The products ZSentry Ballot and Secure
Login Ballot are available for Public Elections. They meet or exceed all the usual requirements
for voting in the public sector.
Safevote also offers the Witness-Voting System (WVS), to allay concerns of internal fraud
in public elections. Without requiring paper and
paper costs, the WVS is able to prove to anyone that every vote counts. Paper and other
media can also be used.
The WVS verifies whether what the voter sees and confirms
on the screen is what is actually recorded and counted. The WVS provides any
desired number of independent records, which are readily available to be reviewed by
election officials, without ever linking voters to ballots.
The WVS can be securely
networked in a precinct, tethering a number of voter stations to a WVS
server cluster -- simplifying certification while reducing down time,
setup costs and setup time. The precinct voting stations do not have to be online
with the Internet for the voter to vote. The ballots cast by voters are encrypted and stored
locally, using a "store and forward" mechanism to send them to a set of
remote ballot boxes (i.e., secure servers on the Internet). Without an Internet connection,
the WVS works as an electronic voting system, and it can be operated in such mode exclusively.
Voters may also use the WVS with a ballot server accessible through the Internet, to
participate from home, work, anywhere, anytime.
Example: WVS and Public Election Network.
The figure above shows an example of Safevote's online voting
technology for public elections, using the WVS. Safevote creates a
Distributed Voting System (DVS) by means of Safevote's security protocol MP
(Multi-Party). With the MP protocol, voting is based on the principle
that every action needs both a trusted introducer and a trusted witness,
creating a multiplicity of links that add redundancy, increase availability,
enforce strict access rules, protect voter privacy, enable auditable ballots,
and provide single-point control by the Local Election Official (LEO),
while shielding the LEO from the voter authorizations (Credential
Creation, Distribution and Management) and ballot processing, reducing
the probability of faults and potential partisan conflict of interest.
How about protection against hackers? In addition to firewalls, a reverse-proxy configuration,
and intrusion detection systems, the core machines are connected to the Internet via an effectively unknown and
changing IP address, and in turn make connections to four
or more other machines in unknown locations, again with unpublished and changing IP addresses.
In a Safevote public attack test, conducted in 2000, attackers could
not find the servers even with hot-line help available. In Safevote's Public Election Network system, including
the servers used for online voting, even finding one server to attack becomes extremely difficult, if
Can the voter's computer be used for online voting? Some simple-minded arguments consider
the voter's computer to be an isolated, easy prey to hackers; hence, impossible to secure. This
is not the case for a voter's computer connected to Safevote's Public Election Network system -- the
Voter Station in the diagram above. The
voter's computer can be protected against hackers by actions taken by the Safevote server itself
(including firewall testing, malware and virus scan) directly at the voter's computer, by challenge-response
tests done by the Safevote server to detect acceptable behavior, including human response vs. automated
response, and by counter-measures required by the Safevote server to be implemented by the voter
(see articles in the FAQ "Privacy, Security" category, at the Support
Center) prior to voting.
How about voter privacy online? Election integrity? Voters are authenticated by their DVC™
(Digital Vote Certificate, see DVC articles in the FAQ "Election Products" category, at the Support Center)
that cannot be linked to the identity of the voters. The DVCs are sent to voters
without the LEO, who authorizes these DVCs to be issued, knowing which voter gets which DVC,
so that the LEO does not even have to be trusted not to record the correspondence between voters and
their DVCs. The LEO also does not have to be trusted not to create spare DVCs, i.e., to create more DVCs
than one per voter.
These properties are part of Safevote's design, which enforces key concepts in IT security,
including the principles of:
and every user of the system should operate using the least set of
privileges [providing access to resources and information] necessary
to complete the job." Saltzer and Schroeder, in The protection
of information in computer systems.
The idea behind the principle
is to grant just the least possible amount of privileges to permit a
legitimate action, in order to enhance protection of data and
functionality from faults and malicious behavior.
one of the most fundamental security principles. The practice of
need-to-know limits the damage that can be done by a trusted insider
who goes bad. Implementing the need-to-know principle builds a major barrier
against insider attacks.
In essence, the principle aims to
discourage "browsing" of sensitive material, thereby limiting access
(and potential damage) to the smallest possible number of people.
Separation Of Powers
between system administrator and security administrator provides an
example of separation of powers. Because an all-powerful attacker is hard
(or even impossible) to stop, the principle of separation of powers limits
the power of each module (user, machine or software) so that no module
in the system may perform all the functions.
In a Public-Key Cryptography system, for example,
messages may be digitally signed only with the private-key and
may be verified only with the public-key.
These principles are enforced with components including the "Privacy Wall",
the "Locality (Time and Place) Wall", and the "Audit Wall", shown in the illustration above.
The use of multiple control structures and independent channels of information considerably
increases the reliability and trustworthiness of Safevote's Internet and network voting systems,
as well as auditing, vote recounting and verifiability of the election. While it may be possible for
an attacker to compromise one channel of information at a given time, it is much harder to
compromise two or more at the same time.
Safevote stands ready to certify and conduct Internet and electronic voting in
Public Elections, where accepted. Where the certification of Safevote's system depends on legislation still being
discussed, Safevote is able to conduct Public Election Trials.
If you are interested in discussing a Public Election Trial, please Contact Us for a project evaluation. Public
Election Trials can help address security and usability concerns in
Internet voting for public elections, allowing open tests for
evaluation by all stakeholders.