Elections are used to select representatives in many situations for example members of parliament or congress, local council members and members of a board of directors.

Elections can however place a large burden on resources, financial, human, time etc, and can be inconvenient to the electorate if voters have to disrupt their normal routines or go out of their way to participate. In elections where voting is not compulsory, this inconvenience can lead to voter apathy and low voter participation rates. The present invention seeks to provide a system for conducting an election at greater convenience to voters and at lower cost to administrators.

SUMMARY OF THE INVENTION The invention resides in an online election system including a computer network having a host server and a plurality of user interfaces, said system further including:- a registered voter database accessible by said host server and containing voter identification records for a plurality of registered voters; a voter verification system including means to receive personal identification information provided by a user at a user interface and means to determine if said user is a registered voter by matching said personal information provided by said user to a record contained in said registered voter database; means to display at a user interface election information including a list of election candidates; means by which a registered voter can indicate their vote at the user interface; means by which a registered voter can submit their vote from the user interface to the host server; means to prevent a registered voter from submitting more than one vote;

means for tallying a plurality of votes submitted by a plurality of registered voters; wherein when a vote is received at the host server all voter identification is removed from the vote, the vote is passed to the means for tallying and the registered voter who submitted the vote is flagged as having voted.

In a second aspect, the invention resides in an online election system including a computer network having a host server and a plurality of user interfaces, said system further including:- a registered voter database accessible by said host server and containing voter identification records for a plurality of registered voters; a voter verification system including means to receive personal identification information provided by a user at a user interface and means to determine if said user is a registered voter by matching said personal information provided by said user to a record contained in said registered voter database; means to display at a user interface election information including a list of election candidates; means by which a registered voter can indicate their vote at the user interface; means by which a registered voter can submit their vote from the user interface to the host server; means to prevent a registered voter from submitting more than one vote; means for tallying a plurality of votes submitted by a plurality of registered voters; wherein said system stores submitted votes independently of said voter records such that a voter cannot be correlated to their respective vote.

Preferably communications between the host server and the user interfaces are encrypted.

Preferably the list of candidates displayed at a user interface is determined from one or more details contained in a registered voter's record.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described by way of preferred embodiments intended as non-limiting examples only, and with reference to the accompanying Fig 1 which shows a schematic view of a system according to the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS Shown schematically in Fig 1 is an online election system 10. The focal point of the system 10 is a host server 12. The host server 12 runs an internet based server application that can be accessed through web-enabled user browsers 13,14.

The host server 12 performs routine server functions and is the interface into multiple data sources 15,16,17,18 storing the information served out to the end user. The data sources include a general database 15, a registered voter database 16, an electoral database 17 and a registered vote database 18, the function of each which will be described individually below. The databases may be of any proprietary relational database type such as the Oracle, Microsoft SQLTM or Sybase X databases.

The general database 15 stores information generic to the on-line election system, such as how to vote information, election rules, voter-registration forms, candidate information etc. The information stored in this database is of low security requirements and can be easily maintained and up-dated without disruption to the other databases.

The registered voter database 16 stores details of registered voters in a defined schema. The schema includes fields for a voter's unique identifier; name; contact details including address and electronic mail address; Personal Identification Number (PIN), password or pass phrase; and vote status. The vote status field is used to indicate whether the voter has submitted a valid vote for a particular election and may consist of a simple value eg. 0 indicating a voter hasn't voted, 1 indicating that they have. Of course the schema may include other fields, for example containing additional security or verification information. The exact nature of the schema will depend on the type of election being conducted. For wide scale government elections

for example, the address fields are important for identifying the electorate that the registered voter belongs to. For smaller scale elections, eg within an organisation, the address fields may not be important, and instead the schema may store for example a voter's membership number for the organisation, which may also form the unique identifier for that voter.

The electoral database 17 stores information specific to the election being conducted such as ballot forms containing a list of candidates. Where there is more than one list of candidates for an election, the electoral database may also contain look-up tables for determining the appropriate list of candidates to be provided to a voter. If the appropriate candidate list is dependant upon one or more details of a registered voter, the look-up tables may equate fields of voter records with candidate lists.

For example, the list of candidates required by a registered voter may be dependent on the electorate of the voter. The voter's electorate may be stored in a field in their respective record in the registered voter database 16, in which case the electoral database 17 will contain a look-up table matching an electorate with a list of candidates for that electorate.

Alternatively, the electorate may be determined from the address field of a registered voter's record in which case the electoral database 17 will contain two look-up tables, the first matching addresses or postcodes with electorates, the second matching electorates with candidate lists. It is possible that one look-up table matching addresses or postcodes with candidate lists be used, however this latter method is not preferred where the databases are to be re-used for subsequent elections, as it requires more intensive maintenance when a list of candidates for an electorate is changed.

For a similar reason, it is preferred that a voter's electorate is determined from their address or postcode rather than being stored directly in the voter records, as changes to the electorate boundaries are more easily accommodated.

