During the last couple of decades, we have been introduced to technological innovations and tools that help us deal with daily activities much more easily and effectively. The way we shop and communicate with each other, consume information, travel, and pay bills has changed dramatically since the introduction of the Internet. Notwithstanding these innovations, when it comes to political elections we are stuck with the old-fashioned paper ballot system.

Internet voting would have eliminated problems related to distance and accessibility, allowing every eligible citizen to vote, regardless of their location at the moment. It would have also eliminated long queues and saved time at polling stations, which eventually would have caused a meaningful increase in voter turnout. Moreover, Internet voting would have drastically reduced election expenses, which governments could direct toward education or investments in healthcare.

If we look at election procedures through the perspective of the younger generation, the entire process that involves physical voting ballots in school buildings looks unattractive and outdated. How can we expect the youth to show up at voting centers, stay in line for some time, and mark the name of certain politicians or political parties if they do almost everything with the involvement of digital tools?

So, after thinking about the aforementioned positive effects, it is quite logical to ask, “If we trust the Internet when we do money transactions, then what stops us from implementing voting over the Internet?” The answer is pretty obvious when we think deeper about online business and the philosophy of elections.

First, online transactions are not as safe as we think. They are notably safer for consumers, but for the merchants and financial institutions involved in e-commerce they are quite risky, and these institutions lose billions of dollars every year. The reason we have the perception that it is safe to spend money online is that these institutions never hold consumers responsible for losses, and reimburse clients if losses occur.

Secondly, even though it sounds rational to compare e-commerce with online voting, the procedures and requirements are significantly different, mainly in issues related to security, anonymity and verifiability.

Security. Losses from online transaction fraud could be acceptable for merchants, if they compare it with their overall profits. It is okay for them to have a few cases of theft amid thousands of transactions. However, it is not an acceptable ratio for elections, given how often candidates win with tiny margins.

Anonymity. It is a vital part of all political elections. Voting should be done anonymously, which prevents voters from being pressured and influenced before, during and after the elections. It turns out that nowadays, it is very difficult to build a system that will satisfy both the security and anonymity requirements of elections. Basically the more secure the system is, the easier it is to figure out who voted for whom.

Verifiability. Although paper ballots look outdated, they are used as physical proof that a “certain number of people in a certain district voted for a certain political party or a candidate.” Is there any other way to verify votes after online voting, given that we also need to maintain the anonymity of each voter? Experts say, “None so far.”

Essentially, online voting requires technology and security measures that we do not currently possess. But hopefully in the near future innovations that are being developed by businesses will respond to the security, anonymity and verifiability requirements of political elections, which will eventually help democratize the democracy.

Note: There are several countries, including the U.S. and U.K., that have been conducting experiments with online elections at the local level. However, so far Estonia (the country where Skype was built) is the only country that is conducting online voting countrywide. Unfortunately, the expert group that monitors online elections in Estonia found serious problems that basically question the legitimacy of online voting.


By: Vugar Salamli



The online world is probably the ultimate place for freedom. You can say pretty much what you want behind a wall of nicknames and/or anonymous posts. This power has allowed people to freely expose their ideas and even organize big demonstrations against dictatorships.

But some people take improper advantage of this freedom. A couple of months ago, Tom MacMaster, a 40-year-old American, pretended to be a young Syrian lesbian blogger, causing commotion and revolt. Every day, thousands of people are powerless victims of cyber-bullying. At online marketplaces, such as eBay and Airbnb, fraud is a major problem. Moreover, bad sellers can easily change usernames and start over again. Fake profiles on Facebook and Twitter cause a lot of trouble, as well.

The “real” world has a lot of control systems that mitigate the pitfalls of anonymity. For instance, newspapers are not required to disclose the names of article writers, but at least an offended person can easily go to court to seek reparation for damages caused. Brick-and-mortar stores cannot quickly change location and names when their reputation is damaged by a fraudulent sale. Our society usually requires proper identification of the parties for most of the interactions that exist.

A “certified online ID” attesting the real name of a user could bring a lot of benefits. At online marketplaces, the benefits are obvious: the risk of reputational bankruptcy would create great incentives for better behavior, improving the quality of the services and reducing the cost of transactions. At Airbnb, tenants and hosts would know each other's real names, increasing confidence and decreasing the importance of time-demanding reviews. The same concept is also applicable to eBay. In social networks, the benefits would also be enormous, not only avoiding fake profiles, but also allowing real profile owners to get their accounts back in case of stolen passwords. A safer era of the internet would begin. It would be a place where people would be more careful before offending or cheating others.

No, I do not think that the online world should migrate right away to a policy of strict identification. If this sort of identification had been required since the beginning, the online world, and especially the web 2.0, would be much smaller, or would not even exist. New user mobilization would have been much harder. However, one day internet usage will stop growing (or at least will grow only with population). Maybe on that day, the damage caused by this “excess” of freedom might overcome the benefits, and society might have to make a tough choice.



PCI Compliance – An Often Forgotten Aspect of Online Business

Generally speaking, the goal of any online business is to make money. To do so effectively often requires the business to accept credit cards. However, when a business signs a merchant agreement with a credit card network they also agree (often unknowingly) to maintain compliance with the Payment Card Industry Data Security Standards (PCI DSS). PCI is an industry group made up of the major credit card companies that regulates the usage of credit cards. They created and enforce the PCI DSS, which is a set of standards aimed at securing customer credit cards against theft and fraud. These standards require any company that processes, stores, or transmits credit cards to maintain a secure environment for these transactions to take place. This includes everything from installing a firewall and anti-virus software to ensuring the doors to the server room are locked at all times.

When most small businesses sign their merchant agreement with a credit card company, they do not read the fine print of the agreement, and do not realize that they must be compliant with PCI DSS. Often the PCI DSS clause is only a sentence or two long, and if the business does not have a lawyer who is familiar with this clause, they are likely to miss it. This leads to the unfortunate result that if the business ever suffers a security breach where customer credit card information is lost, and the business is found to be non-compliant with PCI DSS, they are subject to heavy fines. These fines can be anywhere from $1 to $100 per card that is compromised, partially due to the fact that it costs the credit card companies up to $25 to replace a lost or stolen card. One of the most costly credit card breaches was that of TJX Companies Inc., the parent company of T.J.Maxx, where over 40 million credit cards were compromised and the total cost of investigation and PCI fines was over $200 million.

For smaller online businesses, it is unlikely that they would lose this many cards and would generally be subject to much lower fines. However, considering how cheap it can be to comply with PCI DSS, it would be foolish to not do so even if the business only processes a few transactions a month. PCI DSS classifies merchants based on the number of transactions they have, and companies with the lowest transaction rates only need to submit a self-assessment questionnaire and have a quarterly vulnerability scan of their environment to maintain compliance. Compared to the potential fines they would face if a breach occurred, maintaining compliance is very cheap.

When forming an online business, founders should be aware of, and maintain compliance with, PCI DSS requirements from the very beginning to avoid massive fines if they are breached. Alternatively, online businesses could consider not handling credit cards at all, and either accept payment only via services such as PayPal, or outsource credit card processing to a third party. Although outsourcing to a third party will result in an additional processing fee on top of the credit card companies’ interchange fee, the business will no longer be subject to PCI fines, as they effectively transfer the risk of compromise and the burden of protecting the credit cards to another company. In the end, when an online business makes the decision to accept payment for the goods or services they provide, they must weigh the tradeoffs between the added expense of outsourcing and the added expense of maintaining PCI DSS compliance.

By: Frank Nagle

