JP2018101380A - Electronic voting system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To achieve an electronic voting system using a my-number card.SOLUTION: An electronic voting system comprises: a plurality of ATMs(Automatic Teller Machine); a plurality of my-number servers and a plurality of election management servers provided in each autonomous body; and an election information server connected to the plurality of ATMs and the plurality of my-number servers and election management servers. When a voter causes the ATM to read personal information recorded in an IC card of the voter, and then designates a voting destination, the ATM transmits a voting request including the personal information of the voter and the voting destination to the election information server. The election information server which has received the voting request specifies the election management server to which the voting request should be transferred from among the plurality of election management servers on the basis of the personal information included in the voting request, and transfers the voting request to the specified election management server.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an electronic voting system.

  In general, voting in various elections by national and local public bodies is conducted at polling places established in public places such as schools and public halls in each district. Voters vote at the polling place by entering the name of the candidate on the ballot.

  In recent years, however, there are some areas where electronic voting systems using electronic devices are introduced for voting in order to speed up the voting process. There are several types of electronic voting systems, but for example, as described in Patent Document 1, a system using ATM (Automatic Teller Machine) already installed by a financial institution can be considered. ing. By using ATM as a voting terminal, it can be expected to reduce the time and cost for installing and removing the system at each election.

  One of the functions that the electronic voting system should have is a function of confirming whether a person who performs voting is a valid elector. For this purpose, the technique disclosed in Patent Document 1 performs the following procedure. First, before the election is held, an electronic ballot card is sent to each elector by means such as mail. The elector goes to a place such as a bank where an ATM is installed with the electronic voting card, and inserts the electronic voting card into the ATM for authentication when voting.

JP 2012-108646 A

  The electronic voting system disclosed in Patent Document 1 uses existing ATM devices and the like, which can reduce the installation cost of voting equipment, but sends electronic voting cards to each elector before the election. Must. In addition, since this card needs to be sent every election, the cost of distributing the card becomes a problem.

  On the other hand, in recent years, the My Number system has been introduced, and each individual is assigned a unique identification number (My Number). Number cards ”are now distributed. If electronic voting becomes possible using My Number Card, it can be expected that the cost and time required for the election can be further reduced.

  An electronic voting system according to an embodiment of the present invention includes a plurality of ATMs (Automatic Teller Machines), a plurality of My Number servers provided for each local government, a plurality of election management servers, a plurality of ATMs, and a plurality of My Numbers. An election information server connected to the server and the election management server. When the voter makes the ATM read the personal information recorded on the recording medium owned by the voter and recorded personal information, and then designates the vote destination, the ATM will give the voter's personal information and the vote destination. The included voting request is sent to the election information server. The election information server that has received the voting request identifies the election management server to which the voting request is to be transferred from a plurality of election management servers based on the personal information included in the voting request, and designates the specified election management server. Forward the voting request.

  According to the electronic voting system to be disclosed, since it is not necessary to send a card every election, it is possible to reduce expenses and time relating to the election.

It is a block diagram of the electronic voting system which concerns on one Embodiment of this invention. It is a figure which shows the hardware structural example of ATM. It is an example of my number card. It is an example of my number table. It is an example of the election table which an election information server has. It is an example of the district table which an election management server has. It is an example of a candidate table. It is an example of a total table. It is an example of a distribution table and server information. It is a sequence diagram (1) of voting processing. It is a flowchart of an election qualification determination process. It is a sequence diagram (2) of voting processing. It is a sequence diagram (3) of voting processing. It is a flowchart of an election information confirmation process. It is a flowchart of a password verification process. It is a flowchart (1) of a fraud check process. It is a flowchart (2) of a fraud check process. It is an example of the initial screen of ATM. It is an example of the screen for voting. It is an example of a password input screen.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 is a configuration diagram of an electronic voting system in the present embodiment. The electronic voting system has one or more ATMs 1, an election information server 3, an election management server 4, a my number server 5, a biometric authentication server 6, and a fraud detection server 8 installed in a store such as a financial institution or a convenience store.

  The ATM 1 is installed in a store such as a financial institution or a convenience store, and is a device for a user to perform cash deposit and transfer processing. The election information server 3, the election management server 4, the my number server 5, the biometric authentication server 6, and the fraud detection server 8 are general-purpose computers such as a personal computer (PC).

  The ATM 1, the election information server 3, and the fraud detection server 8 are connected by a network (private line) 2 owned by a financial institution or a convenience store. A server 10 possessed by a financial institution is also connected to the network 2. When a user of ATM1 performs a financial transaction such as deposit withdrawal, communication is performed between the ATM1 and the server 10 of the financial institution. This is a known process and is related to this embodiment. In this embodiment, the description is omitted.

  The election information server 3 is also connected to a network 7 connected to a group of computers managed by the local government, such as an election management server 4, a my number server 5, and a biometric authentication server 6.

  The election information server 3 mainly performs a process of distributing the voting process from the ATM 1 to a server managed by each local government. The election management server 4 counts the voting results. The my number server 5 is a server owned by the local government in order to manage personal information (name, address, etc.) of the residents (who have a resident card). A personal number (so-called My Number), which is a unique identification number, is assigned to each resident, and the My Number Server 5 manages the resident personal information in association with the My Number. In addition, a “My Number Card”, which is a card with a recording medium (for example, an IC chip) in which personal information is recorded, is distributed to the desired residents from the government (or each local government). My Number Card is a card as shown in FIG. 3, and residents who own My Number Card can use it for their identification and online application for administrative procedures.

  The biometric authentication server 6 performs biometric authentication processing for a person who performs voting using the ATM 1 (hereinafter referred to as “voter”). The information used in the biometric authentication process may be arbitrary, but information that can be acquired by the biometric authentication device provided in the ATM 1 is used. For example, when the ATM 1 has a finger vein authentication device as a biometric authentication device, the biometric authentication server 6 performs authentication using finger vein information acquired from the biometric authentication device.

