WO2002045396A2 - Secure telephone polling - Google Patents

Publication number
WO2002045396A2
Authority
WO
WIPO (PCT)
Prior art keywords
correspondent
service provider
database
personal
data
Prior art date
Application number
PCT/GB2001/005224
Other languages
French (fr)
Other versions
WO2002045396A3 (en)
Inventor
Anthony Crabbe
Pamela Molyneux
Hugh Molyneux
Peter Crabbe
Original Assignee
CRABBE, Cherry, Thelma
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CRABBE, Cherry, Thelma
Priority to AU2002228147A
Publication of WO2002045396A2
Publication of WO2002045396A3

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C13/00 Voting apparatus
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M3/00 Automatic or semi-automatic exchanges
    • H04M3/42 Systems providing special services or facilities to subscribers
    • H04M3/487 Arrangements for providing information services, e.g. recorded voice services or time announcements
    • H04M3/42008 Systems for anonymous communication between parties, e.g. by use of disposal contact identifiers
    • H04M2203/00 Aspects of automatic or semi-automatic exchanges
    • H04M2203/10 Aspects of automatic or semi-automatic exchanges related to the purpose or context of the telephonic communication
    • H04M2203/1041 Televoting

Abstract

Many automated systems already exist that allow voters to review options and cast votes using normal telephones. A secure telephone polling system enables users to vote anonymously from poll organisers and eavesdroppers, whilst still allowing authorised investigators to check that only legitimate voters have participated in the poll. The method by which a voter preserves his anonymity is to submit to the organisers, only parts of the symbol sequences that comprise his existing personal identification codes, such as his National Insurance number. A poll organiser requires two or more trusted third parties to provide only the same partial codes related to a single personal detail, such as a home postal code. When the organiser successfully matches two or more code entries to a single personal detail, this gives a very high probability that the person entering the codes is the same person fully recorded on the third party's original databases.

Description

SECURE TELEPHONE POLLING
BACKGROUND
In general, the organisation of polls may take three forms. They solicit votes in order to: a) Confer a mandate upon selected representatives of the participating electorate. b) Confer an honour upon selected individuals. c) Register opinion about selected issues.
The organisation of a mandatory poll needs to protect both the privacy of individual voters and the poll against fraudulent or malicious individuals. The present invention is concerned primarily with enabling private polls of the type a) above to be conducted by telephone calls, but may also have application in the cases of b) and c). Principles of the present invention may also be applied more generally in cases where an individual is required to identify themselves through entry of Personal Identification Numbers (PINs).
1. Prior Art
There are numerous systems designed to handle telephone polls of types b) and c) above. In respect of a) above, patent searching reveals that existing solutions for validating a caller's subscription to a telephone service fall into three main categories:
1. Those that use telephone peripherals, such as a telephone card reader, which requires the caller to identify himself by use of a card issued by the service provider (US5412727, US4995081, WO96/02044)
2. Those that build recognition hardware into the telephone system, e.g. an identity chip on the caller's home telephone set, or a system that recognises the telephone set from which a call is being made (WO97/04602A2, US5838774, JP9081821A, JP8137969A, JP8044919A, WO99/26396)
3. Those that request the caller to enter PINs on the telephone keypad and match those PINs with pre-stored data about the caller (WO97/46031A1, US5689247, US5528670, US5311594, US3644675). The present system falls under this category.
Pilot tests for political telephone voting have been run in the USA and Canada in the 1970's and 80's.¹ The systems used there still relied upon elements of non-telephonic activity, such as postal correspondence. A feature of the present invention is that it can, in principle, all be operated by telephone, using a single call session to authenticate the caller and thereafter, to conduct a given poll. This feature is made possible by requiring the caller only to confirm personal data that is already pre-stored in existing public or commercial records.
To safeguard both the voter's privacy and anonymity, the present invention requires the caller to enter only fragments of the identifiers held in the pre-stored records, for example, the first six digits of an eight digit PIN. This use of identifier fragments allows the poll organiser a very high degree of certainty that a caller could not accidentally enter data matching their personal identifiers held in the pre-stored records. The use of identifier fragments entered on a telephone keypad also means that the caller need never give their name, address, or full PIN, which prevents anyone obtaining the poll organiser's records discovering the actual identity of the caller. Yet, the same data is sufficient to pinpoint a valid caller's postal area. The means by which the present invention achieves these said features are now described by a combination of working principles and embodiments.
DESCRIPTION
1. Voter registration
Voter registration is the preliminary step to that of voting. In the preferred embodiment of the present invention, registration could be included as part of each voting event, or in a second embodiment, registration could be a one-off event that registered a caller as a voter for subsequent telephone voting in polls arranged by the same organisers.
2. Data Sources
For secret balloting, data about the prospective voter should be obtained from at least two, or more, independent public record sets, or databases. For open balloting, such as raising a petition by telephone, it may be acceptable to register a signatory with data drawn from just one database. If the signatory voluntarily provides their personal telephone number, then independent monitors can validate the petition's authenticity by calling back a given sample of signatories.
3. Secret balloting and data protection
For secret balloting, the following requirements are essential:
1. Only the voter knows what choice he or she has made.
2. The voter's personal details are neither shared nor disclosed in a manner contrary to data protection laws.
The present invention addresses these secret ballot requirements in the following ways:
3. The voter never supplies their name, or address.
4. The voter only supplies a fragment of any given ID they have, for example, only the 6 digits of their 3 letter 6 digit UK National Insurance no. This prevents anyone with access to either the poll organiser's database, or the voter's telephone calls, from gaining enough information to consult other record sets in order to find out the voter's name.
5. The data fragmentation described in 2 above also means that the owners of public records can supply their records to a poll organiser, in a way that never breaches their Data Privacy obligations to individual citizens. The record owners may further secure their data from a poll organiser by "locking" the display mode of their computer database files, so that for instance, all file data is displayed in password format, ****. Proprietary software applications like Microsoft Access enable owners to set this type of data protection so that only users with the owner's password can change the file design.
4. Fraudulent voting and misuse of data
It is desirable to protect against the following polling abuses:
1. Fraudulent acquisition of another person's identity numbers.
2. Eavesdropping, such as telephone tapping.
3. Unauthorised use or distribution of individual records by the database holder.
The present invention does not allow either the poll organisers, or telephone eavesdroppers, to deduce the voter's name or address. However, the present system cannot prevent a) above if it is achieved by means such as mail interception, or disclosure by the voter, which is also a problem with other secure systems, such as credit cards and electoral registration. The present invention could make use of voice "signatures" if required. These voice entries could be recorded as WAV files, for instance. In the event of a fraud investigation the WAV files could be matched with recordings made by suspects.
5. Data Entry
The data entry and system responses for the preferred embodiment of the present invention are now described by example. The telephonic system linking the caller to the poll organiser via the telephone carrier is shown schematically in Figure 1. At the poll organiser's telephone exchange system, calls are relayed to a series of voice response interfaces, each linked to a personal computer, with each said computer being linked to a main server, in which the poll organisers keep their master database. The term "voice" may refer either to a human operator or a set of pre-recorded voice messages. The master database holds pre-stored personal identification data supplied by two record set holders who are independent of each other and do not share data. Callers are prompted to enter their details using either speech or the telephone keypad. Speech entries are recognised and processed either by a human operator or by voice recognition software installed on the controlling computer for the response interface. The communication between the response interfaces and computers would be managed by existing software, such as British Telecommunication's Meridian application, running on personal or main frame computers, linked either to an automated, or operator controlled telephone exchange. The sequence of registration procedures is then shown schematically in Figure 2.
6. Data Matching
In the following example, the poll organiser asks the caller to enter at least two individual ID numbers, a and c, where a is an element of a personal data set p1, stored in Database 1 and c is an element of a personal data set p2, stored in Database 2. Database 1 is owned by the Department of Social Security, an organisation which does not share any of its record data with the National Health Service, the owners of Database 2. Nor do the said owners share information through any intermediary such as the said poll organiser, because the said owners only supply the said poll organiser with fragments of the said sets p1 and p2.
As shown in the Venn diagram in Figure 4, the said poll organiser can match the said caller's entries a and c by finding a common factor, the said caller's postcode, in the intersection of sets p1 and p2. The general principle illustrated here is that the caller's personal data set {p}, can only qualify for inclusion in the registry of valid voters {V} held in the poll organiser's master database, if it satisfies the following general criterion:
$$\text{For all } \{p\} \equiv \{(a,b),(c,d)\},\ \{p\} \text{ is a member of } \{V\} \text{ if and only if } b = d \text{ and } a \neq c \neq b \qquad (1)$$
In this example, the total number n, of 6 digit sequences taken from an NHS ID, can only be 1 million. So potentially, at least 40 of the 40 million UK electors {V}, share the same 6 digit sequence for either an NI or NHS no. By coincidence, there may also be another 40 electors sharing one of the million or so valid UK Postcodes, {R}.² However, the odds against finding at random in {V}, a pair of NI & NHS 6 digit sequences (a, c) that both correspond to the same post code b = d, are
$$\frac{1}{[(V/n_1)/V]\,[(V/n_2)/V]\,[(V/R)/V]} = \frac{1}{(40/4\times10^{7})(40/4\times10^{7})(40/10^{6})} = 2.5 \times 10^{18} \text{ to } 1 \qquad (2)$$
Since there are 40 million pairs of NHS and NI that do satisfy equation (1) above, then a rogue caller entering two 6 digit numbers at random has the following odds of getting his or her entry registered:
$$1 \text{ in } (2.5 \times 10^{18})/(4 \times 10^{7}) = 1 \text{ in } 6.25 \times 10^{10} \qquad (3)$$
The security set-up of the present invention is then, based on a statistical notion of certainty. On the one hand, the use of PIN fragments helps to disguise the voter's identity. On the other hand, the criteria for relating the said PIN fragments give a very high level of confidence that they identify the same voter - and that the high odds against the registration of rogue voters effectively prevents them from participating in telephone polls.
7. Prior preparation of record sets
To safeguard against freak duplications in originating databases, it is necessary to search the said databases for duplicate values before using them for registration purposes. Before use, these said databases are filtered by date of birth, to remove all individuals under the voting age. Finally, each PIN is stripped down to 6 digits by removing the unwanted letters or digits in the manner illustrated in Figure 4. The removal of letters from the required data entry has the benefit of making data entry by telephone much easier for the caller.
8. Embodiment of a database set-up
Figure 5 shows a database set-up for the above embodiment. Callers enter the first six digits of their NHS number and the six digits of their NI number. For the purposes of example, the second columns of the NHS and NI data records are shown "unhidden". However, in practice, both these columns would be displayed in password format, as illustrated in Figure 5, and the design of the tables be "locked" in that view by the owner's choice of a 20 digit security password. The two query tables could also be locked in the same way, which still allows the database user to view the necessary query data.
PIN numbers are automatically assigned to every caller as their data is entered on the table called "Caller" in this example. In practice, the PINs will comprise much longer digit sequences than those shown in the example. Each data field in the "Caller" table is set to reject duplicate data entries, so that each record of each call in which the caller seeks registration is unique and any caller entering the same identification details more than once cannot be registered more than once. In the example shown in Figure 5, Caller 1 has entered erroneous information for their NI number and Caller 5 for their NHS number. Only callers listed in the "Match Postcodes" query will have their PIN numbers validated for use in the next phase, that of voting.
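The matching rule of criterion (1) and the duplicate-rejecting "Caller" table described above, as an added example in Python with SQLite (not code from the patent; the table layout, function names and every sample record are constructed assumptions). It also counts what share of all possible fragment pairs the rule accepts for a given data set, which is the quantity the odds in (2) and (3) estimate.

```python
import re
import sqlite3
from fractions import Fraction

# Constructed sample data (not real identifiers). Each record-set owner
# supplies only (6-digit fragment, postcode), never a name or address.
NI_RECORDS = [("123456", "LS1 4AB"), ("222222", "LS6 2QQ"),
              ("333333", "M1 1AA"), ("444444", "LS1 4AB")]
NHS_RECORDS = [("987654", "LS1 4AB"), ("555555", "LS6 2QQ"),
               ("666666", "YO1 7HH")]

FRAGMENT = re.compile(r"\d{6}")  # keypad entry: exactly six digits


def build_db():
    """Create the organiser's master database in memory (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ni  (fragment TEXT NOT NULL, postcode TEXT NOT NULL);
        CREATE TABLE nhs (fragment TEXT NOT NULL, postcode TEXT NOT NULL);
        -- Each data field rejects duplicates, as the "Caller" table does.
        CREATE TABLE caller (
            pin      INTEGER PRIMARY KEY AUTOINCREMENT,
            ni_frag  TEXT NOT NULL UNIQUE,
            nhs_frag TEXT NOT NULL UNIQUE
        );
    """)
    conn.executemany("INSERT INTO ni VALUES (?, ?)", NI_RECORDS)
    conn.executemany("INSERT INTO nhs VALUES (?, ?)", NHS_RECORDS)
    conn.commit()
    return conn


def match_postcode(conn, ni_frag, nhs_frag):
    """Criterion (1): entries a and c qualify only if they map to the same
    postcode (b = d) and a != c. Returns that postcode, or None."""
    if ni_frag == nhs_frag:
        return None
    row = conn.execute(
        "SELECT ni.postcode FROM ni JOIN nhs ON ni.postcode = nhs.postcode "
        "WHERE ni.fragment = ? AND nhs.fragment = ? "
        "ORDER BY ni.postcode LIMIT 1",
        (ni_frag, nhs_frag),
    ).fetchone()
    return row[0] if row else None


def register(conn, ni_frag, nhs_frag):
    """Record a registration call.

    Returns None if the entry is malformed or repeats a fragment already
    on the Caller table; otherwise (pin, postcode), where postcode is None
    when the PIN was recorded but not validated by the postcode match."""
    if not (FRAGMENT.fullmatch(ni_frag) and FRAGMENT.fullmatch(nhs_frag)):
        return None
    try:
        with conn:  # commits on success, rolls back on error
            cur = conn.execute(
                "INSERT INTO caller (ni_frag, nhs_frag) VALUES (?, ?)",
                (ni_frag, nhs_frag),
            )
    except sqlite3.IntegrityError:
        return None  # duplicate fragment: cannot register twice
    return cur.lastrowid, match_postcode(conn, ni_frag, nhs_frag)


def accepted_pair_share(conn, digits=6):
    """Share of all possible (NI, NHS) fragment pairs that the rule accepts.

    Every NI fragment and NHS fragment that share a postcode count, including
    pairs belonging to two different residents of that postcode."""
    (accepted,) = conn.execute(
        "SELECT COUNT(*) FROM ("
        " SELECT DISTINCT ni.fragment AS a, nhs.fragment AS c"
        " FROM ni JOIN nhs ON ni.postcode = nhs.postcode"
        " WHERE ni.fragment <> nhs.fragment)"
    ).fetchone()
    return Fraction(accepted, 10 ** (2 * digits))


if __name__ == "__main__":
    db = build_db()
    print(register(db, "123456", "987654"))  # validated registration
    print(register(db, "333333", "666666"))  # recorded, postcodes differ
    print(register(db, "123456", "987654"))  # duplicate entry
    print(accepted_pair_share(db))
```

Run against the prepared record sets rather than this constructed sample, `accepted_pair_share` gives the measured acceptance rate for random entries, which can be set beside the figure in (3).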
9. The voting process
This is the second of two processes, wherein registered callers can cast their votes in a poll. Figure 6 schematically shows the processes in the preferred embodiment that enable callers who have successfully registered themselves to cast their votes in a subsequent telephone poll. The said callers are guided through a menu of options, from which they may then make a selection by keying in the item numbers on their telephone keypad. As for the registration database, data fields are set to reject duplicate voter details and thus to prevent the same caller voting more than once.
10. Data Matching
As shown in the example database, illustrated in Figure 7, the voting options are defined on a table "Options for Election 001" and all votes cast by registered callers are entered on a form linked to a table, "Votes for Election 001". A sub-programme embedded in the form matches the caller's entries with the register of users and will not open the choice box in event of mismatches, which in turn, prevents the call from being recorded as an entry on the master database. The votes cast can then be counted and correlated with specific geographical areas by matching the individual votes with postcodes, as in the kind of crosstab query illustrated.
11. Data Privacy and Security
Figure 2 shows that the information given by callers during the voting process does allow the poll organisers to correlate the following personal information about the caller:
(1st 6 of 10 digits of NHS no.) + (Postcode) + (Option choice).
But once again, the present system does not allow the said poll organisers, or eavesdroppers to deduce the voter's individual identity, nor their name and individual address. So the present system provides a very high level of guarantee that the caller is the person who is described by public identification systems, and the system also secures the voter's right to anonymity. Only someone with legal authority to search all the databases used in the present system could reverse the odds to match the data with a particular individual. However, data protection legislation may allow the said poll organisers to supply to third parties, trend details abstracted from the above information, such as votes cast by geographic region.
12. Voter's check on how their vote has been recorded
A further benefit of the present invention over traditional voting systems is that voters can, if they wish, call the poll organisers to verify how their vote was recorded in a given poll. This they may do by calling another service, which operates as shown in the schematic of Figure 8. The voter dials the service number for the poll they wish to check and logs on by entering their registration PIN. The computer interface then automatically uses that PIN to search the data table "Voter Cross Check" illustrated in Figure 8, and matches the PIN with the vote option number and the name of that option. The option name is then announced by voice to the caller, via the response interface system.

Claims

What is claimed is:
1. A system for a service provider to authorise a correspondent to be a legitimate user of the service without recording the personal identity of the said correspondent, wherein:
a) the said provider records, on a database, the identification codes of any potential correspondent in a one-to-one relationship with at least one of the said correspondent's personal details, such as his home postal code
b) a said correspondent enters onto the said database, only parts of the full sequences of symbols that comprise his said identification codes, such as the first six digits of an eight digit sequence
c) the said provider authorises a said correspondent as a service user on the condition that two or more of the said correspondent's partial identification code entries match the same said personal detail that is related to each said personal identification code on the said database
d) the said provider offers services such as voting to said correspondents who have entered said partial sequences of identification codes that satisfy the said condition for matching the said individual records on the said database.
2. The method according to claim 1 whereby the said service provider may authorise the said correspondent as a legitimate user of the said service, on the condition that one or more of the said correspondent's identification code entries match with the identification codes that already exist in a said one-to-one correspondence with the said correspondent's personal details on the said database.
3. The apparatus of claim 1, wherein the said service provider records data about said correspondents on a computer, using existing software that can automate actions and responses to and from the computer, including those said actions necessary for maintaining a telecommunication dialogue with the said correspondent.
4. The apparatus of claim 1, wherein a said correspondent enters his said personal identification symbols onto a computer database from a location remote from the said computer, by using a computer peripheral device such as a keyboard or a telephone.
5. The apparatus of claim 1, wherein the said service provider may use telecommunication devices such as telephone handsets, to present a spoken or printed menu of choice options to a correspondent who is authorised on the said service provider's database by the matching of said identification codes with said personal details.
6. The apparatus of the preceding claims, where a said correspondent may use the said peripheral devices to enter his choices of said options presented by the said service provider onto the said service provider's computer database.
7. A method where the said service provider may use computer database software to relate a number of said correspondent choice selections to the said correspondents' personal details, in order to produce summary information lists, such as those relating all the entries of one particular choice to one particular postal district.
8. A method wherein the said service provider obtains the data about said users from third parties who do not share their complete data with any other parties, who provide the said service provider only with parts of the said data, such as six of eight symbols from the said user's personal identification codes, and who provide identification codes that are related only to a user's postal code, not to his name or address.
9. A method where the said service provider cannot learn the full identity of a said correspondent who has been authorised by the methods according to the preceding claims, but can only identify the said correspondent as an anonymous person who has overcome high statistical odds against entering at random, one or more said partial identification codes that correspond with personal details supplied by the said independent third party data owners.
10. The method according to claim 9, where the said odds against random symbol entries matching said personal details increase with the number of symbols comprising a said personal identification code and comprising a said personal detail, such as a postcode.
11. The method according to claim 9, where the said odds against random symbol entries matching said personal details increase with the number of said third party databases stored by the said provider and therefore, the number of said partial identification code sequences that must be entered by the said correspondent.
12. A method where an authorised investigative agency may take the said service provider's database records and relate them back to the records of the said third party data suppliers to establish with a statistical probability that a particular person was the correspondent who entered a particular choice onto the said service provider's database.
13. A method wherein the said service provider may record the choices made by a correspondent and relate the said choice to the said correspondent's data set on a said database, in order that the said correspondent can use again the service described in the preceding claims, to check which choices have been related to his data set on the said database.
14. The apparatus of claim 13, where the said service provider may use computer software to record user choices and enable any said user to check the said records by using computer peripheral devices as described in the preceding claims.
15. A system as claimed in any preceding claim for a user to correspond with a remote service provider and to choose service options, such as voting for a political candidate, without disclosing their full identity to the said service provider.
16. A telecommunication voting system substantially as herein described and illustrated in the accompanying figures and diagrams.
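The matching condition of claim 1 and the random-entry odds of claims 9 to 11, worked through as an added Python example (not code from the patent or its applicants). The class and method names, the source names, and all codes and postcodes are assumptions constructed for illustration.

```python
from collections import defaultdict
from fractions import Fraction

PARTIAL_LEN = 6  # claim 1(b): e.g. the first six digits of an eight-digit code

class Provider:
    """Stores truncated codes against a postcode only, never a name (claim 8)."""

    def __init__(self, sources):
        # sources: {source_name: [(partial_code, postcode), ...]}
        self.tables = {}
        for name, rows in sources.items():
            table = defaultdict(set)  # truncated codes can collide, so keep a set
            for partial, postcode in rows:
                table[partial].add(postcode)
            self.tables[name] = table

    def authorise(self, entries):
        """Claim 1(c): two or more partial codes must resolve to the same
        personal detail. Returns that postcode, or None if not authorised."""
        if len(entries) < 2:
            return None
        common = None
        for name, partial in entries.items():
            if len(partial) != PARTIAL_LEN or not (partial.isascii() and partial.isdigit()):
                return None
            hits = self.tables.get(name, {}).get(partial, set())
            common = set(hits) if common is None else common & hits
        # Empty or ambiguous intersections are rejected rather than guessed at.
        return next(iter(common)) if len(common) == 1 else None

    def random_guess_odds(self):
        """Chance that uniformly random partials, one per source, all hit
        records sharing a postcode (claims 10 and 11). Exact when no truncated
        code maps to two postcodes, an upper bound otherwise."""
        space = 10 ** PARTIAL_LEN
        postcodes = set().union(*(s for t in self.tables.values() for s in t.values()))
        total = Fraction(0)
        for pc in postcodes:
            p = Fraction(1)
            for table in self.tables.values():
                p *= Fraction(sum(pc in s for s in table.values()), space)
            total += p
        return total

# Constructed sample data: source names, codes and postcodes are all made up.
SOURCES = {
    "source_a": [("123456", "ZZ1 1AA"), ("654321", "ZZ1 1AA"), ("111111", "ZZ2 2BB")],
    "source_b": [("222333", "ZZ1 1AA"), ("999000", "ZZ2 2BB")],
}
provider = Provider(SOURCES)
```

Because the result scales with how many records each table holds per postcode, the odds in claims 10 and 11 are best computed from the populated tables rather than from code length alone.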

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002228147A AU2002228147A1 (en) 2000-11-28 2001-11-27 Secure telephone polling

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0028940A GB2374446B (en) 2000-11-28 2000-11-28 Secure telephone polling
GB0028940.5 2000-11-28

Publications (2)

Publication Number Publication Date
WO2002045396A2 true WO2002045396A2 (en) 2002-06-06
WO2002045396A3 WO2002045396A3 (en) 2002-09-06

Family

ID=9903992

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2001/005224 WO2002045396A2 (en) 2000-11-28 2001-11-27 Secure telephone polling

Country Status (3)

Country Link
AU (1) AU2002228147A1 (en)
GB (1) GB2374446B (en)
WO (1) WO2002045396A2 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4317957A (en) * 1980-03-10 1982-03-02 Marvin Sendrow System for authenticating users and devices in on-line transaction networks
US5400248A (en) * 1993-09-15 1995-03-21 John D. Chisholm Computer network based conditional voting system
US6021200A (en) * 1995-09-15 2000-02-01 Thomson Multimedia S.A. System for the anonymous counting of information items for statistical purposes, especially in respect of operations in electronic voting or in periodic surveys of consumption
WO2000021041A1 (en) * 1998-10-06 2000-04-13 Chavez Robert M Digital elections network system with online voting and polling

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4752676A (en) * 1985-12-12 1988-06-21 Common Bond Associates Reliable secure, updatable "cash" card system

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005048201A1 (en) * 2003-11-12 2005-05-26 David Parkinson Howcroft Surveying system
US20170085550A1 (en) * 2015-09-17 2017-03-23 Global Mobile, LLC Mobile voting and voting verification system and method
US10027647B2 (en) * 2015-09-17 2018-07-17 Global Mobile, LLC Mobile voting and voting verification system and method
US10187372B2 (en) * 2015-09-17 2019-01-22 Global Mobile, LLC Mobile voting and voting verification system and method
US10848476B2 (en) * 2015-09-17 2020-11-24 Global Mobile, LLC Mobile voting and voting verification system and method
US20210051017A1 (en) * 2015-09-17 2021-02-18 Global Mobile, LLC Mobile voting and voting verification system and method
US11575516B2 (en) * 2015-09-17 2023-02-07 Global Mobile, LLC Mobile voting and voting verification system and method

Also Published As

Publication number Publication date
GB2374446B (en) 2004-07-21
GB2374446A (en) 2002-10-16
GB0028940D0 (en) 2001-01-10
WO2002045396A3 (en) 2002-09-06
AU2002228147A1 (en) 2002-06-11

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AU BR CA CN ID IN JP MX PH PL RU US

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP