Method for protecting voter privacy in an open source transparent ballot recording system
20220198864 · 2022-06-23
Abstract
A method for creating a process of building a robust, open source and transparent ballot processing computer system by using distributed and de-centralized ballot recording, by preventing unqualified persons from submitting ballots, by preventing a voter from voting more than once, by allowing a voter to review and change a ballot previously submitted by the voter, by blocking the public from tracing a ballot to a voter, by protecting voters' voting rights from stolen voter identities, by providing processes for processing paper ballots by machines, by providing processes for handling mail-in ballots, and by providing processes for online voting.
Claims
1. A method for creating a process of protecting voter privacy in a transparent ballot counting system; said process uses two databases to record voter identity, one database is referred to hereafter as a voter registration database (VRD), the other database is referred to hereafter as a voter account database (VAD); said process uses said VRD to link a voter to her/his personal ID; examples of said personal ID can be a social security number, driver license, citizen ID, or any other ID which uniquely identifies a person; said process uses said VAD to perform ballot submissions; said process uses a voter ID in said VRD to identify a voter; said process uses a voter account ID in said VAD to identify a voter; said process uses an encrypted voter ID in said VAD to link said VAD to said VRD.
2. The method of claim 1, further comprising a process for encrypting and decrypting the voter ID; said process creates a voter account record in said VAD using the voter ID and the user password; said process encrypts the voter ID using the user password as the key for both encrypting and decrypting the voter ID; said process saves said encrypted voter ID in the voter account record.
3. The method of claim 1, further comprising a process for encrypting and decrypting the voter ID; said process creates a voter account record in said VAD using the voter ID and the user password; said process creates a hash of the voter ID and saves it in the voter account record; said process prompts a voter to use the password and the voter ID to log into the voter's voter account.
4. The method of claim 1, further comprising a process for verifying voter qualification; said process allows a voter to log into her/his voter account using said account ID and password; on logging in, said process locates her/his account record and fetches the encrypted voter ID saved in the account record; said process uses the password as the key to decrypt the encrypted voter ID; said process uses the voter ID to locate voter qualifications saved in said VRD; if more than one election should be handled then said process uses an election database to record elections or polls for which ballots will be submitted; said process uses an election ID in said election database to identify each election or poll; if only one election is to be handled then the election database and the election ID mentioned in processes of this invention can be omitted; said process saves election-related voter qualifications in said VRD or in a database linked to said VRD via the voter ID.
5. The method of claim 1, further comprising a process for preventing a voter from submitting her/his ballot more than once; said process uses a submission database to record a voter ID with an election ID, and marks whether a voter ID has been used to submit a ballot for an election or poll; on submitting a ballot for a voter, said process saves the voter ID and the election ID in said submission database to mark the ballot submission; before submitting a ballot, said process checks in said submission database, using the voter ID and the election ID, that the voter ID has not been used for the election ID.
6. The method of claim 1, further comprising a process for preventing anyone other than the voter from tracing a ballot to its voter; said process uses a ballot recording database to record submitted ballots; each recorded ballot is linked to a voter account ID.
7. The method of claim 6, further comprising a process for changing a ballot by a voter; on logging into a voter account, the voter submits a new ballot; said process verifies that there is a ballot previously submitted using the same account ID; said process marks the previously submitted ballot as being replaced; said process generates a ballot submission for the new ballot.
8. The method of claim 6, further comprising a process for reviewing ballots by a voter; on a voter logging into a voter account, said process retrieves from said ballot recording database those ballots linked to the account ID, so that the voter can review the vote casts contained in those ballots.
9. The method of claim 1, further comprising a process for recovering a voter's voting right in the case of a voter forgetting her/his voter account ID or password; said process marks in said VRD that existing voter accounts for the voter ID are disabled and a new voter account can be created; the voter creates a new voter account in said VAD using the voter ID and a new password and gets a new voter account ID.
10. The method of claim 1, further comprising a process for recovering a voter's voting right in the case of a stolen voter ID; said process marks the stolen voter ID as disabled in said VRD; said process generates a new unique voter ID for the voter in said VRD; the voter uses the new voter ID to create a new voter account record in said VAD.
11. The method of claim 1, further comprising a process for recovering voters' voting rights in the case of a large number of voter IDs reported stolen; said process uses a flag in said VRD and in said VAD to disable stolen voter IDs; said process increases the value of said flag in said VRD for all the voter IDs reported stolen; said process allows the voters who reported their voter IDs stolen to re-create their voter accounts in said VAD; said process sets the flag values of the newly created voter accounts to the flag value of the corresponding records in said VRD; said process detects and disables stolen voter accounts when someone tries to log into a voter account and the flag value of the voter account record in said VAD does not match the flag value of the record in said VRD.
12. A method for creating a process of making a trustable ballot counting system by processing paper ballots by a machine; said machine is hereafter referred to as the ballot-processing machine; said process uses a voter registration database (VRD) and a voter ID to identify voters and mark voter qualifications; if more than one election should be handled then said process uses an election database to record elections or polls for which ballots will be submitted; said process uses an election ID in said election database to identify each election or poll; if only one election is to be handled then the election database and the election ID in processes of this invention can be omitted; said process uses a submission database to link a voter ID with an election ID, and marks whether a voter ID has been used to submit a ballot for an election or poll; said process uses a voter account database (VAD) and an account ID for a voter to submit ballots; said VAD contains an encryption or a hash of the voter ID; said process uses a ballot recording database to record submitted ballots, each recorded ballot being linked to one voter account ID; said VRD contains voter qualification information indicating whether the voter is qualified to vote in certain elections; said process prints a ballot on paper for a voter, with the voter ID and the election ID printed on the paper ballot, and sends the ballot to the voter; the voter marks her/his vote casts on the ballot; the voter mails the ballot to a vote station or takes the ballot to a vote station; in the vote station the voter or a ballot-handling staff member feeds the ballot into said ballot-processing machine; said ballot-processing machine scans the ballot; said process uses the voter ID and the election ID printed on the ballot to verify, via said VRD, that the voter is qualified to vote; said process uses the voter ID and the election ID to verify, via said submission database, that the voter has not previously submitted a ballot for the election; said process uses the voter ID to create a temporary voter account; said process submits the ballot using the temporary voter account ID, and the ballot is saved in said ballot recording database and linked with the temporary voter account ID; said process links the voter ID and the election ID in said submission database to indicate that the voter has submitted a ballot.
13. The method of claim 12, further comprising a process for preventing said ballot-processing machine from processing a paper ballot if the voter requests that her/his ballots not be processed by a machine; said process marks in said VRD whether a machine can be used to process her/his ballots; on scanning a paper ballot, said ballot-processing machine uses the voter ID to check in said VRD whether machine processing is allowed.
14. The method of claim 12, further comprising a process for paper ballot users to replace their ballots; the first time a voter feeds a ballot into the ballot-processing machine and the ballot is successfully recorded in the ballot recording database, said ballot-processing machine prints out for the voter the temporary voter account ID and a temporary password; said password is also the key for encrypting the voter ID saved in the temporary voter account; when the voter submits a new ballot again, said process detects via said submission database, by the voter ID and the election ID, that the voter already submitted a ballot previously, and said ballot-processing machine prompts the voter for a voter account ID and password; the voter enters said temporary voter account ID and password; said process locates the ballot using the temporary account ID and the election ID, and marks the ballot as being replaced; said ballot-processing machine submits the new ballot.
Description
BRIEF DESCRIPTION OF DRAWINGS
DESCRIPTION OF EMBODIMENTS
[0049] One embodiment of this invention is by creating a distributed and de-centralized ballot recording system. Said distributed ballot recording system consists of a ballot database and a database operation module, a voting-rule module, a ballot request queue, a ballot input module, a request generation module and a request-validation module. Said ballot input module receives one or more ballots to be recorded, from humans, from computers, or scanned in by a ballot-processing machine. Said request generation module generates a request for these inputs, sends the request to all the participating computers and inserts the request into said ballot request queue as a block chain; said request-validation module validates the ballots in the requests and records the validation results in the ballot database.
[0050] One embodiment of this invention is by creating a block chain for all database writing and modifications; said database operation module handles all the database writing and modifications and uses the block chains to ensure that databases in all participating computers are identical.
[0051] One embodiment of this invention is by creating a voter registration database from an official voter registration system; an example of the official voter registration system can be a county government voter registration system. Said voter registration database copies voter ID from the official voter registration system. The voter ID uniquely identifies a voter; it can be the social security number or other ID which can be used to uniquely identify a voter; the voter ID can be a unique ID not mathematically linked to a personal ID, and only linked to a personal ID via database linking. The voter ID uniquely identifies a voter registration record in said voter registration database. Said voter registration database does not record voter personal information which may involve privacy concerns. Said voter registration record contains a mark indicating whether or not the voter ID is disabled or invalid. Said voter registration record contains a flag for detecting stolen voter ID. Said voter registration database contains marks indicating whether or not a ballot is submitted for an election by a specific voter. Said voter registration database contains marks indicating whether a valid voter account has been created.
[0052] One embodiment of this invention is by creating a voter account database. Said voter account database uses a unique account ID for each account record. Each of said account record is owned by one voter; a hash of a password created by the account owner is saved in the account record; an encryption of the account owner's voter ID is saved in the account record; the account record contains a flag for detecting stolen voter ID; the account record contains a mark indicating whether the account record is created by a ballot-processing machine or by a human.
[0053] One embodiment of this invention is by creating a ballot recording database. Said ballot recording database records each ballot a voter submitted; complete ballot information, including the voter's vote cast, is recorded together with the voter account ID.
[0054] One embodiment of this invention is by using a submission database to prevent multiple ballot counting for one voter; a voter logs into her/his voter account using the account ID and the password; the password is used as the encryption key to decrypt the voter ID; the voter ID is used to identify the voter registration record in the voter registration database; said voter registration record indicates whether or not the voter ID is disabled; if the voter ID is disabled then the log in is rejected. Said voter registration record contains a flag; the voter account record also contains a flag; if the two flags are not equal then the log in is rejected. Said ballot submission database links a voter ID with an election ID to indicate whether or not the voter has submitted her/his ballot for an election; if the voter has already submitted her/his ballot for the election then a new submission is not allowed.
[0055] One embodiment of this invention is by allowing a voter to change her/his ballot; on logging into her/his voter account, the voter account ID is used to identify the ballots in the ballot recording database; identified ballots are marked as replaced; a new ballot is submitted.
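The account creation, login and single-submission logic of claims 2, 4, 5, 7 and 11 and paragraphs [0054]-[0055], as an added Python example that is not part of the patent. It assumes in-memory dicts for the VRD, VAD, submission and ballot recording databases, a PBKDF2 key derived from the password (the per-account salt is an assumption), and a constructed HMAC-counter keystream as a stand-in for the unspecified cipher; a real deployment would use an authenticated cipher.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def derive_key(password: str, salt: bytes) -> bytes:
    """Key derived from the voter's password alone (claim 2); the salt is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Constructed HMAC-counter keystream (stand-in for a real AEAD); XOR both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class BallotSystem:
    vrd: dict = field(default_factory=dict)        # voter_id -> {disabled, flag}
    vad: dict = field(default_factory=dict)        # account_id -> account record
    submissions: set = field(default_factory=set)  # {(voter_id, election_id)}
    ballots: list = field(default_factory=list)    # linked to account_id only, never voter_id

    def register_voter(self, voter_id: str) -> None:
        self.vrd[voter_id] = {"disabled": False, "flag": 0}

    def create_account(self, voter_id: str, password: str) -> str:
        salt, acct = secrets.token_bytes(16), secrets.token_hex(8)
        key = derive_key(password, salt)
        self.vad[acct] = {
            "salt": salt,
            "pw_hash": hashlib.sha256(key).digest(),      # login verifier only
            "enc_voter_id": xor_stream(key, voter_id.encode()),
            "flag": self.vrd[voter_id]["flag"],           # claim 11: copy of the VRD flag
        }
        return acct

    def login(self, acct: str, password: str) -> str:
        # Claim 4 / [0054]: password -> key -> voter ID -> VRD disabled/flag checks
        rec = self.vad[acct]
        key = derive_key(password, rec["salt"])
        if not hmac.compare_digest(hashlib.sha256(key).digest(), rec["pw_hash"]):
            raise PermissionError("bad password")
        voter_id = xor_stream(key, rec["enc_voter_id"]).decode()
        reg = self.vrd[voter_id]
        if reg["disabled"] or reg["flag"] != rec["flag"]:
            raise PermissionError("voter ID disabled or stolen-ID flag mismatch")
        return voter_id

    def submit(self, acct: str, password: str, election: str, votes: dict) -> bool:
        voter_id = self.login(acct, password)
        mine = [b for b in self.ballots if b["account"] == acct
                and b["election"] == election and not b["replaced"]]
        if (voter_id, election) in self.submissions and not mine:
            return False            # claim 5: voter ID already used by another account
        for b in mine:
            b["replaced"] = True    # claim 7: earlier ballot from this account is replaced
        self.ballots.append({"account": acct, "election": election, "votes": votes, "replaced": False})
        self.submissions.add((voter_id, election))
        return True
```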
[0056] One embodiment of this invention is a ballot-processing machine consisting of a scanner to read paper ballots, a screen to show information to the voter, an input device for the voter to enter the voter ID and other information when needed, and a computer installed with the ballot-counting software made by this invention.
EXAMPLE 1
[0057] Official voter registration Information. The following table lists an example of the official voter registration information maintained by a government office.
TABLE-US-00001
Unique Record ID: 234567890
Personal ID: 123-45-6789
Name: Jane Doe
Sex: F
Birth Date: Aug. 21, 1980
Address: 123 Main Street, My City, My State, USA
Registration Date: Aug. 21, 2000
EXAMPLE 2
[0058] Voter registration database. The following table lists an example of the voter registration database.
TABLE-US-00002
Voter ID: 123-45-6789 (the Personal ID from the official voter registration system, see Example 1)
Disabled: False (indicates whether this record can be used in voting)
Flag: 0 (a flag for detecting a stolen voter ID)
Account Creation: indicates whether a valid voter account has been created manually, and other situations
Link to elections (qualifications for individual elections):
  Election ID 1: True
  Election ID 2: False
EXAMPLE 3
[0059] Voter registration database. The following table lists another example of the voter registration database. Example 2 and Example 3 show two approaches to generating a voter registration database. Other approaches may differ in how a voter registration database links to the official voter registration system. Only one approach should be used in a ballot recording system made by this invention.
TABLE-US-00003
Voter ID: 234567890 (the Unique Record ID from the official voter registration system, see Example 1)
Disabled: False (indicates whether this record can be used in voting)
Flag: 0 (a flag for detecting a stolen voter ID)
Account Creation: indicates whether a valid voter account has been created manually, and other situations
Link to elections (qualifications for individual elections):
  Election ID 1: True
  Election ID 2: False
EXAMPLE 4
[0060] Voter account database. The following table lists an example of the voter account database. A voter uses her/his voter ID and chooses a password to create a voter account record. A unique voter account ID is created. The voter should remember her/his voter account ID, password and voter ID so that (s)he may re-use her/his voter account, for example, to change a submitted ballot.
TABLE-US-00004
Voter Account ID: a unique ID identifying this record
Password Hash: a hash of the password the voter chooses
Voter ID Encryption: an encryption of the Voter ID (see Example 2 and Example 3); the encryption key is the password the voter chooses
Flag: 0 (a flag for detecting a stolen voter ID, see Example 2 and Example 3)
Is Temporary: False (True if the account is created by a ballot reading and processing machine)
EXAMPLE 5
[0061] Ballot Information. The following table lists an example of ballot and vote cast information.
TABLE-US-00005
Election ID: WA2023
  Election ID WAGovernor2023-Inslee, Item 1: Vote Yes
  Election ID WAGovernor2023-John, Item 2: Vote No
EXAMPLE 6
[0062] Ballot submission record. The following table lists an example of recording ballot submission. It is used to prevent multiple ballot submissions by one voter.
TABLE-US-00006
Voter ID: the Voter ID from the voter registration database, see Example 2 and Example 3
Election ID: the Election ID from the Ballot Information, see Example 5
Submitted: Yes
EXAMPLE 7
[0063] Ballot Information. The following table lists an example of ballot information. Note that the public cannot trace the ballot back to the voter who submitted the ballot. But the voter who submitted the ballot can examine it and make sure that the ballot is recorded correctly.
TABLE-US-00007
Ballot Submission ID: a unique ID identifying this submission
Voter Account ID: the Voter Account ID from the Voter Account database, see Example 4
Election ID: WA2023
  Election ID WAGovernor2023-Inslee, Item 1: Vote Yes
  Election ID WAGovernor2023-John, Item 2: Vote No
EXAMPLE 8
[0064] Ballot-recording request information. The following table lists information contained in a ballot-recording request.
TABLE-US-00008
Request ID: Abcdefghijk123456789
Invoker ID: Computer1234567890
Time: 2028 Jan. 23 13:10:01
Ballots: Ballot 1, Ballot 2, ... (a list of ballot submissions, see Example 7)
Validations: Computer 1 result, Computer 2 result, ...
INDUSTRIAL APPLICABILITY
[0065] One area of ballot recording is political elections. State, county and city official elections, senate and presidential elections, etc., all may benefit from this invention. For example, this invention can be applied to most counties individually to get reliable vote results at the county level; the state level is then reliable, and thus the country level is reliable.
[0066] Public policy voting may also benefit from this invention.
[0067] Polls are another area that may benefit from this invention.