  The fraud detection server 8 is a server for checking whether fraud is performed when a voter performs a vote using the ATM 1.

  Since the My Number server 5 and the biometric authentication server 6 are provided for each local government, a plurality of My Number servers 5 and biometric authentication servers 6 may exist on the network 7. Further, the election management server 4 is a server that needs to be provided only during a period in which an election is held. Since the election management server 4 is also provided for each local government, a plurality of election management servers 4 may exist on the network 7. However, for example, when elections are held in a plurality of local governments, one election management server 4 may be provided in a plurality of local governments. Therefore, the number of election management servers 4 existing on the network 7 is not necessarily the same as the number of my number servers 5 or biometric authentication servers 6.

  Next, the hardware configuration of the ATM 1 in this embodiment will be described with reference to FIG. The ATM 1 includes a processor (CPU) 11, a memory 12, an I / O interface (I / O I / F) 13, an auxiliary storage device 14, a communication interface (communication I / F) 15, a reading device 16, and a video camera. 17 (hereinafter abbreviated as “camera 17”), a touch screen 18, and a biometric device 19 and other peripheral devices. Peripheral devices such as the auxiliary storage device 14 to the biometric authentication device 19 are connected to the CPU 11 via the I / O interface 13.

  The memory 12 is a device for holding a program and information used when the program is executed, and is configured by a volatile memory such as a DRAM (Dynamic Random Access Memory). The CPU 11 is a component for executing a program stored in the memory 12.

  ATM1 which concerns on a present Example is provided with the function for voting, such as a national election and a local election, in addition to the function with which well-known ATM is provided, such as the deposit and payment function of cash. In ATM1 which concerns on a present Example, these functions are mainly implement | achieved by software (program). Specifically, the CPU 11 executes a program stored in the memory 12 to cause the ATM 1 to realize a cash deposit function and the like, and also causes the ATM 1 to function as a voting device.

  The auxiliary storage device 14 is a non-volatile storage device such as a hard disk drive (HDD), and is a device for storing programs executed by the CPU 11 and various types of information. When the CPU 11 starts executing the program, the program stored in the auxiliary storage device 14 is loaded into the memory 12 and the program loaded on the memory is executed.

  The communication interface 15 is an interface for connecting the ATM 1 to the network 2. When the ATM 1 communicates with each server (election information server 3, my number server 5, etc.) shown in FIG. 1, information is exchanged with each server via the communication interface 15.

  The reading device 16 is a device for reading a card owned by a user of the ATM 1. The card used for ATM1 here is an ATM card (cash card) distributed to each user from a financial institution when the user of ATM1 exchanges with a financial institution such as deposit and withdrawal of cash. Is used. In addition, when a user of ATM1 performs an election vote, a my number card is used. In the present embodiment, unless otherwise specified, these cards are all cards (IC cards) with built-in IC chips, and the reading device 16 is an IC card reader. However, the reading device 16 is not necessarily limited to an IC card reader, and may be any device that can read a medium recorded with personally identifiable information (such as My Number) that is issued to each inhabitant from a local government or the like. Good. For example, in addition to the card as shown in FIG. 3 (or in place of the card), a recording medium (in which personal information is recorded) such as an IC chip that can be attached to a portable communication terminal such as a smartphone is supplied from the local government to each resident. Each resident can use the IC chip by attaching it to a portable communication terminal. In this case, the reading device 16 may be a device that can read information on the IC chip only by holding the portable communication terminal on which the IC chip is mounted, for example.

  The camera 17 is provided in front of the ATM 1 and is used to capture an image (moving image) behind the user of the ATM 1 or the user of the ATM 1. The ATM 1 transmits the captured image of the camera 17 to the fraud detection server 8. A plurality of cameras 17 may be provided in one ATM 1.

  The touch screen 18 is a device for a user of the ATM 1 to input information. The ATM 1 is also a device for displaying necessary information (for example, a screen for instructing input of a personal identification number) to the user.

  The biometric authentication device 19 is a device for acquiring information necessary for so-called biometric authentication from a user of ATM1, for example, reading a fingerprint of the user of ATM1 or reading information of finger veins. The biometric information read by the biometric authentication device 19 is sent to the biometric authentication server 6.

  ATM1 may include devices other than those described above. For example, the ATM 1 may include a printer device that reads a bankbook and prints it on the bankbook. Moreover, you may provide the speaker for telling the instruction | indication with a voice to the user of ATM1. The ATM 1 may include an input device such as a keyboard in addition to the touch screen 18.

  As described above, in this embodiment, the election information server 3, the election management server 4, the my number server 5, the biometric authentication server 6, and the fraud detection server 8 include a general-purpose computer such as a personal computer (PC). It is. For this reason, the hardware configuration of these servers is the same as that of a general-purpose computer, and a description thereof is omitted here. The processes performed by the election information server 3, the election management server 4, the my number server 5, the biometric authentication server 6, and the fraud detection server 8 described below are executed by a processor (CPU) included in these servers. It is realized by doing.

  From here, the management information which each server has is demonstrated. FIG. 4 shows an example of a my number table 500 that the my number server 5 has. In each row (also referred to as a record) of the my number table 500, personal information of each inhabitant (having a resident card) residing in the local government that owns the my number server 5 is recorded.

  The record of the my number table 500 has nine columns as shown in FIG. However, other information may be included in the record of the my number table 500.

  The name 503, the address 504, the date of birth 507, and the age 508 represent the name, address, date of birth, and age of the residents. The foreign language name 505 stores an alphabetical representation of the name of the resident when the resident is not Japanese. On the contrary, when the citizenship of the resident is Japan, no information is stored in the foreign language name 505. My number 501 represents an ID (my number) assigned to a resident. The password 502 is a password (referred to as “My Number Password”) recorded on a My Number card owned by the residents. This password is known in advance by the residents who own the My Number Card.

