This page shares the progress
achieved by Team Safevote since 1999, as well as reported in other work worldwide, in areas of Internet security, privacy, cryptography, voting protocols, electronic and online elections.
Team Safevote is led by Ed Gerck, Ph.D., Chief Scientist and CEO.
In 2000, Gerck proposed a novel scientific vision and mathematical theory of voting in "real-world"
scenarios (i.e., including faults and attacks) as a "non-classical" communication
process, albeit deterministic in principle. This mathematical theory of voting was further discussed and
expanded in the various works cited here. Safevote has been implementing the mathematical
theory of voting since 1999, with paper ballot voting as well as with precinct-based electronic
voting (paperless and with paper ballots), and online voting, in the US and worldwide.
The theory is technologically neutral and can be applied to paper, electronic and network (Internet)
voting. The theory is also optimal in the sense that it defines the voting
results in terms of a measurement process with an error (e.g., caused by faults and attacks)
that can be reduced to a number as close to zero as desired, and can be mathematically shown
to lead to accurate, reliable, and trustworthy results without eliminating the secret ballot or
exposing how a particular individual voted. The theory also applies to other areas, such as
collaborative decision-making (social networks) and resource allocation, with or without using
private communication sources (in voting terms, a secret ballot).
NOTICES: DISCLAIMER» | COPYRIGHT»
Science and Technology
Papers, Reports, Books and Slides
- 1. The Witness-Voting System, by Ed Gerck, invited
opening chapter in "Towards Trustworthy Elections, New Directions in Electronic Voting",
published by Springer Verlag. Chaum, David, et. al. (Ed.), (c) 2010, pages 1-36. ISBN-10:
Voting is a challenging problem, a problem that even school
children can understand but that is made harder to solve than conventional cyber-security and ecommerce
by requirements for public verifiability and ballot secrecy.
We present a comprehensive
theory of voting, viewed for the first time as a non-classical communication process,
even though the results are expected to be deterministic. We consider both passive and active
attacks and, for additional fairness assurances, further requirements including that the system
must work as desired without insight or ingenuity (i.e., without relying on human input) while
it must be fully auditable by a diversity of machines and humans.
Among the many novel
and strong results gained from our approach, we show how any type of voting can be as secure as
desired while assuring that ballots and voters are unlinkable. The secret ballot is, therefore,
not the reason for the failures that we observe in all actual voting systems, so far.
In fact, when ballots and voters are unlinkable, voters can be both strongly
anonymous ballot-wise and strongly identified as eligible voters.
Further, in implementation terms, we show that paper-based voting faces unfavorable scaling
with increasing number of voters, while paperless electronic voting and networked voting
(networked machines, not necessarily using the Internet) are easier to secure in large scale.
The latter being easier to secure than voting with isolated machines.
And, contrary to ecommerce technology and what is currently feared with Internet voting, voters do not need to give up the right to
vote anonymously in order to prevent voter fraud.
Book reference and Purchase
» | Request chapter reprint (subject to review) »
Private, Secure And Auditable Internet Voting, a comprehensive, technical chapter authored
by Ed Gerck, in the book "Secure Electronic Voting", published by Kluwer/Spring. Gritzalis,
Dimitris (Ed.), (c) 2003, pages 165-179. ISBN-10: 1-4020-7301-1.
In electronic voting,
some advocate printing a paper copy of the ballot, which the voter can see and verify that it
is identical to the ballot she intended to cast, and then sending the paper copy to ballot box
A while an electronic copy of that same ballot is sent to ballot box B. Such a suggestion is
oftentimes advanced as the sine qua non solution to voting reliability in electronic
However, this suggestion is ineffective because in the event of two conflicting
outputs from each trusted system, the decision of which one "is correct" must be made outside
the system and a priori. It also presents opportunities for fraud (e.g.,someone can
change and/or delete some paper ballots after the election in order to cast doubt on the
integrity of the entire election) and attacks (e.g., a group of voters might agree beforehand
to call out a "discrepancy" after they vote and thereby disrupt an election, which is similar
to a "denial of service" attack online).
In our Information Theory model, what makes
the introduction of a paper ballot special is not the fact that it is paper instead of bits. It
is the fact that the voter is actually casting his vote twice.
