WO2010010564A2 - Electronic voting system - Google Patents

Info

Publication number
WO2010010564A2
Authority
WO
WIPO (PCT)
Prior art keywords
vote
communication unit
portable communication
polling station
card
Application number
PCT/IL2009/000725
Other languages
French (fr)
Other versions
WO2010010564A3 (en
Inventor
Yoram Oren
Pinhas Rozenblum
Ofer Margoninski
Ilan Yom-Tov
Boaz Dolev
Original Assignee
Israel Ministry Of Finance
Application filed by Israel Ministry Of Finance
Publication of WO2010010564A2
Publication of WO2010010564A3

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C13/00 Voting apparatus
    • G07C13/02 Ballot boxes

Definitions

  • the present invention relates to voting systems and, more particularly, but not exclusively, to an apparatus and method for electronic voting in elections.
  • Another objective of voting systems is to accurately gauge voter intent. Despite this objective, many factors may lead to situations in which voters are unclear as to what is required of them or unclear in indicating their selections. Such factors include ballot design, cumulative voting, multiple positions available for one office, proximity of candidate names on a ballot, unintentional markings left on a ballot, and misspelling of write-in candidates.
  • voting systems also have to ensure that no voter votes twice and that only authorized voters vote in a particular voting station.
  • a paper ballot is a widely used voting tool that is usually preprinted with the names of the candidates for a given office.
  • the voter chooses a ballot and places the ballot in a ballot box.
  • Mechanical voting machines are also used. Typically, mechanical voting machines may have levers next to the names of candidates, and counters that increment each time a voter moves a lever to vote for a specific candidate or question.
  • the voter is given a paper ballot, called a punch card, that contains perforated or otherwise weakened areas.
  • the punch card is inserted into a machine that displays the names of candidates or the questions in a referendum.
  • the alignment of the punch card in the machine is such that when the voter inserts a stylus next to the candidate's name, a piece of paper is punched out.
  • the paper that is removed is called a chad.
  • the hole in the place where the chad once was can be detected by a light sensitive card reader to determine the vote.
  • the voter is given a paper ballot and the voter is asked to fill in a circle or box associated with the candidate or other ballot question.
  • the ballot is placed in a ballot box and is read at a later time.
  • the machine that reads these ballots finds light passing through some circles or boxes and not through others.
  • the presence or absence of a mark in a box or circle indicates the voters' choices.
  • Such systems are called mark-sense systems or, alternatively, optical scan systems. Regardless of the system employed, problems have always existed with such systems. The first and foremost deficiency is count accuracy. When it comes to large numbers of ballots, human readers are often more prone to error.
  • Mechanical voting machines improve the counting process by creating a tally for each candidate or question that can be recorded by election officials at the end of the election. Although more accurate, faster, and less labor intensive, mechanical voting machines do not leave an audit trail for authorities to follow in times of a recount. Additionally, voters have become disenfranchised by mechanical voting machines since allegations of tampering with the counters are difficult to dismiss and also because the voter has no assurance that his vote was tallied correctly. Another deficiency in current voting systems stems from human error in making a selection. Variances in how voters mark a selection and erase a selection may render paper ballots unclear. Punch card systems attempt to replace human counting and selection entry errors with machine certainty, but create problems unique to punch cards.
  • Electronic voting systems have been developed to overcome problems associated with the above-described conventional voting systems and machines.
  • the voting systems generally involve electronically operated voting machines coupled with a central computer, and as such are capable of performing a variety of functions, such as counting votes for a voting site, counting votes for a particular voting booth, accumulating votes for a plurality of simultaneous elections, etc.
  • U.S. Patent No. 7,306,148, to Morganstein, filed on November 14, 2002, entitled “Advanced voting system and method”, describes a voting system, which includes one or more computing devices.
  • the one or more computing devices display ballot questions to the voter and receive interactive voter selections from the voter.
  • a ballot generator generates a ballot encoding the voter's selection using magnetic ink character recognition (MICR) technology.
  • MICR is a character recognition system that uses special ink and characters.
  • September 6, 2005 entitled “Secure Voting System” discloses a system for controlling voting using a computerized secure voting system that employs a transportable, secure voting module, for storing voting selections and scrambled voter identification. Once voting ends, fuses are blown within the secure voting module for permanently storing the voting selections and scrambled voter identification in a read only mode, which maintains voter anonymity while preventing any further physical writing of votes on the voting module.
  • an apparatus for electronic voting in a polling station comprising an authorization verifier, configured to verify at least one portable communication unit provided to a respective voter, is authorized for use in the polling station, and a vote caster, in communication with the authorization verifier, operable by the voter, for casting a vote, provided the portable communication unit is verified as authorized for use in the polling station.
  • the apparatus further comprises a vote communicator, in communication with the vote caster and configured to communicate the vote to the portable communication unit, for recording on the portable communication unit.
  • an apparatus for electronic voting in a polling station comprising an authorization verifier, configured to verify at least one portable communication unit provided to a respective voter, authorized for use in the polling station, and a vote reader, in communication with the authorization verifier, configured to read a vote recorded on the portable communication unit, provided that the portable communication unit is verified as authorized for use in the polling station.
  • the apparatus further comprises a vote presenter, in communication with the vote reader, configured to present the vote to the voter, thereby allowing the voter to verify that the vote recorded on the communication unit reflects a vote the voter intends to cast.
  • an apparatus for electronic voting in a polling station comprising an authorization verifier, configured to verify that at least one portable communication unit provided to a respective voter, authorized for use in the polling station, a vote reader, in communication with the authorization verifier, configured to read votes, each of the votes recorded on a respective one of the portable communication units, provided that the portable communication unit is verified as authorized for use in the polling station, and a vote counter, in communication with the vote reader, configured to count the read votes.
  • a portable voting card for electronic voting in a polling station, the card comprising a vote receiver, configured to receive a vote communicated to the card, a storage module, for storing the vote on the card, and a vote recorder, in communication with the vote receiver and the storage module, configured to record the communicated vote on the storage module.
  • a portable voting services card for electronic voting in a polling station, the card comprising a mode switcher, operable for switching the card from a voting mode to a counting mode, by inputting a predefined counting code, a vote receiver, in communication with the mode switcher, configured to receive a vote communicated to the card, an encryptor, in communication with the vote receiver, configured to encrypt the received vote, provided that the card is in a voting mode, and a decryptor, in communication with the vote receiver, configured to decrypt the received vote, provided the card is in a counting mode.
  • a method for electronic voting in a polling station comprising verifying that a portable communication unit, provided to a respective voter, is authorized for use in the polling station, allowing the voter to cast a vote, provided that the portable communication unit is verified as authorized for use in the polling station, and communicating the cast vote to the portable communication unit, for recording on the portable communication unit.
  • a method for electronic voting in a polling station comprising verifying that a portable communication unit, provided to a respective voter, is authorized for use in the polling station, reading a vote recorded on the portable communication unit, provided that the portable communication unit is verified as authorized for use in the polling station, and presenting the vote to the voter, thereby allowing the voter to verify that the vote recorded on the communication unit reflects a vote the voter intends to cast.
  • a method for electronic voting in a polling station comprising verifying that a plurality of portable communication units, each of the communication units provided to a respective voter, are authorized for use in the polling station, reading votes, each one of the votes recorded on a respective one of the portable communication units, provided that the portable communication unit is verified as authorized for use in the polling station, and counting the read votes.
  • a method for electronic voting in a polling station comprising authorizing a plurality of portable communication units for use in the polling station, providing the communication units to voters, each one of the units provided to a respective voter, allowing the voter to cast a vote, using the communication unit, recording the cast vote on the communication unit, and counting the votes recorded on the communication units.
  • an apparatus for electronic voting in a polling station comprising an authorization verifier, configured to verify that a portable communication unit provided to a respective voter is authorized for use in the polling station and is adapted to issue an alert indication in case the communication unit is unauthorized; a vote verifier configured to verify that a vote is recorded on the portable communication unit and is adapted to issue an alert indication in case no vote or more than one vote is recorded on the portable communication unit; and an alert module adapted to issue an alert in response to an alert indication from the authorization verifier and/or from the vote verifier.
  • a unit communicator adapted to establish a contactless communication link with the portable communication unit.
  • the unit communicator includes a smart card communication interface adapted to establish a contactless communication link with a smart card.
  • an apparatus comprising a voting card tester adapted to implement a predefined voting card test routine with respect to the portable communication unit and is adapted to issue an alert indication in case the communication unit is malfunctioned or is tampered with.
  • an apparatus wherein the authorization verifier is responsive to detecting on the portable communication device an authorization key specific to the polling station, for verifying that the portable communication unit is authorized for use in the polling station.
  • an apparatus wherein the authorization verifier is responsive to detecting on the portable communication device an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
  • an apparatus wherein the alert module is configured to issue a plurality of different alerts, each one of the plurality of alerts corresponding to a different alert indication.
  • the vote verifier is adapted to determine whether data is stored within a specific location within the portable communication unit designated for storing vote data corresponding to a vote of the respective voter.
  • an apparatus wherein the vote verifier is adapted to search within a memory module of the portable communication unit for a certain predefined signature or pattern which corresponds to a vote recorded in said communication unit.
  • an apparatus wherein the voting card tester is adapted to interrogate different physical locations within a memory module of the portable communication unit where anti-tamper data is kept. In accordance with an embodiment of the invention there is provided an apparatus, wherein the voting card tester is adapted to run operability tests on one or more components of the portable communication unit.
  • an apparatus wherein the apparatus is incorporated into a ballot box.
  • an apparatus wherein the apparatus is located adjacently to the ballot box slot.
  • a method of electronic voting in a polling station comprising verifying that a portable communication unit provided to a respective voter is authorized for use in the polling station; verifying that a vote is recorded on the portable communication unit; issuing an alert in case the portable communication card is determined to be unauthorized or in case that no vote or more than one vote is detected in the communication unit.
  • a method further comprising establishing a contactless communication link with the portable communication unit.
  • a method further comprising implementing a predefined voting card test routine with respect to the portable communication unit, and issuing an alert in case the portable communication unit is determined to be malfunctioned and/or in case a tamper attempt has been detected on the portable communication unit.
  • selected steps could be implemented by hardware or by software on any operating system of any firmware or a combination thereof.
  • selected steps of the invention could be implemented as a chip or a circuit.
  • selected steps of the invention could be implemented as a plurality of software instructions being executed by a computer using any suitable operating system.
  • selected steps of the method and system of the invention could be described as being performed by a data processor, such as a computing platform for executing a plurality of instructions.
  • Figure 1 is a block diagram illustrating a first apparatus for electronic voting in a polling station, according to an embodiment of the present invention
  • Figure 2 is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention
  • Figure 3 is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention.
  • Figure 4 is a block diagram illustrating a portable voting card for electronic voting in a polling station, according to an embodiment of the present invention
  • Figure 5 is a block diagram illustrating a portable voting services card for electronic voting in a polling station, according to an embodiment of the present invention
  • Figure 6 is a flowchart illustrating a method of electronic voting in a polling station, according to an embodiment of the present invention
  • Figure 7 is a flowchart illustrating a further method of electronic voting in a polling station, according to an embodiment of the present invention
  • Figure 8 is a flowchart illustrating a further method of electronic voting in a polling station, according to an embodiment of the present invention
  • Figure 9 is a flowchart illustrating a further method of electronic voting in a polling station, according to an embodiment of the present invention
  • Figure 10 is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention.
  • Figure 11 is a flowchart illustrating a method of electronic voting in a polling station according to some embodiments of the invention.
  • the present embodiments comprise an apparatus and method for electronic voting in a polling station.
  • each one of voters listed to vote in a specific polling station is provided with a portable communication unit.
  • the portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, a Laptop Computer, etc., as known in the art.
  • a smart card is a pocket-sized card with embedded integrated circuits which can process information.
  • Memory cards contain only non-volatile memory storage components, and perhaps some specific security logic.
  • Microprocessor cards contain non-volatile memory and microprocessor components.
  • the smart card is typically made of plastic, usually PVC.
  • the portable communication unit has a wireless connectivity capacity.
  • the wireless connectivity capacity allows communication with the portable communication unit, without physical connection to the unit.
  • the portable communication unit is authorized for use in the specific polling station, say by storing an authorization key specific to the polling station on the portable communication unit, as described in further detail hereinbelow.
  • a voter walks into a voting booth in the polling station.
  • the portable communication unit provided to the user is verified as authorized for use in the polling station. Consequently, the voter is allowed to cast a vote, say using a graphical user interface, as described in further detail hereinbelow.
  • the vote cast by the voter is communicated to the communication unit provided to the voter, say to a smart card with a wireless connectivity capacity (also referred to hereinbelow as a contactless smart card).
  • the vote is encrypted prior to the vote's communication to the portable communication unit, and communicated in an encrypted form, using one of a variety of encryption methods, as known in the art.
  • the vote received by the communication unit is recorded on the communication unit, as described in further detail hereinbelow.
  • the voter is allowed to verify that the vote recorded on the portable communication unit reflects a vote the voter intends to cast, say using a vote verification booth where the communication unit provided to the voter is verified as authorized for use in the polling station.
  • the vote recorded on the portable communication unit is read and presented to the voter, thus allowing the voter to verify that the vote reflects the voter's intentions.
  • the votes recorded on the portable communication units may be counted, provided each vote counted is read from a communication unit authorized for use in the specific polling station, as described in further detail hereinbelow.
  • Fig. 1 is a block diagram illustrating a first apparatus for electronic voting in a polling station, according to an embodiment of the present invention.
  • apparatus 1000 is deployed in a voting booth, in the polling station, as described in further detail hereinbelow.
  • Apparatus 1000 includes an authorization verifier 110.
  • the authorization verifier 110 verifies that one or more portable communication units, each portable communication unit provided to a voter, is authorized for use in the polling station.
  • each portable communication unit may be uniquely associated with a specific voter at least until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
  • the portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, etc., as described in further detail hereinabove.
  • the authorization verifier 110 uses an authorization key specific to the polling station, for verifying that the portable communication unit is authorized for use in the polling station.
  • the authorization key is recorded on the portable communication unit, prior to providing the unit to the voter, as described in further detail hereinbelow.
  • the polling station specific authorization key is likely to increase the security of the election process carried out using apparatus 1000 against an attack by a malicious party.
  • the protection against the attack is increased since each polling station is
  • the authorization verifier 110 further uses an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
  • the authorization key is a global key provided by a central authority (say a national election committee), and recorded on each portable communication unit authorized for use by the central authority, as described in further detail hereinbelow.
  • the apparatus 1000 further includes a unit communicator, in communication with the authorization verifier 110, such as a contactless smart card reader, as known in the art.
  • the unit communicator communicates with the portable communication unit (say a smart card). Through communication with the portable communication unit, the authorization verifier 110 verifies that the authorization key(s) are recorded on the communication unit.
  • the apparatus 1000 also includes a vote caster 120, in communication with the authorization verifier 110.
  • the vote caster 120 may be operated by the voter, for casting a vote, provided that the portable communication unit is verified as authorized for use in the polling station and that the portable communication unit is present in the voting booth (i.e. that the unit is accessible by the authorization verifier 110).
  • the vote caster 120 further uses a Graphical User Interface (GUI), for allowing the voter to cast a vote.
  • the GUI may be implemented on a touch screen, allowing the voter to select amongst candidates, parties, etc., as known in the art.
  • Apparatus 1000 further includes a vote communicator 130, in communication with the vote caster 120.
  • the vote communicator 130 communicates the vote to the portable communication unit, for recording on the portable communication unit, as described in further detail hereinbelow.
  • the vote communicator 130 communicates the vote to the portable communication unit, using the unit communicator, as described in further detail hereinabove.
  • each of the communication units is limited to a specific user, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
  • apparatus 1000 also includes an encryptor, in communication with the vote caster.
  • the encryptor encrypts the vote cast by the voter, using a key specific to the polling station, also referred to hereinbelow as a ballot key.
  • the vote communicator 130 communicates the vote as encrypted by the encryptor.
  • the encryptor is implemented on a smart card, say a portable voting services card 5000, as described in further detail hereinbelow.
  • the key specific to the polling station is generated in the polling station, say on a dedicated smart card used as an authorization card.
  • the polling station specific key is copied to the encryptor, as described in further detail hereinbelow.
  • apparatus 1000 also includes a vote recorder, in communication with the vote caster.
  • the apparatus further includes a database dedicated for recording votes, in communication with the vote recorder.
  • the vote recorder records the cast vote on the database. That is to say that the vote may be recorded on the apparatus 1000 as well as on the portable communication unit provided to the user.
  • the vote recorder records the cast vote in an encrypted form, as described in further detail hereinbelow.
  • the vote recorder is implemented on a smart card, such as a portable voting services card 5000, as described in further detail hereinbelow.
  • the vote recorder further prevents recording of more than one vote for a respective communication unit.
  • the vote recorder may use a random number generated on the communication unit, which is unique to the communication unit, for preventing multiple voting with the same communication unit, as described in further detail hereinbelow.
  • the voter is warned, and allowed to change the vote recorded earlier for the portable communication unit.
  • apparatus 1000 also includes a vote counter, in communication with the vote caster 120.
  • the vote counter counts the votes cast by the voters, using the vote caster 120.
  • the vote counter may present the vote count, only if a predefined counting code is input to the apparatus 1000.
  • the counting code may be issued by a central authority (such as a national elections committee), on an elections' day end, as described in further detail hereinbelow. That is to say, the vote count cannot be presented until the counting code is input.
  • the counting code is a form of a PIN (Personal Identification Number), as known in the art.
  • the PIN is a short number (say a four-digit number).
  • the counting code may be generated from a unique number identifying the communication unit (say, the unit's serial number assigned by the factory that manufactures the unit).
  • the counting code is generated using key diversification techniques, as known in the art.
  • the vote caster 120 stops casting votes, thus preventing further voting.
  • the vote counter is implemented using a smart card (say a voting services card 5000, as described in further detail hereinbelow).
  • the apparatus 1000 is implemented on a standalone computer, i.e. a computer having no connection to any communication network, or other computer, but the portable communication units. Consequently, the apparatus 1000 may be physically isolated from potential interference by a malicious party.
  • the physical isolation may prevent installation of a malicious computer program (say a program which overrides the cast votes with other values as chosen by the malicious party) on the computer, as physical access to the computer is blocked.
  • FIG. 2 is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention.
  • apparatus 2000 is deployed in a vote verification booth, in the polling station, as described in further detail hereinbelow.
  • Apparatus 2000 for electronic voting in a polling station includes an authorization verifier 210.
  • the authorization verifier 210 verifies that one or more portable communication unit(s), each portable communication unit provided to a respective voter is authorized for use in the polling station.
  • the portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), etc., as known in the art.
  • the authorization verifier 210 uses an authorization key specific to the polling station, for verifying that the communication unit is authorized for use in the polling station, as described in further detail hereinbelow.
  • the authorization verifier 210 uses an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
  • the authorization key is a global key provided by a central authority (say a national elections committee) and recorded on each portable communication unit authorized for use by the central authority, as described in further detail hereinbelow.
  • Apparatus 2000 further includes a vote reader 220, in communication with the authorization verifier 210.
  • the vote reader 220 reads a vote recorded on the portable communication unit, provided that the portable communication unit is verified as authorized for use in the polling station and the portable communication unit is present in the vote verification booth (i.e. that the unit is accessible by the authorization verifier 210).
  • the apparatus 2000 further includes a unit communicator, in communication with the vote reader 220, which communicates with the portable communication unit (say a contactless smart card), as described in further detail hereinabove.
  • the vote reader 220 may read the vote recorded on the portable communication unit, say using a wireless connectivity capacity of the communication unit, as described in further detail hereinabove.
  • Apparatus 2000 also includes a vote presenter 230, in communication with the vote reader 220.
  • the vote presenter 230 presents the vote to the voter, say using a computer screen. By presenting the vote to the voter, the presenter 230 allows the voter to verify that the vote recorded on the communication unit reflects a vote that the voter intends to cast.
  • each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
  • apparatus 2000 further includes a decryptor, in communication with the vote presenter 230.
  • the decryptor decrypts the vote read by the vote reader 220, say using the key specific to the polling station, also referred to hereinabove as the ballot key, as described in further detail hereinbelow.
  • the decryptor is implemented on a smart card or a SAM (Secured Authentication Module) card.
  • a SAM card may be a contactless smart card suitable for decryption and encryption, as known in the art.
  • the decryptor may be implemented on a voting services card 5000 switched to the card's 5000 counting mode, say using a counting code specific to the card's 5000 serial number, as described in further detail hereinbelow.
  • the key specific to the polling station is generated in the polling station, say using a dedicated smart card, and copied to the decryptor.
  • apparatus 2000 is implemented on a standalone computer, i.e. a computer having no connection to any communication network, or other computer, except for the portable communication units.
  • the apparatus 2000 may be physically isolated from potential interference by a malicious party, as described in further detail hereinabove.
  • FIG. 3 is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention.
  • Apparatus 3000 includes an authorization verifier 310.
  • the authorization verifier 310 verifies that one or more portable communication units, each portable communication unit provided to a respective voter, is authorized for use in the polling station.
  • the portable communication unit may be implemented on a Smart Card, or a Personal Digital Assistant (PDA), etc., as known in the art.
  • the authorization verifier 310 uses an authorization key specific to the polling station, for verifying that the communication unit is authorized for use in the polling station, as described in further detail hereinbelow.
  • the authorization verifier 310 uses an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
  • the authorization verifier 310 may use a global key provided by a central authority, and recorded on each portable communication unit authorized for use by the central authority, as described in further detail hereinbelow.
  • use of each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
  • Apparatus 3000 further includes a vote reader 320, in communication with the authorization verifier 310.
  • the vote reader 320 reads votes, each of the votes recorded on a specific one of the portable communication units.
  • the vote reader 320 reads the vote only if the portable communication unit that the vote is recorded on, is verified as authorized for use in the polling station, as described in further detail hereinbelow.
  • Apparatus 3000 further includes a vote counter 330, in communication with the vote reader.
  • the vote counter 330 counts the votes read from the portable communication units by the vote reader 320.
  • the vote counter 330 is implemented on a smart card, such as a SAM (Secured Authentication Module) card, say a voting services card 5000, as described in further detail hereinbelow.
  • a SAM card is a smart card suitable for decryption and encryption, using one or more encryption techniques, as known in the art.
  • the vote counter 330 also prevents counting of more than one vote for a respective communication unit.
  • the vote counter 330 prevents the counting of more than one vote for a respective communication unit, using a random number generated on the communication unit for uniquely identifying the communication unit, as described in further detail hereinbelow.
  • the vote counter 330 counts the cast votes only upon inputting a predefined counting code to the vote counter.
  • the counting code may be issued by a central authority (such as a national election committee), as described in further detail hereinbelow. That is to say that no counting of votes is allowed until the counting code is input.
  • the counting code is a form of a PIN (Personal Identification Number), as known in the art.
  • the counting code may be generated from a unique number identifying the communication unit (say, the unit's serial number assigned by the factory that manufactures the unit).
  • the counting code is generated using key diversification techniques, as known in the art.
  • apparatus 3000 further includes a decryptor, in communication with the vote reader 320.
  • the decryptor decrypts the vote read by the vote reader 320, say using the key specific to the polling station, also referred to hereinabove as the ballot key, as described in further detail hereinbelow.
  • the decryptor is implemented on a smart card or a SAM (Secured Authentication Module) card, say a voting services card 5000, as described in further detail hereinbelow.
  • a SAM card may be a smart card suitable for decryption and encryption, as known in the art.
  • the key specific to the polling station is generated in the polling station, say using a dedicated smart card, and copied to the decryptor.
  • the apparatus 3000 is implemented on a standalone computer, i.e. a computer having no connection to any communication network, or other computer, except for the portable communication units.
  • the standalone computer is physically isolated from potential interference by malicious parties, as described in further detail hereinabove.
  • FIG. 10 is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention.
  • apparatus 1010 is deployed in a ballot box 1020, in the polling station, as described in further detail hereinbelow.
  • Apparatus 1010 includes an authorization verifier 1012.
  • the authorization verifier 1012 verifies that one or more portable communication units, each portable communication unit provided to a voter, is authorized for use in the polling station.
  • each portable communication unit may be uniquely associated with a specific voter at least until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
  • the portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, etc., as described in further detail hereinabove.
  • the authorization verifier 1012 uses an authorization key specific to the polling station, for verifying that the portable communication unit is authorized for use in the polling station.
  • the authorization key is recorded on the portable communication unit, prior to providing the unit to the voter, as described in further detail hereinbelow.
  • the authorization verifier 1012 is adapted to communicate with the portable communication unit, possibly, wirelessly or through a contactless link, and read the authorization key or keys stored within the portable communication unit for verifying that the portable communication unit is authorized for use in the polling station.
  • the polling station specific authorization key is likely to increase the security of elections carried out using apparatus 1010 against an attack or against fraud attempts by a malicious party. The protection against the attack is increased since each polling station is associated with a unique authorization key, and the malicious party has to overcome a different authorization key for each polling station used in the elections.
  • the authorization verifier 1012 further uses an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
  • the authorization key is a global key provided by a central authority (say a national election committee), and recorded on each portable communication unit authorized for use by the central authority, as described in further detail hereinbelow.
  • the authorization key indicating that the portable communication unit originates from an acceptable source may be provided in addition to the authorization key indicating that the portable communication unit is authorized for use in a specific polling station, and both keys may be used for authorizing a portable communication unit.
  • the authorization verifier 1012 indicates that the portable communication unit is authorized (only) when it is determined according to the authorization key that the portable communication unit originates from an acceptable source and/or when it is determined that the portable communication unit is specifically associated with and is authorized for use in a specific polling station. Otherwise, the authorization verifier 1012 may be configured to issue an indication that the communication unit is not authorized.
  • the apparatus 1010 includes an alert module 1018 which issues an alert in response to an alert being triggered.
  • the alert module 1018 may be capable of issuing multiple different alerts which correspond to different alert situations (or respective alert indications).
  • the alerts may include visual, audible and/or any other perceptible indication and combinations thereof.
  • the alert may be intended to capture the attention of a voting supervisor or committee.
  • the alert may also indicate to the voting supervisor or committee the circumstances which triggered the alert.
  • a specific alert may be triggered in response to an indication from the authorization verifier 1012 that a certain portable communication unit is unauthorized.
  • the alert module 1018 may be configured to issue a specific alert in response to an indication that a portable communication unit is unauthorized for use in the respective polling station.
  • the alert module 1018 may be configured to issue a specific alert in response to an indication that a portable communication unit does not originate from an acceptable source.
  • Other types of alerts which may be issued by the alert module 1018 are described below.
  • the apparatus 1010 further includes a unit communicator 1013 such as a contactless smart card reader, as known in the art.
  • the unit communicator 1013 communicates with the portable communication unit (say a smart card) via a contactless link using a wireless connectivity capacity of the communication unit, as described in further detail below.
  • the unit communicator 1013 may be operatively connected to the authorization verifier 1012.
  • the unit communicator 1013 is utilized by the authorization verifier 1012 to communicate with the portable communication unit as part of a verification routine implemented by the authorization verifier 1012 for verifying that the authorization key(s) are recorded on the communication unit.
  • the apparatus 1010 may further include a vote verifier 1014.
  • the vote verifier may be adapted to verify that a vote is recorded on a portable communication unit.
  • the vote verifier 1014 may also utilize the unit communicator 1013.
  • the vote verifier 1014 may be adapted to determine whether (any) data is stored within a certain location (e.g., a specific storage location) within a memory module of the portable communication unit.
  • the location probed by the vote verifier may be designated for storing vote data corresponding to a vote of the respective voter.
  • the vote verifier 1014 may be adapted to search within a memory module of the portable communication unit for a certain predefined signature or pattern which represents the respective voter's vote.
  • the data representing the respective voter's vote may be encrypted and the vote verifier 1014 may not be able to read the actual vote of the respective voter but only to determine that the vote exists on the portable communication unit or not.
  • vote reading is a restricted activity and certain control measures may be in place to protect the vote data and to strictly control the vote data reading process.
  • the vote verifier 1014 may be adapted to verify that no more than one vote is recorded on the portable communication unit.
  • an invalid vote data indication may cause the alert module 1018 to issue an alert.
  • the alert may be specifically indicative of an invalid vote data.
  • a specific alert may be issued in case the indication from the vote verifier 1014 is associated with missing vote data and a different specific alert is issued in case the vote verifier detects two or more votes on the communication unit.
  • the apparatus 1010 includes a voting card tester 1016.
  • the voting card tester 1016 may also utilize the unit communicator 1013.
  • the voting card tester 1016 may implement a predefined voting card test routine with respect to the portable communication unit.
  • the voting card test routine may include tests which are intended to detect attempts to tamper with the portable communication unit or with the data stored therein.
  • the voting card test routine may interrogate different physical locations within the memory where anti-tamper data is kept, such as a counter of the number of writes performed into the communication unit. Resetting the writes counter may require a specific (confidential) code or an external programmer, for example, a counting code described herein, or in another example the writes counter is reset once the vote has been decrypted.
  • the voting card test routine may interrogate a communication log for unauthorized communications.
  • unauthorized communications include, but are not limited to communication with unauthorized communication devices and/or communications at unauthorized times or outside an authorized sequence.
  • the voting card test routine may include tests which are intended to verify that the portable communication unit is functioning properly and that there is no malfunction. Such tests may include communication tests (e.g., ping), electrical tests, physical integrity tests, storage integrity tests, etc.
  • when the voting card tester 1016 determines that a portable communication unit has failed the test routine, for example because a tamper attempt is detected or because the communication unit has been diagnosed as malfunctioning, a unit failed indication may be issued by the voting card tester 1016.
  • a unit failed indication may cause the alert module 1018 to issue an alert.
  • a different alert is issued for each type of test failure, for example a specific alert is associated with a tamper attempt and a different alert is associated with a malfunctioning communication unit.
  • the vote verifier 1014 may be part of the voting card tester 1016, and the vote verification routine may be part of the general test routine implemented by the voting card tester 1016.
  • the voting card test routine may be independent of the authorization routine or, according to further embodiments, it may be implemented in series with the authorization routine, provided that the communication unit is determined to be authorized.
  • the apparatus 1010 is implemented on or is associated with a standalone computer, i.e. a computer having no connection to any communication network, or other computer, except for the portable communication units. Consequently, the apparatus 1010 may be physically isolated from potential interference by a malicious party.
  • the apparatus 1010 is incorporated into a ballot box 1020.
  • the apparatus is located adjacently to the ballot box slot 1022. Further by way of example, the location may be selected so that every communication unit dropped through the slot 1022 must go through the apparatus 1010 at least in the sense that the apparatus 1010 can establish communication with the card and complete the authorization and test routines.
  • the location of the slot 1022 and of the apparatus 1010 on (or in) the ballot box 1020 is selected so that there is always a substantial distance between a communication unit being dropped through the slot and into the box 1020 and any of the previously cast communication units.
  • the location of the slot 1022 and of the apparatus 1010 on (or in) the ballot box 1020 is at least a few centimeters above and/or away from any of the previously cast communication units.
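The checks that apparatus 1010 runs on a card at the ballot box slot (authorization verifier 1012, vote verifier 1014, voting card tester 1016) and the distinct alerts of alert module 1018 can be modelled as follows. This is an added example, not code from the patent: the `CardSnapshot` layout, the CRC storage test, the `max_writes` policy and all key and device values are assumptions constructed for illustration, and the embodiment shown requires both authorization keys.

```python
import hmac
import zlib
from dataclasses import dataclass
from enum import Enum


class Alert(Enum):
    ACCEPTED = "accepted"
    WRONG_STATION = "unit not authorized for this polling station"
    UNKNOWN_SOURCE = "unit does not originate from an acceptable source"
    MISSING_VOTE = "no vote data recorded"
    MULTIPLE_VOTES = "more than one vote recorded"
    TAMPER = "tamper attempt detected"
    MALFUNCTION = "unit malfunction"


@dataclass
class CardSnapshot:
    """Data read from one card at the slot. The layout is assumed for this example."""
    station_key: bytes   # polling-station-specific authorization key
    global_key: bytes    # central authority key ("acceptable source")
    vote_slots: list     # encrypted blobs found in the designated vote location
    vote_crc: int        # checksum stored next to the vote (assumed storage test)
    write_count: int     # anti-tamper counter of writes performed on the card
    comm_log: list       # IDs of devices the card has communicated with


@dataclass
class SlotChecker:
    station_key: bytes
    global_key: bytes
    allowed_devices: frozenset
    max_writes: int = 1  # assumed policy: a single write, made in the voting booth

    def check(self, card: CardSnapshot) -> Alert:
        # Authorization routine: constant-time comparison of both keys.
        if not hmac.compare_digest(card.global_key, self.global_key):
            return Alert.UNKNOWN_SOURCE
        if not hmac.compare_digest(card.station_key, self.station_key):
            return Alert.WRONG_STATION
        # Vote check: presence only. The blob stays encrypted and is never read here.
        if len(card.vote_slots) == 0:
            return Alert.MISSING_VOTE
        if len(card.vote_slots) > 1:
            return Alert.MULTIPLE_VOTES
        # Card test routine: tamper indicators first, then storage integrity.
        if card.write_count > self.max_writes:
            return Alert.TAMPER
        if any(dev not in self.allowed_devices for dev in card.comm_log):
            return Alert.TAMPER
        if zlib.crc32(card.vote_slots[0]) != card.vote_crc:
            return Alert.MALFUNCTION
        return Alert.ACCEPTED


def demo():
    station, central = b"S" * 16, b"G" * 16          # constructed keys
    checker = SlotChecker(station, central, frozenset({"booth-1", "verify-1"}))
    blob = b"\x8f\x11constructed-ciphertext"         # constructed encrypted vote

    def card(**changes):
        fields = dict(station_key=station, global_key=central, vote_slots=[blob],
                      vote_crc=zlib.crc32(blob), write_count=1,
                      comm_log=["booth-1", "verify-1"])
        fields.update(changes)
        return CardSnapshot(**fields)

    cases = {
        "good": card(),
        "other_station": card(station_key=b"X" * 16),
        "foreign_card": card(global_key=b"Y" * 16),
        "empty": card(vote_slots=[]),
        "two_votes": card(vote_slots=[blob, blob]),
        "rewritten": card(write_count=3),
        "rogue_reader": card(comm_log=["booth-1", "unknown-7"]),
        "bad_storage": card(vote_crc=0),
    }
    return {name: checker.check(c) for name, c in cases.items()}


if __name__ == "__main__":
    for name, alert in demo().items():
        print(f"{name:14s} -> {alert.value}")
```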
  • Fig. 4 is a block diagram illustrating a portable voting card for electronic voting in a polling station, according to an embodiment of the present invention.
  • the portable voting card 4000 is an implementation of a portable communication unit, according to an embodiment of the present invention.
  • the portable voting card 4000 is implemented on a smart card, which has wireless connectivity capacity (i.e. a contactless smart card).
  • the portable voting card 4000 includes a vote receiver 410.
  • the vote receiver 410 receives a vote communicated to the portable voting card, say a vote communicated to the portable voting card by the vote communicator 130, as described in further detail hereinabove.
  • the portable voting card 4000 further includes a memory 420, say a computer EEPROM (Electrically Erasable Programmable Read-Only Memory) memory, or another non-volatile computer memory, as known in the art.
  • the memory is used for storing the vote on the card.
  • the portable voting card 4000 further includes a vote recorder 430, in communication with the vote receiver 410 and the memory 420.
  • the vote recorder 430 records the communicated vote on the memory 420.
  • the vote recorder 430 verifies that the vote received originates from an authorized source, prior to recording the vote on the memory 420.
  • the vote recorder 430 may verify that a party the vote originates from (say apparatus 1000) has a polling station vote recording authorization key, using a challenge-response method, as known in the art. If the party fails to provide a predefined response to the challenge (where the response is indicative of availability of the authorization key, say on a SAM card connected to apparatus 1000), the vote recorder 430 refuses to record the vote, and an appropriate error message is communicated to the party, using the vote receiver 410.
  • the voting card 4000 further includes a random number generator, in communication with the memory 420.
  • the random number generator generates a random number.
  • the random number uniquely identifies the voting card.
  • the random number may be used to prevent counting more than one vote for a specific voting card (i.e. a specific portable communication unit), as described in further detail hereinabove.
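The challenge-response check that the vote recorder 430 performs before writing to memory 420 can be sketched as below. This is an added example, not code from the patent: the patent names no algorithm, so HMAC-SHA256 is an assumption, as is binding the response to the vote bytes as well as the challenge; the class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets


class VotingCard:
    """Model of voting card 4000: records a vote only after the writer proves key possession."""

    def __init__(self, recording_key: bytes):
        self._recording_key = recording_key      # polling station vote recording authorization key
        self.card_id = secrets.token_bytes(16)   # random number that identifies this card
        self._challenge = None                   # outstanding challenge, valid for one attempt
        self.memory = None                       # stands in for memory 420

    def get_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def record_vote(self, encrypted_vote: bytes, response: bytes) -> str:
        # Consume the challenge whether or not the attempt succeeds, so a
        # captured response cannot be replayed against the same challenge.
        challenge, self._challenge = self._challenge, None
        if challenge is None:
            return "ERROR: no challenge outstanding"
        expected = hmac.new(self._recording_key, challenge + encrypted_vote,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "ERROR: writer not authorized"
        self.memory = encrypted_vote
        return "OK"


class BoothWriter:
    """Stands in for apparatus 1000 with a SAM card that holds the recording key."""

    def __init__(self, recording_key: bytes):
        self._recording_key = recording_key

    def respond(self, challenge: bytes, encrypted_vote: bytes) -> bytes:
        return hmac.new(self._recording_key, challenge + encrypted_vote,
                        hashlib.sha256).digest()


def demo():
    key = secrets.token_bytes(32)                    # constructed station key
    card = VotingCard(key)
    booth = BoothWriter(key)
    rogue = BoothWriter(secrets.token_bytes(32))     # writer without the station key
    vote = b"constructed-encrypted-vote"
    results = []

    c = card.get_challenge()
    results.append(card.record_vote(vote, rogue.respond(c, vote)))   # wrong key

    c = card.get_challenge()
    good_response = booth.respond(c, vote)
    results.append(card.record_vote(vote, good_response))            # authorized write

    results.append(card.record_vote(vote, good_response))            # no fresh challenge

    card.get_challenge()
    results.append(card.record_vote(vote, good_response))            # stale response replayed
    return results, card.memory


if __name__ == "__main__":
    print(demo())
```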
  • Fig. 5 is a block diagram illustrating a portable voting services card for electronic voting in a polling station, according to an embodiment of the present invention.
  • a portable voting services card 5000 may be implemented on a smart card, such as a SAM (Secured Authentication Module) card.
  • a SAM card is a smart card suitable for decryption and encryption, as known in the art.
  • the portable voting services card 5000 includes a mode switcher 510.
  • the voting services card 5000 has two modes: a voting mode and a counting mode.
  • the voting mode is a default mode the card 5000 is initially switched to.
  • the mode switcher 510 may be operated by a user (say an official person in charge of the polling station), for switching the card from the voting mode to a counting mode.
  • the user may input a counting code predefined and provided by a central authority, for switching the card to the counting mode, as described in further detail hereinbelow.
  • the mode switcher 510 is unidirectional, and cannot switch the card from the counting mode back to the voting mode.
  • the counting code is a form of a PIN (Personal Identification Number), as known in the art.
  • the counting code is generated from a unique number identifying the portable voting services card 5000 (say, the card's serial number, as assigned by the factory that manufactures the card), and is thus generated specifically for that card 5000.
  • the counting code may be generated using key diversification techniques, as known in the art.
  • the counting code may be generated by a central authority (say a national elections committee) and recorded on the card 5000, as described in further detail hereinbelow.
  • the mode switcher 510 compares the input code with the counting code stored on the card 5000. If the two codes are identical, the mode switcher 510 switches the card to the counting mode.
  • a specific voting services card used in the vote verification booth may be switched to the counting mode, say upon inputting of the counting code for the specific card.
  • the specific card's counting code is generated by a central authority (say a national elections committee), and sent to the polling station, say by SMS (Short Messages Service), etc.
  • the portable voting services card 5000 further includes a vote receiver 520, in communication with the mode switcher 510.
  • the vote receiver 520 receives a vote communicated to the voting service card 5000.
  • the vote receiver 520 receives a vote cast by a voter, using the vote caster 120 of apparatus 1000, and communicated to the card 5000, for encryption, as described in further detail hereinbelow.
  • the vote receiver 520 receives an encrypted vote read from a portable communication unit, using the vote reader 220 of apparatus 2000, or the vote reader 320 of apparatus 3000.
  • the encrypted vote is communicated to the card 5000, for decryption, as described in further detail hereinbelow.
  • the portable voting services card 5000 further includes an encryptor 530, in communication with the vote receiver 520.
  • the encryptor 530 encrypts the received vote, provided the card is in the voting mode.
  • the encryptor 530 encrypts the vote, using a key specific to the polling station, also referred to hereinabove as the ballot key, as described in further detail hereinbelow.
  • the ballot key is generated in the polling station, say using a dedicated smart card, and copied to the voting services card 5000.
  • the portable voting services card 5000 further includes a decryptor 540, in communication with the vote receiver 520.
  • the decryptor 540 decrypts the received vote, provided the card is in the counting mode.
  • the decryptor 540 decrypts the vote cast by the voter, using the key specific to the polling station, also referred to hereinabove as the ballot key, as described in further detail hereinbelow.
  • the voting services card 5000 further includes a vote recorder, in communication with the vote receiver 520.
  • the vote recorder records the received vote on the voting services card 5000 (say on a non-volatile computer memory, integrated in a smart card the voting services card 5000 is implemented on), provided the voting services card 5000 is in the voting mode.
  • the voting services card 5000 further includes a vote counter, in communication with the vote receiver 520.
  • the vote counter counts votes recorded on the voting services card 5000.
  • the vote receiver further outputs the vote as encrypted by the encryptor 530, say by communicating the encrypted vote back to the vote caster 120 of apparatus 1000.
  • the vote receiver further outputs the vote as decrypted by the decryptor 540, say by communicating the decrypted vote back to the vote reader 220 of apparatus 2000, or the vote reader 320 of apparatus 3000.
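The behaviour of the voting services card 5000 described above (a counting code diversified from the card's serial number, a one-way mode switcher 510, encryption only in voting mode, decryption and counting only in counting mode) is modelled below together with the vote counter's rule of counting at most one vote per card random number. This is an added example, not code from the patent: HMAC-SHA256 diversification, the 8-digit code length, the HMAC-based stand-in cipher (used only so the example runs on the standard library) and passing the card's random number next to the encrypted vote are all assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter


def derive_counting_code(master_key: bytes, serial: str, digits: int = 8) -> str:
    """Central authority side: per-card code diversified from a master key and the serial."""
    mac = hmac.new(master_key, b"counting-code|" + serial.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); a real card uses its own cipher."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, b"ks" + nonce + block.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class VotingServicesCard:
    def __init__(self, serial: str, counting_code: str, ballot_key: bytes):
        self.serial = serial
        self._counting_code = counting_code   # recorded on the card by the central authority
        self._ballot_key = ballot_key         # key specific to the polling station
        self.mode = "voting"                  # default mode
        self._seen_cards = set()              # card random numbers already counted
        self.tally = Counter()

    def switch_to_counting(self, code: str) -> bool:
        # One-way: nothing in this class ever sets the mode back to "voting".
        if hmac.compare_digest(code.encode(), self._counting_code.encode()):
            self.mode = "counting"
        return self.mode == "counting"

    def _tag(self, nonce: bytes, ciphertext: bytes) -> bytes:
        return hmac.new(self._ballot_key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()

    def encrypt(self, vote: bytes) -> bytes:
        if self.mode != "voting":
            raise PermissionError("encryptor works only in voting mode")
        nonce = secrets.token_bytes(16)
        ciphertext = xor_keystream(self._ballot_key, nonce, vote)
        return nonce + ciphertext + self._tag(nonce, ciphertext)

    def decrypt(self, blob: bytes) -> bytes:
        if self.mode != "counting":
            raise PermissionError("decryptor works only in counting mode")
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._tag(nonce, ciphertext)):
            raise ValueError("vote blob failed integrity check")
        return xor_keystream(self._ballot_key, nonce, ciphertext)

    def count(self, card_id: bytes, blob: bytes) -> bool:
        if card_id in self._seen_cards:
            return False                      # second vote for the same card is not counted
        vote = self.decrypt(blob).decode()    # decrypt first: a bad blob does not burn the ID
        self._seen_cards.add(card_id)
        self.tally[vote] += 1
        return True


def demo():
    master = secrets.token_bytes(32)          # held by the central authority only
    serial = "SAM-000123"                     # constructed serial number
    code = derive_counting_code(master, serial)
    wrong = ("1" if code[0] == "0" else "0") + code[1:]   # differs in the first digit
    card = VotingServicesCard(serial, code, secrets.token_bytes(32))
    cast = [(b"card-A", card.encrypt(b"party-1")),
            (b"card-B", card.encrypt(b"party-2")),
            (b"card-A", card.encrypt(b"party-2"))]        # same card ID presented twice
    out = {}
    try:
        card.decrypt(cast[0][1])
        out["early_decrypt"] = "allowed"
    except PermissionError:
        out["early_decrypt"] = "refused"
    out["wrong_code"] = card.switch_to_counting(wrong)
    out["right_code"] = card.switch_to_counting(code)
    out["counted"] = [card.count(cid, blob) for cid, blob in cast]
    out["tally"] = dict(card.tally)
    try:
        card.encrypt(b"late-vote")
        out["late_encrypt"] = "allowed"
    except PermissionError:
        out["late_encrypt"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```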
  • FIG. 6 is a flowchart illustrating a method of electronic voting in a polling station, according to an embodiment of the present invention.
  • the first method for electronic voting in a polling station is used in a voting booth, in the polling station.
  • the unit is verified 610 as authorized by the authorization verifier 110, as described in further detail hereinabove.
  • an authorization key specific to the polling station for verifying that the communication unit is authorized for use in the polling station, as described in further detail herein.
  • an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
  • the authorization verifier 110 may use a global key provided by a central authority (say a national election committee), and recorded on each portable communication unit authorized for use by the central authority, as described in further detail herein.
  • the portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, a Laptop Computer, etc., as known in the art.
  • the voter is allowed 620 to cast a vote, provided the portable communication unit is verified as authorized for use in the polling station, and as long as the communication unit is present in the voting booth.
  • the communication unit is verified as authorized using the authorization key specific to the polling station, as described in further detail herein.
  • the cast vote is communicated 630 to the portable communication unit, for recording on the portable communication unit, as described in further detail herein.
  • each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail herein.
  • the cast vote is encrypted, say using a key specific to the polling station, and the vote is communicated 630 to the portable communication unit, as encrypted.
  • the key specific to the polling station is also referred to hereinabove as the ballot key.
  • the encryption is carried out using a smart card, say the portable voting services card 5000, as described in further detail hereinabove.
  • the casting of votes is stopped, and the votes recorded on the portable communication units may be counted, as described in further detail hereinabove.
  • Fig. 7 is a flowchart illustrating a further method of electronic voting in a polling station, according to an embodiment of the present invention.
  • the following method for electronic voting in a polling station is used in a vote verification booth, in the polling station.
  • each portable communication unit provided to a respective voter, is authorized for use in the polling station, say by the authorization verifier 210, as described in further detail hereinabove.
  • the portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, etc., as known in the art, as described in further detail hereinabove.
  • the verifying 710 that the portable communication unit is authorized for use in the polling station is carried out using an authorization key specific to the polling station, as described in further detail hereinabove.
  • the verifying 710 that the portable communication unit is authorized for use in the polling station is carried out using an authorization key indicating that the portable communication unit originates from an acceptable source, as described in further detail hereinabove.
  • a vote recorded on the portable communication unit provided that the portable communication unit is verified as authorized for use in the polling station.
  • the read vote is presented 730 to the voter, thereby allowing the voter to verify the vote recorded on the communication unit reflects a vote the voter intends to cast.
  • each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
  • the read vote is decrypted, say using the ballot key, which is a key specific to the polling station, and presented 730 to the voter as decrypted.
  • the decryption is carried out using a smart card, say a portable voting services card 5000, as described in further detail hereinabove.
  • FIG. 8 is a flowchart illustrating a further method of electronic voting in a polling station, according to an embodiment of the present invention.
  • the portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Laptop Computer, etc., as known in the art.
  • the verifying 810 that the portable communication units are authorized for use in the polling station is carried out using an authorization key specific to the polling station, as described in further detail hereinabove.
  • the verifying 810 that the portable communication units are authorized for use in the polling station is carried out using an authorization key indicating the portable communication units originate from an acceptable source, as described in further detail hereinabove.
  • each vote recorded on the units is read 820, provided the portable communication unit is verified as authorized for use in the polling station.
  • each of the read votes is decrypted, using a key specific to the polling station, as described in further detail hereinabove.
  • the read votes are counted 830, say by the vote counter 330, as described in further detail hereinabove.
  • each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
  • the read votes may be counted only upon inputting of a predefined counting code.
  • the counting code may be issued by a central authority (such as a national election committee). That is to say that no counting of votes is allowed until the counting code is input.
  • the central authority may provide a person in charge of the polling station with the counting code for starting the counting 830 of votes.
  • the person in charge of the polling station inputs the counting code to a portable voting services card's 5000 mode switcher 510.
  • the portable voting services card 5000 is dedicated to counting the votes recorded on the portable communication units.
  • the mode switcher 510 switches the card 5000 to the counting mode, and the card 5000 may be used for decrypting and counting the votes recorded on the communication units, as described in further detail hereinabove.
  • the counting code is a form of a PIN (Personal Identification Number), as known in the art.
  • the counting code may be generated from a number uniquely identifying the communication unit (say, the unit's serial number assigned by the factory that manufactures the unit).
  • the counting code is generated using key diversification techniques, as known in the art.
  • Fig. 11 is a flowchart illustrating a method of electronic voting in a polling station, according to an embodiment of the present invention.
  • the first method for electronic voting in a polling station is used in a ballot box, in a polling station.
  • a ballot box slot or any other voting card deposit location is monitored for detecting a casting of a portable communication unit into the ballot box (block 1110).
  • the apparatus 1010 described above with reference to Fig. 10 may be used to monitor cast portable communication units.
  • the unit communicator 1013 may sense a portable communication card being cast, for example, when the card is located in the vicinity of the ballot box slot, say less than a few centimeters.
  • a portable communication unit, such as the communication unit referenced 4000, is described in detail above.
  • the portable communication unit is checked to verify that it is authorized (block 1120).
  • an authorization verifier may be used as described in further detail hereinabove.
  • the authorization verifier 1012 may implement and control a verification routine.
  • an authorization key specific to the polling station for verifying that the communication unit is authorized for use in the polling station, as described in further detail herein.
  • an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
  • the authorization verifier 1012 may use a global key provided by a central authority (say a national election committee), and recorded on each portable communication unit authorized for use by the central authority, as described in further detail herein.
  • an alert may be triggered (block 1150).
  • the alert may be issued by an alert module 1018 as described hereinabove.
  • the portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, a Laptop Computer, etc., as known in the art.
  • the vote on the portable communication unit is checked (block 1130).
  • the vote check routine may be implemented in series with the verification routine or in parallel with the verification routine and contingent upon the portable communication unit being authorized (block 1130).
  • the vote verifier 1014 described above may be used for implementing and controlling a vote check routine.
  • Optional vote checks were discussed above in further detail.
  • the cast vote is encrypted, and cannot be read by the apparatus 1010.
  • an alert may be triggered (block 1150).
  • the alert may be issued by an alert module 1018 as described hereinabove.
  • the operability and the integrity of the portable communication unit are checked (block 1140), say via a communication unit test routine.
  • the communication unit test routine may be implemented by a voting card tester 1016, as was described above. The details of the communication unit test routine were discussed above in detail. In case the portable communication unit is determined to be malfunctioned or if a tamper attempt is detected, an alert may be triggered (block 1150).
  • each one of the authorization routine, the vote check routine and the communication unit test routine is concluded successfully, the interaction of the apparatus 1010 with the respective portable communication unit ends and apparatus 1010 awaits the next portable communication unit that is cast into the ballot box (block 1160).
  • FIG. 9 is a flowchart illustrating a further method for electronic voting in a polling station, according to an embodiment of the present invention.
  • portable communication units (say voting cards 4000) are authorized 910 for use in the polling station.
  • the communication units are authorized 910 for use in the polling station, using an authorization key specific to the polling station, an authorization key indicating the portable communication units originate from an acceptable source, a combination of the two authorization keys, etc.
  • the communication units are authorized 910 in the polling station, by recording the authorization key specific to the polling station on each communication unit.
  • the authorization key specific to the polling station may be a random number generated on a smart card dedicated for authorizing, say a voting card 4000.
  • the random number uniquely identifies the voting card 4000.
  • the random number is generated by the card's 4000 random number generator, as described in further detail hereinabove.
  • the random number generated on the dedicated voting card 4000 is copied to each of the portable communication units, thus authorizing the communication unit for use in the polling station.
  • the random number is also copied to the authorization verifiers 110, 210, 310, which may verify that the portable communication unit is authorized for use in the polling station, for example through a challenge-response method, as known in the art.
  • the challenge-response method may be used to check that the authorization key specific to the polling station is recorded on the communication unit.
  • the challenge-response method is further used to check that a global key, which indicates that the portable communication units originate from an acceptable source (say, the national elections committee), is also recorded on the portable communication unit.
  • the global key is recorded on the portable communication unit, as a part of a global initialization step, carried out by a central authority in charge of elections (such as a national elections committee), as described in further detail hereinbelow.
  • the authorized communication units are provided 920 to voters, each one of the units provided to a respective one of the voters.
  • a registered voter list for the polling station say a voter list stored on a dedicated database in a polling station.
  • the voter list may be used to ensure that each voter provided with one of the portable communication units is registered to vote in the polling station, and to guarantee that no voter casts a double vote, as described in further detail hereinbelow.
  • Each voter, provided with one of the communication units, is allowed 930 to cast a vote, using the portable communication unit provided 920 to the voter, and the cast vote is recorded 940 on the portable communication unit.
  • each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted.
  • the vote is read and counted 950 from the communication unit, say using apparatus 3000, as described in further detail hereinabove. Then, the vote is erased from the portable communication unit, and the communication unit may be used by another voter.
  • the voter returns the communication unit, say by depositing the communication unit in a dedicated ballot box. After all the voters have cast their votes, all the votes recorded on the portable communication units are counted, say using apparatus 3000. That is to say that use of each portable communication unit is limited to a respective voter, until all votes are counted.
  • a new random number is generated each time the communication unit is provided to a new user.
  • the voter is crossed out of the registered voter list (or marked accordingly) for the polling station upon counting his vote, thus preventing the voter from casting more than one vote.
  • use of each of the communication units may be limited to a specific voter, until the vote cast by the specific voter is counted, and the new random number is generated.
  • the cast vote is encrypted prior to the recording 940 of the vote on the portable communication unit, using the key specific to the polling station (i.e. the ballot key), as described in further detail hereinabove.
  • the votes recorded on the portable communication units may be counted only upon inputting of a predefined counting code.
  • the counting code may be issued by a central authority (such as a national election committee), at an elections day end. That is to say that no counting of votes is allowed until the counting code is input, as described in further detail hereinabove.
  • the counting code is in the form of the PIN (Personal Identification Number) generated and recorded on the voting services card 5000, by the central authority.
  • a voting services card 5000 may be used for implementing the decryptor and counter of apparatus 3000.
  • the mode switcher 510 switches the card 5000 to the counting mode. Consequently, the card 5000 may be used for decrypting and counting the votes recorded on the portable communication units, as described in further detail hereinabove.
  • the counting code is further used to block any further vote casting in the polling station.
  • the vote caster 120 of apparatus 1000 may stop casting votes, thus preventing voting after the counting of votes has started, as described in further detail hereinabove.
  • a central authority carries out a global initialization step on portable communication units (say voting cards 4000), and voting services cards 5000 used as parts of the apparatuses 1000, 2000, 3000, as described in further detail hereinabove.
  • voting card(s) 4000 there is recorded on the voting card(s) 4000, voting services card(s) 5000, or both, the global key which indicates that the card originates from the central authority (i.e. that the card originates from an acceptable source).
  • the global initialization step may further include recording the counting code (say a PIN) on the voting services card(s) 5000, where the counting code is hidden or encrypted, thus blocking reading of the counting code from the card 5000.
  • the global initialization step further includes recording on the card a factory serial number unique to the card, an indication of the role of the card, or both.
  • a voting card may be a portable communication unit, or an authorization card, as described in further detail hereinabove.
  • Voting services cards may be used in a voting booth (i.e. as a part of apparatus 1000), used in a vote verification booth (i.e. as a part of apparatus 2000), or as a part of apparatus 3000 (i.e. for decrypting and counting votes read from the communication units).
  • the cards 4000, 5000 may be distributed to the polling stations.
  • the voting cards 4000 may be provided to voters, and the voting services cards 5000 may be used for the apparatuses 1000, 2000, and 3000, as described in further detail hereinabove.
  • the voting services cards 5000 there is carried out a local initialization step, prior to using the voting services cards 5000, and providing the voting cards 4000 (i.e. portable communication units) to voters.
  • one of the voting cards 4000 is used as an authorization card specific to the polling station.
  • On the authorization card there is generated a random number unique to the authorization card.
  • the random number is copied to each one of the mobile communication units (say voter cards 4000), and used as an authorization key for the specific polling station.
  • the random number is also copied to the authorization verifier 110, 210, or 310, thus allowing the verifier to verify that the mobile communication unit is authorized for use in the polling station, through a challenge-response method, as described in further detail hereinabove.
  • the local initialization step further includes switching one of the voting services cards 5000 to the counting mode, say using a counting code (say a PIN) for the specific voting services card 5000.
  • the card 5000 may be used in the vote verification booth, as a part of apparatus 3000, as described in further detail hereinabove.
  • the voting services cards 5000 are initialized in a default mode, i.e. the voting mode, as a part of the global initialization carried out by the central authority.
  • the voting services cards are distributed to the polling stations without a default mode, and set to the voting mode as a part of the local initialization step.
  • the switching of a voting services card 5000 to a counting mode is carried out using a counting code specific to the card 5000.
  • the counting mode specific to the card is provided by the central authority, say using SMS (Short Messages Service), by phone, etc., as described in further detail hereinabove.
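
The challenge-response check of the polling-station key and the global key described in the items above can be sketched as follows. This is an added illustration, not code from the patent: the patent only refers to a challenge-response method "as known in the art", so HMAC-SHA256, the class and function names, and the alert labels are assumptions.

```python
import hashlib
import hmac
import secrets


def proof(key: bytes, label: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA256 over a domain label and the challenge (assumed primitive)."""
    return hmac.new(key, label + b"|" + challenge, hashlib.sha256).digest()


class PortableUnit:
    """Constructed model of a voting card 4000: keys are written, never read out."""

    def __init__(self, global_key: bytes):
        self._global_key = global_key   # recorded at global initialization
        self._station_key = None        # recorded at local initialization

    def record_station_key(self, station_key: bytes) -> None:
        self._station_key = station_key

    def respond(self, challenge: bytes) -> tuple:
        """Prove possession of both keys without transmitting either one."""
        global_proof = proof(self._global_key, b"global", challenge)
        if self._station_key is None:
            station_proof = bytes(32)   # unit was never authorized locally
        else:
            station_proof = proof(self._station_key, b"station", challenge)
        return global_proof, station_proof


class AuthorizationVerifier:
    """Constructed model of an authorization verifier holding the same two keys."""

    def __init__(self, global_key: bytes, station_key: bytes):
        self._global_key = global_key
        self._station_key = station_key

    def new_challenge(self) -> bytes:
        # A fresh random challenge per check makes a recorded response useless.
        return secrets.token_bytes(16)

    def check(self, challenge: bytes, response: tuple) -> str:
        global_proof, station_proof = response
        expected_global = proof(self._global_key, b"global", challenge)
        expected_station = proof(self._station_key, b"station", challenge)
        # Constant-time comparison; a distinct label per failure lets an alert
        # module raise a different alert for each cause.
        if not hmac.compare_digest(global_proof, expected_global):
            return "ALERT_UNKNOWN_SOURCE"
        if not hmac.compare_digest(station_proof, expected_station):
            return "ALERT_WRONG_STATION"
        return "AUTHORIZED"

    def verify(self, unit: PortableUnit) -> str:
        challenge = self.new_challenge()
        return self.check(challenge, unit.respond(challenge))


def local_initialization(units, global_key: bytes) -> AuthorizationVerifier:
    """Generate the station's random number and copy it to units and verifier."""
    station_key = secrets.token_bytes(16)   # stands in for the authorization card's RNG
    for unit in units:
        unit.record_station_key(station_key)
    return AuthorizationVerifier(global_key, station_key)


if __name__ == "__main__":
    central_key = secrets.token_bytes(16)   # constructed global key
    issued = PortableUnit(central_key)
    stray = PortableUnit(central_key)       # genuine card, other polling station
    verifier = local_initialization([issued], central_key)
    print(verifier.verify(issued), verifier.verify(stray))
```
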

Abstract

Apparatus for electronic voting in a polling station, the apparatus comprising: an authorization verifier, configured to verify at least one portable communication unit provided to a respective voter, is authorized for use in the polling station; a vote caster, in communication with the authorization verifier, operable by the voter, for casting a vote, provided the portable communication unit is verified as authorized for use in the polling station; and a vote communicator, in communication with the vote caster and configured to communicate the vote to the portable communication unit, for recording on the portable communication unit.

Description

ELECTRONIC VOTING SYSTEM
FIELD AND BACKGROUND OF THE INVENTION
The present invention relates to voting systems and, more particularly, but not exclusively, to an apparatus and method for electronic voting in elections.
Voting has been used as an essential feature of democracy since the 6th century BC, when democracy was introduced by the Athenian democracy.
One of the objectives of democratic voting is accuracy. However, count accuracy is difficult because the large number of voters who participate in an election creates variances in ballot output.
Another objective of voting systems is to accurately gauge voter intent. Despite this objective, many factors may lead to situations in which voters are unclear as to what is required of them or unclear in indicating their selections. Such factors include ballot design, cumulative voting, multiple positions available for one office, proximity of candidate names on a ballot, unintentional markings left on a ballot, and misspelling of write-in candidates.
Additionally, voting systems also have to ensure that no voter votes twice and that only authorized voters vote in a particular voting station.
Methods of voting and counting votes have been in use since earliest times. A paper ballot is a widely used voting tool that is usually preprinted with the names of the candidates for a given office. In a paper ballot voting system, the voter chooses a ballot and places the ballot in a ballot box.
Mechanical voting machines are also used. Typically, mechanical voting machines may have levers next to the names of candidates, and counters that increment each time a voter moves a lever to vote for a specific candidate or question.
In another voting system, the voter is given a paper ballot, called a punch card, that contains perforated or otherwise weakened areas. The punch card is inserted into a machine that displays the names of candidates or the questions in a referendum. The alignment of the punch card in the machine is such that when the voter inserts a stylus next to the candidate's name, a piece of paper is punched out. The paper that is removed is called a chad. The hole in the place where the chad once was can be detected by a light sensitive card reader to determine the vote.
In yet another system, the voter is given a paper ballot and the voter is asked to fill in a circle or box associated with the candidate or other ballot question. As in other paper ballot systems, the ballot is placed in a ballot box and is read at a later time. The machine that reads these ballots finds light passing through some circles or boxes and not through others. The presence or absence of a mark in a box or circle indicates the voters' choices. Such systems are called mark-sense systems or, alternatively, optical scan systems. Regardless of the system employed, problems have always existed with such systems. The first and foremost deficiency is count accuracy. When it comes to large numbers of ballots, human readers are often more prone to error.
Mechanical voting machines improve the counting process by creating a tally for each candidate or question that can be recorded by election officials at the end of the election. Although more accurate, faster, and less labor intensive, mechanical voting machines do not leave an audit trail for authorities to follow in times of a recount. Additionally, voters have become disenfranchised by mechanical voting machines since allegations of tampering with the counters are difficult to dismiss and also because the voter has no assurance that his vote was tallied correctly.
Another deficiency in current voting systems stems from human error in making a selection. Variances in how voters mark a selection and erase a selection may render paper ballots unclear. Punch card systems attempt to replace human counting and selection entry errors with machine certainty, but create problems unique to punch cards. For example, voters may not force the stylus through with enough force to completely remove the chad. When entered into the counting machine, a partially removed chad may be reinserted into the hole nullifying the voter's intent altogether. Furthermore, a punched punch card cannot be unpunched. An error in making the voter's selection requires the voter to begin the voting process anew.
The 2000 U.S. presidential election in Florida demonstrated the fallibility and general unreliability of many deployed voting systems. Accurate, reliable vote reading and tallying systems are crucial for public confidence in election results, which is the ultimate bedrock of the legitimacy of government in a representative democracy. Following the 2000 U.S. presidential election in Florida, US Congress passed a law called the Help America Vote Act, which appropriated $3.8 billion to replace punch-card and lever voting systems with computerized electronic voting systems.
Electronic voting systems have been developed to overcome problems associated with the above-described conventional voting systems and machines. In electronic voting, the voting systems generally involve electronically operated voting machines coupled with a central computer, and as such are capable of performing a variety of functions, such as counting votes for a voting site, counting votes for a particular voting booth, accumulating votes for a plurality of simultaneous elections, etc.
U.S. Patent No. 7,306,148, to Morganstein, filed on November 14, 2002, entitled "Advanced voting system and method", describes a voting system, which includes one or more computing devices. The one or more computing devices display ballot questions to the voter and receive interactive voter selections from the voter. A ballot generator generates a ballot encoding the voter's selection using magnetic ink character recognition (MICR) technology. MICR is a character recognition system that uses special ink and characters.
U.S. Patent Application No. 11/162,297, to Anderson et al., filed on September 6, 2005, entitled "Secure Voting System", discloses a system for controlling voting using a computerized secure voting system that employs a transportable, secure voting module, for storing voting selections and scrambled voter identification. Once voting ends, fuses are blown within the secure voting module for permanently storing the voting selections and scrambled voter identification in a read only mode, which maintains voter anonymity while preventing any further physical writing of votes on the voting module.
International Patent Application No. PCT/US2001/045769, to Chung, filed on November 1, 2001, entitled "Electronic Voting Apparatus, System and method", describes a voting system utilizing at least two independent means for recording and counting votes, e.g., one associated with the voting apparatus and one separate therefrom. Chung's system may use a voting session identifier to provide transparency of the vote and to maintain the anonymity of votes and voters.
SUMMARY OF THE INVENTION
According to one aspect of the present invention there is provided an apparatus for electronic voting in a polling station, the apparatus comprising an authorization verifier, configured to verify at least one portable communication unit provided to a respective voter, is authorized for use in the polling station, and a vote caster, in communication with the authorization verifier, operable by the voter, for casting a vote, provided the portable communication unit is verified as authorized for use in the polling station.
The apparatus further comprises a vote communicator, in communication with the vote caster and configured to communicate the vote to the portable communication unit, for recording on the portable communication unit.
According to a further aspect of the present invention there is provided an apparatus for electronic voting in a polling station, the apparatus comprising an authorization verifier, configured to verify at least one portable communication unit provided to a respective voter, authorized for use in the polling station, and a vote reader, in communication with the authorization verifier, configured to read a vote recorded on the portable communication unit, provided that the portable communication unit is verified as authorized for use in the polling station.
The apparatus further comprises a vote presenter, in communication with the vote reader, configured to present the vote to the voter, thereby allowing the voter to verify that the vote recorded on the communication unit reflects a vote the voter intends to cast.
According to yet another aspect of the present invention there is provided an apparatus for electronic voting in a polling station, the apparatus comprising an authorization verifier, configured to verify that at least one portable communication unit provided to a respective voter, authorized for use in the polling station, a vote reader, in communication with the authorization verifier, configured to read votes, each of the votes recorded on a respective one of the portable communication units, provided that the portable communication unit is verified as authorized for use in the polling station, and a vote counter, in communication with the vote reader, configured to count the read votes.
According to a further aspect of the present invention there is provided a portable voting card for electronic voting in a polling station, the card comprising a vote receiver, configured to receive a vote communicated to the card, a storage module, for storing the vote on the card, and a vote recorder, in communication with the vote receiver and the storage module, configured to record the communicated vote on the storage module.
According to a further aspect of the present invention there is provided a portable voting services card for electronic voting in a polling station, the card comprising a mode switcher, operable for switching the card from a voting mode to a counting mode, by inputting a predefined counting code, a vote receiver, in communication with the mode switcher, configured to receive a vote communicated to the card, an encryptor, in communication with the vote receiver, configured to encrypt the received vote, provided that the card is in a voting mode, and a decryptor, in communication with the vote receiver, configured to decrypt the received vote, provided the card is in a counting mode.
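The mode switcher of this aspect, together with the counting code generated by key diversification from a unit's serial number mentioned in the definitions above, can be sketched as follows. This is an added illustration, not code from the patent: the HMAC-based diversification, the PBKDF2-hashed storage of the code, the retry limit, the fixed-length padding and the HMAC-keystream cipher are all assumptions standing in for primitives the patent leaves unspecified.

```python
import hashlib
import hmac
import secrets

VOTE_LEN = 32  # assumption: fixed record size so ciphertext length hides the choice


def diversify_counting_code(master_key: bytes, card_serial: str, digits: int = 8) -> str:
    """Derive a per-card counting code from the card's serial number."""
    mac = hmac.new(master_key, b"counting-code|" + card_serial.encode(),
                   hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stdlib stand-in for the card's cipher: HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class VotingServicesCard:
    """Constructed model of card 5000: encrypts in voting mode, decrypts in counting mode."""

    MAX_CODE_ATTEMPTS = 3  # assumption: PIN-style retry limit

    def __init__(self, serial: str, ballot_key: bytes, counting_code: str):
        self.serial = serial
        self.mode = "voting"  # default mode
        self._enc_key = hashlib.sha256(b"enc|" + ballot_key).digest()
        self._mac_key = hashlib.sha256(b"mac|" + ballot_key).digest()
        # Only a salted hash is kept, so the code cannot be read back from the card.
        self._salt = secrets.token_bytes(16)
        self._code_hash = self._hash_code(counting_code)
        self._attempts_left = self.MAX_CODE_ATTEMPTS

    def _hash_code(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 100_000)

    def switch_to_counting(self, code: str) -> bool:
        """Mode switcher: only the card-specific counting code enables decryption."""
        if self._attempts_left == 0:
            raise PermissionError("counting code entry locked")
        if hmac.compare_digest(self._hash_code(code), self._code_hash):
            self.mode = "counting"
            return True
        self._attempts_left -= 1
        return False

    def _tag(self, nonce: bytes, body: bytes) -> bytes:
        return hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()

    def encrypt_vote(self, vote: str) -> bytes:
        if self.mode != "voting":
            raise PermissionError("counting mode: further vote casting is blocked")
        data = vote.encode()
        if len(data) > VOTE_LEN:
            raise ValueError("vote does not fit the fixed record size")
        data = data.ljust(VOTE_LEN, b"\0")
        nonce = secrets.token_bytes(16)
        body = bytes(a ^ b for a, b in zip(data, _keystream(self._enc_key, nonce, VOTE_LEN)))
        return nonce + body + self._tag(nonce, body)

    def decrypt_vote(self, blob: bytes) -> str:
        if self.mode != "counting":
            raise PermissionError("voting mode: counting code not yet entered")
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._tag(nonce, body)):
            raise ValueError("vote record failed its integrity check")
        data = bytes(a ^ b for a, b in zip(body, _keystream(self._enc_key, nonce, len(body))))
        return data.rstrip(b"\0").decode()


if __name__ == "__main__":
    master = secrets.token_bytes(16)       # constructed central-authority secret
    ballot_key = secrets.token_bytes(16)   # constructed polling-station ballot key
    booth = VotingServicesCard("SN-0001", ballot_key,
                               diversify_counting_code(master, "SN-0001"))
    code = diversify_counting_code(master, "SN-0002")
    counter = VotingServicesCard("SN-0002", ballot_key, code)
    record = booth.encrypt_vote("party-A")
    counter.switch_to_counting(code)
    print(counter.decrypt_vote(record))
```
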
According to a further aspect of the present invention there is provided a method for electronic voting in a polling station, the method comprising verifying that a portable communication unit, provided to a respective voter, is authorized for use in the polling station, allowing the voter to cast a vote, provided that the portable communication unit is verified as authorized for use in the polling station, and communicating the cast vote to the portable communication unit, for recording on the portable communication unit.
According to a further aspect of the present invention there is provided a method for electronic voting in a polling station, the method comprising verifying that a portable communication unit, provided to a respective voter, is authorized for use in the polling station, reading a vote recorded on the portable communication unit, provided that the portable communication unit is verified as authorized for use in the polling station, and presenting the vote to the voter, thereby allowing the voter to verify that the vote recorded on the communication unit reflects a vote the voter intends to cast.
According to a further aspect of the present invention there is provided a method for electronic voting in a polling station, the method comprising verifying that a plurality of portable communication units, each of the communication units provided to a respective voter, are authorized for use in the polling station, reading votes, each one of the votes recorded on a respective one of the portable communication units, provided that the portable communication unit is verified as authorized for use in the polling station, and counting the read votes.
According to a further aspect of the present invention there is provided a method for electronic voting in a polling station, the method comprising authorizing a plurality of portable communication units for use in the polling station, providing the communication units to voters, each one of the units provided to a respective voter, allowing the voter to cast a vote, using the communication unit, recording the cast vote on the communication unit, and counting the votes recorded on the communication units.
According to a further aspect of the present invention there is provided an apparatus for electronic voting in a polling station, the apparatus comprising an authorization verifier, configured to verify that a portable communication unit provided to a respective voter is authorized for use in the polling station and is adapted to issue an alert indication in case the communication unit is unauthorized; a vote verifier configured to verify that a vote is recorded on the portable communication unit and is adapted to issue an alert indication in case no vote or more than one vote is recorded on the portable communication unit; and an alert module adapted to issue an alert in response to an alert indication from the authorization verifier and/or from the vote verifier.
In accordance with an embodiment of the invention there is provided a unit communicator adapted to establish a contactless communication link with the portable communication unit.
In accordance with an embodiment of the invention there is provided an apparatus, wherein the unit communicator includes a smart card communication interface adapted to establish a contactless communication link with a smart card.
In accordance with an embodiment of the invention there is provided an apparatus comprising a voting card tester adapted to implement a predefined voting card test routine with respect to the portable communication unit and is adapted to issue an alert indication in case the communication unit is malfunctioned or is tampered with.
In accordance with an embodiment of the invention there is further provided an apparatus wherein the authorization verifier is responsive to detecting on the portable communication device an authorization key specific to the polling station, for verifying that the portable communication unit is authorized for use in the polling station.
In accordance with an embodiment of the invention there is still further provided an apparatus, wherein the authorization verifier is responsive to detecting on the portable communication device an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
In accordance with an embodiment of the invention there is provided an apparatus, wherein the alert module is configured to issue a plurality of different alerts, each one of the plurality of alerts corresponding to a different alert indication.
In accordance with an embodiment of the invention there is further provided an apparatus, wherein the vote verifier is adapted to determine whether data is stored within a specific location within the portable communication unit designated for storing vote data corresponding to a vote of the respective voter.
In accordance with an embodiment of the invention there is provided an apparatus, wherein the vote verifier is adapted to search within a memory module of the portable communication unit for a certain predefined signature or pattern which corresponds to a vote recorded in said communication unit.
In accordance with an embodiment of the invention there is still further provided an apparatus, wherein the vote verifier avoids or is incapable of reading the actual vote data recorded in the portable communication unit.
In accordance with an embodiment of the invention there is provided an apparatus, wherein the voting card tester is adapted to interrogate different physical locations within a memory module of the portable communication unit where anti-tamper data is kept.
In accordance with an embodiment of the invention there is provided an apparatus, wherein the voting card tester is adapted to run operability tests on one or more components of the portable communication unit.
In accordance with an embodiment of the invention there is further provided an apparatus, wherein the apparatus is incorporated into a ballot box.
In accordance with an embodiment of the invention there is provided an apparatus, wherein the apparatus is located adjacently to the ballot box slot.
In accordance with an aspect of the invention there is provided a method of electronic voting in a polling station, the method comprising verifying that a portable communication unit provided to a respective voter is authorized for use in the polling station; verifying that a vote is recorded on the portable communication unit; issuing an alert in case the portable communication card is determined to be unauthorized or in case that no vote or more than one vote is detected in the communication unit.
In accordance with an embodiment of the invention there is further provided a method, further comprising establishing a contactless communication link with the portable communication unit.
In accordance with an embodiment of the invention there is still further provided a method, further comprising implementing a predefined voting card test routine with respect to the portable communication, and issuing an alert in case the portable communication unit is determined to be malfunctioned and/or in case a tamper attempt has been detected on the portable communication unit.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The materials, methods, and examples provided herein are illustrative only and not intended to be limiting. Implementation of the method and system of the present invention involves performing or completing certain selected tasks or steps manually, automatically, or a combination thereof.
Moreover, according to actual instrumentation and equipment of preferred embodiments of the method and system of the present invention, several selected steps could be implemented by hardware or by software on any operating system of any firmware or a combination thereof. For example, as hardware, selected steps of the invention could be implemented as a chip or a circuit. As software, selected steps of the invention could be implemented as a plurality of software instructions being executed by a computer using any suitable operating system. In any case, selected steps of the method and system of the invention could be described as being performed by a data processor, such as a computing platform for executing a plurality of instructions.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention is herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of the preferred embodiments of the present invention only, and are presented in order to provide what is believed to be the most useful and readily understood description of the principles and conceptual aspects of the invention. The description taken with the drawings makes apparent to those skilled in the art how the several forms of the invention may be embodied in practice.
In the drawings:
Figure 1 is a block diagram illustrating a first apparatus for electronic voting in a polling station, according to an embodiment of the present invention;
Figure 2 is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention;
Figure 3 is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention;
Figure 4 is a block diagram illustrating a portable voting card for electronic voting in a polling station, according to an embodiment of the present invention;
Figure 5 is a block diagram illustrating a portable voting services card for electronic voting in a polling station, according to an embodiment of the present invention;
Figure 6 is a flowchart illustrating a method of electronic voting in a polling station, according to an embodiment of the present invention;
Figure 7 is a flowchart illustrating a further method of electronic voting in a polling station, according to an embodiment of the present invention;
Figure 8 is a flowchart illustrating a further method of electronic voting in a polling station, according to an embodiment of the present invention;
Figure 9 is a flowchart illustrating a further method of electronic voting in a polling station, according to an embodiment of the present invention;
Figure 10 is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention; and
Figure 11 is a flowchart illustrating a method of electronic voting in a polling station according to some embodiments of the invention.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present embodiments comprise an apparatus and method for electronic voting in a polling station. According to an embodiment, each one of voters listed to vote in a specific polling station is provided with a portable communication unit. The portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, a Laptop Computer, etc., as known in the art.
A smart card is a pocket-sized card with embedded integrated circuits which can process information. There are two broad categories of smart cards. Memory cards contain only non-volatile memory storage components, and perhaps some specific security logic. Microprocessor cards contain non-volatile memory and microprocessor components. The smart card is typically made of plastic, usually PVC.
A PDA (Personal Digital Assistant) is a small mobile hand-held device that provides computing and information storage and retrieval capabilities for personal or business use, as known in the art.
Optionally, the portable communication unit has a wireless connectivity capacity. The wireless connectivity capacity allows communication with the portable communication unit, without physical connection to the unit. The portable communication unit is authorized for use in the specific polling station, say by storing an authorization key specific to the polling station on the portable communication unit, as described in further detail hereinbelow.
A voter walks into a voting booth in the polling station. In the voting booth, the portable communication unit provided to the user is verified as authorized for use in the polling station. Consequently, the voter is allowed to cast a vote, say using a graphical user interface, as described in further detail hereinbelow.
Then, the vote cast by the voter is communicated to the communication unit provided to the voter, say to a smart card with a wireless connectivity capacity (also referred to hereinbelow as a contactless smart card).
Optionally, the vote is encrypted prior to the vote's communication to the portable communication unit, and communicated in an encrypted form, using one of a variety of encryption methods, as known in the art. The vote received by the communication unit is recorded on the communication unit, as described in further detail hereinbelow.
Optionally, the voter is allowed to verify that the vote recorded on the portable communication unit reflects a vote the voter intends to cast, say using a vote verification booth where the communication unit provided to the voter is verified as authorized for use in the polling station. Upon successful verification of the communication unit as authorized for use in the polling station, the vote recorded on the portable communication unit is read and presented to the voter, thus allowing the voter to verify that the vote reflects the voter's intentions.
Optionally, the votes recorded on the portable communication units (say smart cards) may be counted, provided each vote counted is read from a communication unit authorized for use in the specific polling station, as described in further detail hereinbelow.
The principles and operation of an apparatus and method according to the present invention may be better understood with reference to the drawings and accompanying description. Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not limited in its application to the details of construction and the arrangement of the components set forth in the following description or illustrated in the drawings.
The invention is capable of other embodiments or of being practiced or carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein is for the purpose of description and should not be regarded as limiting.
Reference is now made to Fig. 1, which is a block diagram illustrating a first apparatus for electronic voting in a polling station, according to an embodiment of the present invention. Optionally, apparatus 1000 is deployed in a voting booth, in the polling station, as described in further detail hereinbelow.
Apparatus 1000 includes an authorization verifier 110.
The authorization verifier 110 verifies that one or more portable communication units, each portable communication unit provided to a voter, is authorized for use in the polling station. Optionally, each portable communication unit may be uniquely associated with a specific voter at least until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
The portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, etc., as described in further detail hereinabove.
Optionally, the authorization verifier 110 uses an authorization key specific to the polling station, for verifying that the portable communication unit is authorized for use in the polling station. Optionally, the authorization key is recorded on the portable communication unit, prior to providing the unit to the voter, as described in further detail hereinbelow.
The polling station specific authorization key is likely to increase the security of the elections process carried out using apparatus 1000 against an attack by a malicious party. The protection against the attack is increased since each polling station is associated with a unique authorization key, and the malicious party has to overcome a different authorization key for each polling station used in the elections.
Optionally, the authorization verifier 110 further uses an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station. Optionally, the authorization key is a global key provided by a central authority (say a national election committee), and recorded on each portable communication unit authorized for use by the central authority, as described in further detail hereinbelow.
In some embodiments, the apparatus 1000 further includes a unit communicator, in communication with the authorization verifier 110, such as a contactless smart card reader, as known in the art. The unit communicator communicates with the portable communication unit (say a smart card). Through communication with the portable communication unit, the authorization verifier 110 verifies that the authorization key(s) are recorded on the communication unit.
The apparatus 1000 also includes a vote caster 120, in communication with the authorization verifier 110.
The vote caster 120 may be operated by the voter, for casting a vote, provided that the portable communication unit is verified as authorized for use in the polling station and that the portable communication unit is present in the voting booth (i.e. that the unit is accessible by the authorization verifier 110). Optionally, the vote caster 120 further uses a Graphical User Interface (GUI), for allowing the voter to cast a vote. For example, the GUI may be implemented on a touch screen, allowing the voter to select amongst candidates, parties, etc., as known in the art.
Apparatus 1000 further includes a vote communicator 130, in communication with the vote caster 120.
The vote communicator 130 communicates the vote to the portable communication unit, for recording on the portable communication unit, as described in further detail hereinbelow. Optionally, the vote communicator 130 communicates the vote to the portable communication unit, using the unit communicator, as described in further detail hereinabove.
Optionally, use of each of the communication units is limited to a specific user, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
Optionally, apparatus 1000 also includes an encryptor, in communication with the vote caster.
Optionally, the encryptor encrypts the vote cast by the voter, using a key specific to the polling station, also referred to hereinbelow as a ballot key. The vote communicator 130 communicates the vote as encrypted by the encryptor.
Optionally, the encryptor is implemented on a smart card, say a portable voting services card 5000, as described in further detail hereinbelow.
Optionally, the key specific to the polling station is generated in the polling station, say on a dedicated smart card used as an authorization card. The polling station specific key is copied to the encryptor, as described in further detail hereinbelow.
Optionally, apparatus 1000 also includes a vote recorder, in communication with the vote caster.
Optionally, the apparatus further includes a database dedicated for recording votes, in communication with the vote recorder. The vote recorder records the cast vote on the database. That is to say that the vote may be recorded on the apparatus 1000 as well as on the portable communication unit provided to the user.
Optionally, the vote recorder records the cast vote in an encrypted form, as described in further detail hereinbelow.
Optionally, the vote recorder is implemented on a smart card, such as a portable voting services card 5000, as described in further detail hereinbelow.
Optionally, the vote recorder further prevents recording of more than one vote for a respective communication unit. For example, the vote recorder may use a random number generated on the communication unit, which is unique to the communication unit, for preventing multiple voting with the same communication unit, as described in further detail hereinbelow. Optionally, when the voter attempts to cast a second vote using the same portable communication unit, the voter is warned, and allowed to change the vote recorded earlier for the portable communication unit.
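The following Python sketch is an added example, not code from the patent. It models the booth flow described above: both authorization keys are checked through communication with the card, and the vote recorder refuses a silent second vote for the same card, warning the voter and allowing a change. The HMAC challenge-response, the class and method names, and the in-memory database are assumptions made for illustration; encryption of the vote with the ballot key is left out.

```python
import hashlib
import hmac
import secrets


def _mac(key, challenge):
    """HMAC-SHA256 over a challenge (assumed proof-of-possession primitive)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class VotingCard:
    """Simulated portable communication unit (constructed for this example)."""

    def __init__(self, station_key, global_key):
        self._station_key = station_key      # key specific to the polling station
        self._global_key = global_key        # central-authority ("acceptable source") key
        self.card_id = secrets.token_hex(8)  # random number generated on the card
        self.vote = None                     # vote recorded on the card

    def respond(self, challenge):
        # Assumption: the card proves it holds each key without transmitting it.
        return _mac(self._station_key, challenge), _mac(self._global_key, challenge)


class VotingBooth:
    """Authorization verifier, vote caster and vote recorder in one object."""

    def __init__(self, station_key, global_key):
        self._station_key = station_key
        self._global_key = global_key
        self.database = {}  # vote recorder's database: card random number -> vote

    def is_authorized(self, card):
        # A fresh challenge per check means a captured reply cannot be replayed.
        challenge = secrets.token_bytes(16)
        station_mac, global_mac = card.respond(challenge)
        ok_station = hmac.compare_digest(station_mac, _mac(self._station_key, challenge))
        ok_global = hmac.compare_digest(global_mac, _mac(self._global_key, challenge))
        return ok_station and ok_global

    def cast(self, card, choice, confirm_change=False):
        """Return 'rejected', 'warn-already-voted', 'recorded' or 'changed'."""
        if not self.is_authorized(card):
            return "rejected"
        already_voted = card.card_id in self.database
        if already_voted and not confirm_change:
            # Second attempt with the same card: warn, keep the earlier vote.
            return "warn-already-voted"
        # One entry per card: a confirmed change overwrites, it never adds a vote.
        self.database[card.card_id] = choice
        card.vote = choice
        return "changed" if already_voted else "recorded"
```

Because the database is keyed by the card's random number, a confirmed change replaces the earlier entry, so the number of recorded votes never exceeds the number of cards used.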
Optionally, apparatus 1000 also includes a vote counter, in communication with the vote caster 120.
The vote counter counts the votes cast by the voters, using the vote caster 120.
Optionally, the vote counter may present the vote count, only if a predefined counting code is input to the apparatus 1000.
For example, the counting code may be issued by a central authority (such as a national elections committee), on an elections' day end, as described in further detail hereinbelow. That is to say, the vote count cannot be presented until the counting code is input.
Optionally, the counting code is a form of a PIN (Personal Identification Number), as known in the art. The PIN (Personal Identification Number) is a short number (say a four-digit number).
The counting code may be generated from a unique number identifying the communication unit (say, the unit's serial number assigned by the factory that manufactures the unit). Optionally, the counting code is generated using key diversification techniques, as known in the art.
Optionally, once the counting code is input, the vote caster 120 stops casting votes, thus preventing further voting.
Optionally, the vote counter is implemented using a smart card (say a voting services card 5000, as described in further detail hereinbelow).
Optionally, the apparatus 1000 is implemented on a standalone computer, i.e. a computer having no connection to any communication network, or other computer, but the portable communication units. Consequently, the apparatus 1000 may be physically isolated from potential interference by a malicious party.
The physical isolation may prevent installation of a malicious computer program (say a program which overrides the cast votes with other values as chosen by the malicious party) on the computer, as physical access to the computer is blocked.
Reference is now made to Fig. 2, which is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention.
Optionally, apparatus 2000 is deployed in a vote verification booth, in the polling station, as described in further detail hereinbelow.
Apparatus 2000 for electronic voting in a polling station, includes an authorization verifier 210.
The authorization verifier 210 verifies that one or more portable communication unit(s), each portable communication unit provided to a respective voter is authorized for use in the polling station.
The portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), etc., as known in the art.
Optionally, the authorization verifier 210 uses an authorization key specific to the polling station, for verifying that the communication unit is authorized for use in the polling station, as described in further detail hereinbelow.
Optionally, the authorization verifier 210 uses an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station. Optionally, the authorization key is a global key provided by a central authority (say a national elections committee) and recorded on each portable communication unit authorized for use by the central authority, as described in further detail hereinbelow.
Apparatus 2000 further includes a vote reader 220, in communication with the authorization verifier 210. The vote reader 220 reads a vote recorded on the portable communication unit, provided that the portable communication unit is verified as authorized for use in the polling station and the portable communication unit is present in the vote verification booth (i.e. that the unit is accessible by the authorization verifier 210). Optionally, the apparatus 2000 further includes a unit communicator, in communication with the vote reader 220, which communicates with the portable communication unit (say a contactless smart card), as described in further detail hereinabove.
Through communication with the portable communication unit, the vote reader 220 may read the vote recorded on the portable communication unit, say using a wireless connectivity capacity of the communication unit, as described in further detail hereinabove.
Apparatus 2000 also includes a vote presenter 230, in communication with the vote reader 220.
The vote presenter 230 presents the vote to the voter, say using a computer screen. By presenting the vote to the voter, the presenter 230 allows the voter to verify that the vote recorded on the communication unit reflects a vote that the voter intends to cast.
Optionally, use of each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
Optionally, apparatus 2000 further includes a decryptor, in communication with the vote presenter 230.
The decryptor decrypts the vote read by the vote reader 220, say using the key specific to the polling station, also referred to hereinabove as the ballot key, as described in further detail hereinbelow.
Optionally, the decryptor is implemented on a smart card or a SAM (Secured Authentication Module) card. A SAM card may be a contactless smart card suitable for decryption and encryption, as known in the art. For example, the decryptor may be implemented on a voting services card 5000 switched to the card's 5000 counting mode, say using a counting code specific to the card's 5000 serial number, as described in further detail hereinbelow.
Optionally, the key specific to the polling station is generated in the polling station, say using a dedicated smart card, and copied to the decryptor.
Optionally, apparatus 2000 is implemented on a standalone computer, i.e. a computer having no connection to any communication network, or other computer, but the portable communication units.
Consequently, the apparatus 2000 may be physically isolated from potential interference by a malicious party, as described in further detail hereinabove.
Reference is now made to Fig. 3, which is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention.
Apparatus 3000 includes an authorization verifier 310.
The authorization verifier 310 verifies that one or more portable communication units, each portable communication unit provided to a respective voter, is authorized for use in the polling station.
The portable communication unit may be implemented on a Smart Card, or a Personal Digital Assistant (PDA), etc., as known in the art.
Optionally, the authorization verifier 310 uses an authorization key specific to the polling station, for verifying that the communication unit is authorized for use in the polling station, as described in further detail hereinbelow.
Optionally, the authorization verifier 310 uses an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station. For example, the authorization verifier 310 may use a global key provided by a central authority, and recorded on each portable communication unit authorized for use by the central authority, as described in further detail hereinbelow. Optionally, use of each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
Apparatus 3000 further includes a vote reader 320, in communication with the authorization verifier 310.
The vote reader 320 reads votes, each of the votes recorded on a specific one of the portable communication units. The vote reader 320 reads the vote only if the portable communication unit that the vote is recorded on, is verified as authorized for use in the polling station, as described in further detail hereinbelow.
Apparatus 3000 further includes a vote counter 330, in communication with the vote reader.
The vote counter 330 counts the votes read from the portable communication units by the vote reader 320.
Optionally, the vote counter 330 is implemented on a smart card, such as a SAM (Secured Authentication Module) card, say a voting services card 5000, as described in further detail hereinbelow. A SAM card is a smart card suitable for decryption and encryption, using one or more encryption techniques, as known in the art.
Optionally, the vote counter 330 also prevents counting of more than one vote for a respective communication unit.
Optionally, the vote counter 330 prevents the counting of more than one vote for a respective communication unit, using a random number generated on the communication unit for uniquely identifying the communication unit, as described in further detail hereinbelow.
Optionally, the vote counter 330 counts the cast votes only upon inputting a predefined counting code to the vote counter. For example, the counting code may be issued by a central authority (such as a national election committee), as described in further detail hereinbelow. That is to say, that no counting of votes is allowed until the counting code is input. Optionally, the counting code is a form of a PIN (Personal Identification Number), as known in the art. The counting code may be generated from a unique number identifying the communication unit (say, the unit's serial number assigned by the factory that manufactures the unit). Optionally, the counting code is generated using key diversification techniques, as known in the art.
Optionally, apparatus 3000 further includes a decryptor, in communication with the vote reader 320.
The decryptor decrypts the vote read by the vote reader 320, say using the key specific to the polling station, also referred to hereinabove as the ballot key, as described in further detail hereinbelow.
Optionally, the decryptor is implemented on a smart card or a SAM (Secured Authentication Module) card, say a voting services card 5000, as described in further detail hereinbelow. A SAM card may be a smart card suitable for decryption and encryption, as known in the art.
Optionally, the key specific to the polling station is generated in the polling station, say using a dedicated smart card, and copied to the decryptor.
Optionally, the apparatus 3000 is implemented on a standalone computer, i.e. a computer having no connection to any communication network, or other computer, except for the portable communication units. The standalone computer is physically isolated from potential interference by malicious parties, as described in further detail hereinabove.
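The following Python sketch is an added example, not code from the patent. It shows a counting code diversified from a card serial number and a vote counter that stays locked until that code is input, counts only votes read from authorized units, and counts at most one vote per card random number. The HMAC-based derivation, the master key, the retry limit and all names are assumptions; the patent only says the code may be generated from the serial number using key diversification techniques.

```python
import hashlib
import hmac


def derive_counting_code(master_key, serial, digits=4):
    """Diversify a short decimal counting code from a card serial number.

    Assumed construction: HMAC-SHA256 keyed with a central-authority master
    key, reduced to a PIN-sized decimal string.
    """
    mac = hmac.new(master_key, serial.encode("ascii"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class VoteCounter:
    """Vote counter that counts nothing until the counting code is input."""

    MAX_ATTEMPTS = 3  # assumption: a four-digit code needs a retry limit

    def __init__(self, serial, expected_code):
        self.serial = serial
        self._expected = expected_code  # provisioned by the central authority
        self._attempts_left = self.MAX_ATTEMPTS
        self.unlocked = False
        self._seen = set()  # card random numbers already counted
        self.tally = {}

    def enter_counting_code(self, code):
        """Unlock counting; return True only for the correct code."""
        if self._attempts_left == 0:
            return False  # locked out, even if the code is now correct
        if hmac.compare_digest(code.encode(), self._expected.encode()):
            self.unlocked = True
            return True
        self._attempts_left -= 1
        return False

    def count(self, card_random, vote, authorized):
        """Count one vote read from a card; return True if it was counted."""
        if not self.unlocked:
            raise PermissionError("counting code has not been input")
        if not authorized:
            return False  # vote read from a unit not authorized for this station
        if card_random in self._seen:
            return False  # at most one vote per communication unit
        self._seen.add(card_random)
        self.tally[vote] = self.tally.get(vote, 0) + 1
        return True
```

With a four-digit code the retry limit carries most of the protection, since the code space is only 10,000 values.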
Reference is now made to Fig. 10, which is a block diagram illustrating a further apparatus for electronic voting in a polling station, according to an embodiment of the present invention.
Optionally, apparatus 1010 is deployed in a ballot box 1020, in the polling station, as described in further detail hereinbelow.
Apparatus 1010 includes an authorization verifier 1012. The authorization verifier 1012 verifies that one or more portable communication units, each portable communication unit provided to a voter, is authorized for use in the polling station. Optionally, each portable communication unit may be uniquely associated with a specific voter at least until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
The portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, etc., as described in further detail hereinabove.
Optionally, the authorization verifier 1012 uses an authorization key specific to the polling station, for verifying that the portable communication unit is authorized for use in the polling station.
Optionally, the authorization key is recorded on the portable communication unit, prior to providing the unit to the voter, as described in further detail hereinbelow.
The authorization verifier 1012 is adapted to communicate with the portable communication unit, possibly, wirelessly or through a contactless link, and read the authorization key or keys stored within the portable communication unit for verifying that the portable communication unit is authorized for use in the polling station. The polling station specific authorization key is likely to increase the security of elections carried out using apparatus 1010 against an attack or against fraud attempts by a malicious party. The protection against the attack is increased since each polling station is associated with a unique authorization key, and the malicious party has to overcome a different authorization key for each polling station used in the elections.
Optionally, the authorization verifier 1012 further uses an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station. Optionally, the authorization key is a global key provided by a central authority (say a national election committee), and recorded on each portable communication unit authorized for use by the central authority, as described in further detail hereinbelow.
The authorization key indicating that the portable communication unit originates from an acceptable source may be provided in addition to the authorization key indicating that the portable communication unit is authorized for use in a specific polling station, and both keys may be used for authorizing a portable communication unit.
The authorization verifier 1012 indicates that the portable communication unit is authorized (only) when it is determined according to the authorization key that the portable communication unit originates from an acceptable source and/or when it is determined that the portable communication unit is specifically associated with and is authorized for use in a specific polling station. Otherwise, the authorization verifier 1012 may be configured to issue an indication that the communication unit is not authorized.
Optionally, the apparatus 1010 includes an alert module 1018 which is responsive to an alert being triggered for issuing an alert. The alert module 1018 may be capable of issuing multiple different alerts which correspond to different alert situations (or respective alert indications). The alerts may include visual, audible and/or any other perceptible indication and combinations thereof. The alert may be intended to capture the attention of a voting supervisor or committee. The alert may also indicate to the voting supervisor or committee the circumstances which triggered the alert.
For example, a specific alert may be triggered in response to an indication from the authorization verifier 1012 that a certain portable communication unit is unauthorized. Specifically, by way of example, the alert module 1018 may be configured to issue a specific alert in response to an indication that a portable communication unit is unauthorized for use in the respective polling station. Still further by way of example, the alert module 1018 may be configured to issue a specific alert in response to an indication that a portable communication unit does not originate from an acceptable source. Other types of alerts which may be issued by the alert module 1018 are described below.
In some embodiments, the apparatus 1010 further includes a unit communicator 1013 such as a contactless smart card reader, as known in the art. The unit communicator 1013 communicates with the portable communication unit (say a smart card) via a contactless link using a wireless connectivity capacity of the communication unit, as described in further detail below. The unit communicator 1013 may be operatively connected to the authorization verifier 1012.
For example, the unit communicator 1013 is utilized by the authorization verifier 1012 to communicate with the portable communication unit as part of a verification routine implemented by the authorization verifier 1012 for verifying that the authorization key(s) are recorded on the communication unit.
According to some embodiments, the apparatus 1010 may further include a vote verifier 1014. The vote verifier may be adapted to verify that a vote is recorded on a portable communication unit. The vote verifier 1014 may also utilize the unit communicator 1013.
According to some embodiments, the vote verifier 1014 may be adapted to determine whether (any) data is stored within a certain location (e.g., a specific storage location) within a memory module of the portable communication unit. The location probed by the vote verifier may be designated for storing vote data corresponding to a vote of the respective voter.
In further embodiments, the vote verifier 1014 may be adapted to search within a memory module of the portable communication unit for a certain predefined signature or pattern which represents the respective voter's vote.
In some embodiments, the data representing the respective voter's vote may be encrypted and the vote verifier 1014 may not be able to read the actual vote of the respective voter but only to determine that the vote exists on the portable communication unit or not.
As described herein, vote reading is a restricted activity and certain control measures may be in place to protect the vote data and to strictly control the vote data reading process.
In some embodiments, the vote verifier 1014 may be adapted to verify that there isn't more than one vote recorded on the portable communication units.
In case the vote verifier 1014 determines that vote data on the portable communication unit is invalid, for example because the vote data is missing or because there is more than one vote recorded on the portable communication unit, the vote verifier 1014 may issue an invalid vote data indication. According to some embodiments, an invalid vote data indication may cause the alert module 1018 to issue an alert. The alert may be specifically indicative of invalid vote data. Optionally, a specific alert may be issued in case the indication from the vote verifier 1014 is associated with missing vote data and a different specific alert is issued in case the vote verifier detects two or more votes on the communication unit.
Optionally, the apparatus 1010 includes a voting card tester 1016. The voting card tester 1016 may also utilize the unit communicator 1013. The voting card tester 1016 may implement a predefined voting card test routine with respect to the portable communication unit. In some embodiments, the voting card test routine may include tests which are intended to detect attempts to tamper with the portable communication unit or with the data stored therein.
For example, the voting card test routine may interrogate different physical locations within the memory where anti-tamper data is kept, such as a counter of the number of writes performed into the communication unit. Resetting the writes counter may require a specific (confidential) code or an external programmer, for example, a counting code described herein, or in another example the writes counter is reset once the vote has been decrypted.
According to a further example, the voting card test routine may interrogate a communication log for unauthorized communications. Examples of unauthorized communications include, but are not limited to communication with unauthorized communication devices and/or communications at unauthorized times or outside an authorized sequence.
In further embodiments, the voting card test routine may include tests which are intended to verify that the portable communication unit is functioning properly and that there is no malfunction. Such tests may include communication tests (e.g., ping), electrical tests, physical integrity tests, storage integrity tests, etc.
In case the voting card tester 1016 determines that a portable communication unit has failed the test routine, for example because a tamper attempt is detected or because the communication unit has been diagnosed as malfunctioning, a unit failed indication may be issued by the voting card tester 1016.
According to some embodiments, a unit failed indication may cause the alert module 1018 to issue an alert. Optionally, a different alert is issued for each type of test failure, for example a specific alert is associated with a tamper attempt and a different alert is associated with a malfunctioning communication unit.
As is shown in FIG. 10, and according to some embodiments, the vote verifier 1014 may be part of the voting card tester 1016, and the vote verification routine may be part of the general test routine implemented by the voting card tester 1016.
In some embodiments, the voting card test routine may be independent of the authorization routine or according to further embodiments it may be implemented in series with the authorization routine providing that the communication unit is determined to be authorized.
In some embodiments, the apparatus 1010 is implemented on or is associated with a standalone computer, i.e. a computer having no connection to any communication network or to any other computer, apart from the portable communication units. Consequently, the apparatus 1010 may be physically isolated from potential interference by a malicious party.
According to some embodiments, the apparatus 1010 is incorporated into a ballot box 1020. For example, the apparatus is located adjacent to the ballot box slot 1022. Further by way of example, the location may be selected so that every communication unit dropped through the slot 1022 must go through the apparatus 1010 at least in the sense that the apparatus 1010 can establish communication with the card and complete the authorization and test routines.
According to further embodiments, the location of the slot 1022 and of the apparatus 1010 on (or in) the ballot box 1020 is selected so that there is always a substantial distance between a communication unit being dropped through the slot and into the box 1020 and any of the previously cast communication units. In still further embodiments, the location of the slot 1022 and of the apparatus 1010 on (or in) the ballot box 1020 is at least a few centimeters above and/or away from any of the previously cast communication units.
Reference is now made to Fig. 4, which is a block diagram illustrating a portable voting card for electronic voting in a polling station, according to an embodiment of the present invention.
The portable voting card 4000 is an implementation of a portable communication unit, according to an embodiment of the present invention.
Optionally, the portable voting card 4000 is implemented on a smart card, which has wireless connectivity capacity (i.e. a contactless smart card).
The portable voting card 4000 includes a vote receiver 410.
The vote receiver 410 receives a vote communicated to the portable voting card, say a vote communicated to the portable voting card by the vote communicator 130, as described in further detail hereinabove.
The portable voting card 4000 further includes a memory 420, say a computer EEPROM (Electrically Erasable Programmable Read-Only Memory) memory, or another non-volatile computer memory, as known in the art. The memory is used for storing the vote on the card.
The portable voting card 4000 further includes a vote recorder 430, in communication with the vote receiver 410 and the memory 420.
The vote recorder 430 records the communicated vote on the memory 420.
Optionally, the vote recorder 430 verifies that the vote received originates from an authorized source, prior to recording the vote on the memory 420. For example, the vote recorder 430 may verify that a party the vote originates from (say apparatus 1000) has a polling station vote recording authorization key, using a challenge-response method, as known in the art. If the party fails to provide a predefined response to the challenge (where the response is indicative of availability of the authorization key, say on a SAM card connected to apparatus 1000), the vote recorder 430 refuses to record the vote, and an appropriate error message is communicated to the party, using the vote receiver 410.
Optionally, the voting card 4000 further includes a random number generator, in communication with the memory 420. The random number generator generates a random number. The random number uniquely identifies the voting card. The random number may be used to prevent counting more than one vote for a specific voting card (i.e. a specific portable communication unit), as described in further detail hereinabove.
Reference is now made to Fig. 5, which is a block diagram illustrating a portable voting services card for electronic voting in a polling station, according to an embodiment of the present invention.
A portable voting services card 5000 may be implemented on a smart card, such as a SAM (Secured Authentication Module) card. A SAM card is a smart card suitable for decryption and encryption, as known in the art.
The portable voting services card 5000 includes a mode switcher 510.
The voting services card 5000 has two modes: a voting mode and a counting mode. The voting mode is a default mode the card 5000 is initially switched to.
The mode switcher 510 may be operated by a user (say an official person in charge of the polling station), for switching the card from the voting mode to a counting mode. For example, the user may input a counting code predefined and provided by a central authority, for switching the card to the counting mode, as described in further detail hereinbelow.
Optionally, the mode switcher 510 is unidirectional, and cannot switch the card from the counting mode back to the voting mode.
Optionally, the counting code is a form of a PIN (Personal Identification Number), as known in the art.
Optionally, the counting code is generated from a unique number identifying the portable voting services card 5000 (say, the card's serial number, as assigned by the factory that manufactures the card), and is thus generated specifically to that card 5000.
The counting code may be generated using key diversification techniques, as known in the art. The counting code may be generated by a central authority (say a national elections committee) and recorded on the card 5000, as described in further detail hereinbelow.
When a code is input by the user, the mode switcher 510 compares the input code with the counting code stored on the card 5000. If the two codes are identical, the mode switcher 510 switches the card to the counting mode.
For example, a specific voting services card used in the vote verification booth may be switched to the counting mode, say upon inputting of the counting code for the specific card. The specific card's counting code is generated by a central authority (say a national elections committee), and sent to the polling station, say by SMS (Short Messages Service), etc.
The portable voting services card 5000 further includes a vote receiver 520, in communication with the mode switcher 510.
The vote receiver 520 receives a vote communicated to the voting service card 5000.
In a first example, the vote receiver 520 receives a vote cast by a voter, using the vote caster 120 of apparatus 1000, and communicated to the card 5000, for encryption, as described in further detail hereinbelow.
In accordance with a further example, the vote receiver 520 receives an encrypted vote read from a portable communication unit, using the vote reader 220 of apparatus 2000, or the vote reader 320 of apparatus 3000. The encrypted vote is communicated to the card 5000, for decryption, as described in further detail hereinbelow.
The portable voting services card 5000 further includes an encryptor 530, in communication with the vote receiver 520.
The encryptor 530 encrypts the received vote, provided the card is in the voting mode.
Optionally, the encryptor 530 encrypts the vote, using a key specific to the polling station, also referred to hereinabove as the ballot key, as described in further detail hereinbelow. Optionally, the ballot key is generated in the polling station, say using a dedicated smart card, and copied to the voting services card 5000.
The portable voting services card 5000 further includes a decryptor 540, in communication with the vote receiver 520.
The decryptor 540 decrypts the received vote, provided the card is in the counting mode.
Optionally, the decryptor 540 decrypts the vote cast by the voter, using the key specific to the polling station, also referred to hereinabove as the ballot key as described in further detail hereinbelow.
Optionally, the voting services card 5000 further includes a vote recorder, in communication with the vote receiver 520.
The vote recorder records the received vote on the voting services card 5000 (say on a non-volatile computer memory, integrated in a smart card the voting services card 5000 is implemented on), provided the voting services card 5000 is in the voting mode.
Optionally, the voting services card 5000 further includes a vote counter, in communication with the vote receiver 520.
The vote counter counts votes recorded on the voting services card 5000.
Optionally, the vote receiver further outputs the vote as encrypted by the encryptor 530, say by communicating the encrypted vote back to the vote caster 120 of apparatus 1000.
Optionally, the vote receiver further outputs the vote as decrypted by the decryptor 540, say by communicating the decrypted vote back to the vote reader 220 of apparatus 2000, or the vote reader 320 of apparatus 3000.
Reference is now made to Fig. 6, which is a flowchart illustrating a method of electronic voting in a polling station, according to an embodiment of the present invention.
Optionally, the first method for electronic voting in a polling station is used in a voting booth, in the polling station. In one method according to an embodiment of the present invention, there is verified 610 that one or more portable communication units, each portable communication unit provided to a respective voter, is authorized for use in the polling station. Optionally, the unit is verified 610 as authorized by the authorization verifier 110, as described in further detail hereinabove.
Optionally, there is used an authorization key specific to the polling station, for verifying that the communication unit is authorized for use in the polling station, as described in further detail herein.
Optionally, there is used an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
For example, the authorization verifier 110 may use a global key provided by a central authority (say a national election committee), and recorded on each portable communication unit authorized for use by the central authority, as described in further detail herein.
The portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, a Laptop Computer, etc., as known in the art.
Next, the voter is allowed 620 to cast a vote, provided the portable communication unit is verified as authorized for use in the polling station, and as long as the communication unit is present in the voting booth. Optionally, the communication unit is verified as authorized using the authorization key specific to the polling station, as described in further detail herein.
The cast vote is communicated 630 to the portable communication unit, for recording on the portable communication unit, as described in further detail herein.
Optionally, use of each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail herein.
Optionally, the cast vote is encrypted, say using a key specific to the polling station, and the vote is communicated 630 to the portable communication unit, as encrypted. The key specific to the polling station is also referred to hereinabove as the ballot key.
Optionally, the encryption is carried out using a smart card, say the portable voting services card 5000, as described in further detail hereinabove.
Optionally, once the counting code mentioned above is input, the casting of votes is stopped, and the votes recorded on the portable communication units may be counted, as described in further detail hereinabove.
Reference is now made to Fig. 7, which is a flowchart illustrating a further method of electronic voting in a polling station, according to an embodiment of the present invention.
Optionally, the following method for electronic voting in a polling station is used in a vote verification booth, in the polling station.
According to some embodiments, there is verified 710 that one or more portable communication units, each portable communication unit provided to a respective voter, is authorized for use in the polling station, say by the authorization verifier 210, as described in further detail hereinabove.
The portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, etc., as known in the art, as described in further detail hereinabove. Optionally, the verifying 710 that the portable communication unit is authorized for use in the polling station, is carried out using an authorization key specific to the polling station, as described in further detail hereinabove.
Optionally, the verifying 710 that the portable communication unit is authorized for use in the polling station, is carried out using an authorization key indicating that the portable communication unit originates from an acceptable source, as described in further detail hereinabove.
Next, there is read 720 a vote recorded on the portable communication unit, provided that the portable communication unit is verified as authorized for use in the polling station. The read vote is presented 730 to the voter, thereby allowing the voter to verify the vote recorded on the communication unit reflects a vote the voter intends to cast.
Optionally, use of each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
Optionally, the read vote is decrypted, say using the ballot key, which is a key specific to the polling station, and presented 730 to the voter as decrypted.
Optionally, the decryption is carried out using a smart card, say a portable voting services card 5000, as described in further detail hereinabove.
Reference is now made to Fig. 8, which is a flowchart illustrating a further method of electronic voting in a polling station, according to an embodiment of the present invention.
In a method according to an embodiment of the present invention, there is verified 810 that portable communication units, each portable communication unit provided to a respective voter, are authorized for use in the polling station, say by the authorization verifier 310, as described in further detail hereinabove.
The portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Laptop Computer, etc., as known in the art. Optionally, the verifying 810 that the portable communication units are authorized for use in the polling station, is carried out using an authorization key specific to the polling station, as described in further detail hereinabove.
Optionally, the verifying 810 that the portable communication units are authorized for use in the polling station, is carried out using an authorization key indicating the portable communication units originate from an acceptable source, as described in further detail hereinabove.
Next, the votes recorded on the units (each vote on a specific one of the portable communication units) are read 820, provided the portable communication unit is verified as authorized for use in the polling station. Optionally, each of the read votes is decrypted, using a key specific to the polling station, as described in further detail hereinabove.
Finally, the read votes are counted 830, say by the vote counter 330, as described in further detail hereinabove.
Optionally, use of each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted, as described in further detail hereinbelow.
Optionally, there is further prevented counting of more than one vote for each specific communication unit, (say using a random number generated on the communication unit for uniquely identifying the communication unit), as described in further detail hereinabove.
Optionally, the read votes may be counted only upon inputting of a predefined counting code.
Optionally, the counting code may be issued by a central authority (such as a national election committee). That is to say that no counting of votes is allowed until the counting code is input.
For example, the central authority may provide a person in charge of the polling station with the counting code for starting the counting 830 of votes. The person in charge of the polling station inputs the counting code to the mode switcher 510 of a portable voting services card 5000. The portable voting services card 5000 is dedicated to counting the votes recorded on the portable communication units.
Consequently, the mode switcher 510 switches the card 5000 to the counting mode, and the card 5000 may be used for decrypting and counting the votes recorded on the communication units, as described in further detail hereinabove.
Optionally, the counting code is a form of a PIN (Personal Identification Number), as known in the art. The counting code may be generated from a number uniquely identifying the communication unit (say, the unit's serial number assigned by the factory that manufactures the unit). Optionally, the counting code is generated using key diversification techniques, as known in the art.
Reference is now made to Fig. 11, which is a flowchart illustrating a method of electronic voting in a polling station, according to an embodiment of the present invention.
Optionally, the first method for electronic voting in a polling station is used in a ballot box, in a polling station.
In one method according to an embodiment of the present invention, a ballot box slot or any other voting card deposit location is monitored for detecting a casting of a portable communication unit into the ballot box (block 1110). For example, the apparatus 1010 described above with reference to Fig. 10 may be used to monitor cast portable communication units. The unit communicator 1013 may sense a portable communication card being cast, for example, when the card is located in vicinity to the ballot box slot, say less than a few centimeters.
A portable communication unit such as the communication unit reference 4000 is described in detail above. In response to detecting a casting of a portable communication unit into the ballot box (block 1110), the portable communication unit is checked to verify that it is authorized (block 1120). For example, an authorization verifier may be used as described in further detail hereinabove. Further by way of example, the authorization verifier 1012 may implement and control a verification routine. Optionally, there is used an authorization key specific to the polling station, for verifying that the communication unit is authorized for use in the polling station, as described in further detail herein.
Optionally, there is used an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
For example, the authorization verifier 1012 may use a global key provided by a central authority (say a national election committee), and recorded on each portable communication unit authorized for use by the central authority, as described in further detail herein. In case the portable communication unit is determined to be unauthorized, an alert may be triggered (block 1150). For example, the alert may be issued by an alert module 1018 as described hereinabove.
The portable communication unit may be implemented on a Smart Card, a Personal Digital Assistant (PDA), a Tablet Computer, a Laptop Computer, etc., as known in the art.
Additionally, further in response to detecting a casting of a portable communication unit into the ballot box (block 1110), the vote on the portable communication unit is checked (block 1130). The vote check routine may be implemented in series with the verification routine or in parallel with the verification routine and contingent upon the portable communication unit being authorized (block 1120). For example, the vote verifier 1014 described above may be used for implementing and controlling a vote check routine. Optional vote checks were discussed above in further detail.
Optionally, the cast vote is encrypted, and cannot be read by the apparatus 1010.
In case the portable communication unit is determined to be missing valid vote data (or to include invalid vote data), an alert may be triggered (block 1150). For example, the alert may be issued by an alert module 1018 as described hereinabove.
Optionally, still further in response to detecting a casting of a portable communication unit into the ballot box (block 1110), the operability and the integrity of the portable communication unit are checked (block 1140), say via a communication unit test routine. By way of example, the communication unit test routine may be implemented by a voting card tester 1016, as was described above. The details of the communication unit test routine were discussed above in detail. In case the portable communication unit is determined to be malfunctioning or if a tamper attempt is detected, an alert may be triggered (block 1150).
According to some embodiments, if each one of the authorization routine, the vote check routine and the communication unit test routine is concluded successfully, the interaction of the apparatus 1010 with the respective portable communication unit ends and the apparatus 1010 waits for the next portable communication unit that is cast into the ballot box (block 1160).
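The checks of blocks 1120 to 1150 can be sketched as a single intake routine. This is an added example, not code from the patent: the snapshot fields, the log format, the station policy and the rule that the write counter must match the logged vote writes are assumptions, and the authorization result is taken as an input from the separate challenge-response routine.

```python
from dataclasses import dataclass, field
from enum import Enum


class Alert(Enum):
    UNAUTHORIZED = "unit not authorized for this polling station"
    VOTE_MISSING = "no vote recorded on unit"
    VOTE_MULTIPLE = "more than one vote recorded on unit"
    TAMPER = "tamper attempt detected"
    MALFUNCTION = "unit malfunction"


@dataclass(frozen=True)
class LogEntry:
    device_id: str  # station device that communicated with the unit
    minute: int     # minutes since midnight
    op: str         # "AUTH", "WRITE_VOTE" or "READ_VOTE"


@dataclass
class CardSnapshot:
    """What the ballot-box apparatus reads from a unit passing the slot (assumed layout)."""
    answered_ping: bool
    storage_ok: bool
    authorized: bool     # outcome of the authorization routine (block 1120)
    vote_records: list   # encrypted votes; opaque to the ballot box
    write_counter: int   # anti-tamper counter of writes into the unit
    comm_log: list = field(default_factory=list)


@dataclass(frozen=True)
class StationPolicy:
    known_devices: frozenset
    open_minute: int
    close_minute: int
    max_writes: int = 1  # assumption: one vote means one write


def tamper_findings(card, policy):
    """Return human-readable reasons why the unit looks tampered with."""
    findings = []
    writes_logged = sum(1 for e in card.comm_log if e.op == "WRITE_VOTE")
    if card.write_counter > policy.max_writes:
        findings.append("write counter exceeds one vote")
    if card.write_counter != writes_logged:
        findings.append("write counter does not match logged writes")
    prev = None
    for e in card.comm_log:
        if e.device_id not in policy.known_devices:
            findings.append(f"unknown device {e.device_id}")
        if not policy.open_minute <= e.minute <= policy.close_minute:
            findings.append(f"communication outside polling hours at minute {e.minute}")
        if prev is not None and e.minute < prev.minute:
            findings.append("log timestamps go backwards")
        # Authorized sequence: every vote access directly follows an AUTH by the same device.
        if e.op != "AUTH" and (prev is None or prev.op != "AUTH"
                               or prev.device_id != e.device_id):
            findings.append(f"{e.op} without preceding authorization")
        prev = e
    return findings


def inspect_cast_unit(card, policy):
    """Return the alerts to raise for one cast unit; an empty list means accept."""
    if not (card.answered_ping and card.storage_ok):
        return [Alert.MALFUNCTION]   # nothing else can be trusted
    if not card.authorized:
        return [Alert.UNAUTHORIZED]  # vote check is contingent on authorization
    alerts = []
    if len(card.vote_records) == 0:
        alerts.append(Alert.VOTE_MISSING)
    elif len(card.vote_records) > 1:
        alerts.append(Alert.VOTE_MULTIPLE)
    if tamper_findings(card, policy):
        alerts.append(Alert.TAMPER)
    return alerts
```
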
Reference is now made to Fig. 9, which is a flowchart illustrating a further method for electronic voting in a polling station, according to an embodiment of the present invention.
In an embodiment of a method of electronic voting in a polling station, portable communication units (say voting cards 4000) are authorized 910 for use in the polling station.
Optionally, the communication units are authorized 910 for use in the polling station, using an authorization key specific to the polling station, an authorization key indicating the portable communication units originate from an acceptable source, a combination of the two authorization keys, etc.
Optionally, the communication units are authorized 910 in the polling station, by recording the authorization key specific to the polling station on each communication unit. For example, the authorization key specific to the polling station may be a random number generated on a smart card dedicated for authorizing, say a voting card 4000. The random number uniquely identifies the voting card 4000. The random number is generated by the random number generator of the card 4000, as described in further detail hereinabove. The random number generated on the dedicated voting card 4000 is copied to each of the portable communication units, thus authorizing the communication unit for use in the polling station.
The random number is also copied to the authorization verifiers 110, 210, 310, which may verify that the portable communication unit is authorized for use in the polling station, for example through a challenge-response method, as known in the art.
Optionally, the challenge-response method may be used to check that the authorization key specific to the polling station is recorded on the communication unit. Optionally, the challenge-response method is further used to check that a global key, which indicates that the portable communication units originate from an acceptable source (say, the national elections committee), is also recorded on the portable communication unit. Optionally, the global key is recorded on the portable communication unit, as a part of a global initialization step, carried out by a central authority in charge of elections (such as a national elections committee), as described in further detail hereinbelow.
The authorized communication units are provided 920 to voters, each one of the units provided to a respective one of the voters.
Optionally, there is further used a registered voter list for the polling station, say a voter list stored on a dedicated database in a polling station. The voter list may be used to ensure that each voter provided with one of the portable communication units is registered to vote in the polling station, and to guarantee that no voter casts a double vote, as described in further detail hereinbelow.
Each voter, provided with one of the communication units, is allowed 930 to cast a vote, using the portable communication unit provided 920 to the voter, and the cast vote is recorded 940 on the portable communication unit.
Optionally, use of each of the communication units is limited to a specific voter, until the vote cast by the specific voter and recorded on the portable communication unit is counted. Optionally, after the voter casts the vote, and the vote is recorded on the portable communication unit, the vote is read and counted 950 from the communication unit, say using apparatus 3000, as described in further detail hereinabove. Then, the vote is erased from the portable communication unit, and the communication unit may be used by another voter. Alternatively, after the voter casts the vote and the vote is recorded on the portable communication unit, the voter returns the communication unit, say by depositing the communication unit in a dedicated ballot box. After all the voters have cast their votes, all the votes recorded on the portable communication units are counted, say using apparatus 3000. That is to say that use of each portable communication unit is limited to a respective voter, until all votes are counted.
Optionally, there is further prevented counting more than a single vote for each respective communication unit, say using a random number generated on the communication unit for uniquely identifying the communication unit, as described in further detail hereinabove.
Optionally, if the communication unit is used by more than one voter before all votes are counted, a new random number is generated each time the communication unit is provided to a new user. The voter is crossed out of the registered voter list (or marked accordingly) for the polling station upon counting his vote, thus preventing the voter from casting more than one vote. However, use of each of the communication units may be limited to a specific voter, until the vote cast by the specific voter is counted, and the new random number is generated.
Optionally, the cast vote is encrypted prior to the recording 940 of the vote on the portable communication unit, using the key specific to the polling station (i.e. the ballot key), as described in further detail hereinabove.
Optionally, the votes recorded on the portable communication units may be counted only upon inputting of a predefined counting code.
For example, the counting code may be issued by a central authority (such as a national election committee), at an elections day end. That is to say that no counting of votes is allowed until the counting code is input, as described in further detail hereinabove.
Optionally, the counting code is in the form of the PIN (Personal Identification Number) generated and recorded on the voting services card 5000, by the central authority.
A voting services card 5000 may be used for implementing the decryptor and counter of apparatus 3000.
Once a counting code identical to the PIN recorded on the card 5000 is input to the card 5000, the mode switcher 510 switches the card 5000 to the counting mode. Consequently, the card 5000 may be used for decrypting and counting the votes recorded on the portable communication units, as described in further detail hereinabove.
Optionally, once the counting code is received, the counting code is further used to block any further vote casting in the polling station. For example, the vote caster 120 of apparatus 1000 may stop casting votes, thus preventing voting after the counting of votes has started, as described in further detail hereinabove.
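The voting services card 5000 behaviour described above and with reference to Fig. 5 (one-way mode switcher 510, per-card counting code, encryptor limited to voting mode, decryptor and counter limited to counting mode, one counted vote per unit) can be modelled as follows. This is an added example, not code from the patent: the HMAC-based key diversification, the salted-hash storage of the counting code, the three-attempt limit, the fixed-length padding and the HMAC keystream standing in for the card's real cipher are all assumptions.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumption: the page does not specify a retry limit
PAD = 32          # assumption: votes are padded so ciphertext length reveals nothing


def derive_counting_code(master_key: bytes, serial: str, digits: int = 8) -> str:
    """Key diversification: per-card code from the authority's key and the card serial."""
    mac = hmac.new(master_key, b"counting-code|" + serial.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class VotingServicesCard:
    def __init__(self, serial: str, counting_code: str, ballot_key: bytes):
        self.serial = serial
        self.mode = "voting"  # default mode
        self._salt = secrets.token_bytes(16)
        self._code_hash = self._hash(counting_code)  # the code is not kept in the clear
        self._enc_key = hmac.new(ballot_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(ballot_key, b"mac", hashlib.sha256).digest()
        self._attempts_left = MAX_ATTEMPTS
        self._counted_units = set()
        self.tally = {}

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 10_000)

    def switch_to_counting(self, code: str) -> bool:
        """Mode switcher: one-way, and blocked after MAX_ATTEMPTS wrong codes."""
        if self.mode == "counting":
            return True
        if self._attempts_left == 0:
            raise PermissionError("card blocked after repeated wrong codes")
        if hmac.compare_digest(self._hash(code), self._code_hash):
            self.mode = "counting"  # nothing in this class sets it back to "voting"
            return True
        self._attempts_left -= 1
        return False

    def encrypt(self, vote: str) -> bytes:
        if self.mode != "voting":
            raise PermissionError("encryptor only works in voting mode")
        nonce = secrets.token_bytes(12)
        body = _xor_stream(self._enc_key, nonce, vote.encode().ljust(PAD, b"\0"))
        tag = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt_and_count(self, unit_id: bytes, blob: bytes) -> str:
        """unit_id is the random number that uniquely identifies the communication unit."""
        if self.mode != "counting":
            raise PermissionError("decryptor only works in counting mode")
        nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("vote failed integrity check")
        if unit_id in self._counted_units:
            raise ValueError("a vote was already counted for this unit")
        self._counted_units.add(unit_id)
        vote = _xor_stream(self._enc_key, nonce, body).rstrip(b"\0").decode()
        self.tally[vote] = self.tally.get(vote, 0) + 1
        return vote
```

A card that has been switched to counting mode refuses to encrypt, which is how the counting code also stops further vote casting on that card.
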
Optionally, a central authority carries out a global initialization step on portable communication units (say voting cards 4000), and voting services cards 5000 used as parts of the apparatuses 1000, 2000, 3000, as described in further detail hereinabove.
In the global initialization step, there is recorded on the voting card(s) 4000, voting services card(s) 5000, or both, the global key which indicates that the card originates from the central authority (i.e. that the card originates from an acceptable source).
The global initialization step may further include recording the counting code (say a PIN) on the voting services card(s) 5000, where the counting code is hidden or encrypted, thus blocking reading of the counting code from the card 5000.
Optionally, the global initialization step further includes recording on the card a factory serial number unique to the card, an indication of the role of the card, or both.
A voting card may be a portable communication unit, or an authorization card, as described in further detail hereinabove.
Voting services cards may be used in a voting booth (i.e. as a part of apparatus 1000), used in a vote verification booth (i.e. as a part of apparatus 2000), or as a part of apparatus 3000 (i.e. for decrypting and counting votes read from the communication units).
After the global initialization step, the cards 4000, 5000 may be distributed to the polling stations. In the polling stations, the voting cards 4000 may be provided to voters, and the voting services cards 5000 may be used for the apparatuses 1000, 2000, and 3000, as described in further detail hereinabove. Optionally, in each polling station, there is carried out a local initialization step, prior to using the voting services cards 5000, and providing the voting cards 4000 (i.e. portable communication units) to voters.
Optionally, in the local initialization step, one of the voting cards 4000 is used as an authorization card specific to the polling station. On the authorization card, there is generated a random number unique to the authorization card. The random number is copied to each one of the mobile communication units (say voter cards 4000), and used as an authorization key for the specific polling station. The random number is also copied to the authorization verifier 110, 210, or 310, thus allowing the verifier to verify that the mobile communication unit is authorized for use in the polling station, through a challenge-response method, as described in further detail hereinabove.
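The local initialization step and the challenge-response check that relies on it, including the optional global key check, can be sketched as follows. This is an added example, not code from the patent: the text only refers to a challenge-response method as known in the art, so the nested HMAC-SHA256 response, the single-use nonce bookkeeping and the names `PortableUnit`, `AuthorizationVerifier`, `local_initialization` and `is_authorized` are assumptions.

```python
import hashlib
import hmac
import secrets


def _response(station_key: bytes, global_key: bytes, challenge: bytes) -> bytes:
    """One response that can only be computed with BOTH keys (assumed construction)."""
    inner = hmac.new(global_key, b"origin|" + challenge, hashlib.sha256).digest()
    return hmac.new(station_key, b"station|" + inner, hashlib.sha256).digest()


class PortableUnit:
    """Voting card: keys are written once and are never read back from the card."""

    def __init__(self, global_key: bytes):
        self._global_key = global_key  # recorded in the global initialization step
        self._station_key = None       # recorded in the local initialization step

    def record_station_key(self, key: bytes) -> None:
        if self._station_key is not None:
            raise PermissionError("unit is already bound to a polling station")
        self._station_key = key

    def answer(self, challenge: bytes) -> bytes:
        if self._station_key is None:
            return bytes(32)  # uninitialized unit cannot produce a valid response
        return _response(self._station_key, self._global_key, challenge)


class AuthorizationVerifier:
    """Holds a copy of the station key and global key, e.g. on a SAM card."""

    def __init__(self, station_key: bytes, global_key: bytes):
        self._station_key = station_key
        self._global_key = global_key
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False                      # unknown or already-used challenge (replay)
        self._outstanding.discard(challenge)  # each challenge is accepted once
        expected = _response(self._station_key, self._global_key, challenge)
        return hmac.compare_digest(expected, response)


def local_initialization(units, global_key: bytes) -> AuthorizationVerifier:
    """Generate the station's random number, copy it to every unit and to the verifier."""
    station_key = secrets.token_bytes(16)  # random number from the authorization card
    for unit in units:
        unit.record_station_key(station_key)
    return AuthorizationVerifier(station_key, global_key)


def is_authorized(verifier: AuthorizationVerifier, unit: PortableUnit) -> bool:
    nonce = verifier.challenge()
    return verifier.verify(nonce, unit.answer(nonce))
```
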
Optionally, the local initialization step further includes switching one of the voting services cards 5000 to the counting mode, say using a counting code (say a PIN) for the specific voting services card 5000. The card 5000 may be used in the vote verification booth, as a part of apparatus 3000, as described in further detail hereinabove.
Optionally, the voting services cards 5000 are initialized in a default mode, i.e. the voting mode, as a part of the global initialization carried out by the central authority. Alternatively, the voting services cards are distributed to the polling stations without a default mode, and set to the voting mode as a part of the local initialization step. However, the switching of a voting services card 5000 to a counting mode is carried out using a counting code specific to the card 5000. The counting code specific to the card is provided by the central authority, say using SMS (Short Messages Service), by phone, etc., as described in further detail hereinabove.
It is expected that during the life of this patent, many relevant devices and systems will be developed and the scope of the terms herein, particularly of the terms "Smart Card" and "SAM (Secured Authentication Module)", is intended to include all such new technologies a priori.
It is appreciated that certain features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable sub-combination.
Although the invention has been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications, and variations will be apparent to those skilled in the art. Accordingly, it is intended to embrace all such alternatives, modifications and variations that fall within the spirit and broad scope of the appended claims.
All publications, patents and patent applications mentioned in this specification are herein incorporated in their entirety by reference into the specification, to the same extent as if each individual publication, patent or patent application was specifically and individually indicated to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present invention.

Claims

1. Apparatus for electronic voting in a polling station, the apparatus comprising: an authorization verifier, configured to verify that at least one portable communication unit provided to a respective voter, is authorized for use in the polling station; a vote caster, in communication with said authorization verifier, operable by the voter, for casting a vote, provided the portable communication unit is verified as authorized for use in the polling station; and a vote communicator, in communication with said vote caster and configured to communicate the vote to the portable communication unit, for recording on the portable communication unit.
2. The apparatus of claim 1, wherein use of each of the communication units is exclusively associated with a specific voter, and the use of the communication unit is limited to a respective voter.
3. The apparatus of claim 1, wherein the portable communication unit is implemented on a smart card.
4. The apparatus of claim 1, further comprising an encryptor, in communication with said vote caster, configured to encrypt the cast vote using a key specific to the polling station, wherein said vote communicator is further configured to communicate the vote as encrypted by said encryptor.
5. The apparatus of claim 1, further comprising an encryptor, in communication with said vote caster, configured to encrypt the cast vote using a key specific to the polling station, and implemented on a smart card, wherein said vote communicator is further configured to communicate the vote as encrypted by said encryptor.
6. The apparatus of claim 1, wherein said authorization verifier is further configured to use an authorization key specific to the polling station, for verifying that the portable communication unit is authorized for use in the polling station.
7. The apparatus of claim 1, wherein said authorization verifier is further configured to use an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
8. The apparatus of claim 1, further comprising a vote recorder, in communication with said vote caster, configured to record the cast votes.
9. The apparatus of claim 1, further comprising a vote recorder, in communication with said vote caster, configured to record the cast votes, and implemented on a smart card.
10. The apparatus of claim 1, further comprising a vote recorder, in communication with said vote caster, configured to record the cast votes and prevent recording of more than one vote for a respective communication unit.
11. The apparatus of claim 1, further comprising a vote recorder, in communication with said vote caster, configured to record the cast votes and prevent recording of more than one vote for a respective communication unit, using a random number generated on the communication unit for uniquely identifying the communication unit.
12. The apparatus of claim 1, further comprising a vote counter, in communication with said vote caster, configured to count the cast votes.
13. The apparatus of claim 1, further comprising a vote counter, in communication with said vote caster, configured to count the cast votes.
14. The apparatus of claim 13, wherein said vote counter is further configured to present a result of said vote count, provided that a predefined code is input to the apparatus.
15. The apparatus of claim 1, wherein said vote caster is further configured to stop casting votes once a predefined counting code is input to the apparatus.
16. The apparatus of claim 1, implemented on a standalone computer.
17. Apparatus for electronic voting in a polling station, the apparatus comprising: an authorization verifier, configured to verify at least one portable communication unit provided to a respective voter, is authorized for use in the polling station; a vote reader, in communication with said authorization verifier, configured to read a vote recorded on the portable communication unit, provided that the portable communication unit is verified as authorized for use in the polling station; and a vote presenter, in communication with said vote reader, configured to present the vote to the voter, thereby allowing the voter to verify the vote recorded on the communication unit reflects a vote the voter intends to cast.
18. The apparatus of claim 17, wherein use of each of the communication units is limited to a respective voter.
19. The apparatus of claim 17, wherein the portable communication unit is implemented on a smart card.
20. The apparatus of claim 17, further comprising a decryptor, in communication with said vote presenter, configured to decrypt the read vote using a key specific to the polling station.
21. The apparatus of claim 17, further comprising a decryptor, in communication with said vote presenter, implemented on a smart card and configured to decrypt the read vote using a key specific to the polling station.
22. The apparatus of claim 17, wherein said authorization verifier is further configured to use an authorization key specific to the polling station, for verifying that the portable communication unit is authorized for use in the polling station.
23. The apparatus of claim 17, wherein said authorization verifier is further configured to use an authorization key indicating the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
24. The apparatus of claim 17, implemented on a standalone computer.
25. Apparatus for electronic voting in a polling station, the apparatus comprising: an authorization verifier, configured to verify at least one portable communication unit provided to a respective voter, is authorized for use in the polling station; a vote reader, in communication with said authorization verifier, configured to read votes, each of the votes recorded on a respective one of the portable communication units, provided that the portable communication unit is verified as authorized for use in the polling station; and a vote counter, in communication with said vote reader, configured to count said read votes.
26. The apparatus of claim 25, wherein use of each one of the communication units is limited to a respective voter.
27. The apparatus of claim 25, wherein the portable communication unit is implemented on a smart card.
28. The apparatus of claim 25, further comprising a decryptor, in communication with said vote reader, configured to decrypt the read vote using a key specific to the polling station.
29. The apparatus of claim 25, further comprising a decryptor, in communication with said vote reader, configured to decrypt the read vote using a key specific to the polling station, implemented on a smart card.
30. The apparatus of claim 25, wherein said authorization verifier is further configured to use an authorization key specific to the polling station, for verifying that the portable communication unit is authorized for use in the polling station.
31. The apparatus of claim 25, wherein said authorization verifier is further configured to use an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
32. The apparatus of claim 25, wherein said vote counter is implemented on a smart card.
33. The apparatus of claim 25, wherein said vote counter is further configured to prevent counting of more than one vote for a respective communication unit.
34. The apparatus of claim 25, wherein said vote counter is further configured to prevent counting of more than one vote for a respective communication unit, using a random number generated on the communication unit for uniquely identifying the communication unit.
35. The apparatus of claim 25, wherein said vote counter is further configured to count the cast votes only upon inputting a predefined counting code to said vote counter.
36. The apparatus of claim 25, implemented on a standalone computer.
37. A portable voting card for electronic voting in a polling station, the card comprising: a vote receiver, configured to receive a vote communicated to the card; a storage module, for storing the vote on the card; and a vote recorder, in communication with said vote receiver and said storage module, configured to record the communicated vote on said storage module.
38. The voting card of claim 37, further comprising a random number generator, in communication with said storage module, configured to generate a random number uniquely identifying the voting card.
39. The voting card of claim 37, wherein said vote recorder is further configured to verify that the received vote originates from an authorized source, prior to the recording of the vote on said storage module.
40. A portable voting services card for electronic voting in a polling station, the card comprising: a mode switcher, operable for switching the card from a voting mode to a counting mode, by inputting a predefined counting code; a vote receiver, in communication with said mode switcher, configured to receive a vote communicated to the card; an encryptor, in communication with said vote receiver, configured to encrypt the received vote, provided the card is in the voting mode; and a decryptor, in communication with said vote receiver, configured to decrypt the received vote, provided that the card is in the counting mode.
41. The voting services card of claim 40, further comprising a vote recorder, in communication with said vote receiver, configured to record the received vote on said card, provided that the card is in the voting mode.
42. The voting services card of claim 40, further comprising a vote counter, in communication with said vote receiver, configured to count votes recorded on the card, provided that the card is in the counting mode.
43. Method for electronic voting in a polling station, the method comprising: verifying that a portable communication unit provided to a respective voter, is authorized for use in the polling station; allowing the voter to cast a vote, provided that the portable communication unit is verified as authorized for use in the polling station; and communicating the cast vote to the portable communication unit, for recording on the portable communication unit.
44. The method of claim 43, wherein use of each of the communication units is exclusively associated with a specific voter and the use of the communication unit is limited to a respective voter.
45. The method of claim 43, wherein the portable communication unit is implemented on a smart card.
46. The method of claim 43, further comprising encrypting the cast vote using a key specific to the polling station, wherein the cast vote is communicated to the portable communication unit as encrypted.
47. The method of claim 43, wherein said verifying that the portable communication unit is authorized for use in the polling station, is carried out using an authorization key specific to the polling station.
48. The method of claim 43, wherein said verifying that the portable communication unit is authorized for use in the polling station, is carried out using an authorization key indicating that the portable communication unit originates from an acceptable source.
49. Method for electronic voting in a polling station, the method comprising: verifying that a portable communication unit provided to a respective voter, is authorized for use in the polling station; reading a vote recorded on the portable communication unit, provided that the portable communication unit is verified as authorized for use in the polling station; and presenting the vote to the voter, thereby allowing the voter to verify that the vote recorded on the communication unit reflects a vote the voter intends to cast.
50. The method of claim 49, wherein use of each of the communication units is limited to a respective voter.
51. The method of claim 49, wherein the portable communication unit is implemented on a smart card.
52. The method of claim 49, further comprising decrypting the read vote using a key specific to the polling station.
53. The method of claim 49, wherein said verifying that the portable communication unit is authorized for use in the polling station, is carried out using an authorization key specific to the polling station.
54. The method of claim 49, wherein said verifying that the portable communication unit is authorized for use in the polling station, is carried out using an authorization key indicating that the portable communication unit originates from an acceptable source.
55. Method for electronic voting in a polling station, the method comprising: verifying that a plurality of portable communication units, each of the communication units provided to a respective voter, are authorized for use in the polling station; reading votes, each one of the votes recorded on a respective one of the portable communication units, provided that the portable communication unit is verified as authorized for use in the polling station; and counting the read votes.
56. The method of claim 55, wherein use of each of the communication units is limited to a respective voter.
57. The method of claim 55, wherein the portable communication unit is implemented on a smart card.
58. The method of claim 55, further comprising decrypting the read vote using a key specific to the polling station.
59. The method of claim 55, wherein said verifying that the portable communication unit is authorized for use in the polling station, is carried out using an authorization key specific to the polling station.
60. The method of claim 55, wherein said verifying that the portable communication unit is authorized for use in the polling station, is carried out using an authorization key indicating that the portable communication unit originates from an acceptable source.
61. The method of claim 55, further comprising preventing counting of more than one vote for a respective communication unit.
62. The method of claim 55, further comprising preventing counting of more than one vote for a respective communication unit, using a random number generated on the communication unit for uniquely identifying the communication unit.
63. The method of claim 55, wherein said counting the read votes is carried out only upon inputting of a predefined counting code.
64. Method for electronic voting in a polling station, the method comprising: authorizing a plurality of portable communication units for use in the polling station; providing the communication units to voters, each one of the units provided to a respective voter; allowing the voter to cast a vote, using said communication unit; recording the cast vote on the communication unit; counting the votes recorded on the communication units.
65. The method of claim 64, wherein use of each of the communication units is limited to a respective voter.
66. The method of claim 64, wherein the portable communication unit is implemented on a smart card.
67. The method of claim 64, further comprising encrypting the cast vote using a key specific to the polling station, prior to said recording the vote on the communication unit.
68. The method of claim 64, wherein said authorizing is carried out using an authorization key specific to the polling station.
69. The method of claim 64, further comprising preventing counting of more than one vote for a respective communication unit.
70. The method of claim 64, further comprising preventing counting of more than one vote for a respective communication unit, using a random number generated on the communication unit for uniquely identifying the communication unit.
71. The method of claim 64, wherein said counting the votes recorded on the communication units is carried out only upon inputting of a predefined counting code.
72. An apparatus for electronic voting in a polling station, the apparatus comprising: an authorization verifier, configured to verify that a portable communication unit provided to a respective voter is authorized for use in the polling station and is adapted to issue an alert indication in case the communication unit is unauthorized; a vote verifier configured to verify that a vote is recorded on said portable communication unit and is adapted to issue an alert indication in case no vote or more than one vote is recorded on the portable communication unit; and an alert module adapted to issue an alert in response to an alert indication from said authorization verifier and/or from said vote verifier.
73. The apparatus according to claim 72, further comprising a unit communicator adapted to establish a contactless communication link with the portable communication unit.
74. The apparatus according to claim 73, wherein said unit communicator includes a smart card communication interface adapted to establish a contactless communication link with a smart card.
75. The apparatus according to any one of claims 72-74, further comprising a voting card tester adapted to implement a predefined voting card test routine with respect to the portable communication unit and is adapted to issue an alert indication in case the communication unit is malfunctioned or is tampered with.
76. The apparatus according to any one of claims 72-75, wherein said authorization verifier is responsive to detecting on the portable communication device an authorization key specific to the polling station, for verifying that the portable communication unit is authorized for use in the polling station.
77. The apparatus according to any one of claims 72-76, wherein said authorization verifier is responsive to detecting on the portable communication device an authorization key indicating that the portable communication unit originates from an acceptable source, for verifying that the portable communication unit is authorized for use in the polling station.
78. The apparatus according to any one of claims 72-77, wherein said alert module is configured to issue a plurality of different alerts, each one of the plurality of alerts corresponding to a different alert indication.
79. The apparatus according to any one of claims 72-78, wherein the vote verifier is adapted to determine whether data is stored within a specific location within the portable communication unit designated for storing vote data corresponding to a vote of the respective voter.
80. The apparatus according to any one of claims 72-79, wherein the vote verifier is adapted to search within a memory module of the portable communication unit for a certain predefined signature or pattern which corresponds to a vote recorded in said communication unit.
81. The apparatus according to any one of claims 79-80, wherein the vote verifier avoids or is incapable of reading the actual vote data recorded in the portable communication unit.
82. The apparatus according to any one of claims 75-81, wherein the voting card tester is adapted to interrogate different physical locations within a memory module of the portable communication unit where anti-tamper data is kept.
83. The apparatus according to any one of claims 75-82, wherein the voting card tester is adapted to run operability tests on one or more components of the portable communication unit.
84. The apparatus according to any one of claims 72-83, wherein the apparatus is incorporated into a ballot box.
85. The apparatus according to claim 84, wherein the apparatus is located adjacently to the ballot box slot.
86. A method of electronic voting in a polling station, the method comprising: verifying that a portable communication unit provided to a respective voter is authorized for use in the polling station; verifying that a vote is recorded on the portable communication unit; issuing an alert in case the portable communication card is determined to be unauthorized or in case that no vote or more than one vote is detected in the communication unit.
87. The method according to claim 86, further comprising establishing a contactless communication link with the portable communication unit.
88. The method according to any one of claims 85-86, further comprising implementing a predefined voting card test routine with respect to the portable communication unit; and issuing an alert in case the portable communication unit is determined to be malfunctioned and/or in case a tamper attempt has been detected on the portable communication unit.
PCT/IL2009/000725 2008-07-23 2009-07-23 Electronic voting system WO2010010564A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL192999A IL192999A0 (en) 2008-07-23 2008-07-23 Electronic voting system
IL192999 2008-07-23

Publications (2)

Publication Number Publication Date
WO2010010564A2 (en) 2010-01-28
WO2010010564A3 WO2010010564A3 (en) 2010-10-07

Family

ID=41119859

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2009/000725 WO2010010564A2 (en) 2008-07-23 2009-07-23 Electronic voting system

Country Status (2)

Country Link
IL (1) IL192999A0 (en)
WO (1) WO2010010564A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013182252A1 (en) 2012-06-08 2013-12-12 Kutlualp Hakan Bilal Voting method
FR3032821A1 (en) * 2015-02-12 2016-08-19 Georges Amagat PERFORMANCE INDEX RECORDER (EIP)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4373134A (en) * 1981-05-06 1983-02-08 Grace Phillip F Magnetic card vote casting system
EP0419335A1 (en) * 1989-09-20 1991-03-27 Octo Voting method and means for carrying out this method
US20040046021A1 (en) * 2000-11-20 2004-03-11 Chung Kevin Kwong-Tai Electronic voting apparatus, system and method
US20040093504A1 (en) * 2002-11-13 2004-05-13 Toshikazu Ishizaki Information processing apparatus, method, system, and computer program product
WO2005101992A2 (en) * 2004-03-31 2005-11-03 Oracle International Corporation Methods and systems for voter-verified secure electronic voting
WO2006126004A1 (en) * 2005-05-26 2006-11-30 Iml Limited Voting system
US20070051805A1 (en) * 2005-09-06 2007-03-08 International Business Machines Corporation Secure electronic voting device

Also Published As

Publication number Publication date
IL192999A0 (en) 2009-08-03
WO2010010564A3 (en) 2010-10-07

Similar Documents

Publication Publication Date Title
US7461787B2 (en) Electronic voting apparatus, system and method
US7516892B2 (en) Electronic voting system and method having confirmation to detect modification of vote count
US20020077886A1 (en) Electronic voting apparatus, system and method
US7431209B2 (en) Electronic voting apparatus, system and method
Benaloh et al. End-to-end verifiability
US7637429B2 (en) Electronic voting system and associated method
US20060169777A1 (en) Computer-based method and apparatus for verifying an electronic voting process
EP1941467B1 (en) Secure voting system
US20020084325A1 (en) Computer enhanced voting system including verifiable, custom printed ballots imprinted to the specifications of each voter
CA2974409C (en) Method and system of electronic voting implemented in a portable device
US9092922B2 (en) Systems, methods, and programs for voter information initialization and consolidation
Ansari et al. Evaluating electronic voting systems equipped with voter-verified paper records
US20090283597A1 (en) Electronic Voting Device, and Corresponding Method and Computer Program Product
US20070170252A1 (en) Voting Machine with Secure Memory Processing
WO2010010564A2 (en) Electronic voting system
RU2290695C1 (en) Method and system for preparing and performing electronic voting
Arooj et al. Electronic voting with biometric verification offline and hybrid evms solution
WO1996002044A1 (en) Remote recording computer voting system
WO1996002044A9 (en) Remote recording computer voting system
Annadate et al. Online voting system using biometric verification
KR100471792B1 (en) Electronic vote and vote counting process using a RF electronic vote card, a touch-screen vote terminal and a vote server
WO2004038632A1 (en) Computerized electronic voting system
Gupta et al. An Ambitious Approach to Smart Internet Voting System
Lai et al. Design and Implementation of an Electronic Voting System with Contactless IC Cards
Goirizelaia et al. An optical scan e-voting system based on N-version programming

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09787484

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09787484

Country of ref document: EP

Kind code of ref document: A2