WO2008017874A1 - Interactive electronic system and method for a plurality of users - Google Patents

Abstract

The present invention provides an interactive system and method of operating such a system for a plurality of users. The system includes a local controller (10) operable to receive user input data and associated timestamps from at least one keypad (18), broadcasting means for broadcasting data to the local controller (10), and a central controller (16) for processing data. The local controller (10) is in communication with the central controller (16) such that it can transmit data to the central controller. The local controller (10) is arranged to store information relating to data e.g. inputs and timestamps received from the keypad or keypads (18), and which is to be transmitted to the central controller (16). The stored information is transmitted to the central controller (16) and compared with data actually transmitted to and/or received by the central controller to try to identify whether fraudulent use of the system has occurred. The system may be an interactive television broadcast. A number of additional security measures may be taken.

Description

INTERACTIVE ELECTRONIC SYSTEM AND METHOD FOR A PLURALITY OF USERS

The present invention relates to an interactive electronic system and method of operating ^'an interactive electronic system. More particularly, but not exclusively, the invention relates to an interactive broadcast system, such as an interactive television broadcast system, for a plurality of users, and method of operating such a system. The present invention is particularly, although not exclusively applicable to providing an interactive system which includes security provisions to combat against and/or detect misuse of the system.

Interactive electronic systems for multiple users are known in the art, especially in the fields of live events and interactive broadcasting, allowing users to participate, for example, in votes or quizzes. Typically, such systems are used to enable audience members to participate and interact with a broadcast by allowing users of the system to indicate their preference or response to a question.

In known interactive electronic systems, data is broadcast to a plurality of local controllers from a central control server. Often it is important to know the time at which certain events in the system occur, for" example, the time at which a stimulus, such as a question, to which the users are invited to respond is provided to the users, or the time at which a user provides an input or. response to the stimulus. This may allow the response time of different users to be determined, to decide who has reacted fastest, or provided the first correct response etc. To deliver timed applications it is necessary to provide a local clock signal generator with each local controller. The local controller is then able to deliver the interactive application with reference to the local clock signal of that local controller. It is known to synchronise the local clock signal generator of a local controller with a reference clock signal, such as a master clock signal generated at the central control server. In this way, interactive applications may be performed simultaneously at all local controllers .

However, because the local clock signal generator must be adjustable, there is a possibility that a user of the system may misuse this clock signal adjustment functionality in order to gain an unfair advantage over other users of the interactive system.

For example, a user can adjust the local clock generator of a first local controller such that an interactive application is delivered by the first local controller after it: is delivered by a second local controller. The user can then have more time to respond to the application, or can even view the answers on the second controller and input the correct answers to the first local controller when the application is delivered at the later time. This type of misuse is referred to as an "Inserted Delay Attack" .

A second type of misuse is referred to as a "Spoof Answer Attack" . A spoof answer attack is undertaken when a user tampers with the input/response data to gain an unfair advantage. For example, the users may alter the local clock signal generator such that local timing information provided along with the user input/response indicates that the input/response was provided at an earlier time than it actually was . It is therefore desirable to implement an interactive electronic system for a plurality of users which includes security provisions to combat against and/or detect misuse of the system.

According to first aspect of the invention, there is provided an interactive system for a plurality of users, the system comprising: a local controller operable to receive data from at least one user interface device; broadcasting means for broadcasting data to the local controller; and a central controller for processing data, the local controller being in communication with the central controller such that it can transmit data to the central controller; wherein the local controller comprises means for storing information relating to data to be transmitted from the local controller to the central controller. ^{• •}

According to a further aspect of the invention, there is provided a method of operating an interactive system for a plurality of users, the method comprising: broadcasting data to a local controller operable to receive data from at

^■ least one user interface device; transmitting data from the local controller to the central controller; processing data at the central controller; and storing information relating to the data to be transmitted at the local controller.

In accordance with the invention, therefore, the local controller is arranged to store information relating to data to be transmitted from the local controller to the central controller. In this way, the stored information may be used to determine whether any tampering or other fraudulent use of the data transmitted by the local controller or received by a central controller from the local controller has occurred. For example, the stored information may be compared with data actually transmitted, or received by the central controller to ascertain whether any differences which may be indicative of fraud exist. The stored information provides evidence of the content of the data at a given time prior to, or at transmission, and can therefore be used to uncover fraud which occurs at any subsequent point in the system after the information is stored.

For example, if the local timing information at the local controller is changed, e.g. by modifying the local clock signal generator, the data actually transmitted to and received by the central controller will differ from that which it is (intended) to transmit, and information relating to the data to be transmitted will not match the corresponding information relating to the data actually transmitted and received. Likewise, if the data is tampered with subsequent to its transmission by the local controller, and before it is received by the central controller, information, such as the time at which the data was provided, derived from the data actually received by the central controller may not match the stored information which relates to the information which was e.g. intended to be transmitted.

It will be appreciated that the invention may allow fraudulent tampering of data transmitted from the local controller to the central controller to be detected, whether that tampering occurs before or after transmission of the data, or at various different points within the local controller prior to transmission by storing the information regarding the data to be transmitted at an appropriate time, e.g. prior to a point where fraudulent tampering may occur . The system comprises at least one user interface device. The user interface device is operable to receive a user input and generate data in response to the user- input. The data may be data indicative of the content of the input, and/or information relating the circumstances of the input, e.g. the timing of the input. The user interface device may then transmit the data, e.g. to a local controller and/or central controller. The user interface device may be arranged to receive data from the central controller, and/or local controller. However, in some embodiments the user interface device is a "transmit" only device. In a preferred embodiment, the user interface devices comprise keypads, preferably of a shape and size such that they may be easily held in a user's hand (although this is not essential). Each user interface device may, e.g., comprise one or a plurality of buttons and/or may comprise any suitable interface means such as, purely by way of example, a jog-dial, a touch-screen or a microphone (or a plurality thereof) .

