Secure School Elections — Guide for COMELEC & Election Boards

Why School Election Boards Need a Formal Process

School elections matter more than people think. Student COMELEC (Commission on Elections), election commissions, and election boards carry the responsibility of ensuring every vote counts. Whether you're a university-wide COMELEC in the Philippines, a student election commission in the US, or a club election board anywhere in the world — the principles are the same: secure credentials, transparent counting, and a clear dispute resolution process.

Digital elections introduce powerful efficiencies, but they also raise new questions that election boards need to answer: How do we prevent someone from voting with another student's key? How do we investigate complaints? How do we prove the results are legitimate?

This guide answers all of those questions using real-world election procedures adapted for online voting. If you're new to online voting for schools, start with our general guide to online voting for schools first, then come back here for the operational security details.

Who This Guide Is For

Student COMELEC members (Philippines and beyond)
School election boards and commissions (global)
Student government advisors running formal elections
Campus administrators overseeing SGA elections

Setting Up Your Election Board's Workflow

A well-organized pre-election process is the foundation of a credible result. Here's the recommended workflow for school election boards using an online voting platform like TapVoter.

1. Collect the Official Voter Roll

Request the certified list of eligible voters from the registrar or student affairs office. This is your source of truth. Every voter key you generate will map to a name and school email on this list, which is what makes post-election investigation possible.

2. Import Voters via CSV

Prepare a CSV file with First Name, Last Name, and school email for each eligible voter. Import this into TapVoter's voter management system. Each voter automatically receives a unique 9-character voter key (e.g., A3K-9F2-X7B).

3. Send Voter Keys via Direct Email

Use TapVoter's voter key invitation email feature (Pro) to send each voter their key directly to their school email address. Never distribute voter keys via group chat, bulletin boards, or shared drives.

Direct email distribution is the digital equivalent of mailing ballots to registered addresses. It ensures only the intended voter receives their key.

4. Set Up Named Collab Links

Add your election board members as named collaborators (up to 5 per election). Each collab link is labeled with the person's name and role (e.g., “Maria — COMELEC Vice Chair”). The Activity Log records every action collaborators take — settings changes, voter key generation, election launch — with timestamps and names.

5. Appoint Election Observers

For high-stakes elections with physical voting stations, assign observers who will maintain sign-in ledgers. Brief them on the voter check-in procedure and receipt code logging process described below.

Distributing Voter Keys Securely

How you distribute voter keys determines the security ceiling of your entire election. Here's how the three most common distribution methods compare:

Group Chat

Keys can be screenshotted, forwarded, and copied. No chain of custody. Anyone in the group can see everyone's key.

Not recommended

Printed Handouts

Keys can be photographed or shared. Better than group chat, but still vulnerable to leakage once handed out.

Acceptable for low-stakes

Direct Email

Only the voter sees their key. The school controls the email domain. Compromise requires accessing someone else's email account — an institutional security issue, not an election issue.

Recommended

For formal school elections, always use direct voter key emails. For more on election security fundamentals, see our complete guide to election security.

Running the Election — Observers, Voting Windows, and Oversight

Physical Voting Station Setup

For high-stakes elections (student government president, university-wide votes), setting up a supervised voting station adds an extra layer of accountability:

1Designate a computer lab, library, or classroom as the voting station
2Use Daily Voting Windows to restrict voting to supervised hours (e.g., 8 AM – 5 PM)
3Voter enters the station → shows student ID → opens their voter key email → votes
4Voter shows receipt code to observer → observer logs name, time, and receipt code → voter leaves

Remote Voting

For lower-stakes elections (clubs, honor societies, advisory votes), voters can use their emailed key from any device without an observer present. Security relies on the email credential — suitable when the voter roll is small and trusted.

Collaborator Oversight

With named collab links, your election board members can co-manage the election from the command center. The Activity Log tracks every action they take — if a board member changes a setting or generates new voter keys, it's recorded with their name and a timestamp. Only the main election administrator can view the Activity Log and revoke collaborator access.

Handling Disputes — “I Didn't Vote”

The most common complaint election boards receive is a voter claiming someone else used their key. Here's the step-by-step procedure to investigate and resolve it:

Step 1: Verify the Claim

Check the Voters tab — does the voter's key show as “Voted”?
Export the Voter Keys CSV — check the “Voted At” timestamp. Does the time match a period when the voter claims they weren't present?
If “Require Names” is enabled, compare the entered name with the registered voter name

Step 2: Cross-Reference the Observer Ledger

Check the physical sign-in sheet for the voter's name and receipt code
If the name appears — someone impersonated them in person
If it doesn't — the key was used remotely (email compromise or key leakage)

Step 3: Void the Fraudulent Ballot

Open the Audit Center in the Export tab
Search by the receipt code from the observer's ledger
Void the ballot — it's excluded from results but preserved in the audit trail with a recorded void reason

Step 4: Issue a New Voter Key

Revoke the compromised key from the Voters tab
Generate a new key for the same voter and send it to their school email
The voter can now cast their legitimate ballot

This mirrors real-world provisional ballot processes. In manual elections, when a voter's name is already checked off, they file an affidavit and cast a provisional ballot that's counted after investigation. TapVoter's void-and-reissue workflow is the digital equivalent.

