Product Areas
Private Elections
Public Elections
Licensing

Reports
Reliability in Voting
Voting Requirements
Fail-Safe Voter Privacy
Contra Costa County
Ballot Survey
Witness Voting System
E-Government

Available by request:
US Public Elections
US Private Elections

Free Services
The Bell Newsletter
Free Small Elections

Resources
Employment
Press

Legal Statement
Privacy Statement
 
 
 

Private Elections

Public Elections

The products ZMAIL Ballot and Secure Login Ballot are available for Public Elections. They meet or exceed all the usual requirements for voting in the public sector.

Safevote also offers the Witness-Voting System (WVS), to allay concerns of internal fraud in public elections. Without requiring paper and paper costs, the WVS is able to prove to anyone that every vote counts. Paper and other media can also be used.

The WVS verifies whether what the voter sees and confirms on the screen is what is actually recorded and counted. The WVS provides any desired number of independent records, which are readily available to be reviewed by election officials, without ever linking voters to ballots.

The WVS can be securely networked in a precinct, tethering a number of voter stations to a WVS server cluster -- simplifying certification while reducing down time, setup costs and setup time. The precinct voting stations do not have to be online with the Internet for the voter to vote. The ballots cast by voters are encrypted and stored locally, using a "store and forward" mechanism to send them to a set of remote ballot boxes (i.e.,secure servers on the Internet). Without an Internet connection, the WVS works as an electronic voting system, and it can be operated in such mode exclusively. Voters may also use the WVS with a ballot server accessible through the Internet, to participate from home, work, anywhere, anytime.

Example: WVS and Public Election Network.

The figure above shows an example of Safevote's online voting technology for public elections, using the WVS. Safevote creates a Distributed Voting System (DVS) by means of Safevote's security protocol MP (Multi-Party). With the MP protocol, voting is based on the principle that every action needs both a trusted introducer and a trusted witness, creating a multifold of redundant links that add redundancy, increase availability, enforce strict access rules, protect voter privacy, enable auditable ballots, provide single-point-control by the Local Election Official (LEO), while shielding the LEO from the voter authorizations (Credential Creation, Distribution and Management) and ballot processing, reducing the probability of faults and potential partisan conflict of interest situations.

How about protection against hackers? In addition to firewalls, a reverse-proxy configuration, and intrusion detection systems, the core machines are connected via an effectively unknown and changing IP address to the Internet, and then in turn making connections to four, or more, other machines in unknown locations, again with unpublished and changing IP addresses. In a Safevote public attack test, conducted in 2000, attackers could not find the servers even with a hot-line help available. In Safevote's Public Election Network system, including the servers used for online voting, even finding one server to attack becomes extremely difficult, if not impossible.

Can the voter's computer be used for online voting? Some simple-minded arguments consider the voter's computer to be an isolated, easy prey to hackers; hence, impossible to secure. This is not the case for a voter's computer connected to Safevote's Public Election Network system -- the Voter Station in the diagram above. The voter's computer can be protected against hackers by actions taken by the Safevote server itself (including firewall testing, malware and virus scan) directly at the voter's computer, by challenge-response tests done by the Safevote server to detect acceptable behavior, including human response vs. automated response, and by counter-measures required by the Safevote server to be implemented by the voter (see articles in the FAQ "Privacy, Security" category, at the Support Center) prior to voting.

How about voter privacy online? Election integrity? Voters are authenticated by their DVC™ (Digital Vote Certificate, see DVC articles in the FAQ "Election Products" category, at the Support Center) that cannot be linked to the identity of the voters. The DVCs are sent to voters without the LEO authorizing these DVCs to be issued knowing which voter gets which DVC, so that the LEO does not even have to be trusted not to record the correspondence between voters and their DVCs. The LEO also does not have to be trusted not to create spare DVCs, i.e., to create more DVCs than one per voter.

These properties are part of Safevote's design, which enforces key concepts in IT security, including the principles of:

Least Privilege

"Every program and every user of the system should operate using the least set of privileges [providing access to resources and information] necessary to complete the job." Saltzer and Schroeder, in The protection of information in computer systems.

The idea behind the principle is to grant just the least possible amount of privileges to permit a legitimate action, in order to enhance protection of data and functionality from faults and malicious behavior.

Need-To-Know

Need-to-know is one of the most fundamental security principles. The practice of need-to-know limits the damage that can be done by a trusted insider who goes bad. Implementing the need-to-know principle builds a major barrier against insider attacks.

In essence, the principle aims to discourage "browsing" of sensitive material, thereby limiting access (and potential damage) to the smallest possible number of people.

Separation Of Powers

The differentiation between system administrator and security administrator provides an example of separation of powers. Because an all-powerful attacker is hard (or even impossible) to stop, the principle of separation of powers limits the power of each module (user, machine or software) so that no module in the system may perform all the functions.

In a Public-Key Cryptography, system for example, messages may be digitally signed only with the private-key and may be verified only with the public-key.

These principles are enforced with components including the "Privacy Wall", the "Locality (Time and Place) Wall", and the "Audit Wall", shown in the illustration above.

The use of multiple control structures and independent channels of information considerably increases the reliability and trustworthiness of Safevote's Internet and network voting systems, as well as auditing, vote recounting and verifiability of the election. While it may be possible for an attacker to compromise one channel of information at a given time, it is much harder to compromise two or more at the same time.

Please read more about the WVS and the assurances it provides to voters and election officials.

Safevote stands ready to certify and conduct Internet and electronic voting in Public Elections, where accepted. Where the certification of Safevote's system depends on legislation still being discussed, Safevote is able to conduct Public Election Trials.

Trials

If you are interested in discussing a Public Election Trial, please Contact Us for a project evaluation. Public Election Trials can help address security and usability concerns in Internet voting for public elections, allowing open tests for evaluation by all stakeholders.

About Our Technology