Each user interface device preferably has the capability to generate, store and forward data to a (its respective) local controller in response to user inputs provided to the device (e.g. according to which one of its button is activated by a user) . Preferably, each user interface device also comprises a timer for obtaining information relating to the timing of user inputs. The user interface may be arranged to allow one or more users to use the user interface at a given time. For example, there may be one user interface provided per user, or in other cases, a group of users, e.g. a team, may all be able to use the same user interface device. In some embodiments, four users may use the same user interface device at the same time.

In accordance with the invention, the local controller is operable to receive data from at least one user interface device. The local controller may also be arranged to be able to transmit data to the user interface device. The local controller may be arranged to communicate with one or more user interface devices. These user interface devices may be said to be "associated" with the local controller. The local controller may be associated with a group of user interface devices. In some embodiments, this will be a selected group of the plurality of user interface devices, i.e. not all user interface devices. In some embodiments, communications between the user interface devices and the central controller may then be directed via the local controller associated with that user interface device.

There may be, for example, one local controller per venue to coordinate the inputs received by all user interface devices at the venue. Of course, not all communications between the user interface device and central controller need necessarily be directed via the local controller. In some embodiments, some signals may be transmitted directly from the central controller to the user interface devices " and others via the local controller. The local controller may carry out some processing of signals received from the user interface device, reducing the level of processing required of the user interface devices if desired.

The local controller is in communication with a central controller such that it may transmit data to the central controller. The local controller may also be able to receive data from the central controller . The local - controller may be arranged to be in communication with the central controller in any suitable manner or manners, e.g. via wired or wireless links, or via a network connection, such as an internet connection. In some embodiments the local controller may be connected to the central controller by more than one different link e.g. by a network based, link and a different, separate link, such as a broadcast communications link. In embodiments of the invention, the local controller may be located at a first venue. The central controller is preferably remote from the first venue. Data transmitted by the local controller is received by the central controller. The data may be received and, if desired, processed, by a computer system of the central controller. Such processing may include any or all of the steps of accumulating, . counting, deleting, displaying and storing the received data, in its received form, or a form to which it has been converted by the local controller. The central controller may be a central or control server.

The system further comprises broadcasting means for broadcasting data to the local controller. The broadcasting means may, for example, be an antenna. However, any suitable broadcasting means may be used to broadcast data. For example, a cable-based or IP-based broadcast distribution network may be used. 'The broadcast means may broadcast stimuli to which the users are invited to respond, such as questions, or other prompts. The broadcasting means may be located in the same location as the central controller, e.g. a television studio, or remote therefrom. The central controller may comprise the broadcasting means, and the central controller may be arranged to broadcast data to the local controller via a broadcast communication link.

The broadcast data is preferably in the form of a television broadcast, and/or preferably comprises or has the nature of, a television program. It preferably comprises an interactive event, preferably a live interactive event, and preferably includes periodic stimuli, such as questions, to invite responses from users . In a particularly preferred embodiment it comprises an interactive entertainment event or show, such as, and preferably, a quiz or -game. The broadcast data may also comprise other data e.g. relating to user inputs. For example, the data may include information about the winner of the last round of a quiz. Preferably, therefore, the broadcast data is based, at least in part, on user input data received from the local controller (s) . In accordance with the invention, the broadcasting means may broadcast the data at a first venue. The first venue is a location at which more than one user can participate in and/or interact with the broadcast i.e. where a plurality of user interface devices are located. The venue may, for example, be private homes and/or public buildings. In a particularly preferred embodiments, the venue is a public house, bar or casino. The data transmitted by the broadcasting means may be received at a number of different venues, and is supplied in the same form to those different venues. Preferably the broadcasting means broadcasts data to a local controller or local controllers for communication to the users. Preferably the broadcast data is displayed to one or more users of the system. In embodiments the system may comprise a display arranged to display the data broadcast by the broadcasting means to the local controller, and the method may comprise displaying the data provided to the local controller using the display. For example, the system may further comprise a display located at a first venue where the local controller is located. In some embodiments the local controller receives data broadcast by the broadcasting means and feeds the broadcast data to the display means. In embodiments, the broadcast data is displayed in real-time. The broadcast data may include elements which, trigger the display of data separately transmitted from the central controller to the local controller, e.g. to cause the already transmitted data, or parts thereof, to be displayed. In this way, the broadcast data may control the display e.g. timing of other data received from the central controller.

The broadcast data may also comprise data for controlling the local controller or controllers . Such data may not necessarily be transmitted to the user interfaces. For example, in embodiments, the broadcast data comprises a time signal which may be used by the local controller to set a local timing reference signal. The time signal may be a regular signal synchronised with a picture broadcast by the broadcasting means. The time signal may help to reduce to possibility of the local controller clock being tampered with fraudulently, and may reduce the risk of slippage of the clock over time from natural causes, e.g. deficiency in the components of the local controller. The broadcast data may also comprise data instructing the local controller when to be receptive to signals transmitted by the user interfaces'. In some embodiments, the local controller may not permanently be activated to receive signals from the user interfaces, and may be shutdown for periods when no user inputs are expected in order to save energy, or as an additional security feature, to allow unusual user interface activity outside an expected timeframe to be identified. The data may instruct the local controller when to be alert to transmissions from user interfaces. Thus, the method may further comprise the local controller being responsive to transmissions of the or each user interface device only within selected timeframes, preferably set in accordance with broadcast data. This may be a "listening window". The local controller is preferably not receptive to transmissions in a period before or after the timeframe.

The period may be a period between rounds of the quiz, and covers at least the period immediately before and after the period when the local controller is receptive to transmissions. The local controller may be unable to receive transmissions from the user interface devices outside this timeframe, or may be arranged to receive such transmissions, but to take no action, or discard them, as discussed in more detail below.

