Safevote, Inc. (TM)
The Leader in Voting Technology

Product Areas
Private Elections
Public Elections

Reliability in Voting
Voting Requirements
Fail-Safe Voter Privacy
Contra Costa County
Ballot Survey
Witness Voting System

Available by request:
US Public Elections
US Private Elections

Free Services
The Bell Newsletter
Free Small Elections


Legal Statement
Privacy Statement

This page shares the progress achieved by Team Safevote since 1999, as well as reported in other work worldwide, in areas of Internet security, privacy, cryptography, voting protocols, electronic and online elections. Team Safevote is led by Ed Gerck, Ph.D., Chief Scientist and CEO.


In 2000, Gerck proposed a novel scientific vision and mathematical theory of voting in "real-world" scenarios (i.e., including faults and attacks) as a "non-classical" communication process, albeit deterministic in principle. This mathematical theory of voting was further discussed and expanded in the various works cited here. Safevote has been implementing the mathematical theory of voting since 1999, with paper ballot voting as well as with precinct-based electronic voting (paperless and with paper ballots), and online voting, in the US and worldwide.

The theory is technologically neutral and can be applied to paper, electronic and network (Internet) voting. The theory is also optimal in the sense that it defines the voting results in terms of a measurement process with an error (e.g., caused by faults and attacks) that can be reduced to a number as close to zero as desired, and can be mathematically shown to lead to accurate, reliable, and trustworthy results without eliminating the secret ballot or exposing how a particular individual voted. The theory also applies to other areas, such as collaborative decision-making (social networks) and resource allocation, with or without using private communication sources (in voting terms, a secret ballot).


Science and Technology

  • 1. The Witness-Voting System, by Ed Gerck, invited opening chapter in "Towards Trustworthy Elections, New Directions in Electronic Voting", published by Springer Verlag. Chaum, David, et. al. (Ed.), (c) 2010, pages 1-36. ISBN-10: 1-4020-7301-1.

    Voting is a challenging problem, a problem that even school children can understand but that is made harder to solve than conventional cyber-security and ecommerce by requirements for public verifiability and ballot secrecy.

    We present a comprehensive theory of voting, viewed for the first time as a non-classical communication process, even though the results are expected to be deterministic. We consider both passive and active attacks and, for additional fairness assurances, further requirements including that the system must work as desired without insight or ingenuity (i.e., without relying on human input) while it must be fully auditable by a diversity of machines and humans.

    Among the many novel and strong results gained from our approach, we show how any type of voting can be as secure as desired while assuring that ballots and voters are unlinkable. The secret ballot is, therefore, not the reason for the failures that we observe in all actual voting systems, so far.

    In fact, when ballots and voters are unlinkable, voters can be both strongly anonymous ballot-wise and strongly identified as eligible voters.

    Further, in implementation terms, we show that paper-based voting faces unfavorable scaling with increasing number of voters, while paperless electronic voting and networked voting (networked machines, not necessarily using the Internet) are easier to secure in large scale. The latter being easier to secure than voting with isolated machines.

    And, contrary to ecommerce technology and what is currently feared with Internet voting, voters do not need to give up the right to vote anonymously in order to prevent voter fraud.

    Book reference and Purchase » | Request chapter reprint (subject to review) »
  • 2. Private, Secure And Auditable Internet Voting, a comprehensive, technical chapter authored by Ed Gerck, in the book "Secure Electronic Voting", published by Kluwer/Spring. Gritzalis, Dimitris (Ed.), (c) 2003, pages 165-179. ISBN-10: 1-4020-7301-1.

    In electronic voting, some advocate printing a paper copy of the ballot, which the voter can see and verify that it is identical to the ballot she intended to cast, and then sending the paper copy to ballot box A while an electronic copy of that same ballot is sent to ballot box B. Such a suggestion is oftentimes advanced as the sine qua non solution to voting reliability in electronic voting.

