How Vote Integrity Is Protected
A plain-language explanation of how Assembley keeps an assembly's record tamper-evident — immutable vote records, frozen vote weights, and a hash chain that makes any change detectable.
For a result to be defensible, it isn't enough to record it — you have to be able to show it wasn't changed afterwards. Assembley protects the integrity of every assembly with a few reinforcing mechanisms. This article explains them at a conceptual level, without the cryptography.
Records are immutable
The core principle is that the record of what happened is append-only: votes and the meeting's key events are written once and not edited or deleted afterwards. There is no "edit this vote" path. This removes the most obvious failure mode — a result quietly altered after the meeting — because there's simply no mechanism to alter it.
Vote weight is frozen at the moment of voting
When a voter casts a ballot, the weight that ballot carries is fixed onto it then and there. The tally uses the weight recorded with each vote, never a live lookup. So even if your register is edited later — a voter's capital or class changes — a concluded vote's result does not move, because the weight that counted is preserved on the ballot itself. See How Voting Weight Is Calculated.
A tamper-evident chain
Beyond immutability, the meeting's events are linked together so that any change is detectable. Conceptually, each record carries a fingerprint that depends on the records before it, forming a chain — so altering any single entry would break the chain and be immediately apparent. The votes for each item are summarised into a compact fingerprint of their own. The result is a record that is not just hard to change, but one where changes announce themselves.
You don't need to understand the cryptography to benefit from it: the point is that the evidence package can be independently verified, and verification would fail if anything had been tampered with.
Why this matters
These properties are what turn "we ran a vote" into "we can prove how the vote went". They're aimed squarely at the moments that test a governance process:
- An auditor checking that decisions were taken properly.
- A regulator requesting documentation.
- A shareholder or member disputing a result.
In each case, a tamper-evident, independently verifiable record is far stronger than a number in the minutes. See The Evidence Package Explained.
Integrity and identity together
Integrity protects the record of the votes; identity verification protects who cast them. Both are needed for a defensible result — a perfect record of anonymous votes proves little. See Identity Verification Levels.
Where to go next
See The Evidence Package Explained and How Votes Are Counted.
Related articles
- Identity Verification LevelsHow Assembley verifies voter identity — a one-time email passcode as the baseline, with higher-assurance electronic ID (such as MitID) available as a premium option for high-stakes assemblies.
- The Evidence Package ExplainedWhat the Assembley evidence package contains, the formats it comes in, and why this self-contained, verifiable record is what makes an assembly's result defensible.