(19) United States
`(12) Patent Application Publication (io) Pub. No.: US 2002/0078358 A l
`Jun. 20,2002
`Neff et al.
`(43) Pub. Date:
`
`US 20020078358A1
`
`(54) ELECTRONIC VOTING SYSTEM
`
`Related U.S. Application Data
`
`(76)
`
`Inventors: C. Andrew Neff, Bellevue, WA (US);
`Janies M. Adler, Redmond, WA (US);
`Randolph A. Bentson, Seattle, WA
`(US); Andrew C. Berg, Kirkland, WA
`(US); John H. Hornbaker III, Seattle,
`WA (US); Leonard C. Janke, Bellevue,
`WA (US); Janies R. McCann III,
`Seattle, WA (US); Eric A. Peterson,
`Bothell, WA (US)
`
`Correspondence Address:
`PERKINS COIE LLP
`PATENT-SEA
`P.O. BOX 1247
`SEATTLE, WA 98111-1247 (US)
`
`(21) Appl. No.:
`
`09/989,989
`
`(22) Filed:
`
`Nov. 21, 2001
`
`' Electio n O ffices
`
`(63) Continuation-in-part of application No. 09/534,836,
`filed on Mar. 24, 2000. Continuation-in-part of appli­
`cation No. 09/535,927, filed on Mar. 24, 2000. Non­
`provisional of provisional application No. 60/252,
`762, filed on Nov. 22, 2000.
`
`(30)
`
`Foreign Application Priority Data
`
`Mar. 24, 2000
`
`(US)....................................US00/07986
`
`Publication Classification
`
`lilt. Cl.7 ................................................... 11041. 9/00
`(51)
`(52) U.S. Cl..............................................................713/176
`
`ABSTRACT
`(57)
`A facility for conducting an election is described. The
`facility establishes a public key infrastructure for use in the
`election. The facility then employs the established key
`infrastructure in the operation of a voting site.
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 1
`
`

`

`Patent Application Publication
`
`Jun. 20,2002 Sheet 1 of 14
`
`US 2002/0078358 A1
`
`Fig-1
`
`Admin & Results
`Eleciton Config,
`
`Election Offices
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 2
`
`

`

`Patent Application Publication
`
`Jun. 20, 2002 Sheet 2 of 14
`
`US 2002/0078358 A1
`
`Fig. 2
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 3
`
`

`

`Patent Application Publication
`
`Jun. 20,2002 Sheet 3 of 14
`
`US 2002/0078358 A1
`
`Fig. 3
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 4
`
`

`

`Patent Application Publication
`
`Jun. 20, 2002 Sheet 4 of 14
`
`US 2002/0078358 A1
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 5
`
`

`

`Patent Application Publication
`
`Jun. 20, 2002 Sheet 5 of 14
`
`US 2002/0078358 A1
`
`500
`
`Fig. 5
`
`Touch the NEXT button to place your first vote.
`
`Do not type in the name of a candidate whose name already appears on the ballot for that office!
`
`name of the WRITE-IN candidate using the onscreen keyboard and then touch the ENTER button.
`the ballot, touch the box to the left of the words WRITE-IN and a keyboard is displayed. Type the
`INSTRUCTIONS FOR A WRITE-IN VOTE: To write in the name of a candidate not displayed on
`
`to the previous one.
`Touch the NEXT or BACK buttons at the top of the screen to advance to the next question or return
`
`another box to make a new selection.
`If you want to change your vote, touch the box again to clear your selection. You can then touch
`
`of your choice.
`INSTRUCTIONS FORA VOTE: Vote by touching the box to the left to the candidate or measure
`
`King County, Washington
`OFFICIAL BALLOT
`
`General Election
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 6
`
`