In some embodiments, the broadcasted data is broadcasted via a broadcast communication link and data is communicated from the central controller to the local controller via a second different communication link. The second communication link may be a network-based communication link. The system may comprise a display for displaying data from the local controller, and the display may be arranged to display both data broadcasted by the broadcasting means and data communicated to the local controller by the central controller.

The users of the system may then view the broadcast data, and provide inputs via the user interface devices in response to the broadcast data. The user interface devices generate data in response to the inputs provided. The data is transmitted to the local controller. Preferably the local controller is arranged to receive data from at least one user interface device relating to an input made by the user in response to the broadcast data. The local controller may then process data received from the user interface devices. Such processing may include any or all of the steps of accumulating, counting, deleting, displaying and storing the received data, in its received form, or a form to which it has been converted by the local controller. However, it is not necessary for the local controller to carry out processing, and all processing may be carried out by the central controller. Processing may be carried out by any combination of the user interface devices, the local controllers or the central controller.

Although it would be possible for the system of the present invention to include a single local controller only, in a particularly preferred embodiment there are plural local controllers, each having access to an appropriate display for displaying the data broadcast and transmitted by the central controller and/or broadcasting means and each being coupled to one or more, and preferably plural, user interface devices .

The local controllers are preferably remote from the central controller and/or are preferably each arranged at locations where users will wish to participate in and interact with the broadcast, such as private homes and/or public buildings. In a particularly preferred embodiment the local controllers are located in public houses, bars and/or casinos.

Each local controller will, in effect, serve a given "venue" . There could, of course, be more than one local controller (and display, etc.) at any given venue, if desired (and the local controllers at a given venue could each have their own individual displays, or share displays, etc., as desired - preferably each local controller has its own individual display) .

In accordance with the invention, the local controller is arranged to transmit data to the central controller, and information relating to the data to be transmitted is stored by the local controller. In preferred embodiments, the local controller comprises a database, and the information is stored in the database. In some embodiments the local controller compiles a log of data transmissions. The information may also be transmitted by the local controller for remote storage. For example, the information may be stored in the local controller memory and also in an archive database.

The information stored will relate to the data in the form to be transmitted at least at the time of storing. The 5 time at which the storing of the data takes place may be chosen as desired to try to ensure that it is likely to be useful in identifying fraud in the context of a particular system. Thus, if in one system it is felt that fraud is most likely to involve changing the clock of a local

10 controller, the information may be stored at a relatively early stage prior to transmission to maximise the chances that the stored information will relate to the "true" data intended to be transmitted, rather than any data which has already been manipulated. For example, information relating

15 to data received from a user interface device may be stored as soon as the data is received.

In other cases, it may be felt that fraud is most likely to occur after transmission of the data, between the local controller and central controller. In these cases,

20 the information relating to the data to be transmitted may be stored at a later stage, even at the point of transmission. Thus, in this case, the information may relate to the data actually transmitted. In some embodiments, the local controller may comprise means for

25 storing information relating to data transmitted from the local controller to the central controller, and the method may comprise the step of storing such information.

The stored information will relate to the data at the time of storage, and thus this is taken to be the data "to

30. be" transmitted, even if, on occasion, the data may have already been tampered with such that it might not be the data intended to be transmitted, but reflects the data that would be transmitted if transmittal occurred at the same time that the information is stored. Even if some

35 manipulation has already occurred, the stored information provides evidence of the state of the data at a particular time, or stage in its passage through the local controller, and may be used to provide a security measure against any further fraud occurring at a subsequent time. Of course, more than one set of information may be stored relating to the data at different times prior to transmission to provide greater security against fraud at different points in the transmission operation.

The information relating to the data to be transmitted may be any suitable information relating to the content of the data to.be transmitted, or, for example, relating to the circumstances surrounding the data, or its acquisition or transmittal to the local controller. In practice, the data to be transmitted may include information relating to the circumstances of its acquisition, or transmittal to the local controller, and thus information relating to the circumstances of the data may also be considered to relate to the content of the data and vice versa. In preferred embodiments, the information is, or includes, timing information, preferably relating to the time at which an input was made at a user interface device, or received by the local controller.

