The invention disclosed herein relates generally to voting systems, and more particularly to a method and system to authenticate and verify ballots.
In democratic countries, governmental officials are chosen by the citizens in an election. Voting for candidates for public office in the United States is typically performed utilizing mechanical voting machines at predetermined polling places. When potential voters enter the predetermined polling place, voting personnel verify that each voter is properly registered in that voting district and that they have not already voted in that election. Thus, for a voter to cast his vote, he must go to the polling place at which he is registered, typically based on the voter's residence. If an individual is unable to go to the polling place at which he is registered, an absentee ballot can be utilized to allow the individual to cast his vote. There are numerous reasons a person may be unable to attend his registered polling place on an election day, including, for example, business or pleasure travel, attending school in a different location, or military service in a remote location. Typically, the user of an absentee ballot selects his choices on a ballot and returns the ballot to the election officials by mail.
While the use of absentee ballots allows all citizens to participate in the democratic process even if they are unable to attend their specific polling place on the day of the election, there are problems with the use of absentee ballots. A very important criteria of any voting system is the accuracy and security of the ballots to ensure that all ballots comply with applicable election laws. Any ballots that are not in compliance should not be counted, while all ballots that are in compliance should be counted. For example, for absentee ballots to be valid, the ballot must have been created, i.e., completed by the voter, in a timely manner and submitted for return to the election officials. For example, an absentee ballot that is created and/or mailed subsequent to the election day should not be counted.
The current method for ensuring timely completion and submission of absentee ballots relies either on a manually applied stamp indicating the date of completion and/or the United States Post Office (USPS) cancellation mark on the mail piece containing the absentee ballot indicating the date of submission. Neither of these methods, however, is completely verifiable or accurate, and tampering can easily be accomplished. The inability to verify and/or inaccuracy of these conventional methods typically results in numerous absentee ballots being declared invalid, and thus not counting. The adage “every vote counts” was made clear in the last presidential election, in which the voting was very close, and numerous absentee ballots, including ballots from overseas military personnel, were declared invalid due to questions about timely completion and submission. In some cases, it is possible that absentee ballots that were properly created and submitted can still be declared invalid if any questions arise, since as noted above, there is no method for ensuring the timely creation and submission of absentee ballots that is completely verifiable or accurate. If an election is very close, it is especially important that all properly created and submitted votes be counted, including any absentee ballots.
Thus, there exists a need for a method and system that can accurately verify the creation and submission of an absentee ballot.
The present invention alleviates the problems associated with the prior art and provides a method and system for validating the creation and submission of absentee ballots.
In accordance with the present invention, a vote validation system is provided in which an authentication/validation mark is generated and printed on an absentee ballot and/or the envelope that contains the absentee ballot. The validation system includes one or more vote validator devices that generate and print the authentication/validation marks. The authentication/validation marks include information such as, for example, the date and time of printing, an identification and location of the vote validator that generated and printed the mark, a unique identifier of the mark, and a digital signature of the authentication/validation data. The vote validation system can further include a database that stores records related to each of the vote validators in the system, and can optionally maintain audit reports of all authentication/validation marks printed. The vote validation system further includes a verification system for use by election officials. Upon receipt of the absentee ballot by election officials, the authentication/validation marks printed on the absentee ballot and/or envelope containing the ballot can be verified by authenticating the digital signature and verifying the validity of the data in the mark such as, for example, by comparing the data contained in the mark with the data stored in the database maintained by the vote validation system. If the mark is verified, the authenticity and creation/submission dates of the absentee ballot are guaranteed and the absentee ballot can be accepted as a valid absentee ballot for election purposes. The vote validation system of the present invention can significantly reduce the number of absentee ballots declared invalid due to questions about the creation and submission of an absentee ballot.
Therefore, it should now be apparent that the invention substantially achieves all the above aspects and advantages. Additional aspects and advantages of the invention will be set forth in the description that follows, and in part will be obvious from the description, or may be learned by practice of the invention. Moreover, the aspects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out in the appended claims.
The accompanying drawings illustrate presently preferred embodiments of the invention, and together with the general description given above and the detailed description given below, serve to explain the principles of the invention. As shown throughout the drawings, like reference numerals designate like or corresponding parts.