`

`Patent Application Publication
`
`Jun. 20,2002 Sheet 6 of 14
`
`US 2002/0078358 A1
`
`v-611
`
`\
`
`\_610
`
`x-609
`
`x
`
`■625
`
`Socialist Workers
`|___| Margaret Trowe
`James E. Harris/
`
`■
`•—
`
`^-eoe
`
`— Green Party
`
`Winona LaDuke x
`
`r—| Ralph Nader/
`
`dly/
`,rff40^
`
`'
`
`ulfj
`,4k*
`
`-/!#-■
`Vlf/
`A*
`
`■
`
`■'
`
`(*■*'
`
`b0B
`
`\
`
`;
`
`__1 J. Curtis Frazier
`1—| Howard Phillips/
`
`|_
`
`Constitution
`
`|___| NatGoidhaber
`| John Hagelirt/
`
`■—
`
`Natural Law
`
`60^
`
`\
`
`Workers Party
`I Gloria La Riva
`| Monica Moorhead/
`
`■—
`
`1
`
`604
`
`603
`
`\
`
`\
`
`Libertarian
`__| Art Olivier
`1—| Harry Browne/
`
`|_
`
`| George W, Bush/
`
`Republican
`Dick Cheney
`
`■—
`
`^602
`
`v
`
`Democrat
`Joe Ueberman
`
`I
`r—1 Al Gore/
`
`1—| Patrick Buchanan/
`
`Ezola Foster
`
`— Reform
`
`^-605
`v
`
`Socialist
`Mary Cai Hollis
`l—| David Reynolds/
`
`'—601
`
`*
`
`independent
`__| John Adams
`1—| George Washington/
`
`|_
`
`V 600
`
`G^Vote for One
`PRESIDENT/VICE PRESIDENT OF THE UNITED STATES^
`PRESIDENT/V;
`King County General Election
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 7
`
`

`

`Patent Application Publication
`
`Jun. 20, 2002 Sheet 7 of 14
`
`US 2002/0078358 A1
`
`^
`
`________* s
`
`708
`
`__| J. Curtis Frazier v
`1—| Howard Phillips/
`
`|_
`
`Constitution
`
`__| NatGoidhaber
`1—| John Hagelln/
`
`1_
`
`Natural Law
`
`Socialist Workers
`__| Margaret Trowe
`1—| James E. Harris/
`
`1_
`
`Workers Party
`__| Gloria La Riva
`1—| Monica Moorhead/
`
`1_
`
`| Winona LaDuke
`
`|
`_____ Ralph Nader/
`
`Green Party
`
`__| Dick Cheney
`l—- George W. Bush/
`
`|_
`
`Republican
`
`__1 Joe Lie berm an
`1—- Ai Gore/
`
`|_
`
`Democrat
`
`__| Ezola Foster
`1___ Patrick Buchanan/
`
`|_
`
`Reform
`
`|___| Mary Cai Hollis
`1—- David Reynolds/
`
`Socialist
`
`70-1
`
`Independent
`|y | John Adams
`r—Jf George Washington/
`
`HfVote for One
`PRESIDENT/VICE PRESIDENT OF THE UNITED STATES
`King County General Election
`
`Harry Browne/
`
`|
`
`Libertarian
`__| Art Olivier
`
`■—|_
`
`
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 8
`
`

`

`Application Publication
`
`Jun. 20, 2002 Sheet 8 of 14
`
`US 2002/0078358 A1
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 9
`
`

`

`Patent Application Publication
`
`Jun. 20,2002 Sheet 9 of 14
`
`US 2002/0078358 A1
`
`at
`
`f-
`
`?•
`
`lt/ ■
`
`%
`
`|__| Nat Goidhaber
`■—| John Hageiin/
`
`Natural Law
`
`.—. James E. Harris/
`
`Socialist Workers
`_| Margaret Trowe
`
`|_
`
`|__j Ezola Foster
`1__- Patrick Buchanan/
`
`Reform
`
`I^Vote for One
`PRESIDENT /VICE PRESIDENT OF THE UNITED STATES
`King County General Election
`
`^908
`
`Constitution
`
`[in j, Curtis Fraatier x
`
`1# Howard Phillips/
`
`1—| Harry Browne/
`
`Libertarian
`_1 Art Olivier
`
`1_
`
`1—| Monica Moorhead/
`
`Workers Party
`_| Gloria La Riva
`
`|_
`
`Green Party
`Winona LaDuke
`
`|
`
`|
`
`____ Ralph Nader/
`
`Socialist
`
`.—- David Reynolds/
`
`_| Mary Cal Hollis
`
`|_
`
`Republican
`
`- George W, Bush/
`
`_| Dick Cheney
`
`1—
`|_
`
`Democrat
`Joe Lie berman
`
`1—- A! Gore/
`
`|
`
`1
`
`^ 901
`
`| George Washington/
`
`Independent
`_| John Adams
`
`
`
`1—|_
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 10
`
`

