+

WO1996002044A9 - Systeme informatise d'enregistrement de votes a distance - Google Patents

Systeme informatise d'enregistrement de votes a distance

Info

Publication number
WO1996002044A9
WO1996002044A9 PCT/US1995/008267 US9508267W WO9602044A9 WO 1996002044 A9 WO1996002044 A9 WO 1996002044A9 US 9508267 W US9508267 W US 9508267W WO 9602044 A9 WO9602044 A9 WO 9602044A9
Authority
WO
WIPO (PCT)
Prior art keywords
data
voter
voting
precinct
event
Prior art date
Application number
PCT/US1995/008267
Other languages
English (en)
Other versions
WO1996002044A1 (fr
Filing date
Publication date
Application filed filed Critical
Priority to AU31251/95A priority Critical patent/AU3125195A/en
Publication of WO1996002044A1 publication Critical patent/WO1996002044A1/fr
Publication of WO1996002044A9 publication Critical patent/WO1996002044A9/fr

Links

Definitions

  • This invention relates to automated and/or electronic voting systems used for conducting public elections.
  • a single- use design is disclosed in which certain components are manufactured specifically for use in one election.
  • a system is also disclosed that provides a voter interface allowing votes to be cast, recorded, and tabulated in a secure manner using logical functions to automate the process.
  • Remote recording is also used to facilitate the rapid, centralized collection of votes.
  • the above system performs the above-mentioned functions while maintaining voter anonymity.
  • Wise et al. U.S. Patent No. 5,218,528, disclose a system which "integrates the stages of registering and certifying voters and collecting their votes". They further disclose the incorporation of an "interactive graphic interface for vote entry". This type of system takes advantage of existing technology and provides some desirable attributes. However, such a design adds greatly to the system's complexity and cost. In addition, the implementation described does not provide for operation in some states where a "full face ballot" must be used. (The term “full face ballot” describes a ballot in which all candidates for all electoral races must be presented to the voter at once. At the present time, some states require this type of ballot.) Additionally, the Wise et al.
  • the "Key Card” is returned by the voter and the vote data is then recorded from the "Key Card” .
  • the information in the Anno et al. key card creates undue complexity in the voting process by requiring an added level of supervision.
  • the designs disclosed in Wise et al., supra, and Webb, U.S. Patent No. 4,774,655 relate to the capacity of available technology to perform voting tabulation.
  • the prior designs do not relate to an in-depth scientific analysis of the requirements of public officials, public law, and the provisions necessary for fair, accurate, and secure voting.
  • a means to subsequently verify the system's operation through use of an audit trail with individual voter records or a data difference resolution methodology is lacking.
  • Prior art systems do not provide for a defined audit trail for the complete operational cycle during an election.
  • the prior art also fails to provide for specifically defined security processes and events that would make security breeches detectable.
  • the prior art does not provide for the collection of individual voter records recounting the actual ballots cast.
  • the present invention provides a remote electronic voting system which provides improvement over the prior art by simplifying the hardware and software.
  • the present invention is flexible and adaptable (1) through the availability of a single- use design (2) by incorporating defined security protection through both detection and inherent design and (3) by integrating and networking hierarchical systems at the precinct, city/county and/or state levels. Centralized hierarchical control and remote vote recording with secure collection are also provided. A process of immediate election certification by comparison and verification of redundantly recorded data is also provided. Time tagged data and a specific voter record are utilized as disclosed herein. The development and collection of a full audit trail for post election certification is also defined. A methodology of supplying machinery for public elections by defining a single use "kit" concept for certain system elements is disclosed to thereby reduce costs and afford system security.
  • the security key card is only used to convey the authority of the card holder to vote. It is (1) issued when the voter's registration is verified, (2) contains a unique code electronically written on a magnetic strip, (3) can only be used one, and (4) is disposable after use. It contains no control data, no election data, nor does it record any vote data. In this case, the prior art is improved by specific simplification of the electronic security key card.
  • This invention also includes an audit trail and an individual voter record which are specifically defined. Methods employed in this invention, as disclosed, reveal how this critical data is used to assure system integrity and accuracy.
  • Specific data processing techniques are used to produce specifically defined data storage information which is stored with the actual data. These processing techniques produce a storage data header; a digital description of the data,* multiple check sums of the stored data and its associated header; and data word parity (a digital description of whether the data word is even or odd) . This data storage information ensures that the stored data is true. However, should an error be detected, the error can be corrected through "detect and correct" processing incorporated within the system.
  • the methodology of processing and storing the critical data of the present system incorporates redundant memories as a defense against catastrophic failures, loss, and/or damage of the transportable memory devices.
  • the present system consists of a precinct level system, a city or county level system, and a state level system.
  • the basic system or "precinct system” is a single-use system and is composed of "1 through n" electronic ballots connected to and controlled by a central precinct processor.
  • the precinct system is further connected, controlled, and monitored by other hierarchical systems which may be located at the city/county and/or state levels.
  • Security of the electronic ballot is controlled by a disposable electronic security key card which is provided to each voter.
  • each voter may gain access to the electronic ballot and cast votes for each electoral race presented.
  • Each security card contains a unique, system- generated access number that can be used only once. This system number is encoded as magnetic information on the security key card. With the present system, the voter may retain the security key card after voting or dispose of it at the polling place.
  • Control of the electronic ballot(s) is provided by a central precinct processor.
  • the central precinct processor communicates with the electronic ballot through electronic interface circuit (s) .
  • Logical input channels and logical output channels (LIC/LOC) contained with the electronic interface circuits, read the votes cast by the voter.
  • the LIC/LOC circuits also control indicators on the electronic ballot to confirm the vote selected.
  • the precinct processor records the votes cast in an individual electronic voter record and resets the electronic ballot.
  • the electronic voter record is then used to accurately secure vote tallies and recounts.
  • the electronic record is a true record of the votes cast by an individual voter.
  • the central precinct processor system provides for precinct operator interface and precinct control of the system.
  • the operator can run tests, monitor various system functions, and utilize built in test functions to troubleshoot and repair system and component failures and to also detect security compromises.
  • the central precinct processor also performs communication functions with higher level systems if the installation is so configured. Higher level communication functions may include (1) centralized start and stop commands, (2) system monitoring, (3) data collection, and (4) on-line certification processes. All communications are via encrypted data transmission.
  • This invention incorporates (1) a single-use precinct system and associated electronic ballots, (2) a higher level city, county, and/or state level data collection system, (3) a maintenance monitoring facility, (4) associated security provisions, (5) processing to control system functions, (6) a defined audit trail, (7) a defined electronic voter record, (8) system self diagnostics, (9) specific operator displays and displayed data, and (10) processes by which the system is designed manufactured, shipped, installed, and operated. Also included is (1) the method of kit component collection, (2) the delivery of the kit, and (3) the secure handling of sensitive components through the "chain-of-custody" process.
  • the present invention provides an automated voting system that utilizes electronic components with logical processes and specific security method to provide cost effective, secure collection of votes cast in public elections.
  • the present invention also provides automated vote tabulation and is also adaptable to the specific needs and laws of the jurisdiction in which the system is being used.
  • Figure 1 is a Voting System Block Diagram showing a Functional Allocation of each voting level.
  • Figure 2 is a Precinct System Diagram.
  • Figure 3 is a City/County Block Diagram, showing a Remote Recording Electronic (RRE) Configuration.
  • Figure 4 is a State Block Diagram Remote Recording electronic (RRE) Configuration.
  • Figure 5 is a Secure Single-Use Voting System Method.
  • Figure 6 is a Critical Data Processing and Method showing a critical data element and header.
  • Figure 7 is a Test Valid Critical Data Store Method.
  • Figure 8 is a Detect and Correct Process Method.
  • Figure 9 is an Audit Trail Processing Functional Block Diagra .
  • Figure 9a is an Audit log Post Election Processing Verification Report.
  • Figure 10 is an Electronic Voter Record and Vote Tally Processing Functions and Method.
  • Figure 11 is a Security Processing Functional Block Diagram.
  • Figure 12 is a Statistical Processing Functional Block Diagram.
  • Figure 13 is an On-Line Maintenance and Monitoring Process Functional Block Diagram.
  • Figure 14 is a diagram of a Display Format.
  • Figure 15 is a diagram of Typical System Display.
  • Figure 16 is a Precinct Hierarchical Display Structure.
  • Figure 17 is a City/County Hierarchical Display Structure.
  • Figure 18 is a State Hierarchical Display Structure.
  • Figure 19 is a System Start Up Screen.
  • Figure 20 is a System Pre-test.
  • Figure 21 is a Ready-to-Vote Display.
  • Figure 22 is a Precinct Status Display.
  • Figure 23 is a Precinct Statistics Display.
  • Figure 24 is a Help Status Display.
  • Figure 25 is a City/County Status Display.
  • Figure 26 is a City County Statistics Display.
  • Figure 27 is a Select Precinct Display.
  • Figure 28 is a County Status Display.
  • Figure 29 is a District Based Statistics Display.
  • Figure 30 shows Common Logical Processing Functions.
  • Figure 31 is a flow chart of Self-Validation Logical Processing.
  • Figure 32 is a flow chart of Audit Trail Processing.
  • Figure 33 is a diagram of a Typical Electronic Ballot Layout.
  • Figure 34 is a diagram of a Rhode Island Sample Ballot.
  • Figure 35 is a diagram of a Split Ballot.
  • Figure 36 is a diagram of a Split Ballot with Common Referendum Issues.
  • Figure 37 is a diagram of a Split Precinct Ballot Configuration.
  • Figure 38 is a diagram of a Split Precinct System Configuration.
  • Figure 39 is a Multi-Vote Race Ballot with Vote Counter.
  • Figure 40 is a Multi-Vote Race with Multi-Votes Per Candidate Allowed.
  • Figure 41 is a Central Precinct Processor Functional Block Diagram.
  • Figure 42 is a flow chart of a Stand-Alone Precinct Test Function.
  • Figure 43 is a flow chart of a Build Valid Precinct.
  • Figure 44 is a flow chart of a Start Audit Log.
  • Figure 45 is a flow chart of Run Communications.
  • Figure 46 is a flow chart of an Establish and Test Communication.
  • Figure 47 is a flow chart of a Run Memory Test.
  • Figure 48 is a flow chart of Test Key Card Writers.
  • Figure 49 is a flow chart of a Test Electronic Ballot.
  • Figure 50 is a flow chart of a Vote Precinct.
  • Figure 51 is a flow chart of an Initialize and Verify System.
  • Figure 52 is a Ready-to-Vote diagram.
  • Figure 53 is a flow chart of a Run Vote.
