The Leader in Voting Technology
|HomeProductsRequest QuoteSupport CenterContact UsElection RequirementsPartnersAbout Us|
Contra Costa County Shadow Election Report
During five days, from October 30th to November 3rd in 2000, Safevote conducted an official public election precinct-based Internet voting test in Contra Costa County, under contract with the Secretary of State of California.
The number of voters who participated in the test, at will, was typical of the number of voters that would usually vote in one precinct in California, with 307 voters using the Safevote system. The test was done at one location using one voting station, which was online with Safevote servers elsewhere. Another voting station was also online but as a back-up.
Safevote used common PCs from a leading manufacturer, provided by Contra Costa County, with Safevote's custom-installed election system software. A LEO (Local Election Official) verified that all PCs and software were working as desired, before the polls opened.
A first station, called the LEO station, was used off-line to generate a DVC™ (Digital Vote Certificate, see DVC articles in the FAQ "Election Products" category, at the Support Center) for each voter, by a LEO. The voter's eligibility was first verified by the LEO. The LEO could not see the DVC that was given to the voter. Once the voter was authorized by the LEO, the voter's ballot style according to district of residence (a total of 280 ballot styles were possible for Contra Costa County), as well as a password chosen by the voter, were used by the Safevote software in the LEO station to generate the DVC. The DVC value was unpredictable and unknown to anyone but the voter; the length of the DVC and the password were enough to thwart any attempt to guess their combined value for the test conditions at hand.
For auditing and tallying authorization purposes, the name of the LEO authorizing the DVC to be issued, as well the ballot style, time, date and other information (but not the DVC value itself), were encrypted and recorded. LEOs could not influence the value of the DVC and could not create more than one DVC per voter. There was no connection whatsoever between the LEO station and the test network with the voting station where the voter would vote. The DVCs were accepted or rejected by the voting station based solely on the DVC's off-line properties as digital certificates, authenticating both the voter and the ballot style that was previously authorized off-line by the LEO for the voter.
To use the system, voters sign onto a voting station using their unique DVCs and passwords, allowing complete voter privacy when voting, and also providing for election integrity. There was no password list or DVC list in the voting station or anywhere else. In the test, 140 different ballot styles were actually assigned to voters based on their addresses in the county, and 100% correctly authenticated during voting. That each voter was using their correct ballot style, could be directly verified by the voter herself, providing an added assurance to the voter that the voter was correctly authenticated by entering their DVC and password. A similar process is used by Safevote also in online voting, to prevent phishing, spoofing and other authentication attacks.
The DVC authenticates not only the eligibility of the voter, thus preventing someone from voting twice, but also defines by cryptographic authentication the ballot style authorized by the LEO for each voter. The DVC also provides other cryptographic proofs in various stages of voter authentication, ballot casting, and auditing. The voter used either a mouse or a touch screen to make selections to vote. The touch screen was, clearly, the best device for voter input, specially for the elderly and computer novice.
The ballots cast by voters were encrypted and digitally certified. The precinct voting station did not have to be online with the Internet for the voter to vote. The encrypted ballots cast by voters were stored locally, using a "store and forward" mechanism to send them to a set of remote ballot boxes (i.e.,secure servers on the Internet). Without an Internet connection, the precinct voting station could work as an electronic voting system, and it could have operated in such mode exclusively. The Safevote precinct network was in "stealth mode" on the Internet: It could "see and talk" but could not be seen by anyone on the Internet -- including attackers. The names of candidates, or issue numbers, were not available in the cast ballots. There is a certified association between a candidate name and a tallied result but, to allay concerns of internal fraud, it only occurs in the Safevote system after all ballots are tallied. The key to decrypt the ballots was also not available in the system -- to obtain it, one would have to first decrypt the audit log for DVC issuance, which would immediately stop the DVC issuance. Tallying was done after the U.S. November 2000 election was officially over in California, as authorized by the Secretary of State. Before this event, the ballots cast could not be opened, read, or tampered with. Even if they would be opened, they could not be tallied to obtain a useful result, as the names of options chosen by voters (actual candidate names and issues) are not recorded in the ballots.
Voters could, and did, verify that their ballots were received at the remote ballot boxes by visiting a Safevote-run Web service with voter lists for cast ballots received (in addition to voter lists for showing up for voting). Verifiability can considerably reduce the probability of undetected fraud. If only a small fraction of voters do verify that their cast ballots were indeed received for tallying, voters in the entire election will benefit because this process reduces the probability of errors and undetected fraud, for example, of ballots being lost.
In the first days of the test, from October 30th to November 1st, the test was dedicated to experiment with the failure modes of the Internet voting system developed by Safevote. Public voting systems need fail-safe assurances and they need to be test crashed in order to see if they indeed are fail-safe. During this initial period, 161 voters cast ballots that were on purpose deleted for testing the failure modes of the system. The presence of these voters, however, was detected by several verification loops built into the system audit, including the public voter list verification service made available on the Internet by Safevote. Contra Costa voters visited the voter list and tested if their participation was recorded, from their computers in homes or offices. Safevote observed thus that voters really care enough to both verify the voter list and notify Safevote about any problem, even though this was a shadow election. This exemplifies that this mechanism can be quite effective to enhance security in a real election. Voter privacy was not compromised by this verification procedure.
From November 2nd to November 3rd, all voted ballots were kept, encrypted, with the assurances aforementioned. Voters could and did verify remotely on the Internet that their ballots were received for tallying. Voter privacy was not compromised by this verification procedure.
During the five days of the test, Safevote also conducted a public attack test, concurrently. This was the first -- and only so far -- time that an Internet voting company made a public invitation to attack their own system.
The Safevote attack challenge was made public on CBS, USA Today, Internet lists and other public media, so that attackers would be motivated to try to attack. No one managed to successfully attack the system, which was on the public Internet for five days and 24-hours per day, in spite of an attack-hotline with phone, email and web-page support, and time-saving hints provided by Safevote. Attackers were also encouraged to submit theoretical attacks on the data structures used, not just the networks. Denial-of-Service attacks were also tried, as reported at the attack web-page. No attack was successful. The Internet access used by Safevote was provided in dial-up and the attack test never put the election office network in Contra Costa County at any risk whatsoever.
Of course, security cannot be proven by any amount of tests. The objective of an attack test such as the one performed by Safevote at Contra Costa County must be to find problems, not to prove that problems do not exist. However, the absence of both theoretically successful attacks as well as practical attacks during an extended period of time in a high-visibility open test with attack assistance and feedback, and the absence of any successful attack in six years of operation with over 100 elections, suggests that the technology used by Safevote does offer a noticeable security increase over a typical e-commerce system.
On November 7th, 2000, the results were audited and tallied after the official election closed. All the results were authorized to be shown by Safevote but not verified by the office of the California Secretary of State. A total of 146 valid ballots were tallied, with 161 test ballots, for a sum of 307 ballots.
Voting test results at Contra Costa County Shadow Election 2000 >>
A Safevote representative personally interviewed the voters at Contra Costa after they voted using the Safevote system and presented a series of questions to them. When asked if Safevote's system was easy to use, all 307 voters answered yes. As voters' time permitted, other questions followed with a pre-defined format and also included room for spontaneous responses. Approximately 200 voters took the time to answer all questions.
Results of the Contra Costa County Ballot Survey >>
Safevote stands ready to certify and conduct Internet and electronic voting in Public Elections, where accepted. Where the certification of Safevote's system depends on legislation still being discussed, Safevote is able to conduct Public Election Trials.If you are interested in setting up a Public Election or Trial, please visit our Public Elections Page >>