The fourth database shown at 18 in Fig 1 is a registered vote database which stores and tallies all validly submitted votes. The registered vote database 18 preferably

contains divisions to facilitate the accurate tallying and reporting of the vote. For example, the vote database may be divided into electorates and the votes may be stored according to the electorate to which they relate. Each division may then be tallied independently to achieve a result for that electorate. Divisions in the vote database assist the speed at which the vote may be tallied and also reduces the storage requirement of the database because, for example, the electorate to which a vote belongs does not have to be stored for each vote.

To establish the registered voter database 16, the system according to the invention includes a registration system. Prior to an election, a user may access the host server 12 through a user interface 13,14 to retrieve an electronic registration form from the general database 15. The user provides the requested information such as name, address and other personal details for example drivers licence number, credit card number etc. and submits it electronically in a known manner to the host server 12.

The information is then retrieved at the host, and a new record is created in the registered voter database for the user based on the details provided. The task of retrieving a user's details and creating a new record may be performed manually by an operator with authorised access to the registered voter database 15, or may be performed automatically through a software application run by the host server. To facilitate automation of the registration process, the host server 12 may be further linked to the databases of other institutions for the purpose of searching those databases and verifying security details provided by a user such as credit card numbers, passport numbers, driver's licence numbers and the like.

Once the voter database is established, it can be re-used for any number of elections.

It will of course be necessary to clear the vote status fields of all voter records once an election is completed and the host server contains an appropriate software application for performing this task.

After a voter record has been created, and all the details provided by the user have been verified, the user then becomes registered as a voter and is issued with a unique identifier assigned by the host server, and other security information such as a

Personal Identification Number (PIN), password or passphrase which may have been chosen by the user when submitting their registration form. The identifier and security details form part of the voter's record in the registered voter database 16.

The unique identifier provides a registered voter with a means of identifying themselves to the host and can be implemented in a variety of ways depending on the security requirements of the election administrator and the method of registering voters. In a most preferred form, upon registration a voter is issued with a uniquely encoded smart card and personal identification number. Identification to the host during an election then requires a card reader attached to the user browser. At present these are available at some office computers and can be provided at specialised online polling booths, but it is anticipated that smart card readers for facilitating on-line transactions will be a part of standard personal computer hardware in the near future, thus the voter's own personal computer will be suitable.

In a simpler form, the registered voter may be issued with a unique identifier which may simply be a number issued sequentially by the host server to sequentially registered voters, that the voter manually enters at the user interface in order to identify themselves to the host server.

When an election is held, all registered voters may submit their vote using the on-line election system of the present invention. To submit their vote, a user first accesses the host server 12 through a user browser 13,14. The host server displays a generic election page from the general database 15 onto the user browser and prompts the user to provide the voter's registration details. The voter identifies themselves to the host by providing their unique identification, for example in one of the ways described above.

The voter also provides further verification details such as a PIN or password to a level dependent on the security levels of the election system. The registered voter database 16 is then searched to locate a record matching all the details provided by the prospective voter.

If no matching record is found, the user is given the option to re-submit their registered details, return to the title page of the election or exit. If the details provided by the user accord with a record in the registered voter database the user is verified as a registered voter and a log-in session with a session identifier is created for that voter.

The voter is then advanced to the next stage of the election procedure. At this point the host server retrieves an appropriate list of candidates from the electoral database 17, and causes the list to be displayed at the registered voter's browser. The list of candidates retrieved from the electoral database 17 may be a standard list for all voters or may be determined using suitable look-up tables stored in the electoral database 17.

In order to determine the list of candidates appropriate for a registered voter, it may be necessary for the host server 12 to access the registered voter's record and equate specific details of the voter with a list of candidates. For example, the voter's address can be used to retrieve the list of candidates for the electorate that the voter belongs to.

With a list of candidates displayed on the user browser, the registered voter is able to indicate their vote in a known manner, for example by selecting their choice of candidate with an attached mouse device of the browser or by touch pad. Depending on the rules of the election the voter may be able to select their most preferred candidate or select candidates in a preferential order. When a voter is satisfied with their vote, a tool can be selected to submit the vote indicated at the user browser to the host server. Once the submit tool is chosen, the vote information indicated by the registered voter is transferred in a known manner using standard protocols from the voter's interface to the host server. To allow the identity of the voter who submitted the vote to be determined by the host server, the vote information may be submitted with the unique identifier of the voter. Alternatively, the voter identity may be determined by the host server from the log-in session identifier. As a first stage of receiving the vote the host server checks the vote status field of the voter's record to ensure that the voter has not previously submitted a vote for the particular election and checks the vote to ensure it has been submitted in an acceptable form. An acceptable form may be that only one candidate has been indicated or that the candidates have

been sequentially numbered to show the preferences of the voter. If a vote is rej ected the voter is informed and allowed to re-cast their vote.