  • Figure 54 is a flow chart of a Record Vote.
  • Figure 55 is a flow chart of a Validate Key Card.
  • Figure 56 is a flow chart of Run Ballot n.
  • Figure 57 is a flow chart of Compile Vote Records.
  • Figure 58 is a flow chart of an End Vote.
  • Figure 59 is a flow chart of a Certify Vote.
  • Figure 60 is a flow chart of a Run Certification Processing.
  • Figure 61 is a flow chart of an End Precinct.
  • Figure 62 is a flow chart of Statistics Processing.
  • Figure 63 is a flow chart of a City/County/State Control Processing Functions.
  • Figure 64 is a flow chart of a Pre-Election Test Function.
  • Figure 65 is a flow chart of a Verify Storage and Set Precinct I/O.
  • Figure 66 is a flow chart of Set Up Precincts and I/O Channels.
  • Figure 67 is a flow chart of Process Secure Communications.
  • Figure 68 is a flow chart of Open Communications.
  • Figure 69 is a flow chart of Collect Pre-Test Data.
  • Figure 70 is a flow chart of a Certify Pre-Test.
  • Figure 71 is a flow chart of an Open Polls Command.
  • Figure 72 is a flow chart of City/County and State Data Collection Processing.
  • Figure 73 is a flow chart of Run Secure Communications.
  • Figure 74 is a flow chart of Validate Precinct diagram.
  • Figure 75 is a flow chart of Collect Vote Data diagram.
  • Figure 76 is a flow chart of Certify Election diagram.
  • Figure 77 is a flow chart of Display Election Returns.
  • Figure 78 is a flow chart of Shutdown Election.
  • Figure 79 is a flow chart of a City/County Off-Line Data Processing Functional Block.
  • FIG. 1 Voting System Block Diagram and Functional Allocation, is a block diagram that discloses the overall system architecture by identifying the system's major components and their major functions.
  • the system functions include: vote collection, data processing and recording, display processing, system control, and other functions.
  • Figure 1 shows an implementation of the complete system as installed.
  • Hierarchical control and recording capabilities from central state locations and monitoring facilities provide centralized operational and maintenance support. The system is organized from the lowest level element, the precinct system, through the state level.
  • the precinct level is a fully operational, stand alone, direct recording electronic (DRE) voting system.
  • the DRE voting system contains a central processor electronically interfaced to "1 through n" electronic ballots, as shown in Figure 2, Precinct System Diagram.
  • the Precinct System Diagram of Figure 2 shows a dedicated voting system of single use design; i.e., it is intended for use in only one election, after which it is disposed. If the precinct system(s) are connected to a city/county control collection system, the system together is then defined as a Remote Recording Electronic (RRE) voting system as shown in Figure 1.
  • RRE Remote Recording Electronic
  • the functions performed by the city/county and state processors are dependent on the laws of the jurisdiction.
  • the functions may vary from simple on-line vote collection and performance monitoring to full control of lower level precinct processing.
  • Control functions such as start vote, stop vote, time synchronization and other functions are provided. These functions may be changed, added, or deleted to allow the system to be adapted to the specific voting laws of the community.
  • Figure 3 shows the City/County system in a Remote Recording Electronic (RRE) Configuration.
  • RRE Remote Recording Electronic
  • Figure 4 shows a State System block diagram in the RRE Configuration. Its range of functions are dependent upon the jurisdiction of use. For example, some systems do not require state level tabulation. Accordingly, a state level processor may not be required. However, those states which desire a state level processor can choose the same range of control options available to the city/county processors. As shown in Figures 3 and 4, those communities using a centralized city/county and/or state processor can opt for electronic information release. Data release options may include on-line statistical data collected throughout the voting period to final election results. Data releases may include a variety of outlets including the news media, various party headquarters, and/or other interested parties.
  • Security of the system is afforded by a number of features including: data encryption as shown in Figure 1; security key access to the electronic ballot as shown in Figure 2; software self-validation; system handling methodology as shown in Figure 5 and the Secure Single-Use Voting Method System.
  • kits An important aspect of this invention is the design of the dedicated precinct system as a "kit" intended for a single-use.
  • the "kit” design relates to a method of providing voting system equipment for a dedicated single-use purpose.
  • the kit design allows all components of the precinct system, as shown in Figure 2, to be common with the exception of the electronic ballots and the computer program which are tailored for each precinct and election.
  • kit design allows all components for all precincts to be centrally pre-positioned prior to an election.
  • kit individual components of the voting system are packaged together and prepared for shipping to the system point of use, i.e., the precinct.
  • the kit Upon arrival at the point of use, the kit is assembled and the full precinct system is ready for the election. After use, the system is disposed of.
  • the specific methodology is graphically depicted in Figure 5.
  • the inventor(s) have determined cost savings and enhanced security is afforded by the method and the design. Specifically, the following attributes are realized.
  • the kit design allows centralized warehousing of component parts. Packaging of the kit is performed at shipping time by collecting the system components. The kit is shipped directly to its point of use just prior to the election and assembled. This method yields savings in system assembly, labor, storage, and shipping costs.
  • system components may be disposed of. It has been determined that equipment handling, storage, maintenance, and reprogramming may, depending upon economic circumstances, be greater than the cost of simply replacing the equipment with new equipment on a per election basis.
  • kit components are collected randomly and then packaged as kits. Since there is no way of knowing where any specific component will actually be used, tampering with a particular component could not affect a specific election result.
  • the warehousing method, collection of the kit component parts, and shipping directly to the point of-use is a "chain-of- custody" procedure, as shown in Figure 5. This precludes the chance of the election equipment being available to unauthorized personnel or potential tamperers.
  • Specific kit components that must be protected are the electronic memory media containing the operational software and the memory where the vote data will be recorded. These components are shipped separately to election officials. The memories are sealed at the time of manufacture and later opened. Only the election officials or the election judges at the precinct may open the memories at the precinct from the sealed package.
  • Operational and processing advances include: a. critical data processing and methods; b. a defined audit trail; c. a defined individual voter record; d. defined security processes and operator notification alerts; e. statistical data collection and real time display; f. continuous system diagnostic processing; and g. defined displays.
  • the critical data collected, processed, and saved or stored during use of the system is the audit trail and the individual voter record data. When combined, it may be determined that the system was properly functioning at the time a vote was cast and that the vote data is, in truth, what the voter actually selected. The accuracy of this data must be guaranteed and provable to be correc . This is fundamental to the integrity of the system. Prior art systems have attempted to achieve guaranteed, provable data through redundant memory system data storage. However, redundant data storage alone, without a definitive process to define how differing data is resolved, cannot be proven to be true or accurate. Multiple memory systems are provided, as shown in Figures 2, 3 and 4, as a defense against catastrophic failure, accidental loss, and/or damage of the memory devices. Accuracy and integrity of the data is assured through the use of data processing techniques that produce specifically defined storage information for the vote and audit trail data.
  • Critical Data Processing-Method these processing technigues produce a Critical Data Element for either a voter record or for an audit trail record (audit log record) .
  • the raw data contained within the critical data element will vary in form and content when used as the voter record or the audit trail record. Accordingly, the Data Type, as shown in Figure 6, will indicate the type of information present in the Critical Data Element.
  • the Critical Data Process is used to add information to the raw (unprocessed) information for each record.
  • the information added to each record includes: a Critical Data Header; a Data Checksum; and a Data Element Checksum.
  • a Critical Data Header includes the above-mentioned Data Type which is a digital description of the data type stored.
  • a Time Tag, Number of Words, and word parity information is also included in the Critical Data Header, as described below, which indicates the number of bits in the Critical Data Header.
  • Figure 6 also shows the processing performed to produce the critical data header and multiple check sums.
  • the critical data process When the critical data process is performed to produce a record from the raw data, it first tests and sets a parity bit for each 8 bit byte of the raw data element. The raw data is then referred to as Record Unique Data. The process then continues and builds the Critical Data Header.
  • the Critical Data Header consists of the Data Type identifier; a Time Tag which is the current real time of the system (a unique number for each Critical Data Element) ,* and a Header checksum.
  • the Header Checksum is a numerical addition of the data in the header with any overflow being ignored.
  • a second checksum, Data Checksum is built on the Record Unique Data and utilizes the same process.
  • the Data Checksum is a numerical addition of all bits in the Record Unique Data with any overflow being ignored.
  • the Record Unique Data is simply the raw data which has been processed for parity information as described below in reference to Figure 7.
  • the final step in the critical data process is to build a third checksum, Critical Data Element Checksum, for the entire Critical Data Element.
  • the Critical Data Element Checksum is a numbered addition of all bits contained within the Critical Data Element.
  • the Critical Data Element checksum is a unique number which incorporates the information from the time tagged number of words.
  • Test Valid Critical Data Store Method illustrates the use of verification data produced by these processing methods to read and verify the critical data.
  • Each process that reads, stores or otherwise utilizes the critical data within the Critical Data Element checks the verification data record prior to performing any other process. This ensures that the information is correct.
  • the Test Valid Critical Data Store process verifies the integrity of the Critical Data Element by regenerating the checksums contained with the Critical Data Element and comparing the result to the checksums generated and stored by the Critical Data Process of Figure 6. If the checksums are equal, the data is valid and the process is complete. Additionally, the integrity of the information has been verified to be correct. However, if the checksums are not equal, a Detect and Correct process, as outlined below in reference to Figure 8, is performed to find and correct the incorrect data.
  • Figure 8 Detect and Correct Process Method, shows the processing method performed to correct stored data errors.
  • each checksum is tested to identify which part of the critical data element is incorrect.
  • each checksum including the Header Checksum, the Data Checksum and the Critical Data Element Checksum is recalculated and compared with the stored value in the Critical Data Element. An incorrect match will indicate which portion of the Critical Data Element is in error.
  • the repair process is shown by the Test Valid Critical Data Store of Figure 7.
  • the stored information is read.
