On this page, we will discuss the various security measures embedded within the VoteClick voting platform to ensure a safe and secure voting experience.
First, we will explain our innovative method for verifying voter identity without the need for codes or passwords. This leads us to discuss how we effectively combat identity theft.
Next, we will address the importance of maintaining vote secrecy and preventing duplicate voting, as these issues are closely related.
Following this, we will explore our strategies for managing fraudulent activities within the system.
Finally, we will highlight the external mechanisms in place, such as firewalls, that are designed to protect against hacker attacks, including DDoS, XSS, and SQL injection.
Voter Identity Verification with a Single Click
Each voter receives a voting invitation that includes a distinct voting link.
This link contains a one-time voting key, unique to each voter.
Upon clicking the link, the key is transmitted to VoteClick, enabling the identification of the voter.
Combating Identity Theft
Identity theft occurs when an unauthorized individual gains access to a voter's unique voting key.
A malicious party can obtain the key by either guessing or intercepting it.
VoteClick addresses this issue in the following ways:
- VoteClick generates keys of sufficient length, resulting in a vast number* of combinations that make guessing virtually impossible.
- VoteClick utilizes SSL encryption to protect against unauthorized interception and reading of the key's value.
*There are 62^16 combinations, or:
Ensuring Secrecy and Preventing Duplicate Voting
The secrecy of the vote and the prevention of duplicate voting are ensured through a single process: the deletion of the voter's voting key immediately after casting their vote.
This measure bolsters the secrecy and reliability of the voting process, instilling confidence in voters that their vote is secure and their identity safeguarded.
The rationale behind this method is outlined as follows:
As the voter casts their ballot, their voting key is removed from their voting record, which stores their selections. This ensures secrecy, as it becomes infeasible to associate the voter with their choices.
As we eliminate the voting key in the very operation* that saves their choices, there is no moment, however brief, when the voter's choices can be linked to their identity.
* An exception occurs in meeting votes, where the voting key is deleted only upon the vote's conclusion.
Preventing Duplicate Voting
With the key being deleted, the voter is unable to use it again, effectively thwarting attempts at casting duplicate votes.
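The key handling described above can be sketched as follows. This is an added example, not VoteClick's code: the 16-character key over a 62-symbol alphabet, the `voting_record` schema and all function names are assumptions made for illustration. It shows a key drawn from a cryptographic random source, and a single UPDATE that saves the choice and erases the key together, so a replayed key matches no row.

```python
import math
import secrets
import sqlite3
import string

ALPHABET = string.ascii_letters + string.digits  # assumed: 62 symbols
KEY_LEN = 16                                     # assumed: 62^16 possible keys

def new_key() -> str:
    """Draw one voting key from the OS CSPRNG (never the random module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))

def key_space_bits() -> float:
    """Work factor for guessing a single key, in bits."""
    return KEY_LEN * math.log2(len(ALPHABET))

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Hypothetical schema: the key is the only thing tying a record to a voter.
    db.execute("CREATE TABLE voting_record ("
               "id INTEGER PRIMARY KEY, voting_key TEXT UNIQUE, choice TEXT)")
    return db

def invite(db: sqlite3.Connection, count: int) -> list[str]:
    """Create one unvoted record per invitation and return the keys to send."""
    keys = [new_key() for _ in range(count)]
    with db:
        db.executemany("INSERT INTO voting_record (voting_key) VALUES (?)",
                       [(k,) for k in keys])
    return keys

def cast_vote(db: sqlite3.Connection, key: str, choice: str) -> bool:
    """Store the choice and erase the key in a single UPDATE statement."""
    with db:
        cur = db.execute(
            "UPDATE voting_record SET choice = ?, voting_key = NULL "
            "WHERE voting_key = ?", (choice, key))
    return cur.rowcount == 1  # 0 rows: unknown key or key already used

if __name__ == "__main__":
    db = open_db()
    first, second = invite(db, 2)
    print(cast_vote(db, first, "Option A"))   # first use is accepted
    print(cast_vote(db, first, "Option B"))   # replay of a deleted key is refused
    print(db.execute("SELECT voting_key, choice FROM voting_record").fetchall())
    print(round(key_space_bits(), 1), "bits")
```

In a real schema, row order and timestamps on the record also need care, since they can correlate a stored choice with a particular invitation even after the key is gone.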
Measures for Identifying and Thwarting Fraudulent Activities within the System
The system enables observers to detect any nefarious manipulation by voting administrators, using the tools outlined below:
1. Unique Vote Codes to Combat Phishing
Each vote is assigned a unique code, which is displayed in the voting invitations and on the results page.
Voters can verify that they did not participate in a fictitious vote (phishing) by checking if there is a match between the code they received and the one displayed in the results.
2. Real-time Supervision with an Automated Voting Log
The system records every significant action related to the voting process, starting from the moment voting begins. This includes adding, deleting, and editing voters, among other actions.
The log can be viewed by observers, allowing for real-time supervision of the administrators' actions.
3. Detection of Attempts to Falsify Voter Information
The system records the email addresses and phone numbers to which the voting invitations were sent and displays them in the results.
This allows for verification that the voter details have not been falsified.
4. Ensuring the Authenticity of Voting Results
The voting results are presented in two formats:
- Results can be viewed on the VoteClick website, which automatically ensures their authenticity.
- Results are also available as downloadable files that are digitally signed. The signature can be verified using this link, providing assurance that the results are genuine.
Securing with AWS Firewall and CloudFront
To effectively defend against the wide array of web threats that are common in today's digital landscape, VoteClick relies on advanced security tools provided by Amazon Web Services (AWS).
Specifically, we implement protective measures to counter Distributed Denial of Service (DDoS) attacks, as well as cross-site scripting (XSS) attacks and SQL injection attacks.
To achieve this robust protection, VoteClick utilizes two key AWS tools:
To further enhance the security of our system, we have incorporated the following protective measures:
- Every admin login to the system undergoes a two-step verification process, while avoiding cookie-based authentication.
- Comprehensive logging of all system activities enables prompt identification of any unusual activity.
Moreover, we have established further undisclosed security measures to maintain the highest level of protection.