Safevote, Inc. (TM)
The Leader in Voting Technology

Product Areas
Private Elections
Public Elections

Reliability in Voting
Voting Requirements
Fail-Safe Voter Privacy
Contra Costa County
Ballot Survey
Witness Voting System

Available by request:
US Public Elections
US Private Elections

Free Services
The Bell Newsletter
Free Small Elections


Legal Statement
Privacy Statement

Legal Auditing Privacy And Security Election Experience, Qualifications, and Security History

1. Legal

Safevote meets or exceeds all the requirements for legally binding online elections in the private sector. This includes the means to authenticate voters, count ballots properly, and provide for security, auditing and election integrity. Your organization's bylaws should also allow online voting. Many countries have similar requirements for online voting.

Safevote's online election security was qualified by the California Secretary of State for a shadow election conducted in Contra Costa County in November 2000, and also by the Swedish Government's Ministry of Justice Statskontoret for a binding online election conducted in the Student Union at Umeå University in April 2001.

Safevote meets or exceeds the Swedish Government Internet Voting Requirement SOU:2000:125.

Safevote complies with the Voting System Requirements (VSR). The VSR evolved during public discussions at the Internet Voting Technology Alliance (IVTA) in September-November 2000. It recognizes the need for strict voting standards, with a set of 16 requirements that support fail-safe privacy, verifiable security and tamper-proof ballots.

2. Auditing

Typical Election Process
Phases of a typical election process, clockwise from the top.

A typical election process has a number of phases, exemplified above. The phases are not independent, are not all done in sequence, usually overlap in time and responsibility, are not performed in isolation, require cross-certification, and may fail completely due to a single-point failure. In such a scenario, the trustworthiness of each phase, even of each component, is not enough to assure the trustworthiness of the final result. Auditing is important here not only as a final verification (as shown in the diagram above) but also as a phase-by-phase verification of respective inputs and outputs.

With Safevote, trust is verified by auditing at every phase. The entire election is audited before the Safevote election results are sent to the customer. An audit trail is preserved until at least 30 days after the election closes, for all election data, while assuring voter anonymity for the ballots cast and the tally results.

Safevote assures election privacy, security and integrity with a patent-pending, end-to-end ballot control technology including voter registration, ballot distribution, auditing, tallying and reporting.

Safevote's ballot control technology uses the DVC™.

The DVC stands for Digital Voter Certificate. In simple terms, a DVC performs all the functions of a PIN and more, without the shortcomings of PINs (for example, without shared secrets). Safevote assigns to each voter a DVC, which is both improbable to guess and unknown to the customer. According to the election product used, the DVC may or may not be visible to the voter. The DVC may also be mnemonic, making it easier for voters in election models where voters must read and type their DVCs.

The DVC is Safevote's patent pending technology for, without shared secrets, controlling all aspects of the election, including voter access, ballot style, ballot delivery, proof of receipt, tallying, auditing, and reporting.

Safevote audits all voters and ballots cast.

Auditing is integrated with every election phase, even during the election, to prevent and detect faults such as interception, tampering, impersonation, spoofing, denial, replay and eavesdropping of voter information, including authorization codes and ballots. Auditing is done without compromising election privacy or ballot secrecy.

Safevote's ingenious online voting technology makes the entire election process a "closed circle", where everything must be not only verifiable but actually verified, from the initial qualification of information to its final use that must be based on that qualification. The technological assurances are integrated with an additional, human-based, full audit, still preserving voter privacy. Read About Our Technology >>

Safevote takes time, throughout the election, to make sure that not only the election results are correct but also that all inputs leading to that result, voters and ballots, are correct. Voter auditing is complemented by random sample testing, using a small ensemble of voters that is statistically significant to provide high confidence that each voter actually participated. If there is evidence of a problem, the probe can widen and more voters can be contacted, by random or directed choice. Additional information collected without voter intervention or contact, such as the user's computer IP number, may also be used in auditing.

Voter authentication is transparent; at the end of the election, Safevote sends a voter list with all who voted. If the customer desires to be part of the voter authentication process (for example, by using the customer's own login procedure), Safevote auditing helps reduce the customer's risk exposure and conflict of interest questions.