The information^' may be a copy of the data transmitted from the local controller to the central controller. However, it is not necessary that a complete copy of the data to be transmitted be used. The information may be a part of the data transmitted^ The information need not directly include the data or a part of it, but may be indirectly or directly based on the data. For example, the information may be derived from, or using the data, e.g. may be some function of the data. In some embodiments, the information is a checksum derived from the data. The method may therefore comprise performing a checksum on the data to be transmitted, and storing the checksum. Such information is indicative of the content of the data, as the data is used to provide the information. The data to be transmitted to the central controller in relation to which information is stored is preferably data relating to a user input or inputs made at the at least one user interface device from which the local controller receives data e.g. being associated with the local controller. The data may be data received from the user interface device, which may or may not be processed by the local controller, or may be data generated by the local controller in response to data received from the user interface device. In embodiments of the invention, the data received from a user interface device may include information relating to an input made by the .user, e.g. the content of the input and the time at which the input was made, and the local controller may be arranged to transmit this information, or information relating thereto to the central controller. The data transmitted from the user interface devices may comprise details of keypresses made by users via the user interfaces, preferably in conjunction with timing information determined by the user interface device or devices as to when the input was made, e.g. in the form of a timestamp. Preferably the data is data received by the local controller from the user interface device or devices within a timeframe set by the central controller. The timeframe may be a "listening period", in which the local controller has been instructed to be receptive to transmissions from the user interface devices . The local controller is preferably not receptive to transmissions in a period before or after the timeframe. In some embodiments, therefore, the stored information is a log of keypresses and associated timing information received by the local controller from one or more user interface devices. Preferably the stored information relates to data to be transmitted by more than one user interface device associated with the local controller. Of course, the stored information may include any or all of the above types of information. In preferred embodiments the information is information which may be used to compare the stored data to data actually transmitted and/or received by the central controller. This may be useful in establishing whether any fraud has occurred subsequent to storage of the information. In accordance with the invention, the method preferably comprises comparing the stored information with the data actually transmitted to and/or received by the central controller, and the system comprises means for so doing. The step of comparing the stored information may comprise directly or indirectly comparing the stored information to the data actually received by or transmitted to the central controller. This may involve comparing at least a part of the stored information, or information derived therefrom, with corresponding information relating to at least a part of the data transmitted to or received by the central controller, or derived therefrom, or may comprise comparing the stored information with the data itself, or a part thereof. The stored information may be compared to all or a part of the transmitted or received data. For example, the information may be compared to time information contained in the transmitted or received data. In embodiments where the stored information is a copy of the data to be transmitted by the local controller, the stored information may be compared to the whole of the received or transmitted data or a part thereof. In some embodiments, the step of comparing the stored information with the received or transmitted data may comprise determining whether the stored information matches the received or transmitted data, or a part thereof, and/or trying to identify differences between the stored information and the received or transmitted data, or a part thereof. In some embodiments, functions, such as checksums, derived from each of the stored information and transmitted and/or received data may be compared. The comparison step may be carried out by the system, or may be carried out remotely. The comparison step may be carried out by the central controller, or another part of the system, such as the local controller, or a third party. It may be necessary for the stored information and/or the data received by the central controller or transmitted thereto to be transmitted such that it may be used in this way. For example, the stored information may be transmitted to the central controller, or provided thereto in response to a request or interrogation by the central controller, or may be transmitted to a third party.^' A comparison step may not be carried out in relation to every data transmission. In some embodiments, a comparison step may be carried out only when a prize of particularly high value is to be awarded in respect of the data transmitted in relation to the winning entry submitted by a user via their user interface device.

The results of the comparison may be used as desired depending upon the level of security it is desired to provide. In some cases, no action may be taken. For example, action may be taken only in certain cases, or at certain intervals, perhaps to implement a form of random testing. In some embodiments the results of the comparison may be stored for future reference, or use. The results may be stored to provide a log which may be consulted only if necessary, e.g. in the event of a dispute. The results may be transmitted e.g. to another part of the system or another system. For example, the results may be transmitted to another party whose responsibility it is to investigate potential fraud.

The comparing of the information may be used to identify fraudulent users of the system, and in some embodiments, the method may comprise identifying fraudulent users of the system by comparing the stored information to the data transmitted to and/or received by the central controller. In some embodiments, the present invention provides a method of detecting fraudulent users in an interactive system for a plurality of users . It will be appreciated that the references herein to "identifying" fraudulent users do not necessarily require the successful identification of such users, but instead that there is an attempt to try to identify fraudulent users.

In accordance with the invention one or more additional security measures may be taken to further increase the security of the system. Anyone of these additional security measures may be carried out in addition to the storing of information relating to the data to be transmitted, and the additional security measures may be carried out in any combination.

In some embodiments, as described above, the local controller may be arranged to be responsive to data from the user interface devices only within certain selected timeframes . In some embodiments, the method may further comprise the local controller discarding any data received from a user interface device outside a selected timeframe. The timeframe is preferably set by the central controller. For example, as mentioned above, the broadcast data may comprise data instructing the local controller when to be responsive to data from the user interface devices. This may provide a further check to ensure that any time information contained in the data received from the user interface devices is valid.

As an additional check, the local controller may check whether timing information of the data received from the user interface devices corresponds to the timeframe within which the local controller is arranged to receive data from the user interface devices. This may be done with reference to the timestamps of the data received. The timing information of the data transmitted by the user interface devices will be defined by the timing means of the user interface devices, which may be set by a timing component of the user interface devices, or in response to a signal from another source. The timing information should confirm that the inputs were submitted within the timeframe in which the local controller is arranged to receive data from the user interface devices. If there is any disparity between the timestamps and the timing of the timeframe, which is reliant on the clock of the local controller, this may be indicative of a problem which may be the result of fraudulent tampering with the timing mechanism of the user interface devices and/or local controller, resulting in a difference in the clocks of the user interface devices and local controller. In some embodiments, the method may further comprise identifying any data received from the user interface device or devices associated with a timing which does not lie within the timeframe in which the local controller is responsive to data transmitted by the user interface devices. The method may comprise discarding such data, or carrying out further investigation if any such data is identified.

In preferred embodiments, the local controller may comprise encryption means for encrypting data transmitted from the local controller to the central controller. The encryption may use any known encryption technique or algorithm suitable for use in the context of the system of the present invention. Preferably the transmitted data is encrypted using at least one secret encryption key that is unique to the local controller. In these embodiments, each local controller may be set up with at least one unique encryption key, for example during manufacture or installation. The encryption key may be stored by the local controller, or, for greater security may be stored remotely from the local controller, such as in a secure "offline" location.

In preferred embodiments, more than one encryption key is associated with each local controller. The keys may tβten have a defined hierarchy for their use. Preferably the encryption means thus uses a plurality of encryption keys and each of the encryption keys has a defined hierarchical level relating to its use by the encryption means . Preferably the keys are associated with different levels of security. Preferably the frequency with which a _,key is used is inversely proportional to the level of security associated with the key. Thus, keys associated with higher security levels may be used progressively less frequently . than those keys associated with lower security levels. For example, three encryption keys may be used wherein a first key at the lowest hierarchical level is for general encryption use, a second key at a middle hierarchical level is used for encryption during a prize verification process, and a third key at a highest hierarchical level is used for encryption if the system is compromised by a fraudulent user. It will be understood the keys of a higher hierarchical level are used less frequently, and therefore 'exposed' to hacking attempts less often than a key of a lower hierarchical level. The handling of and storing of such encryption keys may depend upon the hierarchical level of the key. For example an encryption key of the highest hierarchical level may be stored 'off-line' in a secure location which is separate from the interactive system.

