Freeze–Vote–Rebuild relies on data: incident reports, voter registration records, audit trails, and reconstruction spending. Data governance determines whether the process is trusted, auditable, and safe.
This chapter defines a practical policy for what data is collected, who can access it, what is published, and how privacy/security risks are managed.
Objectives
Preserve auditability and credibility of verification and results.
Protect personal privacy (especially for displaced persons and voters).
Avoid creating targeting intelligence or operational security failures.
Enable transparency without undermining safety.
Core Principles
1. Minimum Necessary Data
Collect only what is needed to:
verify compliance,
administer the Vote,
audit reconstruction funds and delivery.
2. Separation of Concerns
Separate:
Truth systems (ballots, audits, financial ledgers) from
Reporting systems (dashboards, public summaries).
3. Role-Based Access
Access should be defined by specific roles:
Monitors/Observers
Auditors/Inspectors
Dispute Adjudicators
Public Transparency Users
Operators with privileged access
4. Tamper-Evidence and Chain-of-Custody
Sensitive records must have:
controlled write access,
immutable logs (or equivalent),
clear chain-of-custody procedures.
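The following is an added example (not part of this chapter or any official Freeze–Vote–Rebuild tooling) showing how principles 3 and 4 combine in practice: access to the separated truth systems and reporting systems is decided per role, and every decision, allowed or denied, is appended to a hash-chained log so that editing or deleting an entry is detectable. The role names come from the list above; the permission matrix, dataset labels and actor identifiers are assumptions made for the example.

```python
"""Role-based access to truth vs reporting datasets, with a tamper-evident
(hash-chained) access log. Added example; roles follow the chapter, the
permission matrix and dataset names are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

READ, WRITE = "read", "write"

# Assumed permission matrix. Note the operator role (privileged on the
# reporting side) gets no access at all to the truth systems.
POLICY = {
    "monitor":     {"freeze_incidents": {READ, WRITE}, "public_summaries": {READ}},
    "auditor":     {"freeze_incidents": {READ}, "ballot_records": {READ},
                    "finance_ledger": {READ}, "public_summaries": {READ}},
    "adjudicator": {"ballot_records": {READ}, "dispute_records": {READ, WRITE},
                    "public_summaries": {READ}},
    "public":      {"public_summaries": {READ}},
    "operator":    {"public_summaries": {READ, WRITE}},
}
TRUTH_SYSTEMS = {"ballot_records", "finance_ledger", "freeze_incidents", "dispute_records"}


class AuditLog:
    """Append-only log. Each entry's hash covers its sequence number, the
    previous entry's hash and the record, so any edit, deletion or
    reordering of earlier entries breaks the chain on verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(seq, prev, record):
        body = {"seq": seq, "prev": prev, "record": record}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev, "record": record,
                 "hash": self._digest(seq, prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index)
        of the first entry that fails the check."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev"] != prev
                    or e["hash"] != self._digest(e["seq"], e["prev"], e["record"])):
                return False, i
            prev = e["hash"]
        return True, None


def authorize(log, actor, role, dataset, action):
    """Decide the request against POLICY and record the decision, whatever
    the outcome, so denied attempts are as auditable as granted ones."""
    allowed = action in POLICY.get(role, {}).get(dataset, set())
    log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "role": role, "dataset": dataset, "action": action,
        "truth_system": dataset in TRUTH_SYSTEMS, "allowed": allowed,
    })
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    authorize(log, "monitor-12", "monitor", "freeze_incidents", WRITE)   # allowed
    authorize(log, "op-3", "operator", "ballot_records", READ)           # denied
    print("chain intact:", log.verify())
    log.entries[1]["record"]["allowed"] = True   # someone flips the denial
    print("after tampering:", log.verify())      # (False, 1)
```

In deployment the log would be written to storage the operators cannot rewrite (append-only media, a separate custodian, or periodic publication of the latest hash), since a hash chain only proves consistency with whatever head hash the auditor trusts.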
Data Categories and Recommended Handling
A. Freeze Monitoring Data
Includes incident reports, sensor data, and site visit notes.
Publish (Aggregated):
Incident counts by severity and region.
Protected infrastructure incidents.
Corridor uptime summaries.
Obstruction incidents (with care).
Restrict:
Exact monitor routes and sensor locations.
Tactical details that enable targeting.
Witness identities and sensitive source details.
B. Vote Data
Includes voter roll, registration proofs, ballots/records, and complaints.
Publish (Aggregated):
Registration and turnout statistics by category (resident/IDP/refugee).
Observer methodology and findings.
Audit summaries and dispute outcomes (reasoned, privacy-aware).
Restrict:
Personally identifiable voter data (PII).
Individual eligibility proofs.
Detailed coercion complaint identities and locations if unsafe.
Sensitive cyber defense details.
C. Reconstruction Data
Includes projects, contracts, vendors, payments, milestones, and audits.
Publish (Default, with security exceptions):
Project registry and milestones.
Contract award summaries and values.
Audit summaries and debarments.
KPI dashboards (cost/time/quality/integrity).
Restrict:
Precise security-sensitive site details (if needed).
Personal data of beneficiaries.
Details that would enable theft/extortion of goods in transit.
Publication Policy (Recommended)
Adopt a written publication policy specifying:
What is published and at what frequency.
Redaction rules and justifications.
Who approves exceptional redactions.
How corrections are issued (error policy).
How disputes about publication are handled.
Default Posture: Publish aggregated results and integrity evidence; restrict tactical or personally identifying details.
Security Controls (Minimum)
Secure communications for monitors and election workers.
Access logging and audit trails for sensitive systems.
Multi-factor authentication (MFA) for privileged accounts.
Encryption at rest and in transit for sensitive datasets.
Backup and continuity plans (offline fallbacks).
Incident response plan for cyber breaches and data leaks.
Privacy Protections (Minimum)
Data minimization and purpose limitation.
Clear retention schedule (how long records are kept).
Anonymization/pseudonymization where feasible.
Witness and whistleblower protection procedures.
Strict rules on sharing data across agencies and borders.
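As an added example (not from this chapter) tying the Vote Data publication rules above to the privacy protections in this section, the script below takes constructed registration records containing direct identifiers, pseudonymizes them with a keyed hash that stays inside the truth system, and produces the publishable aggregate (registration and turnout by district and category). It also withholds cells whose population is too small to publish safely; the suppression threshold of 10, the demo key and the sample records are all assumptions, not values given by the chapter.

```python
"""Pseudonymize voter registrations and publish only aggregated, small-cell
suppressed statistics. Added example; threshold, key and records are
constructed for illustration."""
import hashlib
import hmac

SUPPRESSION_THRESHOLD = 10            # assumption: cells below this are withheld
DEMO_KEY = b"constructed-demo-key"    # would live only in the truth system


def _make(n, voted, category, district):
    """Constructed sample registrants; no real persons."""
    return [{"name": f"Person {category}-{district}-{i}",
             "dob": f"19{70 + i % 30:02d}-01-01",
             "category": category, "district": district,
             "voted": i < voted} for i in range(n)]


REGISTRATIONS = (_make(12, 8, "resident", "D1") + _make(11, 5, "idp", "D1")
                 + _make(3, 2, "refugee", "D1") + _make(10, 7, "resident", "D2"))


def pseudonymize(record, key):
    """Replace direct identifiers with an HMAC pseudonym. The same person
    maps to the same pid (records stay linkable for audits), but without the
    key the pid cannot be reversed or rebuilt from a name list."""
    ident = f"{record['name']}|{record['dob']}".encode()
    pid = hmac.new(key, ident, hashlib.sha256).hexdigest()[:16]
    return {"pid": pid, "category": record["category"],
            "district": record["district"], "voted": record["voted"]}


def aggregate(records):
    """Count registered and voted per (district, category) cell."""
    cells = {}
    for r in records:
        cell = cells.setdefault((r["district"], r["category"]),
                                {"registered": 0, "voted": 0})
        cell["registered"] += 1
        cell["voted"] += int(r["voted"])
    return cells


def publishable(cells, threshold=SUPPRESSION_THRESHOLD):
    """Turn cells into rows fit for the public dashboard, suppressing any
    cell small enough that a turnout figure would single out individuals."""
    rows = []
    for (district, category), c in sorted(cells.items()):
        if c["registered"] < threshold:
            rows.append({"district": district, "category": category,
                         "registered": f"<{threshold}", "turnout_pct": None,
                         "suppressed": True})
        else:
            rows.append({"district": district, "category": category,
                         "registered": c["registered"],
                         "turnout_pct": round(100 * c["voted"] / c["registered"], 1),
                         "suppressed": False})
    return rows


def publish_vote_statistics(registrations, key):
    """End-to-end: pseudonymize in the truth system, aggregate, suppress."""
    return publishable(aggregate(pseudonymize(r, key) for r in registrations))


if __name__ == "__main__":
    for row in publish_vote_statistics(REGISTRATIONS, DEMO_KEY):
        print(row)
```

The pseudonyms never appear in the published rows at all; they exist so auditors working inside the truth system can de-duplicate and cross-check records without handling names and dates of birth directly. Suppressing small cells matters because a turnout percentage over three refugees in one district reveals how specific people voted.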
Independent Audit Access
To preserve credibility, independent auditors/observers need access to:
Raw evidence (under secure conditions).
Logs and chain-of-custody records.
Methodologies and sampling plans.
Dispute decision records.
"Audit Room" Model: If needed, use a controlled environment where raw data can be analyzed but not exported, allowing for publishable conclusions without exposing sensitive details.