standing where required, and represented by an authorised person. Electronic voting may require an account, multifactor authentication or identity check. A paper election may require a register and credential at the desk.

The ballot should begin only after that identity decision ends. The identified system issues a one-time entitlement or token. The voting service accepts it, records the selection without the member identity and prevents reuse. Reconciliation proves that issued, used, revoked and unused entitlements balance. Routine staff should not possess a table joining tokens back to choices.

This separation is an architectural decision, not a promise in a privacy notice. Logs can quietly defeat it. Exact timestamps, network addresses, unique ballot sequences and browser details may allow two databases to be correlated. Administrators should collect only what security requires, coarsen or separate time where possible and test whether a privileged user could reconstruct votes.

APNIC's online voting terms illustrate the necessary tension. The service records the member, person submitting and number of votes for audit while stating that every ballot is confidential. A robust assessment asks where that identified audit record ends and whether candidate selections remain outside it.

RIPE NCC's voting guide describes a third-party service, a unique link and two codes. The published user journey helps members understand access. Independent assurance should additionally explain separation of identity, code and cast-vote record without exposing security secrets.

No electronic system can rely on the phrase anonymous voting alone. The relevant questions are which records exist, who can access them, how they can be correlated, how long they remain and what an auditor tested. Deliberate separation allows the institution to be strict about eligibility and equally strict about secrecy.

Auditability and secrecy are compatible properties

The National Institute of Standards and Technology's discussion of desirable voting-system properties treats auditability, ballot secrecy, resistance to coercion, usability and accessibility as related design goals. Its security objectives likewise pair evidence-based elections with records that do not reveal an identifiable voter's intent.

That pairing matters because public debate often presents a false choice. Either publish detailed evidence and expose voters, or protect voters and accept a black box. Modern audit design exists precisely to avoid that choice. It verifies process and outcome through records that are independent of the secret association between person and selection.

For an RIR, auditability means more than recounting candidate totals. The auditor should be able to confirm the eligible member population, authorised representatives, one entitlement per applicable right, correct voting weight, successful prevention of duplicates, accurate configuration, complete incident handling and mathematically consistent tally. None requires publishing a member's candidate choices.

Secrecy also has to survive the audit. An auditor should receive only the minimum identified data needed for each test. Where the full authority ledger is necessary, candidate selections should remain in another controlled domain. Reports should aggregate small groups. Audit work papers need retention and deletion rules.

Evidence can be cryptographic, documentary, procedural or physical. One should not assume a technical proof solves corporate authority or that signed minutes prove software behaved correctly. Independent verification draws from several records with different failure modes.

The institution should state its trust model. Which actors could alter eligibility? Who could change ballot configuration? Who holds decryption or tally authority? Can any one person perform a critical operation? NIST's older transmission requirements, for example, include two-person authorisation for critical vote processing over public networks. The specific control may vary, but concentration of privilege must be visible.

Auditability does not weaken secrecy. Properly designed, it supplies the evidence that secrecy was preserved while the outcome remained correct.

The authority ledger should be inspectable

Before any secret ballot exists, there is an authority ledger. It contains eligible members, voting weights, designated contacts, proxies, status changes and issued entitlements. Errors here can exclude a lawful voter or admit an unauthorised one. The ledger is therefore part of the election, not ordinary member administration temporarily reused.

Public access need not expose personal telephone numbers, identity documents or account details. The institution can publish the rules, total eligible organisations, categories of exclusion, provisional register at an appropriate organisational level and a correction mechanism. Each member should privately see its own status and representative.

LACNIC's extraordinary 2026 election calendar published a voter registry and allowed complaints long before voting. That sequence distributes error detection. A member can identify omission while correction remains possible. The Electoral Commission becomes accountable for responses before the ballot opens.

AFRINIC's replacement 2025 election also used provisional and final voter-register stages. This was an important improvement after disputes around the June election. Yet publication alone is limited public evidence if the criteria, change log or reasons for exclusion remain unclear. A final register should be accompanied by totals showing additions, removals and corrections from the provisional version.