Once the form of a vote has been checked and approved the host server informs the voter that their vote has been successfully submitted, and the voter is then free to terminate the log-in session. The host server then uses either the log-in session identifier or the voter identifier if submitted with the vote, to determine the identity of the voter and update the voter's record to change the value in the vote status field from a 0 to a 1 to indicate that the voter has submitted a valid vote. At the same time, the host server 12 removes all specific voter identification from the vote, including the voter's unique identifier and log-in session identifier, and passes the vote to the registered vote database 18. The vote is then stored in the appropriate division of the registered vote database 18 which may be determined from information passes with the vote by the host server or from information integral with the vote itself. For example, the host server may explicitly tag a vote as belonging to a particular electorate, or the electorate may be implicit in the list of candidates associated with the vote.

At the conclusion of the election, the host server 12 runs a software application to tally all votes stored in the vote database and generate reports based on the result. The tallying system may be adapted to tally the votes according to a preferential or"two party preferred"voting system. Where, after at least a portion of the votes have been tallied, it is not possible for a particular candidate to win, the votes of the voters who indicated that candidate are distributed to the other candidates in accordance with the preferences of those voters. The tallying system may further include a means to assign a weighting to a voter's preferences, as is done in, for example, the Australian Senate Elections. Alternatively the votes may be tallied according to a"first past the post"system wherein the successful candidate is deemed to be the one with the most primary votes out of all candidates. After the vote is tallied a report is generated of the result and made available for viewing on the computer network through the host server.

Once voting in an election has ceased, the election system can be used to determine those registered voter's who voted and those that did not by searching the vote status field of all records in the registered voter database 16. If voting in an election is compulsory, the host server can automatically generate a list of voters who did not participate, and can further generate notices that a fine is payable and issue these notices to non-participating voter's by electronic mail using the mail address in a voter's record.

The general database 15 preferably includes an on-line fine payment form whereby a fined user can pay their fine using the computer network. The voter accesses the payment form through the user browser/host server connection and provides their financial account details, for example their credit card number and expiry date. The election system then retrieves these details and, using a secure electronic link 23 to a financial network 21 through a firewall 22, transfers the amount of the fine from the user's account to one or more financial accounts authorised to receive the fine payments. The voter's account information is then deleted from the election system and the voter's record flagged as having paid the fine. The flag may include a receipt that is issued, preferably electronically, to the user. The fine payment system may be implemented using any appropriate e-commerce engine such as the Transat engine developed by Open Market Inc. Once all fines have been issued and paid, the host server runs an application to reset the vote status fields of all records to a 0 so that the databases are then ready to be used for further elections.

Preferably it is possible to vary the amount or type of information that a user must provide in order to be registered. In this way the election system can be adapted to conduct elections for several different organisations by catering to the particular needs of each organisation.

The election system is most suitably implemented using the world wide web. This allows it to be accessed from most places around the word, including a person's home or office or at a polling booth having online facilities, at a relatively cheap cost. The election can therefore be conducted at minimum inconvenience to voters. The

election system may have a central web site and several mirror sites in order that it can handle the high level of use it could potentially receive during an election. The web site may contain additional links to election related web sites such as those for the candidates.

The information stored in the election system, in particular the registered voter database may be encrypted so that it can be viewed only by persons having the appropriate security clearance. It is also preferable that the user browser be able to support encryption technology to a level depending upon the security requirements of the particular election being conducted. For a government election, it is preferred that the communications between the host server and user browser be protected by 128 bit encryption software or better, running on a public/private key exchange system.

The host server may include a proprietary plug-in encryption system stored in the general database 15 that can be downloaded to a user's browser if the security systems on the browser are inadequate.

The above embodiment has been described with reference to an election conducted over a wide area network such as the internet. Such an application is suitable for conducting large scale elections, for example the election of government officials.

If an election is to be held on a smaller scale, for example within an organisation, the online election system may be implemented on a local area network. In this case the host need only run a local server application with the user browsers forming part of the local internet, that is, they are hard wired into the network. In this situation the optional fine payment system will not be able to be employed without the host server running a software application allowing it to link with a wider network, but for small scale elections, this feature is unlikely to be necessary.

The election system as outlined above is suitable for electing representatives for governments, councils, businesses, societies, etc. The confidentiality of a person's vote is ensured because once a person's vote is submitted, it is stripped of any voter

identification and the vote is stored in a separate unlinked database so that the vote cannot be correlated to the voter who submitted it.

An election conducted on-line can save on resources required for ballot papers, candidate information, how-to-vote cards and the like, all of which can be provided via the computer network. The on-line election system can also save on human resources because there is no need for people to staff polling booths, tally the vote or act as scrutineers. An added advantage is that many sources of human error can be removed.

An on-line election also provides convenience to the electorate because they do not have to attend a polling booth. This is particularly useful for people such as the disabled and their carers, and people who would otherwise have to travel large distances to attend a polling booth. In addition, the current postal vote and absentee systems could be made obsolete because access to the on-line election would merely require a computer with a modem attachment and could occur from almost anywhere worldwide.

While particular embodiments of this invention have been described, it will be evident to those skilled in the art that the present invention may be embodied in other specific forms without departing from the essential characteristics thereof. The present embodiments and examples are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.