The Audit Trail — Proving Your Election Was Fair

After the election closes, your board needs to demonstrate that the process was fair. Here are the five pieces of evidence you can export and present to student affairs, a school board, or any oversight body:

1. Voter Keys CSV

Shows every key, who it was assigned to, status (Voted/Unused), Generated At, and Voted At timestamps. Proves which keys were used and when.

2. Audit Log CSV

Every ballot submitted, with receipt code, timestamp, and verification status. Voided ballots are marked clearly with void reason and timestamp.

3. Results CSV

Per-position, per-candidate vote totals that match what's shown on the results page.

4. Activity Log

Every action taken by election board collaborators, with names and timestamps. Proves the board itself acted properly. Visible in the Settings tab to the election owner.

5. Public Transparency Log

Visible to voters on the results page. Shows the election timeline, total ballots, voided count, and cryptographic verification (SHA-256 hashing) for tamper-evident records.

Together, these create a complete chain of evidence. For a deeper dive into audit trail mechanics, see our complete guide to election security.

Receipt Codes — What They Are and Why They Matter

Every voter receives a unique receipt code after casting their ballot. Understanding receipt codes is essential for election boards:

Receipt codes prove a ballot was cast — but they do not reveal what the voter chose
The Audit Center can look up any ballot by receipt code — showing it was counted (or voided)
Receipt codes link a voter's experience to the audit trail — without compromising ballot secrecy
By design, receipt codes cannot be traced back to a voter's identity in the system — the voter table and ballot table have no connecting identifier

Why TapVoter doesn't email receipt codes

Creating a server-side link between a voter's email and their receipt code would enable de-anonymization. The observer-ledger approach keeps the connection in human hands, not in the database. This preserves ballot secrecy while still allowing dispute resolution through the physical sign-in sheet.

Common Scenarios and How to Handle Them

Scenario: A voter says someone else used their key

Procedure: Check Voted At timestamp → cross-reference observer ledger → void fraudulent ballot via Audit Center → issue new voter key via direct email.

Scenario: An election board member makes unauthorized changes

Procedure: Check the Activity Log in Settings → identify the collaborator by name → revoke their collab link → undo changes if needed.

Scenario: A candidate's supporters claim the election was rigged

Procedure: Export all audit data (Results CSV, Audit Log, Voter Keys CSV) → present the transparency log showing the election timeline and total ballots → demonstrate that voided ballots are accounted for.

Scenario: More ballots cast than expected

Procedure: Compare total ballots vs. total voter keys issued. If ballots exceed keys issued, report a system issue to TapVoter. If ballots are within the key count but higher than expected, that's legitimate participation.

Scenario: A voter accidentally closes the browser during voting

Procedure: The voter key is only marked as used when the ballot is actually submitted — not when the page loads. If a voter closes the browser before submitting, their key remains unused and they can simply re-enter it to vote again. No COMELEC intervention is needed.

Checklist for Election Day

Before Voting Opens

Voter roll imported and verified (names + school emails)
Voter keys sent via direct email (not group chat)
Voting station observers briefed and sign-in ledgers prepared
Daily Voting Windows configured (if applicable)
Collaborator collab links created (named, with optional passcodes)
"Require Names" toggled on (recommended for formal elections)
Election scheduled with correct start/end times and timezone

During Voting

Observers logging voter names, times, and receipt codes
Monitor turnout via the Overview tab or Live Election Monitor
Watch for the stale data banner if multiple collaborators are active simultaneously

After Voting Closes

Export all data: Results CSV, Audit Log CSV, Voter Keys CSV
Review Activity Log for any unexpected collaborator actions
Address any disputes using the void-and-reissue procedure
Present results with transparency log link to the student body
Archive all exports for school records

Frequently Asked Questions

Can TapVoter tell me who voted for which candidate?

No. Voter identity and ballot choices are stored in completely separate database tables with no connecting identifier. Not even TapVoter's own administrators can link a voter to their ballot.

What if a voter loses their receipt code?

Receipt codes are shown once after voting and cannot be retrieved by the election administrator. The receipt page prompts voters to copy, email, or download their receipt as a PNG image. Voters should save their receipt code immediately before navigating away.

Can two election board members edit the election at the same time?

Yes. TapVoter detects concurrent edits and shows a warning banner when another collaborator saves changes. Conflicting saves are blocked with a prompt to refresh first, preventing silent overwrites.

Is there a limit on how many voters we can have?

Elections support up to 10,000 voter keys. For most school elections (even university-wide), this is more than sufficient.

How long is election data stored?

Free accounts: 90 days after the election closes. Pro subscribers: data is preserved indefinitely while subscribed. Export your data before the retention period expires.

Do voters need a TapVoter account?

No. Voters only need their unique voter key. No sign-up, no login, no app download — just open the link, enter the key, and vote.