  The columns of voted 506 and vote date 509 are used when voting is performed using ATM1. When the owner of the My Number Card causes the ATM 1 to read its own My Number Card and vote, the My Number Server 5 displays “○” in each of the columns of the voted 506 and the voting date and time 509 of the My Number Card owner. Record the date and time that the vote was taken.

  Subsequently, management information that the election information server 3 has will be described. FIG. 5 shows an example of the election table 300. The election table 300 is a table that stores information on elections for which electronic voting is possible, and includes columns of an election ID 301, an election name 302, a vote start date and time 303, a vote end date and time 304, and a target election district 305.

  An election name 302 represents an election name, and an election ID 301 is an identification number (referred to as an election ID) assigned to each election. The voting start date / time 303 and the voting end date / time 304 represent the voting period (start date / time and end date / time) of the election shown in the election name 302. The target election district 305 is an identification number of the district where the election shown in the election name 302 is held. The election information server 3 manages each district with a unique identification number (referred to as “election district number”), and the identification number assigned to each district is managed in a district table described later. .

  FIG. 6 shows an example of the district table 310. The district table has columns of an address 311 and an election district number 312, and the election district number of the address recorded in the address 311 is stored in the election district number 312.

  FIG. 7 shows an example of the candidate table 320. The candidate table 320 stores information on candidates for each election. Candidate names 322 and furigana 324 are a candidate's name (kanji) and their kana. The party name 323 stores the name of the party to which the candidate belongs. The election ID 321 is an election ID of an election in which the candidacy is running, and any of the election IDs registered in the election ID 301 of the election table 300 is registered here. The display data 325 is a column in which data displayed on the touch screen 18 of the ATM 1 is stored. For example, a candidate's face image file is stored.

  Elections include elections that select candidates, elections that select political parties (proportional representative elections), and national screening of judges. Therefore, the election information server 3 stores a political party table 330 when a proportional representative election is performed, and stores a judge table 340 when a national examination of a judge is performed. If these multiple elections are held on the same day (or almost the same period), all (or two of these) candidate table 320, party table 330 and judge table 340 are stored in election information server 3. A table may be stored. However, for simplification of description, an example in which only the candidate table 320 among the candidate table 320, the political party table 330, and the judge table 340 is stored in the election information server 3 will be described.

  The person who operates the election (election management committee), when the candidate for the election is confirmed, the operator of the electronic voting system (which is also the administrator of the election information server 3), the election table 300 and the candidate table 320 Information to be stored in (or party table 330, judge table 340) is passed. The operator of the electronic voting system stores information in these tables before the start of the election. The information stored in the district table 310 and the target election district 305 of the election table 300 is determined by the operator of the electronic voting system according to the actual district and stored in these tables.

  FIG. 8 shows an example of a tabulation table that is management information that the election management server 4 has. In FIG. 8, a small constituency count table 400 is a table for counting the number of votes for each candidate, such as a small constituency election. Therefore, in order to record the number of votes obtained for each candidate, columns of candidate name 401, number of votes 402, and electoral district number 403 are provided.

  When the proportional representative election is held, the proportional management table 410 is provided in the election management server 4. The proportional ward count table 410 is a table for counting voting results in the proportional representative election, and has columns of a party name 411 and a vote count 412 in order to record the number of votes for each party. Further, when the national examination of the judge is performed, the election management server 4 is provided with the national examination totaling table 420, and the number of untrusted votes 422 and the confidence rate 423 are managed for each judge name 421.

  FIG. 9 shows an example of the distribution table 350 and server information 360. The election information server 3 has the distribution table 350 and the server information 360. When a voter performs a process such as voting from ATM 1, if there are a plurality of local government's My Number Servers 5 (or election management server 4, biometric authentication server 6), etc., ATM 1 Need to access a server owned by a local government. In the electronic voting system according to the present embodiment, it is assumed that the voter can vote from any ATM in the country. That is, the voter does not necessarily vote using the ATM in the local government (city / town / village) where the voter resides. Therefore, in the electronic voting system according to the present embodiment, the election information server 3 once accepts a request from the ATM 1, and the election information server 3 distributes access to an appropriate local government server. The distribution table 350 and the server information 360 are used at this time.

  The distribution table 350 is a table having columns of a local government ID 351 and a my number list 352. The local government ID 351 is an identification number of the local government, and the my number list 352 is a list of my numbers of residents who belong to the local government ID 351 (having a resident card).

  The server information 360 is a table for managing server information owned by each local government. The server information 360 includes columns of local government ID 361, my number server information 362, biometric authentication server information 363, and election management server information 364. The municipality ID 361 is a column for storing the identification number of the municipality, and the same identification number stored in the municipality ID 351 of the distribution table 350 is stored. The my number server information 362, the biometric authentication server information 363, and the election management server information 364 are the IP addresses of the my number server 5, the biometric authentication server 6, and the election management server 4 that the local government identified by the local government ID 361 has, respectively.

  In the distribution table 350 and the server information 360, necessary information needs to be registered before the election starts. The local government that wants to use the electronic voting system according to the present embodiment provides the administrator of the electronic voting system (which is also the administrator of the election information server 3) to the IP number of the My Number server 5 and the biometric authentication server 6 that the local government has, Then, the IP address of the election management server 4 used in the election is transmitted and registered in the server information 360. In addition, it is necessary to have a list of my numbers of each resident belonging to the local government registered in the distribution table 350. Alternatively, the local government may make the state of the my number server 5 obtain a list of my numbers possessed by the my number server 5 from the election information server 3, and cause the election information server 3 to obtain a list of my numbers. .

  Note that the information stored in the my number server information 362, the biometric authentication server information 363, and the election management server information 364 is not necessarily an IP address. The election information server 3 may be information that can uniquely identify each server.