Starting from this
observation, the paper presents the Distributed Voting System (DVS), as a safe Internet voting
system using mesh networks to implement a distributed voting protocol offering, at the same
time, privacy, security and auditing, with receipt-freeness and universal verifiability. A demo
is available at MySafevote.com, developed using open source software. A version suitable for
public elections has been developed in Java. The DVS can scale to any number of voters; it has
been successfully used in Internet elections with 300,000 registered voters and 92,000
Book reference and Purchase » | Request chapter
reprint (subject to review) »
- 3. The
Business of Electronic Voting panel with Ed Gerck, C. Andrew Neff, Ronald L. Rivest, Aviel
D. Rubin, and Moti Yung, p.243-268, Paul F. Syverson (Ed.): Financial Cryptography, 5th
International Conference, FC 2001, Grand Cayman, British West Indies, February 19-22, 2002,
Proceedings, Lecture Notes in Computer Science 2339 Springer 2002, ISBN 3-540-44079-8.
In section 5, Ed Gerck presents a set of voting system requirements that are consistent,
technologically neutral, can be applied to paper, electronic and network (Internet) voting, and
exceed the current requirements for paper-based ballots and electronic voting DRE (Direct
Recording Electronic) machines. The requirements are based on the principles of "Information
Theory" and of "trust as qualified reliance on information." The principles favoring multiple,
independent channels of information over one purportedly "strong" channel. However, adding
multiple channels can also decrease reliance if the design principles laid out in these
requirements are not followed.
These Requirements are general principles, valid for any
implementation of a "ballot", whether as print marks on paper, pits on a CD-ROM surface,
electrons hitting a video screen (electronic ballot), modulated electromagnetic waves, bits in
a network protocol or any other form of information transfer to and from the voter (i.e., even
without a physical ballot). They also apply to any form of voting, including majority voting
and single transferable votes. The Requirements were designed to be independent from one
another, and as complete as possible without sacrificing consistency.
Book reference and
Purchase » | Request chapter reprint (subject to review)
Assuring Trust, Privacy and Integrity for Internet Voting, an invited seminar by Ed
Gerck, UN International Conference on E-Government for Development, Palermo, Italy, 2002.
If we can use the Internet to buy software, for online shopping, online banking, to trade
stock, for proxy voting in the private sector, for Income Tax returns...Why can't we use it for
Public elections are unlike any other type of transactions. Internet
voting is not the same as filling-out online forms. Public elections need: secret votes,
anonymous votes, to be correct, to be verifiable, to be honest, to be accessible. This is not
like: accounting, bank transactions, e-commerce, or other e-government transactions. Voters
must not be linkable to votes, and vice-versa. THEN, HOW CAN INTEGRITY BE GUARANTEED?
discuss a provable solution with a distributed voting protocol offering, at the same time,
privacy, security and auditing, with receipt-freeness and universal verifiability.
Assuring Trust, Privacy and Integrity for Internet
Voting(Seminar slides)» [PDF]
- 5. The
Witness-Voting System (WVS), seminar by Ed Gerck, presented at the Workshop on
Trustworthy Elections (WOTE '01), chaired by D. Chaum and R. Rivest, Tomales Bay,
California, Aug 27-30, 2001.
The Witness Voting System is presented for the
first time, as a provable, reliable solution for voter-verified electronic voting (DRE),
providing integrity and anonymity proofs, and does not require paper ballots. The WVS is
able to prove to anyone that every vote counts. Paper and other media can also be used,
if desired. The WVS verifies whether what the voter sees and confirms on the screen is
what is actually recorded and counted. The WVS provides any desired number of
independent records, which are readily available to be reviewed by election officials,
without ever linking voters to ballots.
The WVS is exemplified in various
designs, including designs with optical and/or electronic and/or network elements,
implementing a distributed voting protocol offering, at the same time, privacy, security
and auditing, with receipt-freeness and universal verifiability.
Witness Voting System (Seminar slides) »
- 6.Voting Systems From Art To Science, seminar by Ed
Gerck, presented at the CalTech-MIT Voting Technology Conference 2001 (March 29-31,
2001), Pasadena, Calif.
This work applies to elections in general and was born out of the desire
to create products that would allow modern computer-based technology to truly emulate the
secure desirable properties valued in centuries of public voting. In other words, can we use a
perfect clerk in elections — one who works obediently with paper and pencil, for as long
as is necessary, but without insight or ingenuity?
That would be a computer, of course,
but we also needed a general theory of voting that could take into account both the benefits and
shortcomings of using computers as the key element in a voting process. That led us to consider
voting as an information transfer process going from the voter (the vote choice) to the ballot box.
The fundamental problem of voting is stated for the
first time and formulated in terms of Shannon's Information Theory. This work then introduces
a general model of voting that applies to any voting technology, now and in the future.
The method of also printing a paper ballot, used with some DREs to hopefully help prevent fraud
and errors, is shown to be indeterminate and open to unmitigated fraud in the paper
This work further describes a solution, in terms of Shannon's
Information Theory, providing any desired number of independent records, which are
readily available to be reviewed by observers, without ever linking voters to ballots.