By means of assured, unfettered access to information during the election period, Safevote is also not subject to a "sand box" and has the means to directly and independently verify any information that might compromise election privacy, security or integrity.

3. Privacy And Security

Safevote integrates all services required in an online election, without security gaps. Customers use Safevote to provide a better experience to voters, with less cost and liability.

Safevote adds a useful layer of trust in the election. Safevote shields the customer from the voter authorizations (Credential Creation, Distribution and Management) and ballot processing, reducing customer liability and potential conflict of interest situations, by providing the following main functionality:

1. The customer has no control of and does not even know the voter authorizations, which are provided by unique access codes (DVC™, or Digital Voter Certificate) generated by Safevote. The DVCs are anonymous and improbable to guess. The voters can trust that the ballots collected using such voter authorizations were not cast by the customer, or by compromise of the customer's systems.

Security of the DVC distribution to voters is important for the voter authentication process. DVC distribution is protected by Safevote and, according to customer need, may use different mechanisms, including:

ZSentry Ballot: unique access codes (DVC™) are sent to each eligible voter on behalf of the customer by ZSentry Ballot; voters who do not receive the ZSentry™ Ballot can vote securely with a provisional ballot.

Secure Login Ballot: unique access codes (DVC™) are assigned to each voter upon login at the customer site using the customer's pages and the customer's enterprise database; the voter goes on to vote using Safevote, while keeping all the privacy and security assurances, and audit, of the Safevote process.

Secure Postal Mail: unique access codes (DVC™) are assigned to each voter upon voter registration and, without being known to anyone else, are mechanically inserted and sealed for mailing in postal mail envelopes. A password that is already known by each voter is used to generate the DVCs. The passwords are not included in the envelope with the DVCs. Upon receiving the postal mail, the voter uses the DVC and password to login at a secure site. The voter goes on to vote, while keeping all the privacy and security assurances, and audit, of the Safevote process.

2. The customer cannot decrypt or tally the ballots. The voters can trust that the ballots remain secret during and even after the election is tallied.

3. The customer cannot link the voter authorizations to the voters. The voters can trust that their participation is anonymous.

4. Trust is verified by auditing. Safevote audits all voters and ballots cast.

Safevote ballot authentication methods CF and CL prevent a voter from casting more than one ballot, keeping the rule of "one person, one vote". With CF, only the first ballot is counted. With CL, voters are allowed to vote multiple times but only the last ballot is counted, which is useful to allay concerns of vote-selling and coercion.

4. Election Experience, Qualifications, and Security History

Safevote online election experience begins in the year 2000 and covers a wide range of needs and sizes, from almost 300,000 voters in one election to as few as 31, with over 100 elections worldwide.

During the Contra Costa County shadow election in November 2000, Safevote also conducted a public attack test concurrent with the shadow election test. This was the first -- and only so far -- time that an Internet voting company made a public invitation to attack their own system.

The Safevote attack challenge was made public on CBS, USA Today, Internet lists and other public media, so that attackers would be motivated to try to attack. No one managed to successfully attack the system, which was on the public Internet for five days and 24-hours per day, in spite of an attack-hotline with phone, email and web-page support, and time-saving hints provided by Safevote. Attackers were also encouraged to submit theoretical attacks on the data structures used, not just the networks. Denial-of-Service attacks were also tried, as reported at the attack web-page. No attack was successful. The Internet access used by Safevote was provided in dial-up and the attack test never put the election office network in Contra Costa County at any risk whatsoever.

Of course, security cannot be proven by any amount of tests. The objective of an attack test such as the one performed by Safevote at Contra Costa County must be to find problems, not to prove that problems do not exist. However, the absence of both theoretically successful attacks as well as practical attacks during an extended period of time in a high-visibility open test with attack assistance and feedback, and the absence of any successful attack in six years of operation with over 100 elections, suggests that the technology used by Safevote does offer a noticeable security increase over a typical e-commerce system.

Read more about election requirements and experience in the Information Center >>

Contents of this entire site are © Copyright, Safevote Inc., 2000-2006.
Titles and product names are trademarks of Safevote, Inc. as described in our Legal Statement. ZSentry™ is ™ of NMA, Inc.