  • the parity information for a corrupted byte is analyzed.
  • the parity information for each byte of data will identify which byte has the incorrect data.
  • Each possible combination of bits for the incorrect byte is then sequentially generated and added to the other bytes in the record.
  • the checksum is then recalculated and compared with the stored value. This process is repeated until the value of the added bytes equals the checksum.
  • the incorrect byte is then replaced with the "generated" byte to thereby repair the incorrect byte.
  • This process may be used to repair either the Critical Data Header or Record Unique Data.
  • This method assures the accuracy of the critical data elements produced by this invention, the audit trail, and the individual voter record.
  • Audit trail data is critical data and incorporates the critical data process methods previously defined. Event data is produced by each major processing function and a specified data record is also produced that fully describes the event. This data is redundantly stored in multiple data memories.
  • Audit Trail Processing Functional Block Diagram illustrates the production of data by each major processing function and shows the data logged.
  • the data provided is such that the complete operation of the system can be reproduced and the system's operation confirmed.
  • This audit trail and the data included for each audit log entry in the audit trail are defined below:
  • Time of log entry B. Time of event occurrence C. Event category
  • a post election validation process is provided.
  • the specification is that the operation of the system is to be confirmed over a 30 minute time frame from 10:00 a.m. to 10:30 a.m.
  • a specific procedure would read all of the audit log entries that were processed over that time frame and provide a printout of the audit log data.
  • Figure 9a is an illustration of how this printout of the audit log data might look.
  • the present invention defines an individual voter record to ensure secure, accurate and true election results. This is as shown in Figure 10, Electronic Voter Record and Vote Tally Processing Functions and Method.
  • the voter record is an electronic record of the ballot as cast by the voter i.e., a digital record of those votes cast by an individual voter.
  • the individual voter record is an element of the system critical data and uses the critical data processes and methodologies previously defined. It is this record from which the totals of each electoral race are derived.
  • the voter record is the electronic equivalent of a marked paper ballot. Each voter record is saved and can be used for later recounts. It can be printed off-line and manually recounted if necessary.
  • the system does not merely provide vote totals of each race, but rather a complete voter record for each voter from which vote tallies are compiled. Each individual's votes can be clearly understood after the polls are closed. This allows for a meaningful recount and is used to verify that the software logic that correlates the voter's choices to the vote cast is correct. If for any reasons such logic was incorrect, it then could be subsequently corrected and recounted. This is not possible in a system that saves only the total votes cast in each race.
  • a vote tallying process is incorporated in which two or more separate processes tally the votes. These separate processes produce a tally of each race from the voter records. These are then compared, and if equal, would result in a certified election result.
  • the purpose of this method is to ensure that the vote tally process has no logical errors that could cause an incorrect election tally and eliminates human error as a source.
  • the two or more tally procedures would be developed by different persons to ensure that while the tally function is the same, the actual logical processing would be different. This method eliminates the possibility of logical errors going undetected.
  • the vote record process and method provides additional system security since votes are tallied from these records.
  • a system that maintains a running total could be subject to fraud by tampering if the vote totals were adjusted.
  • each vote in each voter record would have to be found and individually adjusted. This is a near impossible task since many copies of each record are maintained throughout the system and each contains unique check sums and parity data as generated by the previously described critical data process and method. Additional protection of the critical vote record data is afforded through the use of separate memory systems and/or devices that contain redundant copies of the voter record and other system critical data.
  • Security Processing Functional Block Diagram depicts the processing defined for the security function and includes the operator's required inputs in response to a security alert. Each occurrence of a detected security breach or suspected security breach is logged in the audit trail and the appropriate operation level (precinct, city, county or State) is required to enter an alert response that becomes part of the operational audit trail.
  • Security breaches are classified as one of three security alert levels:
  • Level 3 ft3.eyts A statistical condition exists that has generated a security alert and must be locally investigated. If a breach is confined, the next high official element is notified. Conditions generating a Level 3 alert are:
  • Each of these security alerts generate immediate operator alarms.
  • the specifics of the security alert are displayed on the system operator's display.
  • FIG. 12 Statistical Processing Function Block Diagram, shows the processing performed by each of the full system hierarchical elements and the statistical information provided at each level. When possible and appropriate, statistical ranges, means, modes, and averages are provided by this function.
  • This on-line real time statistical data accrues to both election officials and the general public alike.
  • Election officials can monitor the election to determine if a precinct is becoming crowded. This may allow them to shift added help from a slow precinct to one that has many voters arriving in a short period.
  • Research has shown that definite community trends exist for preferences to vote before or after work or at other specific times of the day. Assessment of the statistical data can allow officials to tailor precinct voting systems and poll workers support to times that trends indicate are heavy. Public release of this information can also be provided throughout the voting day to allow voters a better choice of when to vote. As a result, a better level of service is provided.
  • “Find and Fix Processing” is a continuous process that "repairs" problems of selected hardware components and logical processes incorporated in the system. These include interface word parity, bit detect, correct circuitry, as well as other processes. Other processes include check sum validation, test words and other continuous monitoring, and diagnostic testing. Fault Detection and Correction performed in these processes are termed “Soft Failures", i.e., a failure that could be corrected by the functions performed by the hardware and software of the system. When fault detection is reported through a scheduled run of the on-line maintenance, it is used to develop a statistical report that can be used to assess the overall "operational health" of the system, e.g., the number of communication line faults detected and corrected. By way of example, a 25 percent communication detect and correct fault rate may prove to be common and acceptable while a 50 percent rate may be determined to be enough degradation to warrant repair procedures.
  • the present invention accounts for hard failures.
  • Hard failures are failures that cannot be fixed through the incorporated process, e.g., a complete loss of communication.
  • the "on-line maintenance monitor function” immediately processes to determine the fault, reports the fault on the system operator's display, and performs processes to localize the failed item.
  • the Find and Fix function of this process determines which component has failed and reports this to the operator via the maintenance monitoring operator display function. This will provide the operator assistance in repairing the system.
  • Periodic fault detection is one of the functions performed by the election operational computer program and includes processes for both hard and soft fault detection and operator notification. Periodic testing includes verification of interfaces, ballot channel testing, communications test messages, and lamp tests.
  • Operator display processing functions include fault display processes, fault alert display processes, specific operator instructions to fix system, and monitoring statistical processing functions.
  • Results of all of these maintenance and monitoring processes are saved as part of the system audit trail.
  • a post election analysis not only can events be verified, but the operational status of the system before, during, and after a particular event can be confirmed.
  • System Displays at all levels of the system are significant to the present invention.
  • the overall format for these displays is shown in Figure 14, Display Format.
  • the purpose of displays is to provide a logical operator interface to allow operational functions to be performed.
  • the displays are specific and logically organized to limit the range of operator actions required to direct the system's operations.
  • the System Display area is common to all displays and is used to display legally required data such as public count and precinct number.
  • the Alert Display area is specifically reserved for operator alerts such as security alert and maintenance alert.
  • the center area of the screen is a Selectable Data Display area. Data displayed in this area is selected by the operator.
  • the Function Key Display area is used to display function key switches that can be accessed from a particular display and are changeable from display to display. These are known as "soft keys” i.e., keys whose functions are changeable by the computer program.
  • the preferred embodiment of this display design incorporates the man-machine interface of the common "point and click" method.
  • the displays may incorporate the use of colors and other features commonly available to enhance the utility of the displays.
  • Color usage in this display may include the following background colors for the "Booth Operational” display. Green: Operational
  • This area is reserved specifically for the operator alert display area as shown in Figure 15.
  • Alerts displayed include the following: A. Securi ty Alerts
  • a voter in booth "n" has requested help.
  • a set of alert control software switches are provided in a fixed area at the bottom of the alert area. Use of these switches are:
  • This area displays data as selected by the system operator.
  • the display function key area is reserved for the display of point and click soft switches, i.e., keys whose functions vary depending upon the display and are defined by the software.
  • Figure 16 Precinct Hierarchical Display Structure, illustrates the hierarchical nature of the display processing organization.
  • the available screens are the start-up screen, pre-test and ready-to-vote screens.
  • Figure 17, City/County Hierarchical Display Structure, and Figure 18, State Hierarchical Display Structure show the display structures at the city/county and state levels.
  • Figures 19 through 29 illustrate various display screens implemented with this specific design. Note that the return key and log entry key are always shown. A gray background behind a key indicates that it is not available for operator entry. Other methods may be used to actually implement this function. The return key is used to return the screen displayed to the next higher level of display as shown in Figure 19. This display design, and the data processed and displayed on these specific screens, are unique attributes and specific improvements of this invention.
  • Logical processing functions are significant to the present invention.
  • a separate stand alone test function is used to verify the full system operation prior to an election.
  • a separate operational election processing function used to actually operate and control the system during the election.
  • a third off-line data processing function is provided.
  • the processing performed by this function provides for a number of post election processes including recount processing, voter record printing and analysis, audit trail review and other processes that may be required by local laws.
