Sunday, October 25, 2009

T-Systems Online Voting System: Mistakes and Revisions


The T-Systems Online Voting Project identified mistakes in the architecture of its 2001 voting protocol and has taken steps to revise it. The revision process asks us to consider how online voting systems can be improved to become more secure and democratic.

The 2001 T-Systems protocol used different servers for online voting registration (called the Validator) and the online ballot box. According to researchers from T-Systems, an implication of this arbitrary divide was “redundant data management” and “inconsistency of communication problems.” More importantly, the separation of servers tears the voter’s identity apart from the vote (the Validator knows the voter’s identity, but the ballot box does not). Consequently, hackers who tamper with the ballot box can distort votes, and election commissioners will have no way to verify where the votes came from; a further implication is that it is virtually impossible to recover voting data in case of attacks. Remarkably, T-Systems evaluated the shortcomings of its voting system and decided to take steps to improve it.

Learning that the separation between voter identity and votes was not feasibly secure, T-Systems opted for a more centralized database called the Bulletin Board. According to T-Systems:

“The Bulletin Board:

· is a consistent data base for all participants

· plays an absolutely passive role and is not able to communicate with the other players.

· It has the function as a placard, because after the election the public has the possibility to check if certain votes are counted and if they are counted in a correct manner.”

Although the addition of the Bulletin Board cannot fully eliminate threats from hackers, its role as a centralized database allows for efficient and complete recovery of voting information. However, an obvious security oversight is that the Bulletin Board lacks a way to determine when attacks have occurred on its system; election officials will have to constantly check for consistency between voter identity and ballot box information, both of which are contained in the Bulletin Board.
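The consistency check described above could look like the following sketch. It is an added example, not code from T-Systems or the cited paper; the board layout, the field names and the per-ballot token that ties a validated voter to a ballot are assumptions, and all records are constructed.

```python
from collections import Counter

# Constructed sample board. The field names and the per-ballot "token" are
# assumptions for this example; the page does not describe the real schema.
BOARD = {
    "voters": [
        {"voter_id": "V001", "token": "t-a1"},
        {"voter_id": "V002", "token": "t-b2"},
        {"voter_id": "V003", "token": "t-c3"},
        {"voter_id": "V004", "token": None},      # registered, did not vote
    ],
    "ballots": [
        {"token": "t-a1", "choice": "A"},
        {"token": "t-b2", "choice": "B"},
        {"token": "t-b2", "choice": "A"},         # same token used twice
        {"token": "t-zz", "choice": "A"},         # token never issued
    ],
}


def audit_board(board):
    """Return a sorted list of (finding, token) inconsistencies."""
    findings = []
    # Tokens handed out at validation, and tokens attached to stored ballots.
    issued = Counter(v["token"] for v in board["voters"] if v["token"])
    cast = Counter(b["token"] for b in board["ballots"])

    for token, n in issued.items():
        if n > 1:
            findings.append(("token_issued_to_multiple_voters", token))
        if token not in cast:
            findings.append(("validated_voter_without_ballot", token))
    for token, n in cast.items():
        if token not in issued:
            findings.append(("ballot_without_validated_voter", token))
        elif n > 1:
            findings.append(("token_used_for_multiple_ballots", token))
    return sorted(findings)


if __name__ == "__main__":
    for finding, token in audit_board(BOARD):
        print(f"{finding}: {token}")
```

An empty result only shows that the two record sets agree with each other; it does not show that a ballot's recorded choice was left unaltered.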

Moreover, the Bulletin Board’s use as a placard imbues the system with a strong sense of vertical accountability since citizens can verify if their votes are actually counted. Because vertical accountability is essential for ensuring that governments adhere to the will of the public, the Bulletin Board is breakthrough technology that strengthens the potential link between online voting and democratic procedure. However, the greater lesson manifested in T-Systems' production of the Bulletin Board is that the company both reflected on its mistakes and took innovative measures to rectify them.

Works Cited:

Diehl, Klaus. Weddeling, Sonia. "New Developments in the Voting System and Consequently Implemented Improvements in the Representation of Legal Principles." Online Voting Project. T-Systems. August 2006.


  1. This is an interesting topic, but I found it a bit hard to put into context. It seems like a relatively technical detail about how servers are organized. The description of the bulletin board is interesting but not in enough detail to understand what it does. The fact that it “is not able to communicate with the other players” would make it totally useless unless (as I suspect) the notion of “other players” has a special meaning, not including the things it needs to communicate with. What is a “placard”? Is that a specific technical term in voting systems (I haven’t seen it before)?

    It seems that you have quoted material from the cited place but haven’t really analyzed what it means or put it into understandable context. Sentences like “the Bulletin Board is breakthrough technology that strengthens the potential link between online voting and democratic procedure” feel like promotional material from the company. I’d like more discussion of how this fits into the larger picture and what it really means to the stakeholders (both the public and the election agencies, as well as the provider).

  2. As I understand it, the T-System can separate the voter's ID from his/her vote. Then the authenticity of the voter can be checked against registration rolls. Then the memory that this voter voted can be used to stop multiple voting by that voter.

    The vote itself can be stored without the voter's ID, and later tallied.

    These are extremely important functions for successful Internet voting. There are other systems used by various companies that also do these things. E.g., Everyone Counts,

    William J. Kelleher, Ph.D.