Citizen Data Privacy

By Dean

T he public's most frequent concern about privacy in electronic electoral systems lies in their fear that their votes will not be "secret" and can be viewed by anyone else, other than the voters themselves.

Data security has been provided by encryption methods in the past. However, it is ultimately possible for technically savvy personnel who have administrative or root access to the information, to obtain and read the information. Most data base systems in use today, with the exception of Lotus Notes / Domino, rely on information which is stored "in the clear" on the host server's magnetic storage media.

Most of today's encryption algorithms encrypt the information while it is in transit on the Internet, via the TCP/IP SSL layer, and then use private/public encryption keys, such as RSA and others, to decrypt the data once it reaches the client's PC.

Once the data reaches the server, it is stored decrypted on the server's disk or other magnetic media. In particular, the index to the information is always stored unencrypted, to allow for the record pertaining to the citizen profile to be retrieved again.

This loophole allows for the information to be read by anyone who has access to the record. Three levels of access are normally allowed, They are read, read/write, and write. An additional control is placed on new record creation, updates, and deletions. These controls are done by the database management system such as Oracle or DB2 in use at the host server.

In traditional DBMS systems, access is granted to all records in a database to those applications which require the information in order to process it, and to the systems programmers or technical administration staff, who normally have what is called "root" access to all files under their domain.

Citizen Data Security requires that identifying information be totally secure, from any and all applications and technical administrators, other than the person who owns the record, the citizen himself. Only Lotus Notes / Domino has field level encryption, which allows encryption and decryption to be controlled at the field level on the server's storage media.

At Citizen Data Security level, the encryption would happen in reverse. That is, the citizen would have to enter his/her private key in order to encrypt the information at the host server. The citizen's information, including the file key, would be stored encrypted.


A citizen can encrypt his/her information via a private/public key pair, where he retains the private key. It is only upon actual presentation of the private key that the information can be decrypted at the host server. The private key can be provided by the citizen's own smart voter ID card. See the article under An Electronic Democracy for more detailed information.

All application programs, technical staff and even the operating system I/O routines would be unable to decrypt the information, without the citizen's private key being physically presented at the network access point.

Information so encrypted is essentially useless to the host server, because it just a scramble of bits without any meaning, other than to the citizen himself. Citizen Secured Data would never be able to be de-coded, unless the citizen is present at his Network Access Device (NAD), and could be seen in the clear only by him, while at the NAD, using the smart card thumbprint access device.

Such totally secure information could contain the citizen's identifying information, such as his SSA number, name, address and any other identifying particulars.

The primary key to the citizen's record could only be generated by the citizen himself, by using the NAD with this smart card and thumb print identification device. The records would be sorted by encrypted key, but the would be of no use to any application, even to the electoral tabulation system itself.

Citizen Secured records have no decrypted identifying information whatsoever, they have only those data attributes that pertain to the application itself. In the case of a voting record, the only data attributes that could be stored decrypted are those for the vote itself, i.e. the candidate selections, and demographic information which has been politically deemed necessary for the voting tabulation, such as sex or age.

Only the citizen would be able to access his/her record and could then change his vote data or other secure profile information. All other access would be impossible to obtain, even with the highest access level available at the host server.

This Citizen Level Security system would be very useful in other applications where the public deems politically necessary to provide for such a level of privacy, such as the storage of PIN numbers, Identifying information in financial accounts, or records at credit reporting agencies.

If there is a political will, there is a technical way!

Atlanta, GA

November, 27, 2000

print this article send this article to a friend link to this article
Privacy Policy: The Center for Alternative Solutions will not rent, sell, share or disseminate any information about you with other people or non-affiliated companies and organizations. We do not set client side cookies. Our server logs are used only for traffic analysis, and are erased from our server monthly. ©Copyright 1993 - 2007 by Center for Alternative Solutions - Atlanta
The Four Corner Stones:
Cybernetic Democracy • Financial Justice • Ecological Harmony
Peace and Non-Violence
frontpage | headlines | next | deeper | top