  • the post election process is tailored for each jurisdiction.
  • the Self- Validation Function Functions common to all logical processing are The Self- Validation Function and the Audit Trail Function. The incorporation of these functions is shown in Figure 30, Common Logical Processing Functions.
  • the Self-Validation processes are performed at system turn on as part of the system's start-up processing and periodically on a continuous periodic schedule.
  • Audit trail processing functions are performed as scheduled by other systems processing functions.
  • the Self-Validation Function is common to all logical processes utilized and is shown in Figure 31, Self- Validation Function. Its purpose is to ensure that each process may validate itself at run time and prove that it has not been tampered with. Additionally, the Self-Validation process ensures that no data has been lost through any type of failure. Specifically, at the time of manufacture, a check sum is generated and stored with the logical processing command set, i.e., the program. The check sum is an overflow ignored, sequential addition of each command comprising the entire functional process. This number is then added to a security code number to produce a final program check sum.
  • a manually entered security code is entered by the operator. This code is added to the calculated code and checked against the stored checksum to validate that system operation is authorized. Failure of this check would also generate a level 1 alert.
  • the audit trail is a significant improvement in the art and is preferably common to all system processing functions.
  • the processing that generates the audit trail is shown in Figure 32, Audit Trail Processing.
  • the audit trail is developed and recorded by the process Audit Log.
  • the audi t trail will allow every system event to be tracked after the election through off- line processing .
  • the audit trail is a time ordered digital recording of each system event that occurred during the election.
  • a system event includes: (l) system start time, (2) operator commands, (3) test results, (4) start vote, (5) key card number issued, (6) key card number used, (7) electronic ballot input data, (8) voter start vote and stop vote time, and
  • Each major procedure in the present system uses an audit log procedure to schedule an audit record processing function. When combined with the voter records, a complete audit of every precinct event may thereby be reproduced. The operational integrity of the system can also be verified and validated by an analysis of operating historical records contained in the Audit Trail.
  • FIG. 2 Precinct System Diagram, is a block diagram of the single-use precinct system. As shown, its major components consist of: (1) electronic ballots, (2) an electronic ballot interface, (3) a central precinct processor, (4) magnetic key card writers, (5) magnetic key card readers, (6) external communication components, (7) an operator control station, and
  • the separate memory media contains operational logical processing functions and several redundant memories for recording vote data, system operation data, the audit trail and individual voter records.
  • the memory media used for implementation of this invention may be any number of potential media including both volatile and non-volatile media. Examples include flash chips, Programmable Read Only Memory (PROM) , laser discs, or industry standard Personal Computer Memory Card International Association (PCMCIA) technology.
  • PROM Programmable Read Only Memory
  • PCMCIA Personal Computer Memory Card International Association
  • All control and data processing functions of the precinct system are performed by a central precinct processor and its associated logical processing functions. Functions performed include (1) overall operational control, (2) pre-election testing, (3) continuous diagnostic monitoring, (4) security monitoring, (5) electronic ballot control, (6) vote data collection, (7) audit trail data collection, (8) secure data communications, (9) time synchronization, and (10) operator interface display processing functions.
  • the logical processing also builds and stores individual voter records, which are the functional equivalent of a paper ballot and necessary for election certification and recounts.
  • the precinct system is the lowest level of the hierarchical design .
  • the precinct system can be operated as a total stand alone system autonomously operating under its own logical processing control and collecting voter inputs or it may be connected to a higher level system at the city/county and/or state level.
  • Precinct level functions controlled from the higher level system are determined by the community in which the system is being used.
  • a significant feature of this invention is the electronic ballot as shown in Figure 33, Typical Electronic Ballot Layout.
  • the electronic ballots are shown in a single-use designs manufactured specifically for a particular election.
  • a main feature of this method is that the ballot has no restrictions for the design and layout of its face. It is designed new for every election and for each area of use. Thus, it can be tailored to any jurisdiction's unique requirements. It is representative of a "full face ballot”.
  • the technology used for the preferred embodiment of this design is membrane swi tch technology.
  • This technology is flexible and cost effective to implement in a single-use design. This technology may also be replaced as newer technology becomes available at cost and in quantity for future systems.
  • the specific design of the electronic ballot allows for all possibilities of voting including straight party voting, write-in voting and multi-vote races. "Tactile feel " of vote selection is provided by incorporating dome switches on the electronic ballot. Corresponding system vote selection is confirmed by illuminating a light emitting device that indicates the voter's selection (s) on the ballot face. Provisions are also made for wri te-in selection. In the ballot depicted in Figure 33, the write-in provision is provided by an alphabetic keyboard with an associated display.
  • the electronic ballot disclosed herein also provides a significant enhancement in system securi ty.
  • Election data on the ballot is applied at the time of manufacturing. It is therefore physically integral to the ballots' materials and cannot be tampered with. Any attempt to change the data would be immediately detectable by simple visual inspection as attempted tampering would result in obvious damage to the ballot.
  • the single-use design manufactured for only one election, does not have unused switches available to the voter. Such switches could lead to sophisticated tampering through either modification of the computer software to detect an unused switch or by moving the label associated with a given switch. Both unintentional and intentional ballot tampering are eliminated by this method.
  • the final security provision of the electronic ballot is afforded by the chain-of -custody method of handling, as shown on Figure 5, Secure Single Use Voting System Method.
  • the chain of custody method of handling precludes and prevents unauthorized access to the ballot prior to an election.
  • the electronic ballot affords the following specific improvements on the state of the art.
  • the ballot can meet exactly the appearance requirements of the law and is adaptable on a per election basis.
  • Embossed Braille could be incorporated as part of the ballot data.
  • Any number of ballots may be used at the precinct.
  • a write-in ballot is provided.
  • the electronic ballot of this invention affords this function through the use of an alphabet keyboard with a display. Current implementation of this function may use a liquid crystal display.
  • software may be used to read handwriting along with a touch sensitive screen where the voter could actually write in, rather than type-in, the candidate of choice.
  • an electronic security key card contains a unique security code generated by the processing functions of the central precinct processor.
  • the central precinct computer checks to ensure that the code is currently valid. If it is, the ballot displays a "PLEASE VOTE" and the voter can begin making his/her selections. When the voter has completed making all selections, the key card is removed and the computer resets the ballot to quiescence and records the votes.
  • a particular specific improvement of the electronic ballot design is the incorporation of a "HELP" button as shown in Figures 33 and 34.
  • Another improvement of this electronic ballot design over others is its fixed face that does not require voter control, such as paging through a number of interactive displays, to complete the voting. All election information is displayed "full face”. The only voter action required is to depress a button that corresponds to the vote to be cast. Indicator lights, such as LEDs, confirm the selection made. Computer program control of the lights allows vote changes to be made by the voter until voting is complete. Removal of the voter's electronic security key card causes the votes to be recorded.
  • FIG. 33 Another advanced feature of the electronic ballot is the incorporation of a ballot "RESET" button as shown on Figure 33. This allows the voter to reset the entire ballot and start voting again without casting the ballot. Note that the ballot is cast once the electronic security key card is removed which is the last step in the voter's act of voting. This is a useful attribute to the voter and will help minimize voter confusion while in the booth.
  • the method of access to the ballot, the availability of the "HELP” and “RESET” buttons, and the method of casting the ballot by removing the access key card are all included to aid the voter.
  • the system computer program and the single use electronic ballot allow for a wide range of voting options to be employed.
  • Typical Electronic Ballot Layout and Figure 34 Rhode Island Sample Ballot
  • a wide range of candidates, parties, races and referendum issues may be accommodated for a general election.
  • accommodations are made for the selection of write-in votes, straight party voting, and individual candidate voting.
  • Other ballot styles that can be accommodated by this combination of computer program and a single use ballot include the ballot styles used in primary elections. For these elections a jurisdiction may select a number of options as illustrated in Figures 35 through 40.
  • a split ballot as shown in Figure 35; a split ballot with common referendum issues as shown in Figure 36; a split precinct ballot configuration as shown in Figure 37; or separate precinct systems as shown in Figure 38.
  • Voter access to the appropriate side of the split ballot and/or the appropriate ballot of a split precinct is controlled by the issue of a party electronic access key card at the registration table.
  • the computer program used to read the party code only allows votes to be entered on the side of the ballot that corresponds to the voter's registered party.
  • the key card can only be used to cast votes on the appropriate party ballot.
  • the provision for write-in candidates is generally not required for primary elections.
  • a particular election related problem addressed by this invention is the issue of over voting and under voting in multi- vote races where the voter is instructed to "vote for no more than "X" number of the below candidates" .
  • the electronic ballot and its associated computer program totally alleviate the problem of over voting by not allowing the voter to cast votes for more than "X" number candidates.
  • FIG 39 Multi-vote Race Ballot with Vote Counter, illustrates a potential embodiment of this part of the invention. As shown, a counter indicates to the voter the number of votes cast for the multi-vote race.
  • the interface between the electronic ballots and the central precinct computer is provided by interface circuits which provide the logic necessary to read the voter's switch actions, light the associated vote indicator lights, and convert logical data to digital data for interface with the precinct processor.
  • the precinct may contain any number of electronic ballots.
  • the interface circuitry also provides all power required by the electronic ballots. This is an important safety improvement over the prior art. At the ballot, the only electrical current is low voltage direct current (DC) power. Therefore, the risk of accidental shock to a voter is significantly reduced.