  The above is the information that each server has. ATM1 is a copy of the election table 300 and candidate table 320 (or party table 330, judge table 340) that the election information server 3 has. Are stored in the auxiliary storage device 14. The ATM 1 periodically acquires the election table 300 and the candidate table 320 (or the political party table 330 and the judge table 340) from the election information server 3 and stores them in the auxiliary storage device 14. These pieces of information are used when the ATM 1 creates a voting screen on the touch screen 18. It is not necessary for the ATM 1 to acquire all the information in the election table 300 of the election information server 3, and it is sufficient to acquire at least the election ID 301 and the election name 302.

  From here, the flow of the voting process using ATM1 will be described. FIG. 10 to FIG. 15 are performed in the ATM 1 and each server in the electronic voting system according to this embodiment from when the person who wants to vote (referred to as a voter) starts using the ATM 1 until it is completed. The flow of processing is shown.

  First, the flow when starting the voting process will be described with reference to FIG. In step 1001, ATM1 displays a list of processes that can be performed by ATM1 on the screen of the touch screen 18, and causes the user (voter) of ATM1 to select a process to be performed. FIG. 18 shows an example of an initial screen displayed on the touch screen 18 of the ATM 1 in step 1001. On the initial screen 800, as shown in FIG. 18, buttons such as deposit and transfer are displayed. In addition, in the ATM 1 according to the present embodiment, a voting button 801 is displayed on the initial screen 800 in addition to a button for selecting processing to be performed on a financial institution such as payment or transfer. When the voter touches the voting button 801, the electronic voting system performs the processing after step 1002 (that is, voting processing).

  When a button other than the voting button 801 is touched, the ATM 1 performs processing (payment, withdrawal, transfer, etc.) according to the content of the touched button while communicating with the server 10 of the financial institution. However, since this is the same as the processing performed in the known ATM1, description thereof is omitted in this embodiment.

  After the voter presses the vote button 801, the voter inserts the my number card into the reading device 16 of the ATM1. When the My Number card is inserted, the ATM 1 reads the content recorded on the My Number card using the reading device 16, particularly the My Number (Step 1002).

  Subsequently, in step 1003, the ATM 1 performs biometric authentication processing. For example, when performing finger vein authentication as the biometric authentication process, the ATM 1 displays a screen for instructing the biometric authentication device 19 to hold a finger on the touch screen 18. When the voter holds the finger over the biometric authentication device 19, the ATM 1 captures the finger using the biometric authentication device 19 and extracts a vein pattern. Then, the ATM 1 transmits a biometric inquiry request including the extracted vein pattern and the my number read in step 1002 to the biometric authentication server 6 via the election information server 3.

  The biometric authentication inquiry request is once received by the election information server 3. In step 1004, the election information server 3 specifies the biometric authentication server 6 to which the biometric inquiry request is to be transferred. Specifically, the election information server 3 identifies the line containing the My Number included in the biometric inquiry request in the My Number List 352 field of the distribution table 350, and extracts the local government ID 351 of that line. To do. Subsequently, the election information server 3 specifies a line in the server information 360 where the local government ID 361 is equal to the local government ID extracted from the distribution table 350, and extracts an IP address registered in the biometric authentication server information 363 of that line. Thus, the biometric authentication server 6 (its IP address) to which the biometric authentication inquiry request is to be transferred is specified. After the biometric authentication server 6 to which the biometric inquiry request is to be transferred is specified, the election information server 3 transfers the biometric inquiry request to the specified biometric authentication server 6.

  In step 1005, the biometric authentication server 6 performs an authentication process using the received biometric authentication inquiry request. The biometric authentication server 6 holds each resident's biometric information (for example, finger vein pattern) in association with the resident's My Number, and the combination of the My Number and the biometric information included in the received biometric inquiry request. Are matched with the combination of my number and biometric information held in the biometric authentication server 6 and the result is returned to the election information server 3 (step 1006). If they match, the biometric authentication server 6 returns “authentication successful” to the election information server 3 to allow the ATM 1 to continue the voting process. “Authentication failure” is returned to the election information server 3 to cause the ATM 1 to interrupt the voting process. When the election information server 3 receives a response from the biometric authentication server 6, it returns it to the ATM 1.

  In step 1007, the ATM 1 determines whether or not the response from the biometric authentication server 6 is “authentication successful”. If the authentication is successful, step 1009 is performed next. If the authentication is unsuccessful, the process is terminated (interrupted) (step 1008). At the end of the process, for example, the ATM 1 displays on the touch screen 18 that biometric authentication has failed, returns the My Number card inserted in Step 1002 to the voter, and then touches the initial screen 800 shown in FIG. 18 again. It is displayed on the screen 18.

  In step 1009, ATM 1 transmits an election qualification inquiry request to my number server 5. The election qualification inquiry request is a request for inquiring to the my number server 5 whether the voter is eligible for election (whether the voting condition is satisfied). The election qualification inquiry request transmitted here includes the voter's My Number read in Step 1002. Similarly to step 1003, the election qualification inquiry request is sent to the my number server 5 via the election information server 3.

  In step 1010, the election information server 3 that has received the election qualification inquiry request specifies the My Number server 5 that is the transfer destination of the election qualification inquiry request. Since the identification method of my number server 5 is the same as the method performed in step 1004, description here is omitted. After specifying the my number server 5, the election information server 3 transmits an election qualification inquiry request to the specified my number server 5.

  In step 1011, the my number server 5 that has received the election qualification inquiry request from the election information server 3 determines whether the person (voter) having the my number included in the election qualification inquiry request has the election qualification. The determination result is returned to the ATM 1 via the election information server 3. An example of the determination method in step 1011 will be described with reference to FIG.

  In step 1101, the my number server 5 refers to the my number table 500 and specifies a row in which the same value as the my number included in the received election qualification inquiry request is stored in the my number 501. The information stored in this row is the voter's personal information. My number server 5 extracts information on voted 506, foreign language name 505, and age 508 from the specified line, and whether the voter has voted, whether the nationality is Japan, or the age is 18 Make sure that you are over the age. When determining whether or not the voter's nationality is Japan, the My Number Server 5 refers to the foreign language name 505. If no information is stored in the foreign language name 505, the nationality of the voter is Japan. Is determined.

  As a result of the confirmation, if it is not voted (step 1102: Yes), the nationality is Japan (step 1103: Yes), and the age is 18 years old or more (step 1104: Yes), the my number server 5 selects the election information. The server 3 is informed that it has the voting qualification (step 1110). On the other hand, if any of the above conditions is not satisfied, the my number server 5 replies to the election information server 3 that there is no voting qualification (election qualification) (step 1120). The election information server 3 that has received a response from the my number server 5 returns the response content to the ATM 1.

  If the response from the my number server 5 is a response indicating that there is a qualification for voting (step 1012: Yes), the ATM 1 next performs election information search processing and voting processing (FIG. 12). On the other hand, if a response indicating that the vote is not qualified is received, ATM1 terminates (suspends) the process (step 1013). The content performed in step 1013 is the same as that in step 1008. That is, ATM1 displays that the voting qualification is not displayed on the touch screen 18, returns the My Number card to the voter, and sets the display content of the touch screen 18 to the initial screen 800.

  The flow of election information search processing and voting processing will be described with reference to FIG. In step 2001, ATM 1 reads the personal information from the my number card and transmits it to the election information server 3. The personal information read here includes at least the address of the owner of the My Number card and My Number. However, other information may be transmitted to the election information server 3. In another embodiment, instead of reading the address from the My Number card in Step 2001, ATM1 reads the address and My Number from the My Number card in Step 1002, and in Step 2001, the information read in Step 1002 is used as the election information. You may make it transmit to the server 3. FIG.

  The election information server 3 that has received the personal information from the ATM 1 searches for information on elections for which the voter can vote (step 2002). The process of step 2002 is shown in FIG. Here, the election information server 3 first refers to the district table 310 and identifies the election district number 312 corresponding to the voter's address. Subsequently, the election information server 3 refers to the election table 300 to confirm whether or not information on elections to be held in the specified election district is registered (step 1501).

  For example, when the election table number 312 to which the voter belongs is “00002” as a result of referring to the district table 310, the election information server 3 identifies the row where the target election district 305 is “00002” among the rows of the election table 300. . Subsequently, the election information server 3 refers to the voting start date and time 303 and the voting end date and time 304 of the specified line, and determines whether the current date and time is a voting period (between the voting start date and time 303 and the voting end date and time 304). Check if it is time. If the current date and time is the voting available period, the election information server 3 returns the election ID 301 of the specified line to the ATM 1 (step 1503). Conversely, if it is not the voting period, the election information server 3 returns to the ATM 1 that it is not the voting period (step 1504). Multiple elections may be held in the election district to which the voter belongs. In that case, the election information server 3 returns a plurality of election IDs 301 to the ATM 1.

  When it is returned from the election information server 3 that the voting period is not possible (step 2003: No), the ATM 1 displays a message indicating that the voting period is not possible on the touch screen 18 and interrupts the processing (step 2005). Similar to step 1008 and the like, in step 2005, the my number card is returned to the voter, and the display content of the touch screen 18 is set to the initial screen 800. Conversely, when the election ID is returned from the election information server 3 (step 2003: Yes), the ATM 1 creates a voting screen based on the sent election ID and displays it on the touch screen 18 (step 2004). .

  An example of the voting screen is shown in FIG. On the voting screen 810, the name of the election and the names of candidates for this election are displayed. Further, as shown in FIG. 19, the face images of the candidates may be displayed. The ATM 1 extracts a line that is equal to the election ID sent to the election ID 321 from the candidate table 320 stored in its auxiliary storage device 14, and information on the line (candidate name 322 and display data). 325) is used to create a voting screen 810.

  A voting screen 810 as shown in FIG. 19 is displayed on the ATM 1 touch screen 18, and the voter makes a vote by touching the name (or image) of the candidate displayed on the voting screen 810. Can do. Note that the screen shown in FIG. 19 is an example of an election for voting on candidates like a small-district constituency election, and in an election for voting on political parties like a proportional representative election, On the touch screen 18, a different screen (a screen for displaying a party name or the like) is displayed.

  In step 2006, the voter uses the voting screen 810 to select a vote candidate. When a candidate is selected by a voter, the ATM 1 temporarily stores the selected candidate name in the memory 12 or the auxiliary storage device 14, and then executes step 2011 (FIG. 13).

  In step 2011, ATM1 performs an authentication process using a password (my number password). The ATM 1 displays on the touch screen 18 a screen (referred to as a password input screen) for instructing input of a my number password, and allows a voter to input the my number password. An example of the password input screen is shown in FIG. The password input screen 820 is a screen on which a software keyboard is displayed in addition to the message “Please enter my number password”. Voters use this software keyboard to enter their My Number password. When the voter inputs the my number password and presses the completion button 821, ATM1 transmits the my number password together with the my number to the my number server 5 (via the election information server 3).

  In step 2012, the election information server 3 transmits the combination of the my number and the my number password received from the ATM 1 to the transfer destination my number server 5. The identification method of my number server 5 here is the same as the method performed in step 1004 or step 1009.

  The my number server 5 that has received the combination of the my number and the my number password from the election information server 3 performs the collation process of the my number password, and returns the collation result to the ATM 1 via the election information server 3 (step 2013). The flow of this collation process will be described with reference to FIG.

  In step 2501, the my number server 5 refers to the my number table 500, and determines whether there is a row in the my number 501 and the password 502 that stores the same received my number and my number password. If there is a line in which the same information as the My Number and My Number Password is stored (Step 2502: Yes), the My Number Server 5 responds to the ATM 1 via the Election Information Server 3 that the password is valid. Then, voting by ATM1 is permitted (step 2503). If there is no row in which the same information as the My Number and My Number Password is stored (Step 2502: Yes), the password is not correct, so the My Number Server 5 responds to that effect and causes the ATM 1 to interrupt the voting process ( Step 2504).