`

`Patent Application Publication
`
`Jun. 20,2002 Sheet 10 of 14 US 2002/0078358 A1
`
`Rejected
`
`I
`
`I
`
`1002
`
`as provided in Ordinance No. 13931. Should this proposition be:
`and ride facilities, and other congestion relief projects to preserve and enhance Metro Transit services
`ing, but not limited to, bus service, accessible services, vanpool programs, passenger facilities, park
`fund operation, maintenance, and capital needs of King County Metro public transportation, includ­
`and impose an additional sales and use tax of not more than two-tenths of one percent in order to
`portation system sales and use tax proposition. This proposition would authorize King County to fix
`The Metropolitan King County Council has passed Ordinance No. 13931 concerning this public trans
`
`1000
`
`EfVote Approved or Rejected
`PROPOSITION NO. i - TRANSIT AND TRAFFIC CONGESTION RELIEF Q.2<Mi SALES AND USE TAX FUNDING
`King County General Election
`
`.mmmmmm
`
`'mi
`
`'i '* 'fc
`
`mmmm
`
`p
`
`Back
`
`^
`
`Sta.tover
`
`?,
`
`t""
`
`B—
`
`mm
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 11
`
`

`

`Patent Application Publication
`
`Jun. 20,2002 Sheet 11 of 14 US 2002/0078358 A1
`
`as provided in Ordinance No. 13931. Should this proposition be:
`and ride facilities, and other congestion relief projects to preserve and enhance Metro Transit services
`ing, but not limited to, bus service, accessible services, vanpool programs, passenger facilities, park
`fund operation, maintenance, and capital needs of King County Metro public transportation, includ­
`and impose an additional sales and use tax of not more than two-tenths of one percent in order to
`portation system sales and use tax proposition. This proposition would authorize King County to fix
`The Metropolitan King County Council has passed Ordinance No. 13931 concerning this public trans­
`
`[gfVote Approved or Rejected
`PROPOSITION NO, t - TRANSIT AND TRAFFIC CONGESTION RELIEF 0.2*Vb SALES AND USE TAX FUNDING
`King County General Election
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 12
`
`

`

`Patent Application Publication
`
`Jun. 20, 2002 Sheet 12 of 14 US 2002/0078358 A1
`
`'
`
`12
`
`Fig
`
`^ it 4 \,
`
`'' ^
`
`CHANGE j
`
`change *
`
`CHANGE I
`
`1233-/
`
`"^-1232
`
`\-1231
`
`eTno
`
`Proposition No. 2 - Vote Yes or No
`
`1223^
`
`:
`
`X'—1222
`
`\-i221
`
`&fRejected
`
`Proposition No. 1 - Vote Approved or Rejected
`
`1213^/
`
`'Z—1212
`
`l?f Pamela J. Burton
`
`Justice Pos. No. 07 - Vote for One
`
`^-1211
`
`, CHANGE |
`
`1203-/
`
`EfHoward PhiJ!ips/J, c4hisfrazier
`
`..
`
`x
`
`Lit
`
`•
`.
`
`President / Vice President -
`
`Your Choice
`
`Ballot Question
`
`When you are satisfied with your choices, touch 'CAST BALLOT'to submit your ballot.
`You may change any of your choices by touching the 'CHANGE' button next to your incorrect choice.
`PLEASE CONFIRM YOUR CHOICES
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 13
`
`

