Data Governance, Privacy & Security
Freeze–Vote–Rebuild relies on data: incident reports, voter registration records, audit trails, and reconstruction spending. Data governance determines whether the process is trusted, auditable, and safe.
This chapter defines a practical policy for what data is collected, who can access it, what is published, and how privacy/security risks are managed.
Objectives
- Preserve auditability and credibility of verification and results.
- Protect personal privacy (especially for displaced persons and voters).
- Avoid creating targeting intelligence or operational security failures.
- Enable transparency without undermining safety.
Core Principles
1. Minimum Necessary Data
Collect only what is needed to:
- verify compliance,
- administer the Vote,
- audit reconstruction funds and delivery.
2. Separation of Concerns
Separate truth systems (ballots, audits, financial ledgers) from reporting systems (dashboards, public summaries).
3. Role-Based Access
Access should be defined by specific roles:
- Monitors/Observers
- Auditors/Inspectors
- Dispute Adjudicators
- Public Transparency Users
- Operators with privileged access
4. Tamper-Evidence and Chain-of-Custody
Sensitive records must have:
- controlled write access,
- immutable or append-only, tamper-evident logs,
- clear chain-of-custody procedures.
Data Categories and Recommended Handling
A. Freeze Monitoring Data
Includes incident reports, sensor data, and site visit notes.
Publish (Aggregated):
- Incident counts by severity and region.
- Protected infrastructure incidents.
- Corridor uptime summaries.
- Obstruction incidents (aggregated so that counts do not reveal monitor routes or sources).
Restrict:
- Exact monitor routes and sensor locations.
- Tactical details that enable targeting.
- Witness identities and sensitive source details.
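As an added illustration of principles 2 and 4 applied to Freeze Monitoring Data (example code written for this chapter, not part of any deployed system): a hash-chained, append-only incident log acts as the truth system, while the reporting layer derives only the aggregated counts listed above and never sees restricted fields. The field names, region labels and sample incidents are constructed.

```python
import hashlib
import json
from collections import Counter

# Truth-system fields that never reach the reporting layer (hypothetical field names).
RESTRICTED_FIELDS = {"witness", "sensor_location"}
GENESIS = "0" * 64

def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_incident(log, record):
    """Append to the hash-chained log; each entry commits to its predecessor's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": dict(record), "prev_hash": prev_hash}
    entry["hash"] = _digest(prev_hash, entry["record"])
    log.append(entry)
    return entry["hash"]

def verify_chain(log):
    """Recompute every digest; an edit, deletion or reordering breaks the chain."""
    prev_hash = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev_hash or _digest(prev_hash, entry["record"]) != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True

def redact(record):
    """Reporting-layer copy of a record with restricted fields removed."""
    return {k: v for k, v in record.items() if k not in RESTRICTED_FIELDS}

def public_summary(log):
    """Aggregated view for publication: incident counts by region and severity."""
    counts = Counter()
    for entry in log:
        public = redact(entry["record"])
        counts[f'{public["region"]}/{public["severity"]}'] += 1
    return dict(sorted(counts.items()))

# Constructed sample incidents, not real data.
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "region": "North", "severity": "high", "witness": "W-17", "sensor_location": "grid-A3"},
    {"id": "INC-002", "region": "North", "severity": "low", "witness": "W-04", "sensor_location": "grid-A5"},
    {"id": "INC-003", "region": "South", "severity": "high", "witness": "W-22", "sensor_location": "grid-C1"},
]
```

Appending the three sample incidents in order and calling verify_chain gives True; changing, removing or reordering any entry afterwards makes it False, while public_summary exposes only per-region severity counts.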
B. Vote Data
Includes voter roll, registration proofs, ballots/records, and complaints.
Publish (Aggregated):
- Registration and turnout statistics by category (resident/IDP/refugee).
- Observer methodology and findings.
- Audit summaries and dispute outcomes (reasoned, privacy-aware).
Restrict:
- Personally identifiable voter data (PII).
- Individual eligibility proofs.
- Detailed coercion complaint identities and locations if unsafe.
- Sensitive cyber defense details.
C. Reconstruction Data
Includes projects, contracts, vendors, payments, milestones, and audits.
Publish (Default, with security exceptions):
- Project registry and milestones.
- Contract award summaries and values.
- Audit summaries and debarments.
- KPI dashboards (cost/time/quality/integrity).
Restrict:
- Precise security-sensitive site details (where disclosure would create risk).
- Personal data of beneficiaries.
- Details that would enable theft/extortion of goods in transit.
Publication Policy (Recommended)
Adopt a written publication policy specifying:
- What is published and at what frequency.
- Redaction rules and justifications.
- Who approves exceptional redactions.
- How corrections are issued (error policy).
- How disputes about publication are handled.
Default Posture: Publish aggregated results and integrity evidence; restrict tactical or personally identifying details.
Security Controls (Minimum)
- Secure communications for monitors and election workers.
- Access logging and audit trails for sensitive systems.
- Multi-factor authentication (MFA) for privileged accounts.
- Encryption at rest and in transit for sensitive datasets.
- Backup and continuity plans (offline fallbacks).
- Incident response plan for cyber breaches and data leaks.
Privacy Protections (Minimum)
- Data minimization and purpose limitation.
- Clear retention schedule (how long records are kept).
- Anonymization/pseudonymization where feasible.
- Witness and whistleblower protection procedures.
- Strict rules on sharing data across agencies and borders.
Independent Audit Access
To preserve credibility, independent auditors/observers need access to:
- Raw evidence (under secure conditions).
- Logs and chain-of-custody records.
- Methodologies and sampling plans.
- Dispute decision records.
"Audit Room" Model: If needed, use a controlled environment where raw data can be analyzed but not exported, allowing for publishable conclusions without exposing sensitive details.