Accuracy in the results is an essential characteristic of any electoral process. The vote recount has traditionally been carried out manually, which results in an unwanted delay in publishing the results, and especially a high probability of committing errors in said recount.
The modernization of electoral systems has enabled speeding up the vote recount and the accuracy in the results by means of using electronic voting devices (e.g. electronic voting terminals or vote scanning machines). These devices enable generating an electronic record of the votes, and therefore performing a faster and more reliable electronic recount. They also make it easier to send both the electronic votes and the local results obtained to a central recount system which allows consolidating the results of different electoral colleges or voting channels. However, the current proposals only contemplate protecting the privacy of the votes or results sent by means of encryption. These solutions do not incorporate measures making it easy to audit the integrity of said local recounts or to identify if these results have been endorsed by the authorities responsible for performing said recount. It is therefore impossible to reliably verify if the local recounts received by the consolidation center have been manipulated before being processed by the consolidation center. Additionally these proposals do not take into account the possibility of consolidating results coming from manual recounts, so they cannot be applied to traditional voting settings.
An example of these proposals can be found in patent document U.S. Pat. No. 7,044,375, describing a system in which a consolidation central of the results of a vote is performed, carried out by electronic means. The system has an acquisition and communication device that is responsible for collecting the votes and/or results generated in the local voting and/or recount machines in the voting premises. This data is encrypted and sent from each local premises to a central results consolidation system by means of a communication channel. The central consolidation system receives the data, decrypts and performs the recount. The consolidation system periodically sends the updated results to a results publication system. As mentioned above, this solution does not incorporate measures which allow protecting the integrity of the data sent to the system central. Nor does it incorporate measures which allow verifying if the sent data has been verified by the local electoral process authorities, rather it assumes at all times that the received data is from a reliable source, without validating such source.
Similarly, patent document US20060196939 describes an electronic voting system including a centralized vote recount system. The local results of each electoral premise is encrypted and sent to a centralized recount system. Said transmission can be online or by means of physically transporting the local recount terminal storage devices. The local storage device has a physical interface allowing it to connect to the centralized recount system in order to download and decrypt the local results. The centralized recount system sends the results to a publication system through a communication network, which publication systems is responsible for disclosing the results.
Neither of the two aforementioned cases proposes actions that help to preserve the integrity of the results. Although in both cases the local results are encrypted before being sent to the central server, which protects them during transmission, they do not consider techniques that assure the integrity of the local results before being sent, nor can they assure the integrity of the end result.
Due to the possibility of manipulation of the results, there are methods which seek to verify (or audit) the accuracy in the result of an election by means of parallel records in different storage mediums. One example thereof are systems which print each vote while at the same time recording such vote in an electronic medium.
The main drawback with parallel vote recording systems is that if one of the records is manipulated, it can only be detected by means of an audit. In the event that a discrepancy is detected in the recount of both records, it is impossible to know which of them has been manipulated, and it is therefore impossible to be certain of which is the correct result.
The present invention describes a method for consolidating results of an electoral process in a secure manner. Said method allows consolidating the local results generated in different local premises or even in different electronic voting channels or platforms. Another object of the present invention is to protect the integrity of the local election results, as well as to check the authorship of the election official or officials sending said local results. The present invention further seeks to generate physical records of the local results and to protect their integrity, as well as to check the authorship thereof.