The auditor needs the full restricted ledger, including authority evidence, timestamps and staff actions. Sampling should test whether the registered corporate officer had power to designate, whether revocations were applied, whether one natural person controlled several organisations and whether late changes followed common rules.

Candidates should not receive private member contact data simply because they contest the election. They may receive aggregate electorate information and any public organisational register authorised by the governing rules. Campaign access and audit access are different purposes.

An inspectable authority ledger gives members confidence that the secret ballot begins from a lawful electorate. Without it, a perfect voting service can faithfully count the wrong voters.

Configuration is a public-interest record

Electronic ballots contain consequential settings: candidate names and order, seats, maximum selections, voting weights, abstention options, opening and closing times, tie rules and treatment of partial ballots. A configuration error can alter every vote while leaving the software technically secure.

The approved ballot specification should be signed off before opening by at least two authorised officials and, ideally, an independent election officer. Candidates can confirm spelling, eligibility and seat assignment without seeing security credentials. A sample ballot should be published early enough to correct errors.

Pre-election testing should include ordinary and edge cases: one selection, maximum selections, attempted overvote, abstention, weighted entitlement, revoked token, duplicate use, time-zone boundary and interruption. The report can state tests and results without disclosing exploitable details. Hashes or signed attestations can identify the exact approved configuration.

Changes after testing require a new version, reason, approval and retest. Silent correction is unacceptable because it destroys the link between assurance and the live ballot. If voting has begun, the independent officer must determine whether the change affects already cast ballots and whether reopening or rerun is necessary.

Candidate order deserves explicit policy. Alphabetical, randomised or rotated order can be defensible if announced and applied consistently. An administrator should not choose placement informally after seeing the field. The same applies to biographies, photographs and links.

Closing time belongs to configuration too. The public notice, portal countdown and provider clock must agree. Any extension must change all three and preserve a record. Support staff should not have hidden ability to accept selected ballots after close.

Publishing configuration evidence does not tell anyone how members voted. It shows what question the system actually asked. In an accountable election, the public result must be traceable to a publicly authorised ballot definition.

Role separation is more valuable than assurances

An election involves member-services staff, an election committee, candidates, a board or receiver, legal advisers, a technology provider, tellers and an auditor. Trust improves when no one actor controls eligibility, ballot setup, tally and complaint resolution.

Role separation should be published before the contest. Member services can maintain contact records but should not decide candidate disputes. The election committee can supervise eligibility and procedure but should not alter secret tallies. The provider can operate the service but should not certify its own compliance. The reviewer should not report to a candidate or official whose act is challenged.

Conflicts need individual disclosure. A committee member may work for a member organisation, know a candidate or have participated in a dispute. Conflict does not always require exclusion; recusal can be sufficient. The record should state the relationship, decision and substitute.

Candidates and incumbent directors should not hold administrative privileges. Staff who campaign should be removed from election duties, and rules should define whether campaigning is permitted at all in an official capacity. Provider personnel with production access should be identified to the auditor and subject to change logging.

Two-person control is useful for critical acts: opening or closing the ballot outside the automatic schedule, changing configuration, exporting a tally, decrypting results and handling physical ballot containers. It limits error as well as misconduct. The evidence is a signed or cryptographically recorded action by both roles.

Public assurance that everyone acted professionally cannot replace this design. Good people make mistakes and institutions later face disputes. Separation protects officials by making unsupported allegations less plausible. It also allows an investigation to identify which domain could have failed.

The public need not know personal security details. It should know the offices, responsibilities, conflicts, approvals and independent checks. Secret ballots are strongest when authority around them is visibly divided.

Incidents should be public without becoming accusations

Every election has anomalies: bounced messages, failed authentication, a questioned authority document, an outage, a voter claiming non-receipt or a candidate disputing a rule. Concealing them invites rumours; publishing unverified allegations can damage people and the election.

An incident register offers a middle path. Each entry records time, category, affected stage, preservation action, decision-maker, status and remedy. Public versions aggregate or redact identity. Serious incidents receive a fuller report after facts are established.