  • CPP central precinct processor
  • the CPP is afforded tamper resistance, both physically by its inherent design, and methodically through its single-use kit design and chain-of-custody handling.
  • Figure 41 CPP Functional Block Diagram, shows the functions performed by the CPP.
  • the physical manifestation of this invention would presently have these functions performed by a general purpose digital computer and an associated single purpose computer program that contains the processor commands necessary to perform the CPP functions.
  • Physical manifestations of this invention may also use special purpose data processors, integrated circuits, or other technology to perform the logical processing functions allocated to the CPP.
  • the functions performed by the CPP include (1) continuous system testing and performance monitoring, (2) security monitoring, (3) magnetic security key card writing and validating, (4) electronic ballot control, (5) redundant data storage, (6) audit trail processing and storage, (7) voter record processing and storage, (8) operator interface processing, (9) election certification processing, (10) secure communications processing, and (11) statistical dataprocessing.
  • precinct system When the precinct system is interfaced to a higher level city/county and/or state system, it will also perform the communications functions necessary to allow the level of control specified by the user community.
  • the data storage function or memory, the specific design features of this invention, and the methodology of handling the memory medium itself before, during, and after the election are methods implemented to assure the fairness, integrity, accuracy, and tamper resistance of the election data.
  • the test verifies the operation of all system components, including the correct operation of all electronic ballot switches, and confirms that the switch action is associated with the candidate issue shown on the ballot. This data is saved on the test memory medium by audit trail processing. Both the test functional processing and the stored test results are then saved for post election analysis.
  • the operational election functional processing is provided by the system supplier. This function is developed and tested specifically for each individual election and is part of the single-use design of the entire precinct system. Multiple copies or memories bearing duplicate functional processing commands are supplied for each precinct.
  • the final step of the manufacturing process is a comparison of the functional processing commands on each of the memories to ensure that the correct command set is installed and that the commands have been transferred to the memories correctly.
  • the multiple memories are placed in a sealed shipping container for shipment directly to the precinct of use.
  • the sealed container is then opened by election judges at the precinct.
  • a random selection is then made by the election judges and installed in the CPP .
  • a self -validation logical process function When the system is energized, a self -validation logical process function will be performed, as shown in Figure 31, to ensure that the logical processing command set has not been tampered with. A human controlled check will also verify the correct command set is installed. The system will display precinct information on the operator's display. The system operator will then confirm that the displayed precinct information is correct. This methodology assures the correct logical processing functions are in use, and that tampering, changing or failure of the logical processing command set has not occurred. In addition, this methodology it verifies the chain-of-custody from manufacture to use.
  • the electronic security key card system is provided to allow only authorized voter access to the electronic ballot. This precludes the need for a polling official to be stationed at each booth to control ballot access.
  • the logical processing functions of the central precinct processor generates the unique code that is magnetically written onto a magnetic strip of the electronic security key card.
  • the code is generated when a registration worker requests the key card.
  • the logical processing function that writes the code also reads back the code from the card to ensure that the correct code was written on the magnetic strip. The key card is then given to the voter.
  • the voter takes the key card to the voting booth and inserts the key card into the electronic ballot's key card reader.
  • the logical processing function validates the key card as "authorized to vote” and sets the electronic ballot to accept the voter's selections. Once the voter has completed his selections, the key card is removed and the vote is cast and recorded.
  • Two logical processing functions are provided for the precinct system. They are the Stand-Alone Test and the Operational Vote logical processing functions.
  • the purpose of the stand alone pre-election test is to ensure that all system functions, and components are operational. The results of this test are saved.
  • the stand alone test is tailored to suit the actual precinct operational environment. If the precinct is connected to a higher level system, all functions that are specified for higher level communications, as well as control functions, are validated by this test.
  • FIG 42 Stand Alone Precinct Test, depicts the stand alone precinct test using standard structure flow charts. A detailed description of this processing follows.
  • the first processing function performed by the computer program is self-validation. This confirms that no tampering has occurred in the logical processing command set. This process is shown in Figure 15. Processing is then performed to initialize the operator's display and prepare it to receive data. It also establishes the interface processing necessary to receive operator inputs from the operator's keyboard. This processing will also test that the operator's display device and input keyboard are operational.
  • the logical processing function then validates that it is appropriate for the precinct in which it is being used. This requires an operator's input.
  • Detailed processing of the build valid precinct processing is shown on Figure 43, Build Valid Precinct.
  • a primary piece of data input to this process is the system adaptation table. This allows one logical processing function command set to be designed to operate on several differently configured systems and reduces the overall cost of the system.
  • the adaptation table is a run time parameter that directs the processes being performed so that the processing will comply with the specification of the individual system.
  • a typical set of adaptation parameters is shown in the ST ADAPTABLE on Figure 43, Build Valid Precinct. This configuration of the adaptation table describes processing for a fully implemented hierarchically controlled precinct.
  • the adaptation parameters are changed to modify the precinct processing so that such functions are not performed.
  • the build valid precinct processing shown in Figure 43, is processing that asks for the operator to enter the precinct number.
  • the valid precinct number is read from the adaptation parameter table and compared with the operator entered precinct number. If they match, the valid precinct code is set true and stored for use by other processing. System operation then continues.
  • the next process performed is the audit log start up processing. Detailed processing is shown in Figure 44, Start Audit Log, and Figure 16. This process clears and tests its reserved memory area. If it verifies all zeros, the audit log stores all system start up parameters.
  • the communications hardware connection and data processes are validated by the Run Communications procedure shown in Figure 45 and the Test Communication procedure shown in Figure 46. All memories are tested to ensure that data can be read and written into them as shown in Figure 47. Security key card writer/readers are tested as shown on Figure 48. All electronic ballot interface and control functions are tested as shown in Figure 49.
  • Function is to perform functions through its operation that provides for the secure and accurate collection of votes and the tallying of votes for each electoral race.
  • the initialization and verification of the system is performed as shown on Figure 51, Initialize and Verify System.
  • This processing initializes the display console, and validates the precinct as previously described in the stand alone precinct test, as shown in Figure 42. It then reads, verifies, and stores this data in the audit log. The next function zeros all recording memories and verifies the zero recording. This processing also directly tests the memories as well.
  • the initialization processing also establishes communication to the next higher level system if it is specified in the adaptation table.
  • data provided by the precinct processor includes precinct test results, time synchronization, and precinct status.
  • the final processing performed in initialization is a system test.
  • This test is a statistically significant subset of the test performed by the pre-election stand alone test function and verifies that all system components are operational . Test conduct and results are saved in the audit trail and also sent to the next higher level, if it is present.
  • the system begins the "ready to vote" process. This processing is shown in Figure 52, Ready To Vote.
  • the first processing performed displays the current vote count and public count of the system. At this time, these displays should display zero (0) . This processing cycles until real time is greater than or equal to voting start time and the start vote command is set by the system operator as approved by the precinct election judge. See Figure 52.
  • Run Vote The run vote processing is shown in Figure 53, Run Vote.
  • the first processing performed is the "allow interrupts procedure". This procedure allows the system to change from the quiescent stage of "ready to vote” in which all electronic ballot and key card inputs are logically locked out to the operational status of vote.
  • the record votes procedure is depicted in Figure 54, Record Vote. Functional processing is performed to validate the voter's key code. The key code verification is shown on Figure 55, Validate Key Card. This processing function checks the valid code table. If it is valid, the process writes the code in the voter record. If it is not a valid code, security processing is performed and an operator alert display is generated.
  • the second process performed in record vote is "run ballot" and is shown in Figure 56 as “Run Ballot n" .
  • This processing reads the voter's input from the electronic ballot interface buffer. The vote input is then logged.
  • the final process performed by the record vote process is to determine if the cast ballot flag is set. If it is, the critical data process is run to produce the voter record header, checksum, and parity data. The voter record is then stored and validated in the redundant memories.
  • the "compile vote records” process continuously tallies the totals for each candidate and issue. This processing is shown in Figure 57, Compile Vote Records.
  • the final process performed at the precinct is "election certification" as shown in Figure 59, Certify Vote.
  • Selection certification As shown in Figure 59, Certify Vote.
  • the Run Certification Recount Process as shown in Figure 60, is also executed. It is this process which leads to a true election certification at the precinct level.
  • two separate and distinct logical processes are employed to separately recount all the votes.
  • the two separate logical processes are formed by two separate individuals who do not have contact with one another. Each logical process may be realized through two separate computer programs. Due to inherently different styles between different computer programmers, each logical process will be separate and distinct. This procedure also provides an error checking function to ensure programming integrity, i.e., that a logical programming has not occurred.
  • On-line statistics is another advance in this invention.
  • the periodic processing performed by this procedure is shown in Figure 62, Statistics Processing Function.
  • the data produced by the process is useful to both the public and election workers during the voting period and for election officials after the election.
  • Statistics processed and available for display are: A. At the precinct level