    However, this suggestion is ineffective because in the event of two conflicting outputs from each trusted system, the decision of which one "is correct" must be made outside the system and a priori. It also presents opportunities for fraud (e.g.,someone can change and/or delete some paper ballots after the election in order to cast doubt on the integrity of the entire election) and attacks (e.g., a group of voters might agree beforehand to call out a "discrepancy" after they vote and thereby disrupt an election, which is similar to a "denial of service" attack online).

    In our Information Theory model, what makes the introduction of a paper ballot special is not the fact that it is paper instead of bits. It is the fact that the voter is actually casting his vote twice.

    Starting from this observation, the paper presents the Distributed Voting System (DVS), as a safe Internet voting system using mesh networks to implement a distributed voting protocol offering, at the same time, privacy, security and auditing, with receipt-freeness and universal verifiability. A demo is available at, developed using open source software. A version suitable for public elections has been developed in Java. The DVS can scale to any number of voters; it has been successfully used in Internet elections with 300,000 registered voters and 92,000 participating voters.
    Book reference and Purchase » | Request chapter reprint (subject to review) »
  • 3. The Business of Electronic Voting panel with Ed Gerck, C. Andrew Neff, Ronald L. Rivest, Aviel D. Rubin, and Moti Yung, p.243-268, Paul F. Syverson (Ed.): Financial Cryptography, 5th International Conference, FC 2001, Grand Cayman, British West Indies, February 19-22, 2002, Proceedings, Lecture Notes in Computer Science 2339 Springer 2002, ISBN 3-540-44079-8.

    In section 5, Ed Gerck presents a set of voting system requirements that are consistent, technologically neutral, can be applied to paper, electronic and network (Internet) voting, and exceed the current requirements for paper-based ballots and electronic voting DRE (Direct Recording Electronic) machines. The requirements are based on the principles of "Information Theory" and of "trust as qualified reliance on information." The principles favoring multiple, independent channels of information over one purportedly "strong" channel. However, adding multiple channels can also decrease reliance if the design principles laid out in these requirements are not followed.

    These Requirements are general principles, valid for any implementation of a "ballot", whether as print marks on paper, pits on a CD-ROM surface, electrons hitting a video screen (electronic ballot), modulated electromagnetic waves, bits in a network protocol or any other form of information transfer to and from the voter (i.e., even without a physical ballot). They also apply to any form of voting, including majority voting and single transferable votes. The Requirements were designed to be independent from one another, and as complete as possible without sacrificing consistency.
    Book reference and Purchase » | Request chapter reprint (subject to review) »
  • 4. Assuring Trust, Privacy and Integrity for Internet Voting, an invited seminar by Ed Gerck, UN International Conference on E-Government for Development, Palermo, Italy, 2002.

    If we can use the Internet to buy software, for online shopping, online banking, to trade stock, for proxy voting in the private sector, for Income Tax returns...Why can't we use it for public elections?

    Public elections are unlike any other type of transactions. Internet voting is not the same as filling-out online forms. Public elections need: secret votes, anonymous votes, to be correct, to be verifiable, to be honest, to be accessible. This is not like: accounting, bank transactions, e-commerce, or other e-government transactions. Voters must not be linkable to votes, and vice-versa. THEN, HOW CAN INTEGRITY BE GUARANTEED?

    We discuss a provable solution with a distributed voting protocol offering, at the same time, privacy, security and auditing, with receipt-freeness and universal verifiability.
    Assuring Trust, Privacy and Integrity for Internet Voting(Seminar slides)» [PDF]
  • 5. The Witness-Voting System (WVS), seminar by Ed Gerck, presented at the Workshop on Trustworthy Elections (WOTE '01), chaired by D. Chaum and R. Rivest, Tomales Bay, California, Aug 27-30, 2001.

    The Witness Voting System is presented for the first time, as a provable, reliable solution for voter-verified electronic voting (DRE), providing integrity and anonymity proofs, and does not require paper ballots. The WVS is able to prove to anyone that every vote counts. Paper and other media can also be used, if desired. The WVS verifies whether what the voter sees and confirms on the screen is what is actually recorded and counted. The WVS provides any desired number of independent records, which are readily available to be reviewed by election officials, without ever linking voters to ballots.