In preferred embodiments, the information relating to the data to be transmitted by the local controller which is stored by the local controller is encrypted. The method therefore preferably further comprises the step of encrypting the stored information relating to the data to be transmitted by the local controller, and the system comprises means for encrypting the data. The encryption may be carried out using any of the methods described above in relation to encrypting the data transmitted by the local controller, e.g. using one or more encryption keys.

In preferred embodiments the local controller comprises security means to control access, preferably physical access, to the local controller, e.g. to secure the local controller against the possibility of a user gaining access to the local controller to modify information stored by or transmitted by the local controller . This may reduce the possibility of a user circumventing the guard against fraud provided by the storing of information relating to data to be transmitted in accordance with the invention by modifying the stored information, or from making changes to the local controller,, such as to its local timer, to modify the data which is actually transmitted. Preferably the security means is means for identifying whether the local controller has been physically tampered with, and may be a physical seal. The method may comprise the step of inspecting a security means to determine whether the local controller has been physically tampered with. This may be carried out as (part of) a step of identifying fraudulent use of the system. Verification that the security means does not show any signs that the local controller has been tampered with, e.g. that it is intact, may provide further confidence that the information stored by the local controller is authentic, i.e. has not been modified in a fraudulent way. In some embodiments a verification step may be performed comprising comparing information stored in the database of the local controller relating to data to be transmitted with data that is actually transmitted to and received by the central controller, and preferably inspecting a physical seal of the local controller. This should be carried out with respect to the local controller associated with the user interface device at which the relevant user input was made.

In some embodiments, the method may comprise removing the local controller from the system to be inspected. The local controller and its performance may then be analysed "offline" to try to detect any fraud, e.g. in an off-site location.

In accordance with the invention, the local controller transmits data to the central controller. The data may be transmitted in response to a command included in the broadcast data. The central controller may process the ^•■ received data. The processing may involve any of the 'steps described above in relation to the processing of data by the user interface device or local controller. In some embodiments, the method may further comprise the central controller using data received from the local controller to derive information relating to a user input or inputs made at one or more of the user interface devices. For example, the central controller may .determine which user answered a question correctly, or provided an input, correct or otherwise in the fastest time at the user interface device. The central controller may store data received from the local controller, or derived from data transmitted thereto. The receiving, storing and processing of the data may be carried out by a computer system of the central controller. To provide an additional security feature, the central controller may be arranged to transmit an acknowledgement message to the local controller in response to data transmitted from the local controller to the central controller, and the method may comprise the central controller transmitting such an acknowledgement message.

The acknowledgement message may include information relating to the data received by the central controller. For example, the information may include the received data or data derived therefrom, or a part of the data or derived data. The information may be a copy of the received data. The information relating to the data may be of any of the forms described above in relation to the stored information relating to the data to be transmitted by the local controller. The information may also comprise information relating to the receipt of the data by the central controller, such as the time at which it was received, or information identifying an address from which it was received.

The central controller may be arranged to encrypt the acknowledgement message using one or more (secret) encryption keys . Encryption may be carried out in any of the manners described above in relation to the data transmitted by the local controller, or the information stored thereby.

The local controller may then use the acknowledgement message to compare the information relating to the data received by the central controller with the data actually transmitted thereto, or the stored information relating to the data to be transmitted. The method may comprise using the acknowledgement message to compare the information relating to the data received by the central controller contained in the acknowledgement message to the data transmitted by the local controller to the central controller, or the stored information relating to the data to be transmitted. In preferred embodiments the acknowledgement message is compared to the stored information relating to data transmitted from the local controller to the central controller. The comparison may be carried out in any suitable manner, and may involve comparing all, or a part, of the stored information, or data derived therefrom, to the data transmitted, or information relating thereto, or any part thereof, or data derived therefrom, in any of the manners described above in relation to using the stored information relating to the data to be transmitted by the local controller with data actually transmitted or received to or by the central controller.

For example, checksums may be calculated. A checksum stored relating to the data to be transmitted by the local controller may be compared with a checksum performed on data received by the central controller e.g. in an acknowledgment message. In some embodiments, the acknowledgement message comprises information relating to the data received by the central controller for determining whether the data received by the central controller matches the data transmitted from the local controller to the central controller, and the method comprises determining whether the data received by the central controller matches the data transmitted from the local controller to the central controller using the information provided in the acknowledgement message. The method may further comprise determining whether fraudulent use has occurred using the acknowledgement message. The local controller may transmit a confirmation message to confirm receipt of the data from the central controller, e.g. the acknowledgement message. The further confirmation message may be transmitted to the central- controller. The confirmation message may comprise information relating to the data received from the central controller. The information may be of the same form as of the information relating to the data received by the central controller which may be transmitted in the acknowledgement message e.g. a copy, part of the data, data derived from the data or part thereof etc. The information may include a time at which the data transmitted by the central controller was received, and/or information relating to whether or not fraudulent use has been detected.

The confirmation message may be encrypted in the same manner described above in relation to the data transmitted by the local controller or the acknowledgement message.

In some preferred embodiments, the central controller may request that a local controller associated with a selected user interface device transmit the data received from the selected user interface device, or information relating thereto, to the central controller. Preferably the user interface device is a user interface device at which an input of interest was made by a user, for example the winning input for a given round. The central controller may then compare the data received from the local controller in response to the request with the corresponding data, or information relating thereto, received previously from the local controller e.g. the initial data transmitted from the local controller to the central controller for the purposes of determining a winner. Again, this further data transmission may be encrypted, and authentication carried out between the central controller and local controller.

