Safevote, Inc. (TM)
The Leader in Voting Technology

Product Areas
Private Elections
Public Elections

Reliability in Voting
Voting Requirements
Fail-Safe Voter Privacy
Contra Costa County
Ballot Survey
Witness Voting System

Available by request:
US Public Elections
US Private Elections

Free Services
Information Center
The Bell Newsletter
Free Small Elections


Legal Statement
Privacy Statement

About Our Technology

Voting is a good model for an unbiased cooperative process. In particular, public-sector voting needs to satisfy a number of conditions for fairness, usually including:
- anonymous (to avoid several problems, including collusion),
- secret (no one knows the result before the election ends),
- correct (all properly cast votes must be counted; not properly cast votes must not be counted),
- honest (no one can vote twice or change the vote of another), and
- complete (all voters must be able to verify either their participation or absence).

Election integrity depends on the election process being secret, correct, honest and complete. One of the difficulties solved by Safevote's technology is to assure voter privacy (anonymity) while also assuring election integrity. The two requirements are frequently treated as antinomies in voting.

Rather than weaken voter privacy to assure election integrity, the Safevote solution realizes that voter privacy needs more than just voter anonymity. Voter anonymity is not enough in voting. A stronger condition, called unlinkability, is needed for voting -- as first publicly proposed by Dr. Ed Gerck of Safevote in January 2000 at the Brookings Institute symposium "The Future of Internet Voting", in Washington, D.C., and heartily accepted by the participants, including the well-known US election expert Roy Saltman.

Dr. Gerck also explained, contradicting the panel's opinion until that point, that voter privacy and election integrity cannot be assured simply by using encryption (SSL) and other security strategies that are successful in e-commerce; in plain terms, the lessons from dot-com that were mentioned before in the symposium do not carry over to voting because of fundamental differences.

The following quote is from a Brookings transcript of the Symposium (with context notes added within square brackets, for clarity):

My name is Ed Gerck. As a Ph.D. in mathematical science I agree entirely that [you could say] technology has all the answers, and that is perhaps a very faithful answer [from this panel, so far]. However, thinking about the study of Professor Dave Denning of Cornell in the psychology department, he correlated lack of knowledge with confidence. And he arrived at a conclusion this week that the less we know the more confident we are. Ignorance is bliss.

So I want to start from this point and say that, yes, we talked a lot about politics and the political aspects of voting, because that's where the main competence is about of the folks of this conference. I would like to bring about the technical aspects. My question, if we can do e-commerce using the Internet, if we can already use that for cyber shopping, if we can use the Internet for online trading, for online banking, if we can use the Internet for tax returns, as you just heard, why can't we use the Internet for elections? If we can use the Internet for proxy [private] voting, why can't we use it for [public] voting?

The answer is NO, and that is so because it's different.

In elections, you must have a "Chinese wall" between the voter and the ballot. If I get the vote I don't know who the voter is, if I get the voter I don't know what the vote is. And that doesn't happen in e-commerce. In e-commerce I have a traceable credit card. I have a traceable name, I have an address for delivery. Anything that's bought must be delivered. I have a pattern of buying, if you go to, they will suggest the next book to you if you want, based on what you bought. They may know a lot more about you than you think they know.

And so there is a basic difference between e-commerce and Internet voting, which must not be ignored, otherwise ignorance is bliss, we don't see it.

In e-commerce there must be no privacy, the merchant must know who I am, my credit card must be valid. There are laws against [fraud in] this. So there is a basic divide here, which you need to take into account. There is a paradigm shift, there is a very strong technological point which those on the political side don't see, because that's natural. And there is a very strong political side that us, on the technological side don't see. For us, yes, voter participation is very good, or don't we all care if voter participation may decrease?

So the point that I wanted to make is that it [Internet voting] is not as easy [as in e-commerce], because it's a fundamentally different problem. The solution is not the same, what we have today [for e-commerce] does not transpose, and the solution, the final comment, the solution that we have today for e-commerce is not cryptography, is insurance, for 20 percent of fraud that is the Internet fraud in credit cards. And how is that paid? By us, cardholders, we socialize the cost. Imagine telling, yes, you were elected president, but you know, there was a fraud, here is our insurance policy. You collect your million dollars, next time play again. You know, we cannot socialize fraud in elections. We cannot accept 20 percent of fraud paid for by insurance, which is what happens today. We did solve the e-commerce security problem, by putting in insurance. We can not solve it that way [for elections].

Dr. Gerck's unlinkability condition (the "Chinese wall" mentioned in the Brookings Symposium) states that no one should be able to link any voter with any of the votes cast, and vice-versa. In an election, if we know the voter (e.g., in voter registration) we cannot know the vote that was cast by that voter; if we know a vote (e.g., in tallying) that was cast, we cannot know the voter who cast it. In safevoting, thus, even though both the voter and the vote must be and are well-known at different stages of the election process (i.e., voters must not be anonymous), no one is able to link votes with voters. The election results are anonymous even though all voters are identified (as they must be for election integrity).


The question of trust needs to be addressed directly in any online or digital method, specially for voting. We all know that it takes time and effort to destroy or change a large number of paper records, while it only takes the click of a mouse to change or erase an entire digital file.

Understanding what we trust, and how, is also important to verify what may break that trust and what are the consequences. Risk considerations cannot even be made before we consider what we trust -- risk is that which breaks trust. Auditing also depends on qualifying what is trusted, to what extent, and how that trust can be verified.

How can we trust bytes? How can we trust anything digital?

To answer these questions, Safevote uses a model of trust first published by Dr. Ed Gerck during public discussions in 1997, in the Meta-Certificate Group -- today available at the MCWG site.

In simple terms, trust is understood as qualified reliance on information. An assertion of trust cannot be based on the record itself, but on information from other information channels. Gerck considers trust not as an emotion or feeling, which would be hard to quantify and use, but as something essentially communicable. In Information Theory terms, trust is defined using the concept of communication, formally, as: trust is that which is essential to a communication channel, but cannot be transferred using that channel.

This definition of trust provides a framework for understanding human trust (as expected fulfillment of behavior) and for bridging trust between humans and machines (as qualified information based on factors independent of that information). The original reference is Toward Real-World Models of Trust: Reliance on Received Information. See also "Trust Points" by E. Gerck in "Digital Certificates: Applied Internet Security" by Jalal Feghhi, Jalil Feghhi and Peter Williams, Addison-Wesley, ISBN 0-20-130980-7, pages 194-195, 1998 and additional references in the Center >>

Read more about our technology implementation for Internet voting>>

Contents of this entire site are © Copyright, Safevote Inc., 2000-2006.
Titles and product names are trademarks of Safevote, Inc. as described in our Legal Statement. ZSentry™ is ™ of NMA, Inc.