  When the fact that the password is incorrect is returned from the my number server 5 (step 2014: No), the ATM 1 ends (interrupts) the processing. Here, the same processing as step 1008 may be performed. Alternatively, the ATM 1 may display on the touch screen 18 that the input password is not correct, display a screen for allowing the voter to re-enter the My Number password, and execute Step 1011 to Step 2014 again. . On the contrary, when the password is returned from the my number server 5 (step 2014: Yes), step 2015 is performed next.

  In step 2015, ATM1 performs voting. Specifically, the ATM 1 sends a vote request including the voter's My Number and information on the name of the candidate selected by the voter in Step 2006 (or information that can identify the candidate) to the election information server 3. To the election management server 4 via. After the voting request is transmitted, the ATM 1 displays a message indicating that the voting is completed on the touch screen 18 and returns the my number card to the voter, and ends the process (step 2020).

  The election information server 3 that has received the vote request from the ATM 1 in step 2016 identifies the election management server 4 to which the request is transferred, and forwards the vote request to the identified election management server 4. In addition, the election information server 3 registers the fact that the voter's electronic voting is completed in the my number table 500, so that the my number server 5 that manages the personal information of the voter The my number server 5) is specified, and the specified my number server 5 is instructed to record the voter's vote state change request in the my number table 500. The vote state change request includes the voter's My Number. The method for specifying the election management server 4 and the my number server 5 here is the same method as in Step 1009 and Step 2012.

  Upon receiving the voting request, the election management server 4 selects the same row as the candidate name included in the voting request from among the rows of the small constituency count table 400, and sets 1 to the number of votes 402 in that row. Is added. The my number server 5 that has received the vote status change request from the election information server 3 selects a row in the my number table 500 where my number 501 is the same as the my number included in the vote status change request. Then, “◯” is stored in the voted 506 of the row. This completes the electronic voting.

  Next, the fraud check process will be described. At polling places set up in public places such as schools and public halls, witnesses are monitored to check whether the voter is cheating. On the other hand, voting using ATMs is based on the premise that there are no witnesses (it is not practical to place witnesses in all ATMs nationwide). For this reason, there are many possibilities that a voter may be forced to vote unintentionally by being threatened by a third party, or that a voter who is supposed to be confidential may be stolen. In the electronic voting system according to the present embodiment, these problems are solved by the method described below, and it is guaranteed that the voting at the ATM is fair.

  16 and 17 show a flow of fraud check processing performed in the electronic voting system according to the present embodiment. The fraud check process is performed by the fraud detection server 8. The ATM 1 according to the present embodiment uses the camera 17 before the ATM 1 in parallel with the voting process during the voting process described above (while the step 1001 in FIG. 10 to the step 2018 in FIG. 13 is performed). A process of capturing an image of a standing person (a user of the ATM 1 or a person behind the user) and transmitting the captured image to the fraud detection server 8 is always performed. The fraud detection server 8 performs fraud check processing described below based on the captured image transmitted from the ATM 1. For this reason, the fraud detection server 8 includes means (referred to as a person recognition means) for recognizing a person (or a person's face) from the captured image. Since these can be realized by a known technique, detailed description thereof is omitted.

  By using the person recognition means, the fraud detection server 8 determines whether or not a person is reflected in the captured image, how many people are reflected in the captured image, and the direction of the face of the person reflected in the captured image (frontward). Or the like. In this embodiment, it is assumed that the person recognition means is implemented by software (program). That is, the fraud detection server 8 is operated as a person recognition unit by causing the processor of the fraud detection server 8 to execute a program for recognizing a person in the image. However, as another embodiment, the person recognition means may be implemented by hardware.

  In general, a plurality of ATMs are installed side by side in a store of a financial institution. The fraud detection server 8 also acquires a captured image from an ATM camera 17 other than the ATM used by the voter and uses it for fraud check processing.

  The fraud detection server 8 first analyzes the captured image transmitted from the ATM 1 to recognize a person in the captured image, and further determines whether there are a plurality (two or more) persons in the captured image. . If there is only one person in the captured image (step 3001: No), then step 3101 (FIG. 17) is performed. The processing after step 3101 will be described later.

  When two or more persons are present in the captured image (step 3001: Yes), the processing after step 3002 is performed.

  In step 3002, the fraud detection server 8 determines whether or not the distance between a plurality of persons standing in front of the ATM 1 is close based on the captured image (for example, determines whether the distance between the plurality of persons is less than a predetermined value). ). When a plurality of persons are close to each other (step 3002: No), two or more persons (that is, a voter and a person other than the voter) are standing in front of ATM1, and a person other than the voter is a voter. There is a possibility that the voter is forced to vote different from his intention. Therefore, in this case, the fraud detection server 8 instructs the ATM 1 to interrupt the voting process (step 3003). Upon receiving this instruction, the ATM 1 outputs a warning to the touch screen 18 and interrupts the voting process (step 3005). For example, even if a voter has already selected a candidate using the touch screen 18 of ATM 1, the process is interrupted without sending the information of the selected candidate to the election management server 4 or the like.

  In step 3101, the fraud detection server 8 analyzes the captured image obtained from the ATM camera 17 adjacent to the ATM 1 used by the voter (right adjacent and left adjacent) and uses the ATM 1 used by the voter. Determine if there is a person in front of the ATM on the right or left. If there is a person in either of the ATMs adjacent to the ATM 1 used by the voter (step 3101: Yes), the fraud detection server 8 determines whether the ATM in which the person exists is used (step 3102). .

  There may be several ways to determine if ATM is being used. For example, the fraud detection server 8 identifies the orientation of the face of a person standing in front of the ATM from the captured image acquired from the ATM camera 17 where the person exists, and the person faces the voter instead of the front. If it is, it may be determined that ATM is not used.

