Anonymisation

Anonymisation is the process that permanently separates each submitted ballot from the voter who cast it. It runs automatically when the administrator closes the election, before any trustee is asked to decrypt.

What it does

Each ballot in the system carries a reference linking it to the voter who submitted it — necessary during the voting phase to enforce one-vote-per-voter and to deactivate links after submission. Anonymisation cryptographically destroys this reference for every ballot simultaneously.

After anonymisation:

  • All submitted ballots remain in the system with their vote contents intact
  • The reference linking any ballot to any voter no longer exists
  • No query, database operation, or key can reconstruct who voted for what
  • Trustee decryption reveals vote totals only — never individual attributions

Why it happens before decryption

The ordering is deliberate. Trustees decrypt an anonymised dataset. This means the decrypted results — even in their fully readable form — contain no voter identity information. There is nothing to leak.

If decryption happened before anonymisation, a sufficiently privileged party could potentially correlate decrypted ballots with voter records during the window between the two operations. The Electobox model closes this window entirely.
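The following is an added illustration of the anonymise-then-decrypt ordering described above; it is not Electobox code and says nothing about how Electobox stores or encrypts ballots. The `Election` and `Ballot` names are hypothetical, and the SHA-256 counter-mode stream cipher is a toy stand-in for real ballot encryption. The model keeps a voter link on each ballot during voting (to enforce one vote per voter), drops every link at once and shuffles storage order when the election closes, and only then allows decryption. A helper also shows what the opposite ordering would expose: decrypting while links still exist yields a voter-to-choice table.

```python
"""Toy model of an anonymise-then-decrypt election pipeline (illustration only)."""
import hashlib
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode); stand-in for real ballot encryption.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    stream = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


@dataclass
class Ballot:
    ciphertext: bytes
    nonce: bytes
    voter_id: Optional[str]  # the only link back to the voter; None once anonymised


class Election:
    """Hypothetical election store: voting phase, then anonymise, then tally."""

    def __init__(self, key: bytes):
        self._key = key          # stands in for the trustees' decryption key
        self._ballots = []
        self._voted = set()      # enforces one-vote-per-voter during voting
        self.anonymised = False

    def cast(self, voter_id: str, choice: str) -> None:
        if self.anonymised:
            raise RuntimeError("election is closed")
        if voter_id in self._voted:
            raise ValueError(f"{voter_id} has already voted")
        nonce = secrets.token_bytes(16)
        ciphertext = encrypt(self._key, nonce, choice.encode())
        self._ballots.append(Ballot(ciphertext, nonce, voter_id))
        self._voted.add(voter_id)

    def anonymise(self) -> int:
        """Drop every voter link in one pass and shuffle, so neither the field
        nor the storage order can be used to re-link a ballot to a voter."""
        for ballot in self._ballots:
            ballot.voter_id = None
        secrets.SystemRandom().shuffle(self._ballots)
        self.anonymised = True
        return len(self._ballots)

    def tally(self) -> Counter:
        """Decryption is only permitted on the anonymised dataset."""
        if not self.anonymised:
            raise RuntimeError("refusing to decrypt before anonymisation")
        return Counter(decrypt(self._key, b.nonce, b.ciphertext).decode()
                       for b in self._ballots)

    def linked_voters(self) -> list:
        """Voter ids still attached to ballots; empty after anonymisation."""
        return sorted(b.voter_id for b in self._ballots if b.voter_id is not None)


def decrypt_before_anonymise(election: Election) -> dict:
    """The ordering the page rules out: with voter links still present, decryption
    produces a voter -> choice table. Returns {} once links are gone."""
    return {b.voter_id: decrypt(election._key, b.nonce, b.ciphertext).decode()
            for b in election._ballots if b.voter_id is not None}


def demo() -> Counter:
    # Constructed sample election with three voters.
    election = Election(secrets.token_bytes(32))
    for voter, choice in [("v1", "yes"), ("v2", "no"), ("v3", "yes")]:
        election.cast(voter, choice)
    election.anonymise()
    return election.tally()  # Counter({'yes': 2, 'no': 1}), no voter ids
```

Running `demo()` produces only totals; calling `decrypt_before_anonymise` on the same object after `anonymise()` returns an empty table because the link field no longer exists anywhere in the store, which is the property the section describes.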

Irreversibility

Anonymisation is a one-way operation. Electobox does not retain the mapping between voters and ballots after this step completes. There is no administrative function, support escalation, or legal process that can un-anonymise a ballot. This is a deliberate design property, not a limitation.