`

`Patent Application Publication
`
`Jun. 20,2002 Sheet 13 of 14 US 2002/0078358 A1
`
`\-1300
`
`1302
`
`Fig. 23
`
`,,
`
`, ■>
`
`i 5.S i
`
`-1301
`
`anise
`
`CHANGE I !
`
`CHANGE
`
`Cast Ballot
` "> ■» t. -
`
`•
`
`>’
`
`.
`
`>-*,
`/ !
`
`Review Choices
`
`N
`
`’a--'
`
`Proposition No. 2 - Vote Yes
`_
`
`.. t
`
`„
`
`..
`
`after you cast your ballot.
`You cannot make any changes
`
`Proposition No, 1 - Vote App.
`
`Please confirm.
`
`Justice Pos. No. 07 Vote fo
`
`CHANGE
`
`s Frazier
`
`President / Vice President -
`
`:»!>■;
`
`Your Choice
`
`Ballot Question
`
`When you are satisfied with your choices, touch 'CAST BALLOT'to submit your ballot.
`You may change any of your choices by touching the 'CHANGE' button next to your Incorrect choice.
`PLEASE CONFIRM YOUR CHOICES
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 14
`
`

`

`Patent Application Publication
`
`Jun. 20, 2002 Sheet 14 of 14 US 2002/0078358 A1
`
`General Election
`
`King County, Washington
`Thank you for voting in the
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 15
`
`

`

`US 2002/0078358 A1
`
`1
`
`Jun. 20, 2002
`
`ELECTRONIC VOTING SYSTEM
`
`CROSS-REFERENCE TO RELATED
`APPLICATIONS
`[0001] This application claims the benefit of U.S. Provi­
`sional Application No. 60/252,762, filed Nov. 22, 2000, and
`is a continuation-in-part of each of U.S. patent application
`Ser. No. 09/534,836, filed Mar. 24, 2000; U.S. patent appli­
`cation Ser. No. 09/535,927, filed Mar. 24, 2000; and Inter­
`national Patent Application US00/07986, filed Mar. 24,
`2000. Each of these four applications is incorporated by
`reference in its entirety.
`
`TECHNICAL FIELD
`[0002] The present invention is directed to the field of
`electronic polling.
`
`BACKGROUND
`[0003]
`In any election, it is important to accurately cap­
`ture, preserve, and tabulate the intent of the eligible elec­
`torate. In recent elections, the voting systems employed have
`failed to meet these objectives in significant respects.
`[0004]
`In typical modern voting systems, voter intent is
`translated to a binary representation to enable efficient and
`timely tabulation of votes. Paper-based systems, such as
`punch card and optical scanning systems, perform this
`translation in two steps. First, a voter translates his or her
`intent to a paper ballot, such as by punching small holes at
`particular locations on the ballot. Second, the paper ballot is
`digitized, such as with an optical or electrical scanner,
`yielding a binary representation of the voter intent. This
`binary representation is not typically kept for a significant
`period of time, but generally exists long enough to be added
`to a running total kept by the tabulation system.
`[0005]
`It has been recognized that each of these two
`translation steps is subject to error. Typical examples include
`confusing ballot layouts that make it and ballots that may be
`incompletely punched, which make it difficult for voters to
`translate their intention to the paper ballot; scanning inter­
`faces that are subject to misalignment, causing ballots to be
`inaccurately scanned; and translation and conversion pro­
`grams that operate incorrectly or out of sync with the style
`of the paper ballot, causing correctly scanned votes to be
`mistabulated.
`[0006] These potential errors are in fact realized some­
`where in nearly every large-scale election. In response,
`many election officials have gravitated towards retaining the
`representation of that intent that is closest to the original—
`the paper ballots. When questions or issues arise, they turn