  Alternatively, the fraud detection server 8 inquires of an ATM in which a person exists whether an operation has been performed on the ATM within a predetermined time (for example, within 30 seconds) from the current time, and the ATM is used accordingly. It may be determined. In order to determine whether an operation has been performed on the ATM, the fraud detection server 8 may acquire information from the ATM such as whether a cash card or a passbook has been inserted into the ATM or whether the touch screen has been touched. If no operation has been performed on the ATM for a predetermined time or longer, it may be determined that the ATM is not being used.

  Note that the above-described method is an example, and the fraud detection server 8 may determine whether the ATM is in use by using a method other than these methods.

  If it is determined that the ATM in which the person exists is not used (step 3102: No), the person may have forced the voter to vote unintended by the voter, or Since there is a possibility that an act such as stealing the vote destination is performed, the fraud detection server 8 instructs the ATM 1 to interrupt the voting process (step 3111). Step 3111 is the same processing as step 3003. Then, ATM1 instructed to interrupt the voting process performs step 3005 described above to stop the voting process.

  On the other hand, when there is no person in any of the ATMs adjacent to ATM 1 used by the voter (step 3101: No), or when it is determined that an ATM in which a person exists is used (step 3102: Yes). ), The possibility of fraud is low. Therefore, in this case, fraud detection server 8 does not instruct ATM 1 to interrupt the voting process, and returns to step 3001 to continue the fraud detection process.

  In the electronic voting system according to the embodiment of the present invention, as described above, the personal authentication is performed using the My Number card that the voter has in advance. Therefore, it is possible to reduce the labor and cost of distributing a personal identification card at each election.

  Moreover, the server (my number server) which manages personal information including my number is installed for every local government. Many ATMs are also installed in various parts of the country, but the electronic voting system needs to be able to access the appropriate server and perform identity verification and voting even if the voter performs voting from any ATM in the country. It is. In the electronic voting system according to the present embodiment, an election information server for selecting a My Number server for requesting authentication is provided, and if there is a voting processing request from an ATM or an authentication request preceding it, the election information server is appropriate. Distribute requests to servers. Thus, the voter can vote from any ATM in the country.

  In addition, when voting is performed at an ATM in which no witness is present, it is necessary to have a means for preventing fraud. In the electronic voting system according to the present embodiment, the fraud detection server checks whether fraud is performed based on information acquired from a device such as a camera installed in the ATM, and the fraud may be performed. If there is a characteristic, the voting process at the ATM can be promptly stopped.

  As mentioned above, although the Example of this invention was described, these are illustrations for description of this invention, Comprising: It is not the meaning which limits the scope of the present invention only to these Examples. The present invention can be implemented in various other forms. For example, in the embodiment described above, the processing performed by the My Number server 5, the biometric authentication server 6, the election management server 4, the election information server 3, the fraud detection server 8, and the like is executed by a general-purpose computer processor. The example realized by being executed has been described. However, as another embodiment, a part of or all of the election information server 3, the election management server 4, the my number server 5, the biometric authentication server 6, and the fraud detection server 8 is not a general-purpose computer, but dedicated hardware. May be used. Then, part or all of the processing performed in the election information server 3, the election management server 4, the my number server 5, the biometric authentication server 6, and the fraud detection server 8 described above is performed by hardware such as FPGA and ASIC. May be implemented.

  In the electronic voting system according to the embodiment described above, there are My Number Server, Biometric Authentication Server, Election Management Server, Election Information Server, and Fraud Detection Server in addition to ATM. May not be provided. For example, instead of installing a biometric authentication server, a configuration that does not install a biometric authentication server by performing processing performed by the biometric authentication server with a my number server may be employed. Similarly, the function of the fraud detection server may be provided in the election information server, and the fraud check process may be executed by the election information server.

  In the embodiment described above, the fraud check is performed by the fraud detection server. However, the function of the fraud detection server may be provided in each ATM so that the ATM performs the fraud check.

  In the embodiment described above, resident biometric information (such as finger vein vein patterns) is registered in advance in the biometric authentication server, and the biometric information acquired from the biometric authentication device of the ATM is registered in the biometric authentication server. An example in which biometric authentication is performed by collating with existing biometric information has been described. However, as another embodiment, other biometric authentication processing methods may be employed. For example, as shown in FIG. 3, a face photograph of the person (the owner of the my number card) is affixed to the my number card. As another embodiment, a reader having a reading function of a face photograph attached to a card in addition to a reading function of an IC chip is provided as an ATM reading device, and a face image of a voter captured by the camera 17 is provided. A kind of biometric authentication may be performed by collating with the face photo of the My Number card read by the reader. In this case, this verification process may be performed by the biometric authentication server, or the verification process may be performed inside the ATM.

  In the embodiment described above, the election information server 3 identifies the municipality to which the voter belongs based on the distribution table 350, and the ATM of the identified municipality server (my number server or election management server) The request received from was being forwarded. However, the identification method of the local government (the server possessed by) the transfer destination of the request from the ATM is not limited thereto. For example, when the election information server 3 receives a request from an ATM (including the voter's My Number), the local government's My Number Server 5 manages the voter's personal information (My Number, etc.) By inquiring whether the voter belongs to the local government (whether there is a resident's card), the local government to which the request is transferred and the server of the local government may be specified.