In describing the present invention, reference is made to the drawings, wherein there is seen in
Vote validator 12a preferably includes a memory 20, a printer 22, an encryption engine 24, a vote accounting system 26, a central processing unit (CPU) 28, an input/output device 30, and a communication system 32. Vote validator 12a can also include a secure real-time date/time clock 34, which provides the date and optionally the time to processor 28. Alternatively, vote validator 12a could communicate with an external clock, such as, for example, via a network, to receive the date and time. Each of the above components communicate via a bus 36. The operation and function of the vote validator 12a is controlled by CPU 28. Memory 20 is preferably a non-volatile memory that stores information utilized by the vote validator 12a, including, for example, identification information, state information, and audit data as described below. Memory 20 further stores a private cryptographic key that can be utilized in the generation of a digital signature. The corresponding public key, utilized to verify the signature generated using the private key, can be obtained in a traceable, verifiable manner to ensure the integrity of the key pair. This can be achieved using any type of well known key management methods, including, for example, standard Public Key Infrastructure (PKI) methods. Printer 22 is preferably a secure printing system that is utilized to print an authentication/validation mark (described below), generated by vote validator 12a, on an absentee ballot and/or an envelope that contains an absentee ballot. Optionally, printer 22 can also print a postage indicium that evidences payment of postage on an envelope. Alternatively, printer 22 could print the authentication/validation mark, and postage indicium, if provided, on a tape or label that is affixed to the absentee ballot and/or envelope containing an absentee ballot. Encryption engine 24 generates a digital signature, using a cryptographic key stored in memory 20, for signing the data contained in the authentication/validation mark. Vote accounting system 26 creates a unique identifier for each authentication/validation mark generated by the vote validator 12a. Preferably, the portions of bus 36 that couple the printer 22, encryption engine 24, and vote accounting system 26 are secure physical links to prevent any tampering with the printing, signing or accounting for authentication/validation marks generated by the vote validator 12a. Alternatively, the links may be secured cryptographically using a secure cryptographic protocol such as, for example, Secure Socket Layer (SSL). Input/output device 30 may be, for example, a keyboard and/or display device that can be utilized by an operator to input information into or retrieve information from the vote validator 12a. Communication system 32 can be any type of conventional communication system, such as, for example, a modem for connection to a telephone system, or other type of network connection, such as, for example, an Internet connection. Communication system 32 allows the vote validator 12a to communicate data to other parts of the system 10 as described below. Preferably, the communications from communication system 32 are encrypted and/or signed to protect the content of the communications.
Optionally, vote validator 12a may include a postage meter 38 for generating postage indicia that evidences payment of postage for the envelope in which an absentee ballot is returned.
Vote validator 12a generates a unique authentication/validation mark (hereinafter referred to as the mark or validation mark) for each absentee ballot and/or envelope processed. A mark is provided on the respective absentee ballot and/or on an envelope in which the absentee ballot will be returned. The mark is printed evidence of authenticity of the ballot. The mark contains information in a machine readable format, and is preferably cryptographically protected. The mark may be formatted as a two dimensional barcode, such as, for example, the well known PDF 417 format from Symbol Technologies Corporation, or any other suitable, sufficiently dense, printed, scanable form of data representation, such as, for example, DataMatrix. The encoded information in the mark preferably includes error correction and/or detection codes.
The information provided in the mark can include, for example, graphics that identify the mark as a vote authentication/validation mark and an identification of the vote validator 12a used to print the mark. This information can be stored, for example, in memory 20 of vote validator 12a. The information included in the mark can further include the unique identifier of the mark generated by the vote accounting system 26. Preferably, the unique identifier is a pseudo-random number that is guaranteed not to repeat. Thus, every mark will be identifiable and no two marks will be exactly the same. Furthermore, the identifier is preferably not based on, or should not disclose, the order in which the ballot was processed, such that it is difficult to determine the identity of the voter based on the order of the processing. In this manner, the secrecy of the ballot can be further protected. The information in the mark preferably further includes the date and optionally the time of processing, as provided by the clock 34, and a digital signature, generated by encryption engine 24, of the data included in the mark. The time of processing, if provided, should be precise enough to guarantee that the ballot was completed as created and/or submitted in a timely manner, but not so precise that it gives the exact order of the processing of the ballot and/or envelope. The information in the mark can also include an identification of the authorized location of the vote validator 12a, or an identification of the local election authority to which the vote validator 12a is assigned. Optionally, the mark may be provide with graphic security properties to make duplication or replication of the mark difficult. Such security properties could include, for example, the use of special inks, watermarks and steganography as described in U.S. Pat. Nos. 6,284,027, 6,70,213, 6,039,257 and 5,693,693, which are hereby incorporated by reference.
