Product Areas
Private Elections
Public Elections
Licensing

Reports
Reliability in Voting
Voting Requirements
Fail-Safe Voter Privacy
Contra Costa County
Ballot Survey
Witness Voting System
E-Government

Available by request:
US Public Elections
US Private Elections

Free Services
Information Center
The Bell Newsletter
Free Small Elections

Resources
Employment
Press

Legal Statement
Privacy Statement
 
 
 

About Our Technology Implementation

The framework for Safevote's technology is discussed in the paper From Voting to Internet Voting by Ed Gerck, published in The Bell, ISSN 1530-048X, May 2000 issue. The paper explains a number of ideas being applied in a system and contract with the California Secretary of State for an actual public shadow election in Contra Costa County in November 2000:

In order to make transactions secure, anonymous and verifiable according to those needs inherent to voting as noted above and contrasted to e-commerce, Safevote has developed a protocol called MP (Multi-Party) with several variants. With the MP protocol, Internet voting is based on the principle that every action needs both a trusted introducer and a trusted witness, creating a multifold of redundant links. An attacker has to cut or compromise a large number of links before the system fails, which allows the probability of failure to be modeled and then fine-tuned by defining the number and nature of the links according to a threat model adequate to each case at hand. This is important because when we are talking about an election or Internet voting in general, fraud cannot be handled in terms of statistical failure covered by insurance. We need a much higher level of assurances and they need to be fail-safe. The paradigm that the weakest link defines the security of a chain of events is not fail-safe and does not suffice for Internet voting.

The MP protocol also provides for a strong separation between identification and authentication -- allowing for built- in voter anonymity and vote secrecy. For example, instead of trusting different servers to hold different parts of the ballot information, which can however be easily reconnected by those persons that manage the servers, the MP protocol builds a mathematical "wall" that cannot be circumvented.

In short, when people think that something cannot be secure because there is always someone who can crack it, they are talking about the "weak link" paradigm. This is a very simple paradigm and is easy to understand. However, the paradigm that the weakest link defines the security of a chain of events is not fail-safe and does not suffice for Internet voting. The MP protocol, where voting is based on the principle that every action needs both a trusted introducer and a trusted witness, creates a multifold of redundant links. While it may be possible for an attacker to compromise one link at a given time, it is much harder to compromise two or more at the same time. The MP protocol adds redundancy, increases availability, enforces strict access rules, protects voter privacy, enables auditable ballots, provides single-point-control by the election officials, while shielding the election officials from the voter authorizations (Credential Creation, Distribution and Management) and ballot processing, reducing the probability of faults and potential partisan conflict of interest situations.

The "wall" that cannot be circumvented, built in critical places by the MP protocol and exemplified by the "Chinese wall" mentioned earlier by Dr. Gerck during the Brookings Institute symposium "The Future of Internet Voting", in Washington, D.C., is the basic difference between the needs of voting and the needs of e-commerce (often ignored even today).

The Contra Costa Report details how the MP protocol was actually applied by Safevote in November 2000. During that time, the California Secretary of State proposed a question, conceptually attacking the "wall" in case of an all-powerful court-order forcing everyone to disclose everything, which was answered by Safevote showing why voter privacy would still prevail with the MP.