Materiality should guide response. A failed email corrected before voting may require no effect on results. A credential admitted for one member needs a validity decision and, if already used, a privacy-preserving way to assess impact. A service outage affecting many voters may justify extension. A configuration defect touching every ballot may require a rerun regardless of margin.

AFRINIC's June 2025 election was suspended after disputes about authority documents and later annulled. Official communications referred particularly to Powers of Attorney and an investigation but did not initially publish a complete count of questioned credentials, associated ballots and seat-level materiality. The absence of reconciliation allowed competing narratives to occupy the gap.

Public incident reporting should distinguish allegation, verified fact, finding and remedy. Police investigation of possible forgery is different from an election official's interpretation of an announced form. A court's power is different from a teller's. Combining them under the word irregularity obscures responsibility.

Preservation comes before rhetoric. Secure the instrument, authority record, access log, ballot status, witness note and relevant communications. Do not link a secret selection unless a lawful exceptional process requires it and safeguards exist. Notify the affected member and reviewer.

An election earns trust not by claiming zero incidents but by showing that incidents could be detected, bounded and resolved under known rules.

Reconciliation proves completeness without revealing choices

At close, totals should connect the authority ledger to the tally. Begin with eligible members and voting weight. Show registered representatives, validated proxies, entitlements issued, revoked entitlements, used entitlements, unused entitlements, rejected attempts and accepted ballots. Then show valid, blank or abstaining, and invalid ballots under the rules.

The equations should balance. If 1,000 entitlements were active and 600 ballots were accepted, 400 should be demonstrably unused or otherwise accounted for. Weighted systems need both member and vote-unit totals. Multi-seat elections should explain why total candidate marks differ from ballots.

APNIC publishes a vote-verification page with receipt numbers for submitted votes under its online terms. LACNIC gives voters an audit interval after provisional results. These mechanisms let entities confirm inclusion without disclosing selection. Receipt design must resist coercion: it can prove participation or inclusion, not candidate choice.

Reconciliation should be completed before certification and reviewed independently. Differences may be innocent, such as a revoked entitlement still counted in an issuance export. They must nevertheless be resolved. An unexplained difference larger than a decisive margin is plainly material; a smaller difference may still reveal a control failure requiring correction.

The public report can provide totals and method. The auditor receives detailed identifiers to test uniqueness. Candidates may observe defined stages or receive the signed report, but should not inspect personal credentials or vote-level records without authority.

Paper elections use the same logic: ballots printed, issued, spoiled, unused, cast and counted; seals applied and broken; boxes transferred. Electronic terminology should not obscure that equivalent custody exists in logs, keys and exports.

Reconciliation is the bridge between a secret set of choices and a public result. Without it, the result is merely a number asserted by the operator. With it, members can see that the number arose from the authorised electorate even though no one can see how each member chose.

Verification must not become a vote receipt

Voters reasonably want proof that their ballot arrived. A system may provide a receipt number or let the entity check inclusion. The design becomes dangerous if the proof reveals the selected candidate in a way another person can verify.

A coercer who can demand a candidate-specific receipt can enforce threats or payment. A corporate principal can compel a representative to demonstrate obedience. The secret ballot then exists only against outsiders without leverage.

Safe verification usually answers limited questions: the authorised entitlement was used; the submitted encrypted ballot appears in a public set; the tally includes all valid records; or an independent proof verifies computation. It should not enable the voter to reveal a unique plain-text choice.

End-to-end verifiability offers sophisticated approaches, but complexity must be matched to the election. Members need usable instructions, independent implementation review and recovery when verification fails. A feature few voters understand can create false assurance.

Where simpler commercial platforms are used, the registry should state exactly what the receipt proves. “Your vote was recorded” may mean the session completed, not that the final tally included it. The provider and auditor should define stages. Ambiguous success messages are not evidence.

Verification records need privacy review. Publishing all receipt numbers is useful only if they cannot be linked to member identities through issuance order or timestamps. Randomisation, batching and separation can reduce correlation. Small elections may require stronger suppression.