`to the paper ballots as the indicator of voter intent. Of
`course, this does nothing to solve the inaccuracies that can
`be introduced in the initial translation of intent to paper, nor
`those that arise from the troubles inherent in interpreting
`fundamentally analog data.
`[0007] Finally, all voting systems must address questions
`regarding the preservation of intent, both before tabulation
`and after the election. Once again, paper based systems rely
`upon retention of the paper ballots themselves to act as the
`paramount indicator of the original voter intent. Of course,
`nothing in paper based systems inherently protects these
`ballots from modification, either inadvertent or intentional.
`
`[0008]
`In view of these shortcomings, improved voting
`systems having any or all of the following characteristics
`would have significant utility: improved accuracy of the
`interface used by the voter to record his/her intent; reduced
`number of separate translations in the path from original
`voter intent to tabulatable data, which in turn reduces the
`number of possible translation errors; enabling the voter to
`verify that the tabulatable form of the ballot does accurately
`reflects his or her intent before it is included in the tally; and
`protection of the stored record of voter intent from modifi­
`cation, both inadvertent and intentional.
`
`BRIEF DESCRIPTION OF DRAWINGS
`[0009] FIG. 1 shows selected components of a typical
`environment in which the facility operates.
`[0010] FIG. 2 is a block diagram showing some of the
`components typically incorporated in at least some of the
`computer systems and other devices on which the facility
`executes.
`[0011] FIG. 3 shows a typical distribution of functional­
`ities of the facility across components in environments in
`which the facility typically operates.
`[0012] FIG. 4 is a data flow diagram showing aspects of
`how ballots are typically processed by the facility.
`[0013] FIG. 5 is a display diagram showing an initial
`instructional display typically displayed by the facility.
`[0014] FIG. 6 is a display diagram showing a sample
`display presented by the facility for selecting a pair of
`candidates in a race for an office.
`[0015] FIG. 7 is a display diagram showing the selection
`of a pair of candidates in a race.
`[0016] FIG. 8 is a display diagram showing a warning
`against selecting more than the maximum number of can­
`didates.
`[0017] FIG. 9 is a display diagram showing the selection
`of a different pair of candidates.
`[0018] FIG. 10 is a display diagram showing a sample
`display presented by the facility for a non-office ballot issue.
`[0019] FIG. 11 is a display diagram showing the selection
`of an answer to a non-office ballot issue.
`[0020] FIG. 12 is a display diagram showing a sample
`confirmation display presented by the facility.
`[0021] FIG. 13 is a display diagram showing the display
`of a confirmation message.
`[0022] FIG. 14 is a display diagram showing a concluding
`message typically displayed by the facility.
`
`DETAILED DESCRIPTION
`[0023] A software facility for conducting an election (“the
`facility”) is provided. Embodiments of the facility use a
`specialized public key infrastructure to authorize poll work­
`ers to in turn authorize eligible voters to vote. Enough
`information is typically maintained for each voted ballot cast
`to trace it to the individual poll worker that authorized the
`voter who cast the ballot, through intermediate election
`officials, up to a single ultimate authority for authorizing
`eligible voters.
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 16
`
`