  • Precinct political division statistics including but not limited to: a. Legislative District b. Congressional District c. Council District d. Precinct District B. At the city/county level
  • Precinct System Displays A specific set of operator displays are provided at the precinct for the purpose of operator interface and control. These displays are limited by the display structure as shown in Figure 16.
  • Figure 19, System Start Up Screen, is the precinct start up display which shows each start up operation completed and provides for specific operator inputs. This methodology affords an additional degree of security by requiring an operational code entry. The operational code is provided by the system provider, and is sealed and shipped separately from the software.
  • Figure 23 is the precinct statistics display. The display of the statistical data on line is a significant feature of this invention.
  • Figure 24 depicts the Help Status display.
  • the hierarchical design of this invention allows the option of having a centralized city/county and/or state collection/control element as shown in Figure 1.
  • the amount of centralized collection and control performed by the higher level system elements is specifically determined by the laws of the jurisdiction where the system is being used.
  • the inclusion of the city/county and/or a state processor within this design provides the system's remote recording electronic (RRE) capability.
  • RRE remote recording electronic
  • the specific purpose of the city/county and state system is to provide the functions necessary to allow centralized collection of votes in a real time secure manner and perform automated vote tallying at the city/county and/or state level. To perform this, functions are included for (1) secure communications, (2) data verification, (3) vote compilation, statistical data processing, (4) election certification,
  • the city/county system comprises the next higher collection and control element of the overall system above the precinct system. Some city/county systems will be further linked to the higher state level system as shown in Figure 1.
  • Figure 3 shows the components that comprise the city/county processing system.
  • the city/county processor is a general purpose data processor. It is connected via a network controller or a functionally equivalent device to precincts, the state system if in use, and various public release subscribers through a one way data communications device.
  • the system provides for operator interface through the incorporation of a display, keyboard, and a set of specific data displays for the display structures as defined in Figures 16, 17 and 18.
  • the displays available are limited to data displays only. No control displays are available to the large screen projection display. Therefore, they are a subset of the displays of the city/county status display as shown in Figure 17.
  • Redundant data storage is provided through "n" memory systems.
  • a mail-in vote entry station is provided for the entry of absentee vote data.
  • a physical key switch is also incorporated to allow security for supervisory level actions.
  • This hardware configuration is controlled by the logical processing functions of the city/county processor.
  • the processing functions for the city/county processor include a pre-election test function, an operational election function, and post election processing functions.
  • Data communications between the city/county processor and the precincts are controlled by the city/county processor and a network controller or a functionally equivalent device.
  • the network controller is electrically connected to a modem and a data encryption device. This configuration performs the encrypted data transfer over standard telephone lines as shown in Figure 1. Wireless, optical cable, and other data connections may also be used. Interface to the State level system, Figure 4, is afforded in the same manner.
  • Information generated by the city/county processor for public information release is transmitted to subscribers via a non-encrypted communications functional device.
  • This line is a controlled one direction communication link for the city/county system to the subscriber. The system will only connect to subscribers it has called and it will not receive any data over these lines.
  • the logical processing functions of the city/county processor continuously performs security processing to monitor all exterior conditions.
  • An interface is provided for a mail-in ballot station. This interface allows mail-in votes to be integrated with the data collected from the precincts and automatically counted.
  • a maintenance/monitoring system is provided to allow the system provider to monitor the operating status of all systems in the election. The purpose is to allow for centralized support in the event of a failure at any level of the system. This allows for senior level decisions and failure procedures to be directed and monitored by supervisory level personnel.
  • Post Election Processing Function Control functions performed by the city/county and state processors include (1) time synchronization, (2) communications control, (3) vote authorization, (4) poll opening, (5) poll closing, (6) election certification, (7) election status display, (8) poll restart commands, and (9) maintenance commands. These control functions are changed for each jurisdiction to accommodate local laws and community desires and may be entirely eliminated.
  • the purpose of the pre-election stand-alone test function is to test and verify the complete operation of the entire RRE system prior to the conduct of the election as shown in Figure 64. Processing performed by this function emulates all processes to be performed during the actual election and includes all communications, data verification, data collection and operator processing.
  • the city/county processor collects and records the stand alone precinct test results, their audit trails, and creates and records its own audit trail. These records will form a critical part of the evidence required to validate the system's operation if any challenges should be made to an election result generated by the system.
  • the pre-election test function command set and the data created and processed during the pre-election test are impounded and archived after the test.
  • FIG 64 Pre-Election Test Function
  • Figure 64 depicts the overall pre-election test processing at the city/county level.
  • the first process performed is the self-validation process as shown in Figure 15. If this test passes, then the data storage areas are validated and zeroed to assure that no failed memory locations are present in the data storage area as shown in Figure 65, Verify Storage & Set Precinct VO.
  • Figure 66 Set Up Precincts & VO Channels, communication preprocessing is performed to set up input channels to communicate with valid precincts. Communications processing waits for communications to begin when each precinct calls.
  • Data input to the city/county processor from the precincts is validated and stored in redundant memories as shown in Figure 69, Collect Pre-Test Data.
  • Input data is validated by verifying the precinct data checksum.
  • Pre-test certification is run at the end of the pre-test after all data has been collected as shown in Figure 70, Certify Pre-Test. This process validates that the data received from each precinct agrees with a test script. Certification is good if the received data is in agreement with the scripted data expected.
  • a certification failed process is performed.
  • the specific processing performed by this process is implemented specifically as required by the desires and laws of the jurisdiction of use.
  • the shut down pre-test process closes all in/out channels and brings the system to known quiescence so that power can be turned off. Once this is done all memory media from the system components is removed, sealed and impounded as shown in Figure 5.
  • Operational Election Logical Processing Function The Operational Election Logical Processing Function is used for the conduct of the official election and is shown in Figure 72. After Self-Validation, secure communications processing is performed to establish communication with its connected precincts. When the communications link to the precincts is established, the validate precinct processing shown in Figure 73 is performed.
  • an election pre-test is performed to validate the operation of the RRE system with the operational election software.
  • This pre-election test is a statistically significant subset of the stand alone pre-election test previously described. The results of this test are also certified as described in the stand alone test processing. This process is illustrated in Figure 72. If the Pre-Election Test is successful, the polls are opened as shown on Figure 71, Open Polls Command.
  • Figure 73 Run Secure Communications, shows the processing performed by the secure communications procedure of the city/county processor.
  • the first function performed is the set up of a randomly generated hang-up call-back process as shown in this Figure. This processing determines (1) when the next call to a precinct will be made, (2) whether the call will be initiated by the precinct or the city/county processor and (3) the duration between calls. Security processing is initiated if the time between calls is exceeded or if a connection can not be established.
  • the next process performed by the secure communication procedure is to validate the precinct and confirm its processing status. If the precinct is valid and the precinct is in voting status, a secure communications routine sets up a read vote data command.
  • the collect vote data procedure is shown in Figure 75, Collect Vote Data.
  • the procedure reads the data from the time of last call minus "X" minutes to current time. The data is then retransmitted back to the precinct and verified. If the data is good, the process stores the valid election data. If it is not good, the process will retry three (3) times before activating security processing to determine the cause of the failure.
  • a feature of this invention is the centralized on-line certification capability.
  • the processing required to perform this procedure is shown in Figure 76, Certify Election.
  • the precinct processor performs the precinct level certification.
  • the precinct sends a status of "certification done" to the city/county processor. If the precinct certification is good, the certify election procedure reads in a complete set of vote data and the audit log. A bit- by-bit comparison of the certified precinct data and the data compiled over the course of the election at the city/county level is then made and the entire vote is recounted and compared with the certified precinct tallies. If the status of these comparisons is good, the certification procedure establishes the good election status and displays certification complete.
  • the certification processing is a critical part of this invention.
  • the specifically defined voter record and critical data processing methods of the present invention enable the foregoing process. Local election officials will specify the processing and/or procedures to be performed if on-line certification fails. This will be implemented on a per election, per location basis.
  • Citv/County Displays The city/county displays are similar to the precinct level displays.
  • Figure 25 City/County Status Display, shows the status of the entire city/county system.
  • Figure 26 City/County Statistics Display, shows the county statistics. This selection can include city/county political divisions such as council districts, legislative districts, and others.
  • FIG. 27 Select Precinct Display, allows the operator to select individual precinct data for display. The operator can select either the precinct status or statistics display.
  • the purpose of this function is to provide for access and analysis of the election records saved during the election.
  • Figure 10 shows the functions performed by the off-line post election computer program. The system necessary for this processing is shown in Figure 3. The functions required for post processing will vary from county to county; however, the basic functions provided are: 1.) Review precinct "X" voter records
  • Figure 4 shows the optional state level system of the RRE system. This system configuration and its logical processing functions are the same as those described for the city/county system except that the state system inputs are from connected city/county systems and that the election display and tally functions cover the entire state.