Vote validator 12a can also generate audit records or reports for use in evaluating and verifying the proper use of the vote validator 12a. The audit report could include, for example, the identification of the vote validator 12a, the date and time the last audit report was prepared and historical data related to previous audit reports, the date and time of the current report, and state information of the vote validator 12a. Such state information could include, for example, the date of a last physical inspection of the vote validator 12a, authorization information for the vote validator 12a, i.e., the local election authority to which the vote validator 12a is assigned, tamper indication, i.e., if any of the components of the vote validator 12a, especially those coupled by secure links, have been tampered with or attempted to be tampered with, and any previous checks or resets performed on clock 34. The audit report further includes information related to each authentication/validation mark generated during the current reporting period, such as, for example, the unique identification of each of the marks generated. Preferably, the audit reports are signed with a digital signature generated utilizing the private key stored in the memory 20 of vote validator 12a. The audit reports can be transmitted in either a printed form or electronically for use in verifying the operation of the vote validator 12a as described further below.
Referring again to
Database 14 maintains a record 50 for each vote validator based on the data received from each vote validator, such as vote validator 12a, included in the system 10. Each record 50 includes information related to the vote validator. Thus, the record 50 for vote validator 12a may include, for example, an identification of the vote validator 12a, which may be a serial number or the like, the corresponding verification keys used to verify the signature created by the encryption engine 24 of the vote validator 12a, the location of the vote validator 12a, an archive of all the marks previously generated by vote validator 12a that have already been verified (as described below), and an archive of all audit records and reports generated by vote validator 12a.
System 10 further includes a verification system 16. Verification system 16 includes a communication system 62 that allows verification system 16 to communicate with database 14 and obtain information from the database 14. Optionally, verification system 16 may also communicate directly with each vote validator 12a, 12b in the system 10. The communications may be conducted, for example, via a telephone or other data network, and may be wireless. Verification system 16 further includes a scanner 64, a central processing unit (CPU) 66, a management system 68, and a cryptographic verifier 70. Each of the above components communicate via a bus 72. The operation and function of the verification system 16 is controlled by CPU 66. Scanner 64 is utilized to read the mark generated by vote validator 12a that is printed on an absentee ballot and/or envelope containing an absentee ballot. Generally, scanner 64 can be any type of conventional scanner, whether based on laser, CCD or some other technology. Cryptographic verifier 70 authenticates the digital signature, utilizing the corresponding public key to the private key used to generate the signature, of the mark generated by the encryption engine 24 of the vote validator 12a. CPU 66 is further utilized to verify the validity of the data contained within the mark as described below.
Management system 68 provides management functions related to each of the vote validators 12a, 12b within the system 10 and verification of the audit reports, previously described, generated by the vote validators 12a, 12b. For example, when an audit report from vote validator 12a is received by verification system 16, either in printed form or electronically, the verification system 16 obtains the corresponding vote validator record, e.g., record 50, from the database 14. Optionally, error correction can be applied to the audit report to assist in the recovery of information contained therein if necessary. The verification system 16 then verifies the digital signature of the audit report, utilizing the cryptographic verifier 70 as described above, and if the signature is verified, management system 68 will then check the information contained within the audit report against the information contained in the vote validator record 50. In this manner, the operation of the each of the vote validators with the system 10 can be verified to ensure that tampering is not occurring. Such audit reports can be performed at any periodic time intervals desired, such as, for example, daily, weekly or monthly.