    The WVS is exemplified in various designs, including designs with optical and/or electronic and/or network elements, implementing a distributed voting protocol offering, at the same time, privacy, security and auditing, with receipt-freeness and universal verifiability.
    Witness Voting System (Seminar slides) » [PDF]
  • 6.Voting Systems From Art To Science, seminar by Ed Gerck, presented at the CalTech-MIT Voting Technology Conference 2001 (March 29-31, 2001), Pasadena, Calif.

    This work applies to elections in general and was born out of the desire to create products that would allow modern computer-based technology to truly emulate the secure desirable properties valued in centuries of public voting. In other words, can we use a perfect clerk in elections — one who works obediently with paper and pencil, for as long as is necessary, but without insight or ingenuity?

    That would be a computer, of course, but we also needed a general theory of voting that could take into account both the benefits and shortcomings of using computers as the key element in a voting process. That led us to consider voting as an information transfer process going from the voter (the vote choice) to the ballot box.

    The fundamental problem of voting is stated for the first time and formulated in terms of Shannon's Information Theory. This work then introduces a general model of voting that applies to any voting technology, now and in the future. The method of also printing a paper ballot, used with some DREs to hopefully help prevent fraud and errors, is shown to be indeterminate and open to unmitigated fraud in the paper record itself.

    This work further describes a solution, in terms of Shannon's Information Theory, providing any desired number of independent records, which are readily available to be reviewed by observers, without ever linking voters to ballots.

    This work describes the foundation of Safevote's technology, including the Witness Voting System, detailed elsewhere.
    Voting Systems From Art To Science [PDF]
    Voting Systems From Art To Science (original slides at Caltech/MIT)
  • 7. Contra Costa County Election Report. Final report presented to the California Secretary of State. The Contra Costa Internet Voting Test was performed by Safevote under contract with the California Secretary of State, from October 30th to November 3rd, 2000.
    Contra Costa County Election Report » [PDF]
    Contra Costa County Election Report »
  • 8. E-voting is Not E-commerce, public comment by Ed Gerck, Brookings Institute Symposium "The Future of Internet Voting", January 2000, Washington, D.C.

    According to the mathematical theory of voting proposed by Gerck, published elsewhere, voter anonymity is not enough in voting. A stronger condition, called unlinkability is needed for voting -- and this was first publicly explained by Ed Gerck in the 2000 Brookings Institute Symposium, and then heartily accepted by the panelists and participants.

    Contradicting the panel's opinion until that point, Gerck also commented that voter privacy and election integrity cannot be assured simply by using encryption (SSL) and other security strategies that are successful in e-commerce; in plain terms, the lessons from dot-com that were mentioned before in the symposium do not carry over to voting because of fundamental differences. These differences were explained by Gerck and the quote is available from a Brookings transcript of the Symposium, inlined in the section About Our Technology »
Papers, Reports, Books and Slides

DISCLAIMER: This page and site does not intend to cover all the details of the technologies reported, or all the variants thereof. Its coverage is limited to provide support and references to the work in progress by Safevote, and to unify references, concepts and terminology. No political or country-oriented criticism is to be construed from this site and page, which respects all the apparently divergent efforts found today on the subjects treated. Individuals or organizations are cited as part of the fact-finding work needed for this site and their citation constitutes neither a favorable nor an unfavorable recomendation or endorsement.

COPYRIGHT: Materials in this site and page are copyrighted by their owners. This site page is Safevote Copyright. Permission to copy and publish any material herein is regulated by their respective copyright holders. Materials that are copyrighted by Ed Gerck and Safevote may be copied and published by third parties provided that the source and author are clearly cited. We may be able to provide reprints in PDF for private use at no charge for articles authored by Ed Gerck.

Safevote titles and product names are trademarks of Safevote, Inc. as described in our Legal Statement.