The central controller may compare the data received in response to the request with the data transmitted earlier. For example, checksums may be performed. Thus, this further comparing step may be used in addition to the comparing of information stored by a local controller relating to data to be transmitted to the local controller with data transmitted to or received by the local controller. While the first information stored by the local controller in accordance with the invention may comprise information relating to data received from more than one user interface device, the further comparison step compares data received by the local controller from a selected user interface or user interface devices, preferably a single user interface device, with the corresponding data received by the central controller.

The user interface device may be arranged to receive data from the central controller and/or the local controller. Preferably the user interface device may receive data transmitted over the network link. In this way, a user may review data relating to previous and/or current interactive broadcasts. This may include data relating to the results of data comparisons made during the security checks. As mentioned above, the information relating to the data to be transmitted may comprise timing information. However, in addition to storing timing information relating to data to be transmitted by the local controller, timing information may be used in other ways to provide a further level of security. The system may compare store timing information relating to the transmission of data at any point e.g. from the user interface device to the local controller or central controller, from the central controller to the local controller, in relation to actual transmissions of data from the local controller to the central controller, from the central controller to the user interface devices, from the broadcasting means to the local controller and/or user interface devices, from the local controller or user interface devices to the broadcasting means, and combinations thereof. Timing information may be compared with corresponding timing information derived in another way, or from another source to try to establish whether any differences exist which might be indicative of fraud. For example, the broadcast time delay or timing of a transmission from a central controller may be used in this way. Timing information may be derived for the same event in more than one different way, and may then be stored, and/or compared. For example, a time of the broadcast delay may be determined with and without using timing information from the local controller. In preferred embodiments, corresponding timing information is derived both with and without using timing information provided by the local controller. The corresponding timing information may then be compared, and any difference may indicate a potential problem with respect to the local controller, which may be subject to alteration of its timing means.

In some embodiments, each local controller maintains a local timing reference signal. The local timing reference signal of each of the local controllers of the system may be synchronized with one another. This may be achieved in any suitable manner. By synchronized it is meant that the time variables are substantially synchronized, or synchronized to the extent required for a given application. They may not in practice always be exactly synchronized. The use of a network timing protector may allow the time variable at each local controller to be synchronized in this way. The time reference signal may be provided to the local controller using the network timing protocol.

In preferred embodiments the local controller uses the broadcast data to obtain timing information for the local controller. In preferred embodiments, the broadcast data includes data for identifying the time at which the data was broadcast and the local controller uses the data for identifying the time at -which the data was broadcast that is included in the broadcast data to determine time information of the local cotnroller. The time information determined by the local controller may be e.g. the timing of user inputs made at the user interface devices and/or the timeframe in which the local controller is arranged to be responsive to data transmitted by the user interface devices. In preferred embodiments, the local controller uses the time • data included in the broadcast to synchronise its own

"local" time to the "broadcast" time. For example, the local controller may use the data to set a local timing signal of the local controller.

Where the broadcast data is of the nature of a television broadcast, the time data is preferably included in the broadcast in the vertical blanking interval (VBI) . part of the broadcast stream. The time data is preferably encoded as a teletext signal in the TV broadcast. In such an arrangement, the time data is preferably embedded in the standard teletext frame structure. Other arrangements would, of course, be possible. For example, time data in the form of text may be added to the broadcast data (from which the time information could then be extracted by a local controller using a suitable Optical Character Recognition (OCR) method) . Alternatively the time data may be in the form of a video watermark or bar code.

In these embodiments, the local controller can extract the time data from the broadcast data in any desired and suitable manner. For example, in the case where that data is embedded in the VBI component of the broadcast data, it can use filter software to extract the VBI component from the broadcast stream and then interpret the data contained therein to derive the time data.

The time data in the broadcast data can be used by a local controller in any desired and suitable manner for the purposes of deriving or determining time information for the local controller.

In other embodiments the central controller comprises a synchronization server for generating a time .reference • signal. The synchronization server may transmit a time reference signal to the or each local controller of the system, preferably via a network -based communications link. In preferred embodiments, there are a plurality of local controllers , and each receives the time reference signal .■ • The time reference signal may be used by the or each local controller to set a local timing reference signal. In this way the local time variable at each of the local controllers may be synchronized. Of course, other synchronization methods may be used, and it is not necessary that the system comprises a synchronization server.

The or each local controller may then store information relating to the local timing reference signal of the local controller. Preferably the method comprises storing information relating to a local timing reference signal, which may be a received signal, at the or each local controller, and the or each local controller is arranged to store such information, for example in a database. The storing of such information may provide an audit trail which can be inspected to determine whether modified or corrupted data has been transmitted to or from a local controller. This may be achieved by comparing the stored information relating to the local time reference signals with information relating to the local time reference signals provided to the local controllers, e.g. by a synchronization server or in the broadcast data. Such information may be stored by the synchronization server. In these embodiments, the or each local controller may be arranged to receive a local timing reference signal from the synchronization server or to receive broadcast data including time data. In some embodiments the system further comprises a synchronization server for generating a time reference signal, the local controller being in communication with the synchronization server to receive the time reference signal from the synchronization server, and the local controller is arranged to store information relating to the received time reference signal. In some embodiments, the broadcasted data comprises information relating to the time at which the data was broadcasted; and the local controller is arranged to selectively transfer data to the central server in response to processing the broadcasted data and the data received from at least one user interface.

The local controller may transmit timing information derived using the local timing reference signal to the central controller. The central controller may use the timing information relating to the user input received from the local controller with other information to check the integrity of the data sent by the local controller, and to try to detect whether any fraud has occurred, such as tampering with the local clock signal of the local controller. In some embodiments, the method comprises comparing timing information received from the local controller and based on the local timing reference signal with other timing information not based on the local timing reference signal. The timing information may be compared with an expected or past value for the timing, or timing information obtained from another source, e.g. from the central controller, broadcasting means and/or user interface device. Timing information received from the local controller which may be used in this way may include a broadcast time delay, or a timing relating to the providing of a user input at a user interface device. In embodiments where the local timing is set using broadcast data, a broadcast delay may be compensated for, avoiding the need to calculate a broadcast delay.