`

`US 2002/0078358 A1
`
`2
`
`Jun. 20, 2002
`
`[0024] Embodiments of the facility provide a digital user
`interface used by authorized voters to vote a ballot. This
`interface prevents voters from partially marking their
`choices, or otherwise leaving their intent in question. This
`voted ballot is transformed from an initial internal for into an
`external form in which it is transmitted to a voted ballot
`repository, then transformed back into the internal form,
`which is displayed to the voter for confirmation. These steps
`help to ensure that voter intent is accurately represented in
`voted ballots.
`[0025] A single “ballot style” is used to generate blank
`ballots, and accessed by all copies of the program that
`transforms voted ballots between internal and external form.
`In some embodiments, a specialized public key infrastruc­
`ture is used to certify this ballot style for use in the election.
`The ballot style specifies the order of election races on blank
`and voted ballots, as well as the order of candidates. (As
`used herein, “races” include offices for which a human
`candidate is selected, as well as other ballot issues, such as
`referenda. “Candidates” include both human candidates, as
`well as possible responses to other ballot issues, such as
`whether to approve or reject a referendum.) Additionally, all
`copies of the ballot transformation program used in the
`election system are typically certified to be identical. These
`steps help to ensure that voter intent is not corrupted in the
`processing of voted ballots.
`[0026] Embodiments of the facility provide safeguards
`against ballot tampering after ballots are voted. In some
`embodiments, each voted ballot is signed with a private key
`associated with the voter voting the ballot. This signature,
`together with the corresponding public key, establishes that
`the ballot has not been modified since being voted. These
`voter keys are optionally stored on one or more portable
`memory devices possessed by each voter. The voter’s public
`key may be signed with the private key of an election worker
`who verifies that the voter is eligible to vote. Together, this
`information establishes that the voted ballot was voted by an
`eligible voter. In some embodiments, voted ballots are each
`encrypted with an election key, and are decrypted by the
`joint efforts of multiple parties, using a key sharing protocol,
`or other threshold decryption techniques. In some embodi­
`ments, a voting receipt is issued to the voter, which the voter
`or a proxy can use to verify that the ballot voted by the voter
`was received and counted in the election result. Also, some
`embodiments of the facility store voted ballots in random
`positions in a data structure, preventing the voted ballots
`from being associated with particular voters based upon the
`order in which voters voted their ballots.
`[0027] By operating as described, embodiments of the
`facility provide several advantages, including: improving
`the accuracy with which the voter records his or her intent;
`reducing the number of separate translations in the path from
`original voter intent to tabulatable data, and thus reduce the
`number of possible translation errors; enabling the voter to
`verify that the tabulatable form of the ballot does accurately
`reflect his or her intent before it is included in the tally; and
`protecting the stored record of voter intent from modifica­
`tion, both inadvertent and intentional.
`[0028] FIG. 1 shows selected components of a typical
`environment in which the facility operates. Those skilled in
`the art will appreciate that the facility may be employed in
`a wide variety of other environments, including those having
`
`different components. Ballot approval tools 111 are typically
`used by election officials to approve a particular ballot style
`for an election. Election officials typically also use the
`election configuration, administration, and results tools to
`prepare for and oversee an election. These tools communi­
`cate with an election data center 120, and are typically
`located in election offices 110. The election data center 120
`provides data, such as initialization data 131, used at one or
`more poll sites 130. These poll sites may either be physical
`poll sites to which voters physically go in order to vote, or
`may be virtual poll sites accessed by voters remotely. Each
`poll site typically has a poll site server 132 that receives
`initialization data from the election data center. To the poll
`site server are connected one or more poll worker machines
`133 used by poll workers to administer the polling within the
`poll site, including authorizing eligible voters to vote; vote
`clients 134 used by voters to generate voted ballots; and
`receipt stations 135 at which voters may obtain receipts
`evidencing their voting. These receipts 150 may be given to
`the voter in a variety of forms, including on paper or a
`variety of computer-readable portable memory devices. The
`receipts may also be conveyed to the election offices, along
`with certificates, voted ballots, and audit log data 140.
`[0029] FIG. 2 is a block diagram showing some of the
`components typically incorporated in at least some of the
`computer systems and other devices on which the facility
`executes. These computer systems and devices 200 may
`include one or more central processing units (“CPUs”) 201
`for executing computer programs; a computer memory 202
`for storing programs and data while they are being used; a
`persistent storage device 203, such as a hard drive for
`persistently storing programs and data; a computer-readable
`media drive 204, such as a CD-ROM drive, for reading
`programs and data stored on a computer-readable medium;
`and a network connection 205 for connecting the computer
`system to other computer systems, such as via the Internet.
`While computer systems configured as described above are
`preferably used to support the operation of the facility, those
`skilled in the art will appreciate that the facility may be
`implemented using devices of various types and configura­
`tions, and having various components.
`[0030] FIG. 3 shows a typical distribution of functional­
`ities of the facility across components in environments in
`which the facility typically operates. Those skilled in the art
`will appreciate that functionalities of the facility may also be
`distributed in various other manners. A Ballot Collection
`Agency Control Center 300 houses remote data center
`control applications owned/maintained by a ballot collection
`agency. These include a Root Certificate Management Mod­
`ule 301 that provides secure storage and access policies for
`the private signing keys belonging to the Ballot Collection
`Agency, and a Jurisdiction Manager Module 302 comprising
`software for creating and modifying jurisdiction records in
`the Master Database 332, housed in the Data Center 330.
`[0031]
`Installed in Jurisdiction Offices 310 are an Appli­
`ance Hardware Module 311 which comprises critical elec­
`tion creation and management hardware requiring high
`security as well as software necessary to operate the hard­
`ware. This module includes a Client Boot Application 312
`which comprises boot sequence code identical to that run on
`the Vote Client in the poll site, a CD Verification 313 which
`comprises software to verify authenticity of Election Con­
`figuration CD (identical code is typically run in the poll site
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 17
`
`

`

`US 2002/0078358 A1
`
`3
`
`Jun. 20, 2002
`
`to prevent use of counterfeit CD), and a Ballot Approval
`Application 314 which comprises software for final ballot
`style (blank ballot) approval by jurisdiction. The code for
`ballot display used by the Ballot Approval Application 314
`is identical to the code used for display by the Vote Client
`at the poll site. The Ballot Approval Application 314 also
`generates the jurisdiction root signature on all the individual
`ballot styles after ballot style review is completed favorably.
`Also installed in Jurisdiction Offices 310 are one or more
`Windows Machine(s) 320 which run election creation and
`management software that does not have high security
`requirements. This software includes an Administration
`Database 321 which comprises a database maintained by the
`jurisdiction for managing certificates, ballot styles, and
`election results, a Election & Ballot Configuration Applica­
`tion 322 which comprises software for creating precincts
`and ballots, Election, Ballot & Permission Info (XML) 323
`which comprises digital data (and digital signature)—for­
`matted according to specification—encapsulating the final
`state of the Administration Database 321 for election day, a
`Data Uploader 324 which comprises software for transfer­
`ring Election, Ballot & Permission Info (XML) 323 to the
`Ballot Collection Agency Data Center 330 for archive and
`CD production, a Election Results Application 325 which
`comprises software for tabulating, displaying, auditing, and
`archiving election results, Election Results XML 326 which
`comprises digital data—formatted according to specifica­
`tion—encapsulating the final set of election results (or
`tallies), Election Archives 327 which provide long term
`storage of all data necessary to completely re-create election
`tabulation and audit, Printed Ballots 328 which comprise
`optional paper ballots printed from electronic data, and a
`Transcript Verification Application 329 which comprises
`software for verification of the election transcript. This
`application constitutes a complete data audit of election
`integrity. The module checks all signatures and certificate
`chains, decryptions, proofs of validity, ballot style signa­
`tures, etc.
`[0032] A Data Center 330 embodies computing infrastruc­
`ture maintained by Ballot Collection Agency. It includes an
`Election Configuration Engine 331 which comprises soft­
`ware that packages the data received via upload for efficient
`CD production, a Master Database 332 which comprises a
`database for storing jurisdiction information originating
`from the Jurisdiction Manager 302 along with election
`specific information pertaining to audit of the election
`construction process. The latter information originates from
`the Ballot Approval Application 314. (ITiis database is the
`same as database 358.) ITie Data Center 330 further includes
`a Boot Engine 333 which comprises software for managing
`poll site network configuration addresses and other con­
`stants. These constants are needed by the poll site applica­
`tions at initialization, and hence must be supplied on the
`election CD. (Boot Engine 333 is typically the same as Boot
`Engine 359.) The Data Center 330 further includes one or
`more Election Database(s) 334 which comprise databases
`for storing all information essential to election day opera­
`tion, including ballot styles, and complete jurisdiction cer­
`tificate tree (PKI). (Election Database 334 is typically the
`same as Election Database 352.) The Data Center 330
`further includes Certified Software Images 335 which com­
`prise all election related software running in the Data Center
`has been certified and reviewed by an independent testing
`authority, a CD Image Preparation Module 336 which com­
`
`prises software and hardware for creating CD copies that are
`used at the Poll Site during all election operations. These
`CDs include both generic system software and all data that
`is jurisdiction specific, including ballot style and PKI infor­
`mation. The Data Center 330 further includes a Ballot
`Database 337 which comprises a database structure for
`receiving and storing voted ballots. In the Data Center, this
`amounts to an empty copy of a database “template”. The
`structure is necessary for proper initialization of the Poll Site
`Server at election startup. It does not, at this point, contain
`any ballots. The Data Center 330 further includes Audit
`Logs 338 which comprise operational audit data required by
`law. A Poll Site 340 includes one or more Poll Worker
`Station(s) 341 which individually comprise a computer
`operated by a poll worker for the purposes of issuing voter
`certificates and keys, as well as test certificates and keys, one
`or more Vote Station(s) 342 which individually comprise a
`computer for core vote casting interaction. Functions of a
`Vote Station 342 include display of appropriate ballot style,
`user interface for collecting voter choices, confirmation
`screen generation, ballot encoding, ballot encryption, ballot
`signing, and ballot submission. A Poll Site 340 further
`includes one or more Receipt Station(s) 343 which individu­
`ally comprise a computer that receives and verifies the
`voter’s receipt for voting (digitally signed using a private
`key stored only during election hours). This receipt is
`positive confirmation to the voter that his/her ballot was
`successfully added to the ballot box data, and serves also as
`irrefutable proof thereof. The Receipt Station also stores
`multiple copies of the all receipts on redundant storage
`devices. In case the voter does not provide his/her receipt to
`the tabulation process, either personally or by proxy, these
`storage devices still provide protection against ballot loss or
`deletion. A Poll Site 340 further includes a Client Boot
`Application 344 which comprises boot sequence code iden­
`tical to that run in the Jurisdiction Offices to for the Ballot
`Approval Application 314, a Poll Worker Application 345
`which comprises software for generating and signing voter
`keys and certificates. Certificates contain precinct and ballot
`style information in addition to the voter public key. A Poll
`Site 340 further includes a Vote Client Application 346
`which comprises software run on the Vote Station 342,
`implementing all functionality described therein, a Receipt
`Station Application 347 which comprises software run on
`the Receipt Station 343, implementing all functionality
`described therein, a Report Application 348 which com­
`prises software to generate a “state of the ballot box” report.
`This application is Used to verify empty ballot box before
`opening polls. It also can be used for end of day reports for
`multi-day elections. It also can provide for the counting of
`test ballots. A Poll Site 340 further includes a CD Verifica­
`tion Module 349 which comprises software for verifying the
`integrity of the election specific and generic software dis­
`tribution which makes up the entire contents of the election
`CD. This software is run on a Linux computer. A Poll Site
`340 further includes a Poll Site Server 350 which embodies
`software and hardware implementing all functionality asso­
`ciated with the digital ballot box; and in particular embodies
`the ballot box which is able to collect both official ballots
`and test ballots. A Poll Site Server 350 includes a Server
`Install Application 351 which comprises software for con­
`figuring the Poll Site Server with the appropriate initializa­
`tion data, an Election Database 352 which comprises a
`database for storing all information essential to election day
`
`Petitioner's Exhibit
`EXHIBIT 1007 - PAGE 18
`
`