Abstract

L'invention se rapporte à un système de vote électronique permettant d'organiser des élections publiques automatisées, sûres et infalsifiables. Ce système de vote permet l'organisation d'élections à différents niveaux, du niveau local aux niveaux étatique et national. Le système de vote est à usage unique, jetable et met en oeuvre des fonctions de commande de traitement logique et de scrutins électroniques. Une carte électronique de contrôle d'accès, à code secret, autorise les électeurs à voter. Les votes sont recueillis et tabulés directement et à distance au moyen d'une commande à distance de type hiérarchique. Le contrôle local et à distance permet d'effectuer des tests, de détecter des défaillances, d'effectuer des réparations, de contrôler et commander des fonctions du système. Ce système permet également de réaliser la validation des élections en mode en ligne et en mode hors ligne. L'enregistrement des vérifications à rebours et l'enregistrement des émargements électeurs autorisent les fonctions de contrôle et peuvent être utilisés pour la collecte et l'affichage en mode en ligne de données statistiques.
PCT/US1995/008267 1994-07-08 1995-07-07 Systeme informatise d'enregistrement de votes a distance WO1996002044A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU31251/95A AU3125195A (en) 1994-07-08 1995-07-07 Remote recording computer voting system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US27206894A 1994-07-08 1994-07-08
US08/272,068 1994-07-08