The timing information transmitted by the local controller is preferably encrypted. This may be achieved in any of the ways described above in relation to encryption in other parts of the system, and timing information obtained from another source e.g. external to the local controller.

In preferred embodiments , the local controller receives broadcasted, data, and data from at least one user interface device connected thereto. In embodiments, the local controller is arranged to determine timing information relating to when the data was input to the user interface device, or generated by the user interface device, using the broadcast data and data from the user interface device. For example, in some embodiments, the local controllers increase the value of the local timing reference signal. A program broadcast by the broadcasting means may then be received. The broadcast is made by the broadcasting means at a known time. The broadcast may comprise data providing information relating to the time at which the broadcast was made allowing this timing to be established by the local controller. The local controller may determine a broadcast delay using the known time of broadcast and the local timing reference signal . This may involve determining a difference between the local timing reference signal and the time at which the broadcast was known to have been made. At a later stage, a user may input a response to a stimulus contained in the broadcast to their user interface device, which input may be transmitted to the local controller. The local controller may then determine a time at which the input was made using the broadcast delay, the local timing reference signal and the time at which the broadcast was known to have been made. This time may be transmitted to the central controller and compared to a corresponding time at which the user input was made derived without using the local timing reference signal. Similarly, a value for a broadcast delay determined by the local controller- using the local timing reference signal may be compared to a known value for the delay, e.g. by the central controller. As mentioned above, the determining of a broadcast delay may not be necessary in preferred embodiments where the local timing signal is set using data e.g. a time stamp in the broadcast data. Other security measures may be carried out. For example, authentication may be carried out in relation to the parties involved in the transmission of data between the local controller and the central controller. The local controller may be provided with a local controller identity which may be associated with the identities of one of more user interface devices which transmit data to the local controller. The identity of the user interface device may be authenticated when data is received by the local controller from the user interface device to verify that the user interface device is one associated with that local controller. The authentication may be carried out by the local controller. Similarly, the identity of the local controller may be authenticated by the central controller when data is received from the local controller. The local controller may be required to perform an authentication process in order to transmit data, or may transmit data comprising identity information. The central controller may verify the identity of the user interface device which provided the data to the local controller, and may compare this with the identity of user interface devices known to be associated with the local controller. The local controller may be arranged to check the identity of a user interface device with which it is in i communication, or arranged to be in communication. This may be carried out on a periodic basis, or at certain times, such as when data is received from a user interface device, or randomly. The local controller may then compare the identity of the user interface device detected with that of the user interface devices with which it is associated, or with the previous identity information obtained from the user interface device. Information may be stored associating the identity of a local controller with one or more user interface devices with which it is to communicate for this purpose. Of course, such identity verification may, alternatively, or additionally, be carried out by the central controller. The local controller may also check the operation of one or more user interface devices with which it is arranged to communicate. This may be carried out at any time, in the same manner as verification of the identity of the user interface devices . The local controller may run a program checking the performance of the user interface device, or its response to certain operations which may reveal whether it may have been tampered with. The results of any such verification processes may be stored. They may then be consulted in the event of an investigation, or routinely, by e.g. the central controller, or a third party. In accordance with a further aspect of the invention there is provided an interactive system for a plurality of users, the system comprising: a local controller operable to receive data from at least one user interface; broadcasting means for broadcasting data to the local controller; and a central server for processing data, the local controller being in communication with the central server such that it can transmit data to the central server; wherein the local controller comprises a database for storing information relating to data transmitted from the local controller to the central server, arranged to identify fraudulent users of the system by comparing information stored in the database with data transmitted to the central server. In accordance with yet another aspect of the invention there is provided a method of detecting fraudulent users in an interactive system for a plurality of users, the method comprising: broadcasting data to a local controller operable to receive data from at least one user interface; transmitting data from the local controller to the central server; processing data at the central server; storing information relating to the transmitted data at the local controller,- and identifying fraudulent users of the system by comparing the stored information with the data transmitted to the central server.

The present invention in accordance with these further aspects of the invention may include any or all of the features described in relation to the first, and second aspects of the invention, to the extent that they are not

■ inconsistent therewith.

It will be appreciated that the data transmissions made in accordance with the invention in any of its aspects or embodiments in general may be made wirelessly, or via wired connections, or a combination of wired and wireless connections, using any suitable arrangements for doing so, and may involve any number of intermediate components between the central controller and the local controller (s ).

It will be understood that where not explicitly stated, the present invention in its various aspects extends to a system comprising means for carrying out any of the steps of the method of any of the aspects or embodiments of the invention described, and the method comprises steps for carrying out any of the steps that the system is configured to perform. References to "means for"¹ carrying out a step may be interchanged with references to a "sub-system" for performing those steps . It will be appreciated that various components and elements of the system of the present invention, such as the central controller, local controllers, etc., can be arranged and constructed in any desired and suitable form. Thus they could, for example, comprise single units or systems, such as servers, that are configured to perform all the functions described, or they could comprise a number of different components such as servers, processors, etc., that are each appropriately coupled to each other for carrying out and performing the various functions. Thus, for example, the central controller need not comprise a single device, but could comprise a number of devices that are associated with each other, such as one server for controlling the broadcast data to the local controllers, and another, separate server for coordinating the separate data transmission to the local controller. It would also, e.g., be possible for there to be more than one central controller in the system.

Thus it should be understood that references herein to a "central controller" and a "local controller", etc., are not intended to require a single device that performs all the described functions (although in one embodiment that is the preferred arrangement) , but are also intended to encompass arrangements in which plural separate or different devices or components act together to perform the functions of the necessary "controller", etc.

