About Our Technology
Voting is a good model for an unbiased cooperative process. In
particular, public-sector voting needs to satisfy a number of
conditions for fairness, usually including:
- anonymous (to avoid several problems, including collusion),
- secret (no one knows the result before the election ends),
- correct (all properly cast votes must be counted; not
properly cast votes must not be counted),
- honest (no one can vote twice or change the vote of another),
- complete (all voters must be able to verify either their
participation or absence).
Election integrity depends on the election process being
secret, correct, honest and complete. One of the difficulties solved by
Safevote's technology is to assure voter privacy (anonymity) while also
assuring election integrity. The two requirements are frequently
treated as antinomies in voting.
Rather than weaken voter privacy to assure election integrity,
the Safevote solution realizes that voter privacy needs more than just voter anonymity.
Voter anonymity is not enough in voting. A stronger condition, called unlinkability, is needed
for voting -- as first publicly proposed by Dr. Ed Gerck of Safevote in January
2000 at the Brookings Institute symposium "The Future of Internet
Voting", in Washington, D.C., and heartily accepted by the
participants, including the well-known US election expert Roy Saltman.
Dr. Gerck also explained, contradicting the panel's opinion until
that point, that voter privacy and election integrity
cannot be assured simply by using encryption (SSL) and other security
strategies that are successful in e-commerce; in plain
terms, the lessons from dot-com that were mentioned before in the symposium do not
carry over to voting because of fundamental differences.
The following quote is from a Brookings transcript of the
Symposium (with context notes added within square brackets, for
My name is Ed Gerck. As a Ph.D. in mathematical
science I agree
entirely that [you could say] technology has all the answers, and that
is perhaps a
very faithful answer [from this panel, so far]. However, thinking about
the study of Professor
Dave Denning of Cornell in the psychology department, he correlated
lack of knowledge with confidence. And he arrived at a conclusion this
week that the less we know the more confident we are. Ignorance is
So I want to start from this point and say that, yes, we talked a lot
about politics and the political aspects of voting, because that's
where the main competence is about of the folks of this conference. I
would like to bring about the technical aspects. My question, if we can
do e-commerce using the Internet, if we can already use that for cyber
shopping, if we can use the Internet for online trading, for online
banking, if we can use the Internet for tax returns, as you just heard,
why can't we use the Internet for elections? If we can use the Internet
for proxy [private] voting, why can't we use it for [public] voting?
The answer is NO, and that is so because it's different.
In elections, you must have a
"Chinese wall" between the voter and the ballot. If I get the vote I
don't know who the voter is, if I get the voter I don't know what the
vote is. And that doesn't happen in e-commerce. In e-commerce I have a
traceable credit card. I have a traceable name, I have an address for
delivery. Anything that's bought must be delivered. I have a pattern of
buying, if you go to Amazon.com, they will suggest the next book to you
if you want, based on what you bought. They may know a lot more about
you than you think they know.
And so there is a basic difference between e-commerce and Internet
voting, which must not be ignored, otherwise ignorance is bliss, we
don't see it.
In e-commerce there must be no privacy, the merchant must
know who I am, my credit card must be valid. There are laws against
[fraud in] this. So there is a basic divide here, which you need to
take into account. There is a paradigm shift, there is a very strong
technological point which those on the political side don't see,
because that's natural. And there is a very strong political side that
we, on the technological side, don't see. For us, yes, voter
participation is very good, or don't we all care if voter participation
So the point that I wanted to make is that it [Internet voting] is not as easy [as in
e-commerce], because it's a fundamentally different problem. The
solution is not the same, what we have today [for e-commerce] does not
transpose, and the solution, the final comment, the solution that we
have today for e-commerce is not cryptography, is insurance, for 20
percent of fraud that is the Internet fraud in credit cards. And how is
that paid? By us, cardholders, we socialize the cost. Imagine telling,
yes, you were elected president, but you know, there was a fraud, here
is our insurance policy. You collect your million dollars, next time
play again. You know, we cannot socialize fraud in elections. We cannot
accept 20 percent of fraud paid for by insurance, which is what happens
today. We did solve the e-commerce security problem, by putting in
insurance. We cannot solve it that way [for elections].
Dr. Gerck's unlinkability condition (the "Chinese wall"
in the Brookings Symposium) states that no one should be able to link
any voter with any of the votes cast, and vice-versa. In an election,
if we know the voter (e.g., in voter registration) we cannot know the
vote that was cast by that voter; if we know a vote (e.g., in tallying)
that was cast, we cannot know the voter who cast it. In safevoting,
thus, even though both the voter and the vote must be and are
well-known at different stages of the election process (i.e., voters
must not be anonymous), no one is able to link votes with voters. The
election results are anonymous even though all voters are identified
(as they must be for election integrity).
The question of trust needs to be addressed directly in any online or digital
method, especially for voting. We all know that it takes time and effort to destroy or change a large number
of paper records, while it only takes the click of a mouse to change or erase an entire
Understanding what we trust, and how, is also important for verifying what may break that trust and
what the consequences are. Risk considerations cannot even be made before we consider what
we trust -- risk is that which breaks trust. Auditing also
depends on qualifying what is trusted, to what extent, and how that trust can be verified.
How can we trust bytes? How can we trust anything digital?
To answer these
questions, Safevote uses a model of trust first published by Dr. Ed Gerck during
public discussions in 1997, in the Meta-Certificate Group --
today available at the MCWG site.
In simple terms, trust is understood as qualified reliance on information. An
assertion of trust cannot be based on the record itself, but on information
from other information channels. Gerck considers trust not as an emotion or feeling,
which would be hard to quantify and use, but as something essentially communicable.
In Information Theory terms, trust is defined using the concept of communication,
formally, as: trust is that which is essential to a communication channel, but
cannot be transferred using that channel.
This definition of trust provides a framework for understanding
human trust (as expected fulfillment of behavior) and for bridging trust
between humans and machines (as qualified information based on factors
independent of that information). The original reference is
"Toward Real-World Models of Trust:
Reliance on Received Information". See also "Trust Points" by E. Gerck in "Digital
Certificates: Applied Internet Security" by Jalal Feghhi, Jalil Feghhi
and Peter Williams, Addison-Wesley, ISBN 0-20-130980-7, pages 194-195,
1998 and additional references in the Center.