Internet Voting FAQ
Internet voting, also called online voting, has been used, and has been legal, in the US private sector for more than ten years. For questions about Internet voting in the private sector, please use our FAQ selector in the Support Center.
How about Internet voting for public elections?
If we can do e-commerce using the Internet, if online shopping is common even for buying cars and homes, if we can use the Internet for online trading, for online banking, if we can use the Internet for tax returns, why can't we use the Internet for public elections? If we can use the Internet for private voting, why can't we use it for public voting?
The quick answer is that "yes, we can". US military personnel and overseas civilians can register to vote and send their absentee ballots by regular email for public elections, for those states that allow it.
This quick answer highlights both the need and the difficulty behind Internet voting for public elections.
Of course, sending voter information and a voted ballot by regular email is like sending them on a postcard: regular email is open for anyone to read or change. A ballot sent by regular email is neither secret nor secure, and the voter's personal information is no longer private.
Can we do Internet voting right?
Yes, we can. First, we need to understand that Internet voting is nothing like e-commerce.
In public elections, we must have what Safevote has called a "Chinese wall" between the voter and the ballot. Even after the ballot is opened, if I see the vote I cannot know who the voter is, if I know the voter I cannot know what the vote is. But that doesn't happen in e-commerce. In e-commerce we have traceable credit cards, traceable names, and an address for delivery. Anything that is bought must be delivered. You have a pattern of buying; if you go to amazon.com, they will suggest the next book to you based on what you bought before. In e-commerce, a lot is known about you.
Thus, there is a basic difference between e-commerce and Internet voting, which must not be ignored; otherwise, because ignorance is bliss, we might be quite happy using an e-commerce system for voting. It would seem to work, with SSL encryption and authentication.
In e-commerce there must be no privacy: the merchant must know who you are and that your credit card is valid, and there are laws against fraud for providing false information in this regard. So there is a basic divide here, which we all need to take into account. There is a paradigm shift, a very strong technological point which some may not see at all. Yes, making it easier for the voter is very good; do we not all care if voter participation decreases? However, making it easier for the voter must not be done by using an e-commerce system for online voting.
Internet voting and e-commerce are fundamentally different problems. With Internet voting there is a need for a specific protocol that protects both voter privacy and election security. The solution is not the same. What we have today for e-commerce does not transpose.
Furthermore, even if we could transpose the e-commerce solution to online voting, we need to keep in mind that the solution that we have today for e-commerce is not cryptography, it is insurance. The average Internet fraud in credit card transactions is 15 percent. And how is that paid? By us, cardholders, as we socialize the cost. Now, let us imagine saying "yes, you were elected Mr. president-that-was-to-be, but you know, there was a fraud, here is our insurance policy. You collect your million dollars, please play again next time". Of course, we cannot socialize fraud in elections. We cannot accept 15 percent of fraud paid for by insurance, which is what happens today with e-commerce.
Let us make it clear: the e-commerce security problem was solved by banks, but only by adding insurance. It made sense for them in their calculations of risk versus cost. However, it does not make sense in public elections, and we cannot solve it that way.
In order to do Internet voting right, even though both the voter and the vote must be and are well known at different stages of the online election process (i.e., voters must not be anonymous), no one should be able to link votes with voters. No one should be able to prove how the voter voted, not even the voter, and not even under a court order in which all parties must cooperate and secrets must be disclosed. The voter must not be linkable to the ballot and vice versa. Yet all voters must be identified in the voter list (for election integrity). The election results must be anonymous.
Thus, rather than weaken voter privacy to assure election integrity, the Safevote solution for Internet voting recognizes that voter privacy needs more than just voter anonymity. Voter anonymity is not enough in voting. A stronger condition is used by Safevote, called unlinkability. Read more about unlinkability and the Safevote solution in the Support Center.
How about protection against hackers? In addition to firewalls, a reverse-proxy configuration, and intrusion detection systems, the core machines are connected to the Internet via an effectively unknown and changing IP address, and in turn make connections to four or more other machines in unknown locations, again with unpublished and changing IP addresses. In a Safevote public attack test conducted in 2000, attackers could not find the servers even with a hot-line for help available. In Safevote's Public Election Network system, including the servers used for online voting, even finding one server to attack becomes extremely difficult, if not impossible.
Can the voter's computer be used for online voting? Some simple-minded arguments consider the voter's computer to be an isolated machine, easy prey for hackers and hence impossible to secure. This is not the case for a voter's computer connected to Safevote's Public Election Network system -- see the Voter Station in Safevote's Public Election Network system. The voter's computer can be protected against hackers by actions taken by the Safevote server itself (including firewall testing and malware and virus scans) directly at the voter's computer, by challenge-response tests done by the Safevote server to detect acceptable behavior, including human versus automated response, and by counter-measures that the Safevote server requires the voter to implement (see articles in the FAQ "Privacy, Security" category, at the Support Center) prior to voting.
How about voter privacy online? Election integrity? Voters are authenticated by their DVC™ (Digital Vote Certificate; see the DVC articles in the FAQ "Election Products" category, at the Support Center), which cannot be linked to the identity of the voter. The DVCs are sent to voters without the LEO (Local Election Official) who authorizes their issuance knowing which voter gets which DVC, so the LEO does not even have to be trusted not to record the correspondence between voters and their DVCs. The LEO also does not have to be trusted not to create spare DVCs, i.e., more DVCs than one per voter. These properties are part of Safevote's design, which enforces key concepts in IT security, including the following principles.
Least Privilege
"Every program and every user of the system should operate using the least set of privileges [providing access to resources and information] necessary to complete the job." Saltzer and Schroeder, in The Protection of Information in Computer Systems.
The idea behind the principle is to grant just the least amount of privilege needed to permit a legitimate action, in order to protect data and functionality from faults and malicious behavior.
Need-To-Know
Need-to-know is one of the most fundamental security principles. The practice of need-to-know limits the damage that can be done by a trusted insider who goes bad. Implementing the need-to-know principle builds a major barrier against insider attacks.
In essence, the principle aims to discourage "browsing" of sensitive material, thereby limiting access (and potential damage) to the smallest possible number of people.
Separation Of Powers
The differentiation between system administrator and security administrator is an example of separation of powers. Because an all-powerful attacker is hard (or even impossible) to stop, the principle of separation of powers limits the power of each module (user, machine or software) so that no module in the system may perform all the functions.
In a public-key cryptography system, for example, messages may be digitally signed only with the private key and may be verified only with the public key.
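The unlinkability requirement and the key-role split of the public-key example above can be shown together in one small program. The following Python is an added illustration, not Safevote's DVC protocol or code: it uses an RSA blind signature (Chaum's construction) so that the credential issuer, standing in for the LEO, signs a blinded value and never learns the credential the voter later presents, while the checking side holds only the public key and can verify but cannot sign. The class and function names, the toy key size, and the credential strings are assumptions constructed for the example; it does not model the page's separate claim that the LEO cannot mint spare credentials.

```python
"""Toy RSA blind-signature credential issuance (added example, not Safevote code).

Two properties are demonstrated:
  * unlinkability: the issuer only ever sees blinded values, so its own log
    cannot be matched against the credential the voter presents;
  * separation of powers: only the holder of the private exponent can sign;
    a party holding only (N, E) can verify but not produce signatures.
The key is deliberately tiny and the hash is a toy; use a vetted library
for anything real.
"""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key: two small primes, far too small for real use.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)


def hash_to_int(data):
    """Map a credential string into Z_N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Issuer:
    """Holds the private exponent: the only role able to sign."""

    def __init__(self):
        self._d = D
        self.signed_blinds = []  # everything the issuer actually sees

    def public_key(self):
        return (N, E)

    def sign_blinded(self, blinded):
        # The issuer signs whatever blinded value it receives and logs it.
        self.signed_blinds.append(blinded)
        return pow(blinded, self._d, N)


class Verifier:
    """Holds only the public key: can check signatures, cannot create them."""

    def __init__(self, public_key):
        self.n, self.e = public_key

    def verify(self, token, signature):
        return pow(signature, self.e, self.n) == hash_to_int(token)


def obtain_credential(issuer, token):
    """Voter side: blind the credential, get it signed, unblind the result."""
    h = hash_to_int(token)
    while True:
        r = secrets.randbelow(N - 2) + 2      # blinding factor, invertible mod N
        if gcd(r, N) == 1:
            break
    blinded = (h * pow(r, E, N)) % N          # issuer sees only this value
    blinded_sig = issuer.sign_blinded(blinded)
    signature = (blinded_sig * pow(r, -1, N)) % N   # strip r: (h r^E)^D r^-1 = h^D
    return token, signature


def issuer_can_link(issuer, token):
    """Does the issuer's own log contain anything matching this credential?"""
    return hash_to_int(token) in issuer.signed_blinds


if __name__ == "__main__":
    issuer = Issuer()
    verifier = Verifier(issuer.public_key())
    token, sig = obtain_credential(issuer, b"constructed-credential-0001")
    print("credential verifies:", verifier.verify(token, sig))
    print("issuer can link it:", issuer_can_link(issuer, token))
    print("tampered signature verifies:", verifier.verify(token, (sig + 1) % N))
```

The `Verifier` class has no signing method at all, which is the point of the separation: the role that counts or admits credentials holds nothing that would let it manufacture one. The issuer's `signed_blinds` log is the record a dishonest LEO would keep, and with blinding it contains nothing that matches the credential actually used.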
FAQ from the Support Center
CAN I USE SAFEVOTE FOR PUBLIC ELECTIONS?
It depends on the legislation that applies to your case. Safevote's election process meets or exceeds the legal requirements already in place for electronic voting in public elections.
The Safevote system has also been used in actual elections with multiple-channel voting, where a voter may vote at a precinct, at home or work using the Internet, or by postal mail. In one such case, voters were allowed to vote using all methods, while the ballots were validated by a preference system allowing only one ballot per voter; for example, a ballot cast at a precinct trumped mail or Internet ballots cast by the same voter.
HOW ABOUT VOTER PRIVACY ONLINE? ELECTION INTEGRITY?
Voters are authenticated by their DVC™ (Digital Vote Certificate; see the DVC articles in the FAQ "Election Products" category), which cannot be linked to the identity of the voter. The DVCs are sent to voters without the LEO (Local Election Official) who authorizes their issuance knowing which voter gets which DVC, so the LEO does not even have to be trusted not to record the correspondence between voters and their DVCs. The LEO also does not have to be trusted not to create spare DVCs, i.e., more DVCs than one per voter.
WHY ISN'T SAFEVOTE CODE PUBLICLY AVAILABLE FOR INSPECTION?
As most security experts will tell you, making the code publicly available for inspection does exactly nothing to make it secure. Ken Thompson's 1984 Turing Award lecture "Reflections On Trusting Trust" (available online in your Information Center) shows why software cannot be trusted by itself. Ed Gerck's 1997 pioneering work on trust, "Toward Real-World Models of Trust: Reliance on Received Information" (available online in the Information Center), shows that nothing can be trusted by itself.
HOW CAN I TRUST SAFEVOTE'S SECURITY?
Safevote's solution to trustworthy security is the MP protocol, which makes the entire election process a self-verified "closed circle", with an additional, human-based, full audit. The audit can be provided with as many independent verifiers as desired by using Safevote's Witness-Voting System (WVS), to allay concerns of internal fraud in public elections. Without requiring paper and paper costs, the WVS is able to prove to anyone that every vote counts. Paper and other media can also be used.
The WVS verifies whether what the voter sees and confirms on the screen is what is actually recorded and counted. The WVS provides any desired number of independent records, which are readily available to be reviewed by election officials, without ever linking voters to ballots. The WVS works in precincts as well as online.
THERE IS ALWAYS SOMEONE WHO CAN CRACK IT.
When people think that something cannot be secure because there is always someone who can crack it, they are talking about the "weak link" paradigm. This is a very simple paradigm and is easy to understand. Indeed, if the weakest link defines the security of a chain of events, then the resulting system is not fail-safe and would not suffice to reach the level of security that we want for Internet voting.
However, while it may be possible for an attacker to compromise one channel of information at a given time (i.e., one link), it is much harder to compromise two or more at the same time. Thus, Safevote's solution is to use multiple, independent control structures and independent channels of information. This considerably increases the reliability and trustworthiness of Safevote's Internet voting systems, as well as the auditing, vote recounting and verifiability properties of the election.
HOW ABOUT DENIAL-OF-SERVICE, NETWORK, OR ENERGY BLACK-OUTS?
They are not relevant if the election duration is long enough for recovery. We suggest that an online election should run for two weeks. In public elections, absentee ballots are already accepted within a month in some jurisdictions. Please see the FAQ articles in the "Accessibility" category.
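The one-ballot-per-voter preference rule from the multi-channel answer above (a precinct ballot trumps mail or Internet ballots from the same voter) is easy to get subtly wrong when ballots arrive in arbitrary order, so here it is as an added Python example that is not Safevote's code. The channel names, the relative rank of mail versus Internet ballots, the function names and the sample ballots are assumptions constructed for the example; the page only states that precinct outranks the other two. In a real system this selection runs on ballot envelopes before vote contents are separated from voter identity, so the resolver treats the ballot content as opaque and only the final tally looks at it.

```python
"""Resolve multi-channel ballots to one ballot per voter (added example).

Rule from the text: a precinct ballot trumps mail or Internet ballots by
the same voter. The ordering of mail above Internet is an assumption.
"""
from collections import Counter

# Lower rank wins. Channel names and the mail-vs-internet order are assumed.
CHANNEL_RANK = {"precinct": 0, "mail": 1, "internet": 2}

# Constructed sample input: (voter_id, channel, ballot). Arrival order is
# deliberately mixed so that a later ballot can outrank an earlier one.
SAMPLE_BALLOTS = [
    ("V001", "internet", "A"),
    ("V001", "precinct", "B"),   # precinct trumps the earlier Internet ballot
    ("V002", "mail", "A"),
    ("V003", "internet", "C"),
    ("V003", "mail", "A"),       # mail over Internet (assumed ordering)
    ("V004", "internet", "B"),
    ("V004", "internet", "C"),   # same channel twice: keep the first, flag it
]


def resolve_ballots(ballots):
    """Keep exactly one ballot per voter, chosen by channel precedence.

    Returns (kept, duplicates): kept maps voter_id -> (channel, ballot);
    duplicates lists (voter_id, channel) pairs where a voter submitted more
    than one ballot on the same channel. Those are kept-first but reported,
    since they are exactly the cases an election official should review.
    """
    kept = {}
    duplicates = []
    for voter_id, channel, ballot in ballots:
        if channel not in CHANNEL_RANK:
            raise ValueError("unknown channel: %r" % channel)
        current = kept.get(voter_id)
        if current is None or CHANNEL_RANK[channel] < CHANNEL_RANK[current[0]]:
            kept[voter_id] = (channel, ballot)          # new or higher-ranked channel
        elif CHANNEL_RANK[channel] == CHANNEL_RANK[current[0]]:
            duplicates.append((voter_id, channel))      # same channel: flag, keep first
        # a lower-ranked channel than what is already kept is simply ignored
    return kept, duplicates


def tally(kept):
    """Count ballots after resolution; only this step looks at ballot content."""
    return Counter(ballot for _, ballot in kept.values())


if __name__ == "__main__":
    kept, dups = resolve_ballots(SAMPLE_BALLOTS)
    for voter_id, (channel, _) in sorted(kept.items()):
        print(voter_id, "counted via", channel)
    print("same-channel duplicates to review:", dups)
    print("tally:", dict(tally(kept)))
```

Because the rule is evaluated per voter rather than per arrival order, a precinct ballot that arrives after an Internet ballot still wins, and a second ballot on the same channel never silently overwrites the first.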