`

`US 2002/0078358 A1
`
`4
`
`Jun. 20, 2002
`
`operation, including ballot styles, and complete jurisdiction
`certificate tree (PKI) (the same as 334), a Vote Engine 353
`which comprises the core software module for receiving and
`integrating all data produced by the Poll Worker Application
`345, the Vote Client Application 346), and the Receipt
`Station Application 346. Most importantly this data includes
`all voter certificates and voted ballots. The Vote Engine 353
`is also responsible for providing the correct ballot style to
`voter based on the voter certificate information contained on
`the voter portable storage device (IButton). A Poll Site
`Server 350 further includes a Report Engine 354 which
`comprises software for generating miscellaneous election
`status and readiness reports, a Ballot Database 355 which
`comprises a database structure for receiving and storing
`voted ballots initialized with the structure in 337, a Tabu­
`lation Process 356 which comprises the vote counting pro­
`cess, a Poll Site Control Application 357 which comprises
`software for high level management of Poll Site Server 350,
`a Master Database 358 which comprises a database for
`storing jurisdiction information originating from the Juris­
`diction Manager Module 302 along with election specific
`information pertaining to audit of the election construction
`process. The latter information originates from the Ballot
`Approval Application 314 (the same as 332). A Poll Site
`Server 350 further includes a Boot Engine 359 which
`comprises software for managing poll site network configu­
`ration addresses and other constants. These are needed by
`the poll site applications at initialization, and hence must be
`supplied on