VoteClick
Security measures

Introduction

On this page, we will discuss the various security measures embedded within the VoteClick voting platform to ensure a safe and secure voting experience.

First, we will explain our innovative method for verifying voter identity without the need for codes or passwords. This leads us to discuss how we effectively combat identity theft.

Next, we will address the importance of maintaining vote secrecy and preventing duplicate voting, as these issues are closely related.

Following this, we will explore our strategies for managing fraudulent activities within the system.

Finally, we will highlight the external mechanisms in place, such as firewalls, that are designed to protect against hacker attacks, including DDoS, XSS, and SQL injection.

Voter Identity Verification with a Single Click

Each voter receives a voting invitation that includes a distinct voting link.

This link contains a one-time voting key, unique to each voter.

Upon clicking the link, the key is transmitted to VoteClick, enabling the identification of the voter.

Fingerprint

Combating Identity Theft

Identity theft occurs when an unauthorized individual gains access to a voter's unique voting key.

A malicious party can obtain the key by either guessing or intercepting it.

VoteClick addresses this issue in the following ways:

  1. VoteClick generates keys of sufficient length, resulting in a vast number* of combinations that make guessing virtually impossible.
  2. VoteClick utilizes SSL encryption to protect against unauthorized interception and reading of the key's value.

*There are 6216 combinations, or:
 47,672,401,706,823,533,450,263,330,816

Lock

SSL encryption

Ensuring Secrecy and Preventing Duplicate Voting

The secrecy of the vote and the prevention of duplicate voting are ensured through a single process: the deletion of the voter's voting key immediately after casting their vote.

This measure bolsters the secrecy and reliability of the voting process, instilling confidence in voters that their vote is secure and their identity safeguarded.

The rationale behind this method is outlined as follows:

Ensuring Secrecy

As the voter casts their ballot, their voting key is removed from their voting record, which stores their selections. This ensures secrecy, as it becomes infeasible to associate the voter with their choices.

As we eliminate the voting key in the very operation* that saves their choices, there is no moment, however brief, when the voter's choices can be linked to their identity.

* An exception occurs in meeting votes, where the voting key is deleted only upon the vote's conclusion.

Preventing Duplicate Voting

With the key being deleted, the voter is unable to use it again, effectively thwarting attempts at casting duplicate votes.

Voting key

Measures for Identifying and Thwarting Fraudulent Activities within the System

The system enables observers to detect any nefarious manipulation by voting administrators, using the tools outlined below:

1. Unique Vote Codes to Combat Phishing

Each vote is assigned a unique code, which is displayed in the voting invitations and on the results page.

Voters can verify that they did not participate in a fictitious vote (phishing) by checking if there is a match between the code they received and the one displayed in the results.

2. Real-time Supervision with an Automated Voting Log

The system records every significant action related to the voting process, starting from the moment voting begins. This includes adding, deleting, and editing voters, among other actions.

The log can be viewed by observers, allowing for real-time supervision of the administrators' actions.

3. Detection of Attempts to Falsify Voter Information

The system records the email addresses and phone numbers to which the voting invitations were sent and displays them in the results.

This allows for verification that the voter details have not been falsified.

4. Ensuring the Authenticity of Voting Results

The voting results are presented in two formats:

  • Results can be viewd on the VoteClick website, which automatically ensures their authenticity.
  • Results are also available as downloadable files, that are digitally signed. The signature can be verified using this link, providing assurance that the results are genuine.

Securing with AWS Firewall and CloudFront

To effectively defend against the wide array of web threats that are common in today's digital landscape, VoteClick relies on advanced security tools provided by Amazon Web Services (AWS).

Specifically, we implement protective measures to counter Distributed Denial of Service (DDoS) attacks, as well as cross-site scripting (XSS) attacks and SQL injection attacks.

To achieve this robust protection, VoteClick utilizes two key AWS tools:

  1. CloudFront
  2. Web Application Firewall (WAF)

Additional Safeguards

To further enhance the security of our system, we have incorporated the following protective measures:

  • Every admin login to the system undergoes a two-step verification process, while avoiding cookie-based authentication.
  • Comprehensive logging of all system activities enables prompt identification of any unusual activity.

Moreover, we have established further undisclosed security measures to maintain the highest level of protection.