Participatory Privacy is the idea that we can run a genuinely stratified Citizen Assemblies process while protecting participants from intrusive, identity-extractive questioning.
Instead of asking people to declare sensitive attributes in plain text, we can use Self-Sovereign Identity (SSI) with Verifiable Claims and Zero-Knowledge Proofs (ZKPs) to prove eligibility and demographic fit without exposing the underlying personal data.
A stratified citizen assembly needs a target composition, such as age bands, region, socio-economic indicators, disability status, or other demographic criteria. The traditional way to do this is to ask participants to self-report, store the answers centrally, and then manually balance the group.
This is expensive, error-prone, and socially awkward, especially for attributes that feel intimate or politically charged. It also creates a data-hoarding risk, because once the organiser has the raw data, the organisation becomes a target for leaks, subpoenas, harassment, or mission creep.
With SSI, a participant can hold credentials on their own phone that attest to certain attributes, issued by trusted issuers. These attributes can be sensitive, but they do not need to be revealed as raw values. Using ZKPs, the participant can produce proofs such as “I fall within age band 30–39,” “I am eligible in this region,” or “I satisfy the assembly’s inclusion criteria,” without disclosing their exact birthdate, address, or any more detail than is required. This replaces personal confession with a checkable proof.
The key trick for stratification is that the assembly does not need to know who someone is, or even precisely what they are, in order to place them fairly. The system only needs to know whether adding this person would push the group over a boundary. A participant can submit a proof that they belong to a demographic category, and the selection system can accept or reject them based on current counts, without learning the underlying sensitive attribute. This enables cost-effective privacy-preserving Stratified Sortition that scales beyond small pilot projects.
# Workflow
A practical workflow is that the assembly maintains a public target profile and a live set of category counts. Each applicant presents a bundle of minimal proofs from their phone, one per relevant attribute. The selection mechanism checks the proofs, checks that the person is unique and eligible, and then decides whether the group can accept them without exceeding demographic caps. The participant learns “accepted” or “not accepted,” but the organisers never receive a database of sexual identity, health status, or other intimate labels. The system can still publish an audit trail that the rules were followed, without publishing the people.
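The counting mechanism described above (accept or reject a proof of category membership against live caps, check uniqueness, keep an audit trail without identities) is shown below as an added, constructed example; it is not code from the original page or from any existing assembly platform. It simplifies the zero-knowledge step: a stand-in issuer signs the band predicate and an assembly-scoped pseudonym directly with an HMAC so the example runs offline, whereas a real SSI deployment would have the holder derive that predicate proof from a general credential (for example with a selective-disclosure scheme such as BBS+) and the issuer would use an asymmetric signing key. `ASSEMBLY_ID`, `ISSUER_KEY`, the band mapping and the applicants are all constructed values.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed demo values (assumption: real deployments use an asymmetric
# issuer key and a ZKP / selective-disclosure credential scheme instead).
ASSEMBLY_ID = "assembly-demo-2025"
ISSUER_KEY = b"constructed-issuer-key-not-for-production"


def age_band(birth_year: int, this_year: int = 2025) -> str:
    """Example predicate: coarse ten-year band derived from an exact birth year."""
    lo = ((this_year - birth_year) // 10) * 10
    return f"{lo}-{lo + 9}"


def pseudonym(holder_secret: bytes) -> str:
    """Assembly-scoped pseudonym: stable for one holder within this assembly,
    unlinkable across assemblies, carries no identity; used only for uniqueness."""
    return hashlib.sha256(holder_secret + ASSEMBLY_ID.encode()).hexdigest()[:16]


def issue_predicate_claim(holder_secret: bytes, attribute: str, band: str) -> dict:
    """Stand-in issuer: attests only the band, never the raw value."""
    body = {"assembly": ASSEMBLY_ID, "pseud": pseudonym(holder_secret),
            "attr": attribute, "band": band}
    msg = json.dumps(body, sort_keys=True).encode()
    return {"claim": body, "sig": hmac.new(ISSUER_KEY, msg, "sha256").hexdigest()}


def verify_claim(proof: dict) -> bool:
    """Verifier checks the issuer's signature and that the claim is scoped to this assembly."""
    msg = json.dumps(proof["claim"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, proof["sig"]) and proof["claim"]["assembly"] == ASSEMBLY_ID


class SelectionService:
    """Sees only (attribute, band, pseudonym) plus a proof; never a raw attribute."""

    def __init__(self, caps: dict):
        self.caps = caps                                   # public target profile: attr -> band -> seats
        self.counts = {attr: Counter() for attr in caps}  # live category counts
        self.seen = set()                                  # pseudonyms already decided
        self.audit = []                                    # hash-chained decision log, no identities
        self._prev = "0" * 64

    def _log(self, decision: str, reason: str) -> None:
        entry = {"seq": len(self.audit), "decision": decision, "reason": reason,
                 "counts": {a: dict(c) for a, c in self.counts.items()}, "prev": self._prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev = entry["hash"]
        self.audit.append(entry)

    def apply(self, bundle: list) -> tuple:
        if not bundle or not all(verify_claim(p) for p in bundle):
            return ("not accepted", "invalid proof")      # unverifiable input is not logged
        pseuds = {p["claim"]["pseud"] for p in bundle}
        bands = {p["claim"]["attr"]: p["claim"]["band"] for p in bundle}
        if len(pseuds) != 1:
            return ("not accepted", "bundle mixes holders")
        if set(bands) != set(self.caps):
            return ("not accepted", "bundle does not cover all strata")
        pseud = pseuds.pop()
        if pseud in self.seen:
            return ("not accepted", "duplicate application")
        self.seen.add(pseud)
        # Check every cap before committing any count: admission is all-or-nothing.
        for attr, band in bands.items():
            if self.counts[attr][band] >= self.caps[attr].get(band, 0):
                self._log("not accepted", f"cap reached for {attr}")
                return ("not accepted", f"cap reached for {attr}")
        for attr, band in bands.items():
            self.counts[attr][band] += 1
        self._log("accepted", "within caps")
        return ("accepted", "within caps")


def verify_audit(audit: list, caps: dict) -> bool:
    """Anyone can replay the log: chain intact and no count ever exceeds its cap."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or entry["hash"] != digest:
            return False
        if any(n > caps[a].get(b, 0) for a, c in entry["counts"].items() for b, n in c.items()):
            return False
        prev = entry["hash"]
    return True


def demo() -> dict:
    caps = {"age": {"20-29": 1, "30-39": 1}, "region": {"north": 2, "south": 1}}
    svc = SelectionService(caps)
    # Constructed applicants; the raw birth year exists only on the holder/issuer side.
    applicants = [(b"alice-secret", 1990, "north"), (b"bob-secret", 1995, "north"),
                  (b"carol-secret", 2000, "south"), (b"alice-secret", 1990, "north")]
    results = []
    for secret, birth_year, region in applicants:
        bundle = [issue_predicate_claim(secret, "age", age_band(birth_year)),
                  issue_predicate_claim(secret, "region", region)]
        results.append(svc.apply(bundle)[0])
    return {"results": results, "counts": {a: dict(c) for a, c in svc.counts.items()},
            "audit_ok": verify_audit(svc.audit, caps)}
```

Two design points matter for the privacy claim. Caps are checked across the whole bundle before any count is committed, so a rejected applicant never shifts a count and the organiser cannot probe the caps one attribute at a time. The audit log records decisions and count snapshots rather than pseudonyms, but successive snapshots still reveal each admitted person's band combination, so where strata are small the per-decision log should stay access-controlled and only aggregate counts be published.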
Participatory Privacy is not about hiding diversity. It is about making participation safe, dignified, and normal. It removes the ritual humiliation of having to declare sensitive identity categories to strangers in order to be “counted,” while still allowing the assembly to meet fairness goals.
It also reduces corruption risk by making the selection rules verifiable and auditable, while reducing the incentive and ability to collect and weaponise personal data.
# See