THE ACCURATE VOTE COUNTING SYSTEM (E-POLLING BOOTH) WITH MAINTAINING THE SECRECY OF THE VOTE AND WITHOUT POSSIBILITY OF FRAUD
INTRODUCTION:
This method resolves the contradiction between the secrecy of the voting choice and the strict accounting of every vote.
If the vote did not have to be secret, any of the many existing strict accounting systems (for example, bank payments) could be used for elections.
Any citizen who sends a symbolic 1 cent payment to a special bank account and gets a receipt for it thereby uses a system in which fraud with impunity is virtually impossible (or at least fraud cannot be kept secret). So even under totalitarian regimes (even in the distant future) the risk of being accused of manipulating the votes will remain.
But at the same time, any citizen who expresses his will this way makes his choice known. The bank account is personal and bank transfers are recorded. Although banking secrecy formally exists in any reliable bank, a violation of this secrecy is precisely what a citizen is not able to prevent, especially in countries where manipulation of ballots is regular.
Today, when a Voter comes to the polling station and gets the ballot, he/she does not tell anyone about his/her choice. In the polling booth he/she keeps it private as well. When he/she puts the ballot into the ballot box, he/she again gives no one an opportunity to learn his/her choice. But when he/she does the same with a bank payment, his/her choice in favor of someone is recorded. This is the trouble point.
Thus, guaranteed proof of the citizen's will violates the secrecy of this will at the same time. To create a reliable voting system, it is necessary to resolve this contradiction.
The solution of this contradiction is described below.
Everything about technical solutions and data structure is marked below in yellow. Almost all of the material is dedicated to lowering the risks of the voting process. In addition, the risks of the application itself are described in Part 6.
Table of contents:
- Part 1. External accounts
- Part 2. What Voter makes and what is the "Electronic Polling Booth"
- Part 3. After the vote
- Part 4. The counting of votes
- Part 5. About generating a disposable key for accessing the electronic Polling Booth
- Part 6. About the role of the application and about testing the "honesty of the application"
PART 1. EXTERNAL ACCOUNTS
The following special bank accounts have to be opened:
1.1. The special account of the Election Commission (in the bank of the country where elections are held). This account includes:
- Sub-accounts of every particular Candidate;
- Sub-account "against all";
- Sub-account "I do not vote."
1.2. The special account of every Candidate (in banks of the country where elections are held, but other than the bank specified in point 1.1.), for control checking. This account includes:
- Sub-account of this Candidate;
- Sub-account "against all";
- Sub-account "I do not vote."
1.3. The special account in any foreign bank ("foreign" in relation to the country where elections are held), for control checking. This account includes:
- Sub-accounts of every particular Candidate;
- Sub-account "against all";
- Sub-account "I do not vote."
1.4. The account in a respectable (with a proven reputation) world payment system (for example, PayPal and others), for control checking. This account includes:
- Sub-accounts of every particular Candidate;
- Sub-account "against all";
- Sub-account "I do not vote."
No technical solutions are required for anything mentioned in Part 1.
PART 2. WHAT VOTER MAKES AND WHAT IS THE "ELECTRONIC POLLING BOOTH"
2.1. The Voter receives a disposable key to access the online service "Your electronic polling booth No. __" (no Voter's name). The key may not be associated with any personal information of the Voter. It is generated randomly, and the way a legitimate citizen gets this key is described below in Part 5.
The number of keys is equal to the number of Voters in the corresponding electoral district, and the key gives the opportunity to enter the corresponding "e-polling booth".
Thus, it is known that the Voter who received the key entered into the e-polling booth legally, but it is unknown who exactly entered.
Technically the "e-polling booths" are not separate systems. Each booth is actually an array of disposable random keys which were assigned to the corresponding electoral district. If a Voter has a corresponding key (a random key from the array), then he/she belongs to that electoral district, and his/her legal (but anonymous) vote is counted as a vote attributable to this district, no matter where in the world the Citizen is located at the time of voting.
The key for accessing the "e-polling booth" can be generated using any cryptosystem you find suitable and that satisfies the security requirements. The key can be presented to the Voter via the app (see Part 6). It can also be shown in a web browser or provided via a download link.
See also Part 5.
2.2. When the Voter enters (using his/her key) the appropriate "e-polling booth No. _______" via the Internet (and via the app, see Part 6 below), the reconciliation takes place. As a result, if the key is valid, a list of Candidates is shown (as well as the "Against all" position); if not, the Voter sees a corresponding message. A unique list of candidates is associated with each array.
That means that voters who got a key from such an array see that array's unique list of candidates. It is useful for local elections, where the list of Candidates is unique to each district.
That’s a standard task and doesn’t take too much time to implement.
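The booth model from 2.1 and 2.2 (an array of one-time random keys per district, reconciliation on entry, a district-specific candidate list, and a key that cannot be used twice), as an added example that is not part of the original article. The class and function names, the district labels and the choice of SHA-256 digests for storage are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed sample data: district labels and candidate lists are placeholders.
CANDIDATES = {
    "district-1": ["Johnson", "Mrs. Lee", "Against all"],
    "district-2": ["Candidate A", "Candidate B", "Against all"],
}


def digest(key):
    """Only this hash is stored, so a leaked array does not reveal usable keys."""
    return hashlib.sha256(key.encode()).hexdigest()


class BoothRegistry:
    """One array of disposable random keys per district (hypothetical class)."""

    def __init__(self):
        self.unused = {}  # digest -> district; nothing about the Voter is kept

    def issue_keys(self, district, voters):
        """Create exactly as many keys as the district has Voters."""
        if district not in CANDIDATES:
            raise KeyError(district)
        keys = [secrets.token_urlsafe(32) for _ in range(voters)]
        for key in keys:
            self.unused[digest(key)] = district
        return keys  # handed over for issuance as described in Part 5

    def enter(self, key):
        """Reconciliation on entry: (district, candidate list) or None."""
        district = self.unused.get(digest(key))
        if district is None:
            return None
        return district, list(CANDIDATES[district])

    def redeem(self, key, choice):
        """Accept one choice for a valid key, then burn the key (one-time use)."""
        district = self.unused.get(digest(key))
        if district is None:
            raise PermissionError("unknown or already used key")
        if choice not in CANDIDATES[district]:
            raise ValueError("choice is not on this district's list")
        del self.unused[digest(key)]
        return district

    def remaining(self, district):
        """Unused keys left in a district's array (the booth's remaining limit)."""
        return sum(1 for d in self.unused.values() if d == district)
```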
2.3. Then he/she votes for one of the Candidates from the list or for the position "Against All".
2.4. At the moment the vote is sent, the transfer of cents (money) to the accounts (see point 1) occurs. However, since at that moment the Voter has not physically transferred any cents to the accounts, "accounts receivable" (i.e., "minus cents") are transferred to the accounts as a debt to bearer.
- "Minus 1 cent" comes to the account of the Central Election Commission. Moreover, because there was a choice, "minus 1 cent" is credited to the sub-account of the particular Candidate at the Bank of the Central Election Commission.
- "Minus 1 cent" is credited to the control special account of the particular Candidate the Citizen voted for.
- "Minus 1 cent" is credited to the control special account in the foreign bank, to the sub-account of the particular Candidate the Citizen voted for.
- "Minus 1 cent" is credited to the control special account in the respectable world payment system, to the sub-account of the particular Candidate the Citizen voted for.
When voting "against all", the transfers go to the sub-accounts "against all" (in all the accounts).
The payments are received not from the Voter, but from the "Agent e-polling booth No. _______".
A queue of payment messages is formed. After all transactions (and the procedures mentioned below) are done, it is impossible to use the same key again.
2.5. Then the Voter gets (on his monitor screen) 4 QR codes or codes of another type from the different recipients (banks), where the encrypted phrase is: "Thank you. This is the legal voice N____ from the "Polling Booth No. _______" for (Name of Candidate)" (Or "Against All").
Reading such data from a database and generating a QR code are standard tasks and don’t take too much time to implement.
The Voter can keep these codes for himself (herself). Of course, there is no information about the Voter in the codes; such data is not created anywhere and there is no way of obtaining it during the voting, because, as stated above, the payments are received from the "Agent e-polling booth No. _______". The codes are shown in the browser ("Tor", for example, for more privacy). So the secrecy of the Citizen's will is not violated by anyone. But the Citizen retains his/her codes and may present them as evidence (if he/she wants).
This is the essence of the solution of the contradiction between the accuracy of the account and the secrecy of the vote described above.
2.6. The transfers for items 2.4.1. - 2.4.4. are physically carried out through different sources. Therefore, the Voter receives a code from each of the different institutions mentioned above, so that he/she can verify that the vote was recorded correctly. For example, readers for these codes can be installed in various crowded places. If anybody shows the code to a reader, the text appears: "Thank you. This is the legal voice N____ from the "Polling Booth No. _______" for (Name of Candidate)" (Or "Against All"). Of course, any Voter can also read the data from these codes using his smartphone.
All required methods are already implemented.
2.7. Every electronic "Polling Booth No. _______" has its own "limit" of "minus cents". Thus, extra people will not vote. And the "negative excess" (if not all citizens voted) is automatically transferred, after the voting time expires, to the sub-account "I don't vote" in all accounts.
See more in Part 5.
2.8. Broadcast of voting for Observers.
Before the vote-counting stage, Observers are able to read and visually compare the following figures:
- "the number of people who received the keys to access the electronic "Polling Booth No. _______", broken down by territory"
- "the number of people who entered the electronic "Polling Booth No. _______" (but not their personal data), broken down by territory and booth"
- "the number of people who have already voted, broken down by territory and booth"
- etc.
That’s a standard task and doesn’t take too much time to implement.
PART 3. AFTER THE VOTING
3.1. As mentioned above, every electronic "Polling Booth No. _______" has its own "limit" of "minus cents". All unused negative cents will be transferred automatically, after the voting time expires, to the sub-account "I don't vote" in all accounts through 4 different channels. See more in Part 5.
3.2. Thus, the following figures will be checked automatically:
- "the total number of voters, broken down by territory and booth"
- "the number of people who have already voted, broken down by territory and booth"
- "the number of people who didn't vote, broken down by territory and booth"
That’s a standard task and doesn’t take too much time to implement.
In this case nobody can, in principle, know for whom any polling station votes, and nobody can affect the result.
PART 4. THE COUNTING OF VOTES
4.1. The counting happens quickly, because it’s purely automatic and manual counting is not involved.
4.2. The "negative sums" on the sub-accounts for all the accounts (item 1.) must match exactly.
4.3. The limits of the booths must also match the sums of all sub-accounts.
4.4. The accounts receivable that arise in the accounts (item 1) are settled from the Candidates' election funds. Thus, there is another reconciliation.
4.5. If there are any discrepancies, major investigations will follow.
4.6. Of course, you can use more than 4 operators for counting, because technically this does not complicate the system, but the likelihood of collusion and fraud drops drastically.
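The checks in 4.2 and 4.3, together with the "minus 1 cent" postings of 2.4 and the closing transfer of 2.7, as an added example that is not part of the original article. The operator labels, the booth name and all function names are assumptions; the first operator serves only as the comparison baseline, so a mismatch shows that two ledgers disagree, not which one is right.

```python
from collections import Counter

ABSTAIN = "I do not vote"
# Placeholder labels for the four account holders listed in Part 1.
OPERATORS = ["election-commission", "candidate-bank", "foreign-bank", "payment-system"]


def new_ledgers():
    """One independent ledger per operator: (booth, sub-account) -> cents."""
    return {op: Counter() for op in OPERATORS}


def post_vote(ledgers, booth, choice):
    """2.4: minus 1 cent goes to the chosen sub-account at every operator."""
    for op in OPERATORS:
        ledgers[op][(booth, choice)] -= 1


def booth_total(ledger, booth):
    """Minus cents posted for one booth, returned as a positive count."""
    return -sum(v for (b, _), v in ledger.items() if b == booth)


def close_booth(ledgers, booth, limit):
    """2.7: after voting ends, the unused part of the limit goes to ABSTAIN."""
    for op in OPERATORS:
        unused = max(limit - booth_total(ledgers[op], booth), 0)
        ledgers[op][(booth, ABSTAIN)] -= unused


def reconcile(ledgers, limits):
    """Return discrepancies; an empty list means checks 4.2 and 4.3 pass."""
    problems = []
    reference = ledgers[OPERATORS[0]]
    for op in OPERATORS[1:]:
        for key in sorted(set(reference) | set(ledgers[op])):
            if reference[key] != ledgers[op][key]:   # 4.2: sums must match exactly
                problems.append(("mismatch", op, key))
    for op in OPERATORS:
        for booth, limit in limits.items():
            if booth_total(ledgers[op], booth) != limit:  # 4.3: limit equals sum
                problems.append(("limit", op, booth))
    return problems


def demo():
    """Constructed run: 3 votes in a booth of 5, then one ledger is altered."""
    ledgers, limits = new_ledgers(), {"booth-911": 5}
    for choice in ["Johnson", "Mrs. Lee", "Mrs. Lee"]:
        post_vote(ledgers, "booth-911", choice)
    close_booth(ledgers, "booth-911", 5)
    clean = reconcile(ledgers, limits)
    # A single operator's record moves one vote between sub-accounts.
    ledgers["foreign-bank"][("booth-911", "Mrs. Lee")] += 1
    ledgers["foreign-bank"][("booth-911", "Johnson")] -= 1
    return clean, reconcile(ledgers, limits)
```

The altered ledger still satisfies the booth limit on its own, which is why the cross-operator comparison of 4.2 is needed in addition to 4.3.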
The essence is:
1) In the process of collecting and counting the votes, mediators from other (non-electoral) systems are embedded between the election commissions and the e-polling stations (which are represented by distributed arrays of one-time random keys).
These mediators must keep strict account of all transactions (for reasons other than elections!). Banks, including foreign ones, are such mediators. And in this case the anonymity of voting is not violated (it is even increased).
And if such an agent "from an external system" is missing, then, as mentioned earlier in this article, any automation will only facilitate the process of manipulation. A characteristic example: the 1st and 2nd rounds of the presidential elections in Ukraine in 2004, when the Central Election Commission of Ukraine was "configuring the server" for a few weeks for the winning candidate Yanukovich. As a consequence of this, the "orange revolution" of 2004 happened.
It is impossible for the system itself to confirm that a given vote has been counted properly while that vote remains a secret from the system.
Hence any system which does not use an external assistant is not suitable for voting. By "external" we mean, as mentioned above, a system which is not related to the voting process.
2) The Citizen gets in his/her hands the proof of his/her will, but the external accounting system does not know how this Citizen voted, because the system receives data from the polling booths; yet any citizen retains the ability to check how his vote has been counted.
PART 5. ABOUT GENERATING A DISPOSABLE KEY FOR ACCESSING THE E-POLLING BOOTH
5.1. Upon receipt of the key the Voter can and must be identified. This is appropriate at this stage, since he/she acquires access to the polling booth but does not vote yet. So nobody infringes on his/her privacy. This procedure is identical to the procedure of obtaining a ballot on presentation of an identity document in an ordinary vote.
5.2. The number of issued keys must be under guaranteed control, so these keys cannot be distributed on flash drives (cards, etc.). Because not all voters vote, there would be leftovers that would need to be recounted and destroyed under supervision at the appropriate time. In addition, it would be necessary to monitor how many of them were really made. Moreover, it would be necessary to split the voting day into 2 stages: issuance of keys (with monitoring of the issuance of the keys and of the destruction of leftovers) and the actual voting. All of this is expensive and inconvenient.
5.3. Therefore, it is necessary to get the key in electronic form and, as described above, to get it from an external source that has strict accounting rules for other (non-electoral) reasons.
The keys are created by the main election department in advance. The number of keys is equal to the total number of voters. These keys are distributed randomly among the arrays, and these arrays are sent in advance to the banks mentioned above as well as to the bank mentioned below.
5.4. At this stage one more bank is necessary (but only 1), and this bank is not one of those listed above. By means of a payment transaction (for example, using his bank card or another payment service where the Voter is already authorized) any Voter buys the "disposable key" in this bank for 1 cent. This key comes to him/her via the corresponding application. After the voting, the cent is returned (as it is returned when a card is checked).
It is a standard procedure that exists in almost any reliable bank.
The Bank has a limit on the number of keys (it is the number of voters). These random keys are randomly distributed among the polling booths of the electoral districts. Since the Voter has registered to receive the key, it is possible to determine his polling station. So the bank chooses a random key from the specific array of random keys assigned to this district.
Thus, it is known that the Voter who received the key entered into the e-polling booth legally, but it is unknown who exactly entered.
The keys begin to be issued in advance - at least a month before the voting day.
The total number of issued keys is published regularly. This allows their issuance to continue until the end of the voting. As soon as the voting is over, the electronic polling booths will be switched off.
At the same time, this means that keys which were not used by the formal end of voting are extinguished and each bank creates a debt on the "I do not vote" account. It is a standard banking operation and does not require any additional solutions.
PART 6. ABOUT THE ROLE OF THE APPLICATION AND ABOUT TESTING THE "HONESTY OF THE APPLICATION"
6.1. As can be seen from the description, the technical implementation of the project does not pose any difficulty.
In fact, everything consists of already prepared components: the establishment of the bank accounts and sending disposable key for confirming the entry or transaction - everything of this already exists and is a common operation (as well as the inclusion of payments, etc.).
6.2. The application could become the interface to the above procedures. For example, it is obvious that it would be more convenient for the Voter to perform all of the above by communicating with one application and not with 5 banks. Besides, the app will remind any Voter that it is time to buy his/her disposable key for access to the polling booth (elections are not far off), help him/her to obtain the key, and immediately provide the ability to link the Voter's payment card to send the cent.
The app will also remind Voters that it is time to vote, connect any Voter with the appropriate polling booth, transmit his vote in one click independently to 4 recipients, etc.
It's very easy to write an app like this. It is only necessary that the User always has the opportunity to test the app's honesty.
During the procedure of obtaining the key for 1 cent, no app will be able to deceive the User, because it is impossible to send the money to another bank, or not to send it at all, without the User noticing.
It is in principle possible to substitute another key during entrance to the e-polling booth, but in this case the User will not enter the booth and thus will immediately notice the problem. And many Users who experience such a problem will immediately send the relevant posts to social networks (including, for example, a special page dedicated to the elections, etc.).
Technically, the application can perhaps replace the vote only at the voting stage and send to the banks, for example, a vote for "Johnson" when the Voter voted for "Mrs. Lee".
But any Voter can check this with the help of the QR codes, which are formed on the side of the banks. And, of course, a significant number of such incidents would cause a massive scandal.
As an additional safety measure, it is possible to use the "delay of acceptance" technique and to offer Voters the opportunity of further checking for 1 hour (for example) after sending the vote. In this case, the system (on the side of the banks, as a general rule) must be set up so that votes are received but accepted only 1 hour after receipt.
And so, within 1 hour after sending his vote any Voter can (not via the application, but via the browser) go to the appropriate page of any of the participating banks and (presenting his key) check how the vote was processed "in the opinion of this bank" or of the other banks.
If the bank responds "Thank you. This is the legal voice N 123 from "Polling Booth No. 911" for Johnson", but the Citizen has voted for "Mrs. Lee" (and the same in the other banks), this means the Voter was fooled by the app.
And the Voter has time to vote again, correctly, via the browser (not via the app) from the appropriate pages of the 4 banks. If the Voter does not perform this check within 1 hour after sending, his vote is accepted automatically.
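The "delay of acceptance" procedure described above, seen from the bank side, as an added example that is not part of the original article. Class and function names and the bank labels are hypothetical, time is passed in as plain seconds, and two details the text leaves open are assumptions: a correction restarts the hold, and keys are stored as SHA-256 digests.

```python
import hashlib

HOLD_SECONDS = 3600  # "1 hour (for example)" in the text


def digest(key):
    return hashlib.sha256(key.encode()).hexdigest()


class HoldingBank:
    """One bank's record: votes are received at once, accepted after the hold."""

    def __init__(self):
        self.pending = {}   # key digest -> (choice, received_at)
        self.accepted = {}  # key digest -> choice

    def settle(self, now):
        """Accept every pending vote whose hold period has expired."""
        for d, (choice, received) in list(self.pending.items()):
            if now - received >= HOLD_SECONDS:
                self.accepted[d] = choice
                del self.pending[d]

    def receive(self, key, choice, now):
        """Record a vote, or replace a still-pending one (the re-vote case)."""
        self.settle(now)
        d = digest(key)
        if d in self.accepted:
            raise PermissionError("hold period is over; vote already accepted")
        self.pending[d] = (choice, now)  # assumption: a correction restarts the hold

    def check(self, key, now):
        """What the Voter sees in the browser: (status, choice) or None."""
        self.settle(now)
        d = digest(key)
        if d in self.pending:
            return ("received", self.pending[d][0])
        if d in self.accepted:
            return ("accepted", self.accepted[d])
        return None


def voter_review(banks, key, intended, now):
    """Compare each bank's record with the intended choice; re-vote where it differs."""
    corrected = []
    for name, bank in banks.items():
        seen = bank.check(key, now)
        if seen and seen[0] == "received" and seen[1] != intended:
            bank.receive(key, intended, now)  # browser re-vote, not via the app
            corrected.append(name)
    return corrected
```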
There will always be plenty of people interested in testing the app for the elections. And the very fact of checking and openness will add trust in the app.
Published on "Open business techniques and technologies TRIZ-RI" on December 25th, 2015