  1: ATM, 2: Network, 3: Election information server, 4: Election management server, 5: My number server, 6: Biometric authentication server, 7: Network, 8: Fraud detection server

Claims (13)

A plurality of ATM (Automatic Teller Machine),
A plurality of My Number servers provided for each municipality that manage personal information and passwords of residents of the municipality,
A plurality of election management servers that are provided for each municipality and that count votes;
An election information server connected to the plurality of ATMs and the plurality of my number servers and an election management server;
An electronic voting system comprising:
The ATM has a reading device for reading a recording medium on which voter's personal information is recorded.
The ATM is
Read the personal information recorded on the recording medium possessed by the voter via the reading device,
Request the voter authentication process to the My Number server,
If the authentication process is successful, a vote request including a designated vote destination from the voter and personal information of the voter is sent to the election information server,
The election information server that has received the voting request specifies an election management server to which the voting request is to be transferred from among the plurality of election management servers based on the personal information included in the voting request,
Forward the vote request to the identified election management server;
This is an electronic voting system. The electronic voting system further includes a fraud detection server connected to the ATM,
The ATM has a camera that images a person standing in front of the ATM, and is configured to transmit an image captured by the camera to the fraud detection server during the voter voting process.
The fraud detection server analyzes the captured image to identify the presence or absence of a person in front of the ATM and the distance between each person when there are multiple persons in front of the ATM,
If a plurality of persons are standing in front of the ATM and the distance between the plurality of persons is less than a predetermined value, the ATM is instructed to interrupt the voting process.
The electronic voting system according to claim 1, wherein: The fraud detection server is further configured to acquire and analyze a captured image from a camera included in another ATM installed next to the ATM,
The fraud detection server determines whether a person exists before the another ATM based on the captured image acquired from the other ATM,
If present, determine whether the other ATM is in use,
If the other ATM is not in use, instruct the ATM to interrupt the voting process;
The electronic voting system according to claim 2, wherein: When the ATM requests the voter authentication process from the my number server,
Accepts password input from the voter,
Sending the password together with the personal information to the election information server;
The election information server that received the password is:
Based on the personal information received together with the password, the My Number server managing the voter information from among the plurality of My Number servers is identified,
Transfer the password and personal information to the identified My Number server,
The My Number server that has received the password and personal information is
If the password information of the voter managed by the my number server and the received password do not match, the ATM is instructed to interrupt the voting process.
The electronic voting system according to claim 1, wherein: The electronic voting system has a plurality of biometric authentication servers provided for each municipality,
The ATM has a biometric device that reads the voter's biometric information,
When the ATM reads the voter's biometric information via the biometric authentication device,
Sending a biometric inquiry request including the personal information of the voter and the biometric information to the election information server,
The election information server that has received the biometric inquiry request, the biometrics possessed by the local government of the voter's residence area from among the plurality of biometric authentication servers based on the personal information included in the biometric inquiry request Identify the authentication server,
Transferring the biometric query request to the identified biometric authentication server;
The biometric authentication server that has received the biometric inquiry request, when the biometric information of the voter managed by the biometric authentication server does not match the received biometric information, interrupts the voting process to the ATM. Instruct,
The electronic voting system according to claim 1, wherein: The ATM, after reading the voter's personal information from the voter's IC card, makes an inquiry about the voter's election qualifications to the my number server,
If the voter is not eligible for election, interrupt the voting process;
The electronic voting system according to claim 1, wherein: The ATM is configured to make an inquiry about the voter's election qualification to the my number server by sending a request for election qualification including personal information of the voter to the election information server. ,
The election information server identifies a My Number server owned by a local government in the area where the voter resides from among the plurality of My Number servers based on the personal information included in the election qualification inquiry request. Forwards the election qualification inquiry request to the registered My Number server,
The electronic voting system according to claim 6, wherein: The My Number Server manages information about whether or not the voter has voted together with the personal information,
When the My Number Server receives an inquiry about the election qualification from the ATM,
If the voter has voted, return to the ATM that the voter is not eligible for election;
The electronic voting system according to claim 6, wherein: When the election information server receives the voting request, the election information server identifies a my number server that manages the information of the voter who has issued the voting request from a plurality of the my number servers. Recording information that the voter has voted;
The electronic voting system according to claim 8, wherein: A plurality of ATM (Automatic Teller Machine),
Multiple My Number servers set up by each municipality,
A plurality of biometric authentication servers provided for each municipality;
A plurality of election management servers that are provided for each municipality and that count votes;
An election information server connected to the plurality of ATMs and the plurality of my number servers and an election management server;
A voting method in an electronic voting system having
The ATM is
Reading the personal information recorded on the recording medium of the voter;
Reading the voter's biometric information, and requesting biometric authentication to the biometric authentication server via the election information server;
Inquiring of the voter's election qualifications to the My Number server;
Accepting designation of a vote destination from the voter;
Requesting the My Number server for authentication using a password via the election information server;
Sending a vote request to the election management server via the election information server;
A voting method in an electronic voting system, characterized in that The electronic voting system further includes a fraud detection server connected to the ATM,
The ATM has a camera that images a person standing in front of the ATM;
The voting method further includes:
The ATM transmits the image captured by the camera to a fraud detection server;
The fraud detection server detecting fraud based on the captured image;
Run
The step of detecting the fraud includes
Analyzing the captured image, the presence or absence of a person in front of the ATM, and the step of identifying the distance between each person when there are a plurality of people in front of the ATM;
Determining whether a plurality of persons are standing in front of the ATM;
When a plurality of persons are standing in front of the ATM, determining whether a distance between the plurality of persons is less than a predetermined value;
When the distance between the plurality of persons is less than a predetermined value, instructing the ATM to interrupt the voting process;
The voting method in the electronic voting system according to claim 10, comprising: The fraud detection server is further configured to acquire and analyze a captured image from a camera included in another ATM installed next to the ATM,
The step of detecting the fraud further includes:
The fraud detection server determining whether a person exists before the another ATM based on the captured image acquired from the other ATM;
If present, determining whether the other ATM is in use;
Instructing the ATM to interrupt the voting process if the other ATM is not in use;
The voting method in the electronic voting system according to claim 11, wherein: The vote request includes personal information of the voter and the voter,
Sending the vote request to the election management server,
The election information server that has received the voting request from the ATM,
Identifying an election management server to which the vote request should be transferred from among a plurality of the election management servers based on the personal information included in the vote request;
Forwarding the vote request to the identified election management server;
The voting method in the electronic voting system according to claim 10, comprising: