Methods and systems for automated voting have been the subject of in-depth studies owing to the psychological, human and political implications associated with them and to the technical solutions which allow the problems they present to be overcome.
According to a first type of these methods and systems, the identity of the voter casting his vote is checked manually. This check grants access to the electronic voting system, which then only has to route an electronic ballot paper reliably to a vote-counting machine.
The first type mentioned above substantially corresponds to that described by U.S. patent application US 2003208395, in which an electronic ballot paper, constituted, for example, by a mini-application (“applet”), is loaded by the voter casting his vote onto his computer; the operations of transmitting the electronic ballot paper, verifying the identity of the voter and receiving the electronic ballot paper he returns are all carried out by the same server. The authentication method is of the biometric type.
The method and the system described by the above-mentioned patent application allow a powerful authentication process for the voter casting his vote, but at the cost of the voter having to travel physically. Furthermore, the voter casting his vote cannot be certain that his electronic ballot paper has arrived at its destination, that is to say, at the electronic ballot box.
According to a second type, the methods and systems allow a ballot to be organised, carried out and verified using the INTERNET. Generally, these methods and systems use messages transmitted over the INTERNET, referred to as mix-net messages, which are obtained by merging or mixing the data.
A process of this type is described, for example, by patent application EP 1 374 188, in which an improved mix-net is produced.
In the above-mentioned systems, if the merging or mixing modules use techniques such as effective encryption, it is difficult to certify the integrity of the data at the end of processing. If, however, a means for checking the integrity of the data is introduced, the mixture obtained becomes reversible, which impairs the level of security and confidentiality of the data transmitted.
According to a third type, the methods and systems use dedicated computers which are provided with powerful authentication means and which are interconnected over a virtual network. This last type provides an optimum level of security based on the powerful authentication of the voter casting his vote (authentication certificate level 3), the use of private virtual networks, of which it is very difficult to take control, and dedicated voting terminals.
Patent application U.S. 2002 138341 describes a method and a system which are comparable to those of the third type mentioned above, at least with respect to the use of mix-net messages and of a powerful authentication process by means of an X.509 certificate, a text file containing signed and encrypted information relating to a physical person; the electronic ballot paper is further encrypted by a hybrid encryption system.
The system described in the above-mentioned document further uses a plurality of servers.
However, the above-mentioned system and method do not provide a satisfactory solution with regard to the criterion of confidence in the administrators of these servers.
In the system and method described in this document, the papers signed electronically by the voter casting his vote pass through a first computer which verifies the electronic signature of the voter and replaces it with a specific signature associated with the first computer before transmitting the electronic ballot paper which has been signed again to the electronic ballot box.
However, this first computer, which acts as an intermediary for transactions, or as a trusted third party, retains every possibility of removing anonymity before the electronic ballot paper is, or is not, introduced into the electronic ballot box.
Furthermore, the voter casting his vote receives a blank ballot paper, and authentication of the identity of the voter is tantamount to authorisation to vote, without any other check. The encrypted electronic ballot paper is linked to the voter casting his vote, at least at the first computer, and is encrypted together with a date.
The dated encryption process mentioned above protects against the copying of electronic ballot papers which have been intercepted illicitly but, on the other hand, carries the risk that significant aggregation may be carried out.
The problems presented by the use of methods and systems for electronic voting over a network applied to the INTERNET, with either a powerful or a weak authentication process, can be summarised as follows.
When, for reasons of hardware costs and the logistical complexity of organising the ballot, the organisers hold electronic voting via the INTERNET with weak authentication, they take on overall risks regarding the security of the weak system on at least three levels:
- The servers may be victims of denial of service. Voters may participate in such malfunctions, at times involuntarily, if they are victims of computer viruses.
- Voters casting their votes are themselves obliged to trust the service providers operating the voting computers, with regard to both respecting their anonymity and the integrity of the ballot.
- Unscrupulous users may use the code placed on their computer, intended to help them cast their vote, in an attempt to undermine the credibility of the vote.