The correct goal is confidence without transferability. The voter can detect omission and seek review, while a third party cannot use the same evidence to learn or enforce the selection. This boundary should be tested explicitly rather than assumed from encryption language.

Public evidence should be layered

Not every election record belongs on a website. A layered disclosure model protects personal data and security while preserving accountability. The public layer should include governing rules, calendar, electorate totals, candidate field, role assignments, conflicts, provider identity, test attestation, incident summary, reconciliation, aggregate results, complaints and certification.

The member layer should show the organisation's eligibility, authorised voter, proxy status, ballot participation status and correction history. It should not display a candidate choice. Access should use the member's normal secure channel.

The auditor layer can include identified authority records, detailed logs, configuration, privileged actions, provider evidence, sampled communications and incident files. Access is limited, recorded and time-bound. The auditor reports findings and limitations publicly.

The adjudicator layer may require additional material for a specific dispute, including personal documents or sealed technical evidence. Parties receive only what fairness requires, with protective orders or confidentiality where appropriate. Candidate curiosity is not a basis for access.

The provider retains security-sensitive materials under contract, but the registry must ensure evidence remains available if the relationship ends. Data location, retention, deletion and breach notice should be agreed before voting.

Layering avoids two common failures. Total publication can expose voters and systems. Total confidentiality can make officials the sole judges of their own performance. Purpose determines access.

The disclosure plan should be approved before data exists. Deciding after a dispute invites selective transparency. Members should know which facts will become public, which personal information is collected and who can inspect restricted records.

Public infrastructure is accountable because evidence moves to the right reviewer, not because every byte is open.

Independent certification needs a reasoned statement

Certification is not a ceremonial signature under a results table. It is the decision that authorised rules were applied, material incidents were resolved and the announced candidates can assume office. The certifier should state the basis.

A reasoned certificate identifies the election, governing instruments, eligible and participating totals, voting period, system or method, reconciliation, audit performed, complaints received, unresolved limitations and final determination. It should state whether results are provisional while challenges remain.

Independence is relative and should be disclosed. An electoral commission appointed by the board may still act independently under a protected mandate. A commercial provider is independent of staff but has an interest in defending its service. An auditor paid by the registry can be credible if selection, scope and reporting rights prevent interference.

The certifier needs access. A role described as observer but denied authority records or provider logs cannot provide strong assurance. The report should state evidence unavailable, tests not performed and reliance on representations. Candour about limits is more valuable than an absolute declaration unsupported by work.

Complaints should be resolved or expressly reserved. If a pending issue cannot alter the outcome, the certifier can explain materiality. If it could, final appointment should wait or a lawful conditional mechanism should apply. The institution should not create urgency by announcing winners before review.

LACNIC's use of provisional results and a later certification date depending on complaints demonstrates the proper sequence. It preserves public information about the count while allowing authorised audit to finish.

Certification converts technical and administrative records into institutional authority. It deserves the same transparency as a board resolution: who decided, under what power, on what evidence and with what limitations.

Vendors do not absorb institutional responsibility

Third-party voting services can improve separation and expertise. APNIC has used BigPulse; RIPE NCC uses Assembly Voting; AFRINIC used external providers in its 2025 elections. A vendor may reduce staff access to selections and supply tested infrastructure.

Outsourcing does not transfer the registry's constitutional responsibility. The association chooses the provider, configures the ballot, supplies eligibility, communicates with voters and accepts the result. It must understand and audit the service sufficiently to defend those acts.

Contracts should cover confidentiality, data minimisation, privileged access, subcontractors, system changes, incident notice, availability, logs, independent testing, evidence export, retention, deletion and cooperation with challenges. Provider claims of proprietary technology cannot prevent outcome assurance.

The registry should publish the provider name, selection rationale at an appropriate level and assurance obtained. Security-sensitive reports can be summarised. Known limitations should shape the election: if the platform cannot support revocation or strong separation, rules must account for that rather than imply a capability.

Vendor staff conflicts and access matter. Which personnel can view member identities, reset credentials, change configuration or export results? Are critical actions dual-controlled? Are accesses logged and reviewed by someone outside the vendor team?