Referring now to
Referring now to
Referring now to
Referring now to
Once the corresponding vote validator record 50 has been obtained by the verification system 16, then in step 174 the cryptographic verifier 70 will verify the signature of the mark. Verification of the signature provides assurance that the mark was properly generated by vote validator 12a and is not a counterfeit mark. If the signature is not verified, then in step 178 the ballot will be declared invalid, or alternatively the ballot can be set aside for further inspection. If in step 176 the signature is verified, then in step 180 the data retrieved from the mark is verified by comparing it with the data obtained from the vote validator record 50. Such comparison can be performed, for example by CPU 66. Specifically, the data is compared to determine if the scanned mark is a duplicate mark of one already verified. This is performed, for example, based on the unique identifier generated by the vote accounting system 26 that is included in each mark. Thus, the unique identifier of the scanned mark can be compared against the archive of all marks previously generated by vote validator 12a that have already been verified that is included in the vote validator record 50. Optionally, the unique identifier of the scanned mark can be compared against the audit record from vote validator 12a to ensure that the vote validator 12a previously created the mark.
If in step 182 it is determined that the mark is a duplicate mark or was not properly generated by the vote validator 12a, then in step 184 the ballot will be declared invalid, or alternatively the ballot can be set aside for further inspection. If in step 182 it is determined that the mark is not a duplicate mark and that the mark was properly generated by vote validator 12a, then in step 186 the ballot/envelope is validated, i.e., the date and location of creation and/or submission of the ballot/envelope is verifiable. Accordingly, it can be accurately and indisputably determined, based on the validation of the ballot/envelope, whether or not the creation and/or submission of the ballot/envelope was timely and in compliance with applicable vote creation/submission regulations. In step 188 the vote validator record 50 is updated to include the just verified mark in the archive of all marks previously generated by vote validator 12a that have already been verified.
Thus, according to the present invention, a method and system for validating the creation and submission of absentee ballots is provided. A vote validation system is provided in which an authentication/validation mark is generated and printed on an absentee ballot and/or the envelope that contains the absentee ballot. Upon receipt of the absentee ballot by election officials, the authentication/validation marks printed on the absentee ballot and/or envelope containing the ballot can be verified to ensure the authenticity and creation/submission dates of the absentee ballot. Those skilled in the art will also recognize that various modifications can be made without departing from the spirit of the present invention. For example, envelope 100 could be a window envelope such that the mark on the ballot 90 is visible through the window in the envelope 100. In this manner, only a single mark needs to be generated and placed on the ballot 90. The voter could thus submit the absentee ballot 90 to the remote location in which the vote validator 12a is located. The voting personnel at that location could process the ballot through the vote validator 12a, seal the envelope, have the voter sign the envelope, and then submit the envelope for return to the voter's local election authority. Thus, the single mark provided on the ballot 90 authenticates the date and location of creation and submission of the ballot 90. Of course, this scenario relies on the voting personnel at the remote location to seal and submit the envelope when the ballot 90 was actually completed, and as such is not as secure as if the envelope is processed after being sealed and a mark is provided for the envelope.
While preferred embodiments of the invention have been described and illustrated above, it should be understood that these are exemplary of the invention and are not to be considered as limiting. Additions, deletions, substitutions, and other modifications can be made without departing from the spirit or scope of the present invention. Accordingly, the invention is not to be considered as limited by the foregoing description but is only limited by the scope of the appended claims.
Number | Name | Date | Kind |
---|---|---|---|
4641240 | Boram | Feb 1987 | A |
4717177 | Boram | Jan 1988 | A |
5189288 | Anno et al. | Feb 1993 | A |
5218528 | Wise et al. | Jun 1993 | A |
6009149 | Langsenkamp | Dec 1999 | A |
6250548 | McClure et al. | Jun 2001 | B1 |
6314519 | Davis et al. | Nov 2001 | B1 |
6457643 | Way | Oct 2002 | B1 |
6540138 | Hall et al. | Apr 2003 | B1 |
20010035455 | Davis et al. | Nov 2001 | A1 |
20020019767 | Babbitt et al. | Feb 2002 | A1 |
20020077886 | Chung | Jun 2002 | A1 |
20020128978 | Neff | Sep 2002 | A1 |
20020133396 | Barnhart | Sep 2002 | A1 |
20020138341 | Rodriguez et al. | Sep 2002 | A1 |
20030062411 | Chung et al. | Apr 2003 | A1 |
Number | Date | Country | |
---|---|---|---|
20040128190 A1 | Jul 2004 | US |