This work describes the foundation of Safevote's technology, including the Witness
Voting System, detailed elsewhere.
Voting Systems From Art To Science [PDF]
From Art To Science (original slides at Caltech/MIT)
- 7. Contra Costa
County Election Report. Final report presented to the California Secretary of
State. The Contra Costa Internet Voting Test was performed by Safevote under contract
with the California Secretary of State, from October 30th to November 3rd, 2000.
Contra Costa County
Election Report » [PDF]
Contra Costa County
Election Report »
- 8. E-voting is Not E-commerce, public comment
by Ed Gerck, Brookings Institute Symposium "The Future of Internet Voting", January
2000, Washington, D.C.
According to the mathematical theory of voting proposed
by Gerck, published elsewhere, voter anonymity is not enough in voting. A stronger
condition, called unlinkability is needed for voting -- and this was first publicly
explained by Ed Gerck in the 2000 Brookings Institute Symposium, and then heartily accepted
by the panelists and participants.
Contradicting the panel's opinion until that point,
Gerck also commented that voter privacy and election integrity cannot be assured simply by
using encryption (SSL) and other security strategies that are successful in e-commerce;
in plain terms, the lessons from dot-com that were mentioned before in the symposium do
not carry over to voting because of fundamental differences. These differences were
explained by Gerck and the quote is available from a Brookings transcript of the Symposium,
inlined in the section About Our Technology »
- The Bell
Newsletter on Privacy, Security and Technology in Internet Voting.
Ten-issue archive, from May 2000 to February 2001.
System Requirements (IVTA) This proposal contains strict voting
standards, with a set of 16 requirements that support fail-safe
privacy, verifiable security and tamper-proof ballots. This set of
requirements is technologically neutral and can be applied to paper,
electronic and Internet voting, exceeding the current FEC
requirements for paper-based ballots in the U.S., and also those for
electronic voting DRE (Direct Recording Electronic) machines.
The Internet Voting Technology Alliance. Created in 2000, the IVTA is an open forum
for discussion of the technological issues facing Internet and electronic voting.
The Meta-Certificate Working Group, founded in 1997, quickly grew to participants from 26 countries.
The MCWG led Internet security discussions and contributions, available in the site, currently applied
to Internet standards and practical developments in several work groups and companies worldwide.
- Email-Security Blog
A technical development forum dedicated to a fresh exploration of the Internet email security issues of today.
- Swedish Government Internet Voting Requirement
- Secure Electronic Voting, New Trends, New Threats
of Certification Systems: X.509, CA, PGP and SKIP
Real-World Models of Trust: Reliance on Received Information
on Trusting Trust
die Notwendigkeit genormter kryptographischer Verfahren
Secure Multi-Party Computation
Receipt-Free Voting Based on Homomorphic Encryption
Secure and Optimally Efficient Multi-Authority Election Scheme
to Break and Repair a "Provably Secure" Untraceable Payment System
Untraceable and Fault-tolerant Broadcast and Secret Ballot Election
secret ballot elections with linear work
An Information-Theoretic Model of Voting Systems
Digital Certificates: Applied
Internet Security by J. Feghhi, J. Feghhi and P. Williams,
ISBN 0-20-130980-7, 1998.
Handbook of Applied Cryptography,
by Alfred J. Menezes, Paul C. Van Oorschot (Editor), Scott A. Vanstone
(Editor), CRC Press; ISBN: 0849385237, 1996.
Applied Cryptography: Protocols,
Algorithms, and Source Code in C, by B. Schneier, John Wiley &
ISBN: 0471117099, 1995.
Secrets and Lies : Digital Security
in a Networked World, by B. Schneier, John Wiley & Sons; ISBN:
DISCLAIMER: This page and site does not intend to cover all the details of the technologies
reported, or all the variants thereof. Its coverage is limited to provide support and
references to the work in progress by Safevote, and to unify references, concepts
and terminology. No political or country-oriented criticism is to be construed from this
site and page, which respects all the apparently divergent efforts found today on the subjects
treated. Individuals or organizations are cited as part of the fact-finding work needed
for this site and their citation constitutes neither a favorable nor an unfavorable
recomendation or endorsement.
COPYRIGHT: Materials in this site and page are copyrighted by their owners.
This site page is Safevote Copyright. Permission to copy and publish any material
herein is regulated by their respective copyright holders. Materials that are copyrighted by
Ed Gerck and Safevote may be copied and published by third parties provided that the source and author
are clearly cited. We may be able to provide reprints in PDF for private use at no charge for
articles authored by Ed Gerck.
Safevote titles and product names are trademarks of Safevote, Inc. as described in our Legal Statement.