Continuity plans should address provider failure. The registry needs verified backups of configuration and authority data, a rule for extending voting, and a way to preserve cast ballots without creating duplicates. Switching services mid-election is an extreme act requiring independent direction.

A familiar brand is not public evidence. Vendor involvement is one control in a larger institutional design. Members elect their registry board, not the software company, and the registry remains accountable for every authority it delegates.

Remote voting expands the threat surface and the evidence surface

Electronic access creates risks: account takeover, phishing, malware, denial of service, insider privilege and correlation of identity with choice. It also creates evidence unavailable in an informal paper process: signed configuration, access logs, duplicate prevention, system monitoring and precise reconciliation.

The NIST Election Infrastructure Profile frames election technology through risk management across voter registration and voting systems. RIRs need not copy a national election standard wholesale, but the functions are relevant: identify assets and risks, protect access and data, detect anomalies, respond under defined authority and recover while preserving evidence.

Member accounts deserve stronger protection before the election, not emergency enrolment at opening. Multifactor authentication, contact confirmation and phishing warnings should be routine. Election messages should use predictable domains and let members verify links through the portal.

Monitoring must not become voter surveillance. Security teams can detect repeated failures, impossible access and service attacks without analysing candidate choices. Network addresses and device data should be restricted and retained only as needed. The privacy assessment should explain the balance.

Incident response should preserve secret ballots. Resetting a credential must not reveal or alter a prior vote. Restoring from backup must prevent double counting. Logs should be copied under integrity controls before administrators make changes.

Cybersecurity reports often remain confidential for good reasons. Public summaries can still state threats considered, controls applied, tests completed, incidents detected and residual risk accepted. Silence is not security.

Remote voting can support more rigorous evidence than a paper box observed by a few attendees. Realising that advantage requires designing logs for audit while preventing their use to reconstruct votes.

A two-layer audit model for registry elections

The first layer is authority and operation. It is identified and restricted. It verifies member eligibility, corporate authority, voting weight, proxy concentration, token issuance, access control, configuration, incidents and one-time use. The auditor can trace every entitlement from lawful origin to an anonymous acceptance boundary.

The second layer is ballot and outcome. It is anonymous and independently verifiable. It confirms that accepted ballots were immutable, all were included, tally rules were correct and published totals match the protected records. It does not permit ordinary reversal from ballot to member.

The layers meet through reconciliation, not a permanent identity-choice table. Totals, cryptographic commitments or controlled token checks show that every used entitlement corresponds to one ballot. Exceptions are investigated at the boundary without exposing unaffected choices.

Public reporting mirrors the model. Authority reports disclose electorate totals, validation categories and concentration. Outcome reports disclose turnout, valid ballots, candidate totals and audit result. Incident reports say which layer was affected and whether crossover risk existed.

Governance surrounds both. Published roles define who can access each layer. Conflicts and critical actions are recorded. An independent reviewer hears complaints. Certification states that both layers and their reconciliation passed defined tests.

This model works for paper as well as electronic voting. The authority desk checks the voter and issues a validated paper without recording its mark. The box and count protect anonymous ballots. Issued, spoiled, unused and counted papers reconcile. Technology changes the instruments, not the principle.

The model also clarifies remedies. An isolated authority error may affect one entitlement. A ballot-layer integrity failure may affect the whole tally. A broken link between layers may make scope uncertain. Remedies should follow the affected domain and materiality rather than political pressure.

Two layers make secrecy and accountability allies. Strong authority evidence keeps invalid access out; strong ballot separation keeps valid choices private; independent reconciliation gives the public a reason to trust the result.

Small electorates need stronger inference controls

Registry elections are often much smaller than public elections. A result may be reported by region, member tier, voting method or proxy status because those categories matter to governance. Each additional breakdown can make a secret choice easier to infer, particularly where a category contains one or two organisations.

Disclosure should therefore be tested for composition risk. Suppose the public knows that one member in a country voted, that the member appointed a publicly campaigning proxy and that candidate totals changed by a matching weighted amount. None of those facts alone reveals a choice; together they may. Exact timestamps can create the same problem when entities announce when they cast.