Publications (2)

Publication Number Publication Date
WO1996002044A1 WO1996002044A1 (fr) 1996-01-25
WO1996002044A9 true WO1996002044A9 (fr) 1996-07-11

Family

ID=23038265

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1995/008267 WO1996002044A1 (fr) 1994-07-08 1995-07-07 Systeme informatise d'enregistrement de votes a distance

Country Status (2)

Country Link
AU (1) AU3125195A (fr)
WO (1) WO1996002044A1 (fr)

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI100842B (fi) * 1995-04-13 1998-02-27 Nokia Telecommunications Oy Puhelinäänestyksen suorittaminen älyverkossa
FI100496B (fi) * 1995-04-13 1997-12-15 Nokia Telecommunications Oy Puhelinäänestyksen suorittaminen älyverkossa
DE19780608D2 (de) * 1996-06-25 1999-05-27 Mitsubishi Int Gmbh Verfahren zum Herstellen einer Funkverbindung
ATE363106T1 (de) * 1997-12-22 2007-06-15 Ian Way Abstimmsytem
JP2000040111A (ja) * 1998-07-22 2000-02-08 Victor Co Of Japan Ltd 電子投票端末装置
RU2144655C1 (ru) * 1998-09-08 2000-01-20 Московский государственный авиационный институт (технический университет) Способ сбора общественного мнения, система для его реализации и абонентское устройство ввода данных
AU6420599A (en) * 1998-10-06 2000-04-26 Robert M. Chavez Digital elections network system with online voting and polling
NL1013859C2 (nl) * 1999-12-15 2001-06-18 Nedap Nv Geautomatiseerde inrichting voor keuze en verdeling van stemmen, waarbij gecumuleerd en gepanacheerd kan worden.
RU2179741C2 (ru) * 2000-01-20 2002-02-20 Общество с ограниченной ответственностью "Аякси" Способ проведения опросов
US7152156B1 (en) * 2000-02-17 2006-12-19 Hart Intercivic, Inc. Secure internet voting system with bootable disk
US7422150B2 (en) 2000-11-20 2008-09-09 Avante International Technology, Inc. Electronic voting apparatus, system and method
US7461787B2 (en) 2000-11-20 2008-12-09 Avante International Technology, Inc. Electronic voting apparatus, system and method
CA2469146A1 (fr) 2000-11-20 2002-09-12 Amerasia International Technology, Inc. Dispositif, systeme et procede pour le scrutin electronique
US20020077885A1 (en) * 2000-12-06 2002-06-20 Jared Karro Electronic voting system
BE1013966A4 (fr) * 2001-02-12 2003-01-14 Nypelseer Wolfowicz Jacqueline Machine a voter qui comptabilise les votes tout en produisant un support materiel pour chaque votant.
US6865543B2 (en) * 2001-03-09 2005-03-08 Truvote, Inc. Vote certification, validation and verification method and apparatus
RU2271574C2 (ru) * 2001-03-24 2006-03-10 Дейтгрити Корпорейшн Проверяемые секретные перетасовывания и их применение при проведении электронного голосования
US7635087B1 (en) 2001-10-01 2009-12-22 Avante International Technology, Inc. Method for processing a machine readable ballot and ballot therefor
US7077313B2 (en) 2001-10-01 2006-07-18 Avante International Technology, Inc. Electronic voting method for optically scanned ballot
RU2212056C1 (ru) * 2001-12-27 2003-09-10 Вешняков Александр Альбертович Способ голосования с использованием электронных бюллетеней
RU2265887C2 (ru) * 2003-03-19 2005-12-10 Открытое акционерное общество "ЛОМО" Способ автоматизированной обработки избирательных бюллетеней и устройство для его осуществления
CN100367290C (zh) * 2004-05-10 2008-02-06 香港理工大学 采用射频鉴别的计算和验证装置及其方法
RU2368010C2 (ru) * 2004-11-29 2009-09-20 Закрытое акционерное общество "Национальная картографическая корпорация" Способ голосования с использованием электронных карт и устройство для его осуществления
RU2006100778A (ru) * 2006-01-17 2007-07-27 Федеральный центр информатизации при Центральной избирательной комиссии Росийской Федерации (RU) Автоматизированная операционно-информационная система сопровождения подготовки и проведения голосования
RU2321893C2 (ru) * 2006-04-07 2008-04-10 Александр Михайлович Зулин Способ проведения тайного голосования
RU2445703C2 (ru) * 2010-05-18 2012-03-20 Общество с ограниченной ответственностью "ИНФОРМАТ" Устройство опроса мнений
US11356267B2 (en) 2020-05-15 2022-06-07 Op Osuuskunta Apparatus, method and software for electronic voting during web conference

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4641241A (en) * 1984-05-08 1987-02-03 R. F. Shoup Corporation Memory cartridge for electronic voting system
US4641240A (en) * 1984-05-18 1987-02-03 R. F. Shoup Corporation Electronic voting machine and system
FI86486C (fi) * 1990-08-27 1992-08-25 Tecnomen Oy Foerfarande foer att arrangera teleroestningen pao ett saekert saett.
US5218528A (en) * 1990-11-06 1993-06-08 Advanced Technological Systems, Inc. Automated voting system
US5189288A (en) * 1991-01-14 1993-02-23 Texas Instruments Incorporated Method and system for automated voting
JP2747171B2 (ja) * 1992-07-06 1998-05-06 株式会社 政治広報センター 選挙端末装置及び投票確定方法

Similar Documents

Publication Publication Date Title
WO1996002044A9 (fr) Systeme informatise d'enregistrement de votes a distance
WO1996002044A1 (fr) Systeme informatise d'enregistrement de votes a distance
EP1450923B1 (fr) Systeme et procede pour le controle de la reglementation
US5189288A (en) Method and system for automated voting
US20050218224A1 (en) Computerized electronic voting system
US3722793A (en) Voting system
US7461787B2 (en) Electronic voting apparatus, system and method
US20020077886A1 (en) Electronic voting apparatus, system and method
US20040060983A1 (en) Direct vote recording system
WO2000013082A9 (fr) Systeme d'enregistrement de vote direct
US3710105A (en) Voting machine and method
US20080277470A1 (en) Voting authentication and administration
US20020128902A1 (en) Voting apparatus and method with certification, validation and verification thereof
US7152792B2 (en) Voting apparatus and method using personal computers
Selker Fixing the vote
RU2290695C1 (ru) Способ и система подготовки и проведения электронного голосования
Williams et al. Implementing voting systems: the Georgia method
WO2010010564A2 (fr) Système de vote électronique
WO2004038632A1 (fr) Systeme electronique de vote informatise
JP2004118829A (ja) 電子投票システム、電子投票の選挙人名簿照合システム、投票案内用はがき、投票カード、投票制御シート、運用管理制御シート、開票・集計管理制御シート、電子投票運用方法、及び電子投票制御コンピュータ
Hite Elections
Faniran et al. Strengthening democratic practice in Nigeria: a case for e-voting
Kassicieh et al. Security, Intgrity And Public Acceptance Of Electronic Voti
Parakh et al. How to improve security in electronic voting?
Cortes DEPARTMIENT OF STATE
点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载