The most basic scheme of the architecture of a system for electronic voting over a network with weak authentication is as follows:
- the voter casting his vote is informed of the address of the electronic voting server by any suitable medium (post, e-mail, press . . . );
- the voter casting his vote connects, on the day of the vote, from a terminal of one computer or another, to the voting server using the communicated address;
- the voting server checks the voting rights of the voter casting his vote, sends a “blank” electronic ballot paper to the voter, who fills it in and returns it to the voting server, which records it, or does not record it, as a cast vote with the other electronic ballot papers.
The above scheme sets out the risks actually encountered on the following levels:
Anonymity:
The voter casting his vote must identify himself in order for his voting right to be verified. If the communications are intercepted and observed, it is possible to find out for whom the voter casting his vote is voting. Therefore, the communications must be encrypted. In order to produce a degree of confidence in the system, independently of the confidence which the voters may place in the administrator of the system, at least two separate servers must be used: a vote administration server, in order to check the rights to vote and to authenticate the voter casting his vote, and a vote-counting server, in order to count the papers.
Only collusion between the administrators of the two servers may allow anonymity to be removed. However, it should be noted that the above-mentioned problems are faced by any authority organising a vote, even one in conventional paper form.
Generally, the majority of multi-server systems are configured in such a manner that the various administrators who may or may not be directly connected to the people having an interest in the results of the vote monitor each other.
Secrecy of the result until the end of the ballot:
Even if the communications are encrypted at network level, if the administrator of the vote-counting server is dishonest, he may know the results before the closure of the ballot. Therefore, it is necessary to carry out encryption at the level of the vote counting application with decryption keys which are not revealed until after the closure of the ballot.
Security:
If the server computers are not adequately protected, a malicious intruder may gain access and cause damage.
Integrity:
The risk of an electronic ballot box becoming jammed is high. The power of computer hardware and software is such that the discovery or disclosure of a malfunction allows anyone aware of it to exploit it on a huge scale.
The use of electronic signatures and certificates allows the above-mentioned risk to be overcome.
Some systems which meet the above-mentioned demands have already been proposed. This is particularly the case for PKI infrastructures, which support the use of public key cryptography by means of systems that generate public/private key pairs, in order to protect access to the private key, which is secret by definition and can be used only by the individual, the voter casting his vote, whose identity has been associated with this private key.
Installing a PKI infrastructure on a large scale, since a ballot can include more than thirty million voters, is currently still difficult and providing an adequate number of secured booths involves significant financial costs.
The systems for electronic voting via the INTERNET are intended to simplify the organisation of ballots and reduce costs and therefore cannot readily use infrastructures of this type.
When, on the other hand, the same organisers use an infrastructure which is highly secured, the cost and the complexity of use are even less suitable for trials and then for generalised use.
Only strong political will, a connection with other organisational developments, such as the electronic identity card, and close collaboration between several concerned parties in the relevant country, which allows these infrastructures to be reused in circumstances which are similar to those of a vote but which are not necessarily connected to this type of event, would allow deployment of an infrastructure of this type to be envisaged.
If, in a situation of this type, these organisers use an electronic voting system which is less secure, the risk of losing the confidence of voters is great, which is by no means acceptable owing to the risk of discrediting these organisers or the political establishment for accepting systems of this type.
The object of the present invention is to overcome all of the disadvantages and limitations of the current methods and systems for electronic voting which in particular force the electorate to trust the technical administrators of the vote.
In particular, the subject-matter of the present invention is a method and system for electronic voting over a network whose structure is capable of ensuring that the responsibilities are distributed between a plurality of administrative parties which, unless there is an illicit agreement between them, cannot undermine the integrity of the ballot without the corresponding fraudulent attempts being uncovered.
Furthermore, the object of the present invention is to provide a simple method and system for voting which do not require the use of a complex authentication system but which do, however, have a high degree of security.
The object of the present invention is also to provide a method and a system which allow protection against any attempt to discredit the voting process, by removing any possibility of submitting, under a given identity, an electronic ballot paper which is signed under another identity in an attempt to create discrepancies between the list of the voters who have actually participated in the vote and the list of voters who have signed a control register.
Finally, the subject-matter of the present invention is the use of a method and system for electronic voting which allow the introduction of a process of eligibility for the voter, who has participated in the vote and has therefore actually voted, to sign the electronic electoral register.