The public reporting plan should set minimum cell sizes, combine rare categories and delay sensitive participation detail. Weighted systems require special care because a distinctive entitlement can act like a fingerprint. Receipts should be random and unordered. Incident reports should avoid stating that the sole member in a category supported or rejected an instrument in a way that implies its ballot.

Restricted auditors can still inspect full data. Public aggregation limits inference, not accountability. The auditor confirms regional and tier calculations, checks that suppression was applied consistently and reports whether any official release created a credible route to re-identification.

Candidates also need limits. A campaign may want a list of members who have not voted so it can mobilise turnout. In a small corporate electorate, that information creates pressure and, combined with later reports, can expose political behaviour. If turnout updates are published, they should be broad, scheduled and available to everyone. Individual participation status belongs to the member and election office.

Organisations themselves may announce their choices. Voluntary political speech is different from a system-generated proof. The registry should not design a receipt that lets an employer or organiser compel such disclosure. Nor should it treat a public endorsement as consent to expose the actual ballot.

Inference review is not an argument for publishing nothing. Total silence leaves members unable to test concentration and participation. It is an argument for deliberate statistics: disclose what supports legitimacy, suppress what links an identifiable organisation to a selection, and let an independent reviewer examine the unsuppressed evidence.

Small elections make this boundary more demanding, not less. Their infrastructure must be public enough to verify and private enough that every member can still change its mind inside the ballot without being observed.

Publication should also be cumulative-risk aware. A harmless register released before voting can become identifying when combined later with a detailed incident report and provider timestamps. Someone should review the full planned sequence of disclosures, not approve each item in isolation. When new facts emerge, earlier releases cannot be withdrawn from public memory, so later reporting may need broader aggregation. The certifier can still state that the underlying evidence was inspected and found consistent.

This practice preserves the value of a continuing public account without allowing transparency at one stage to defeat secrecy at another.

The same review should cover information released by contractors and observers. A registry may aggregate carefully while a provider publishes exact service statistics or a witness posts photographs showing who stood at a voting desk. Contracts and observer instructions should define the confidentiality boundary without preventing legitimate reporting. When an accidental disclosure occurs, officials should assess inference risk, notify affected members where necessary and adjust later releases. Ballot secrecy is maintained by the whole election environment, not only by the database holding selections.

Coordinated disclosure control is therefore part of infrastructure accountability rather than a reason to exclude scrutiny.

Publish enough to make trust optional

Members will always place some trust in election officials, providers and auditors. No report lets every voter personally inspect every system. Good governance reduces the amount of blind trust and makes remaining reliance explicit.

Before voting, publish the rules, electorate process, calendar, ballot definition, roles, conflicts, provider, privacy notice, audit plan and complaint route. During voting, publish service status and material incidents without releasing turnout information that could distort campaigning unless the rule authorises it. After close, publish reconciliation, provisional results, audit findings, complaints and reasoned certification.

Give each member private confirmation of eligibility and participation. Give the auditor controlled access to complete evidence. Prevent candidates, staff and vendors from crossing into selection data without lawful extraordinary authority. Record every exceptional access.

AFRINIC's 2025 disputes illustrate why the distinction matters. Secrecy did not require silence about how many authority documents were questioned, how many associated entitlements were issued or why broad annulment was proportionate. Publishing those facts would not have disclosed candidate choices. Their absence made institutional assurance harder.

The principle applies across the RIR system. APNIC's identified audit fields and confidential ballots, RIPE NCC's third-party access procedure, LACNIC's verification interval and public election-security standards all supply workable components. Registries can adapt them to association law and member voting without pretending they administer national elections.

A secret ballot is not a dark room. It is a protected choice moving through a lit institution. The lights should reveal doors, guards, records, transfers, incidents and the authority that declares the outcome. They should never reveal which private mark belonged to which member.

When infrastructure is public in that sense, trust becomes a conclusion supported by evidence rather than a favour administrators ask from the electorate. That is the legitimacy secret voting is meant to serve.