It would similarly be possible for the various functions of the different components of the system of the present invention to be performed in a distributed form, and with the components not necessarily having to be in the same physical locations, for example.

As will be appreciated by those skilled in the art, all of the aspects and embodiments of the present invention described herein can and preferably do include any one or more or all of the preferred and optional features of the invention described herein, as appropriate.

The present ^■ invention may be used to provide any desired form of interactive broadcast, although as will be appreciated from the above, it is particularly applicable to the provision of interactive entertainment broadcasts, such as quizzes and games.

The methods in accordance with the present invention may be implemented at least partially using software e.g. computer programs . It will thus be seen that when viewed from further aspects the present invention provides computer software specifically adapted to carry out a method or the methods herein described when installed on data processing means, a computer program element comprising computer software code portions for performing a method or the methods herein described when the program element is run on data processing means, and a computer program comprising code means adapted to perform all the steps of a method or of ,the methods herein described when the program is run on a data-processing system.

The invention also extends to a computer software carrier comprising such software which when used to operate a radio system comprising data processing means causes in conjunction with said data processing means said system to carry out the steps of a method or of the methods of the present invention. Such a computer software carrier could be a physical storage medium such as a ROM chip, CD ROM or disk, or could be a signal such as an electronic signal over wires, an optical signal or a radio signal such as to a satellite or the like.

It will further be appreciated that not all steps of the methods of the invention need be carried out by computer software and thus from a further broad aspect the present invention provides computer software and such software installed on a computer software carrier for carrying out at least one of the steps of a method or of the methods set out herein.

The present invention may accordingly suitably be embodied as a computer program product for use with a computer system. Such an implementation may comprise a series of computer readable instructions either fixed on a tangible medium, such as a computer readable medium, for example, diskette, CD-ROM, ROM, or hard disk, or transmittable to a computer system, via a modem or other interface device, over either a tangible medium, including but not limited to optical or analogue communications lines, or intangibly using wireless techniques, including but not limited to microwave, infrared or other transmission techniques . The series of computer readable instructions embodies all or part of the functionality previously described herein.

Those skilled in the art will appreciate that such computer readable instructions can be written in a number of programming languages for use with many computer architectures or operating systems. Further, such instructions may be stored using any memory technology, present or future, including but not limited to, semiconductor, magnetic, or optical, or transmitted using any communications technology, present or future, including but not limited to optical, infrared, or microwave. It is contemplated that such a computer program product may be distributed as a removable medium with accompanying printed or electronic documentation, for example, shrink-wrapped software, pre-loaded with a computer system, for example, on a system ROM or fixed disk, or distributed from a server or electronic bulletin board over a network, for example, the Internet or World Wide Web.

Any of all of the features described above, may where not explicitly stated, babe extended to other or each local controller of a system comprising a plurality of local controllers .

It will be appreciated that in addition to the storing of information relating to data transmitted by the local controller, the method and system of the invention may use any one or ones of the additional security measures described, alone or in any combination. These include the use of encryption, physical seals, acknowledgement messages or timing information.

For a better understanding of the invention, embodiments will now be described, purely by way of example, with reference to the accompanying drawings, in which: Figure 1 shows an electronic system according to a first embodiment of the invention; and

Figure 2 shows an electronic system according to another embodiment of the invention. Like reference numerals refer to like elements throughout .

The term 'user interface' refers to apparatus for receiving a user input comprising at least one input interface, such as a button. Although a user interface is preferably of a shape and size such that it may be easily held in a user's hand, a user interface according to the invention may be of any suitable shape and size. Furthermore, a user interface need not comprise a plurality of buttons but, instead, may comprise any suitable interface means such as, purely by way of example, a jog-dial, a touch-screen or a microphone (or a plurality thereof) .

Referring to Figure 1, an electronic system according to an embodiment of the invention is illustrated. The electronic system comprises a local controller 10 and a display 12 at a first venue 14, and a central server 16 at a location which may be remote from the first venue 14.

The local controller 10 is operable to receive data from first 18, second 20 and third 22 user interfaces, the user interfaces generating data in response to user inputs. Also, the central server 16 is arranged to broadcast data to the local controller 10 via a broadcast communication link 24.

The local controller 10 is arranged to be in communication with the central server 16 via a network 26 (i.e. the internet) so that it can transmit data to the central server 16. Such data may be specific and local to one or more venues or it may be generic .

When data is transmitted to the central server 16 by the local controller 10, information relating to transmitted data is stored within a database (not shown) of the local controller 10. This stored information can then be used for identifying fraudulent users of the system by comparing information stored in the database with data that is actually transmitted to and received by the central server 16. In this way, there is provided a way of identifying whether the data transmitted to the central server 16 by the local controller 10 has been tampered with (or modified in any way) during transit.

Although not essential, to provide additional security against the possibility of a user gaining access to the database and modifying the stored information, the local controller comprises security means for identifying whether the local controller has been physically tampered with, such as a physical seal. Verification that the security means do not show any signs that the local controller has been tampered with provides assurance that the information logged in the database is authentic (i.e. has not been modified in a fraudulent way) .

Thus, for an interactive application that awards a prize of high value (in either economic or other terms) , a verification process can be performed to ensure a user has not misused the system in a fraudulently way. This verification process includes the steps of comparing information stored in the database of the local controllers with data that is actually transmitted to and received by the central server, and inspecting the physical seals of the local controller. In other words, the integrity of the data sent to the central server 16 by the local controller 10 can be assessed. It will therefore be understood that the system uses a combination of data logging and physical security at the local controller 10 to provide protection against fraudulent use of the system.

In an example where the central server 16 operates in conjunction with a television program, the central server 16 is located at a television studio and comprises broadcast means 28 and a computer system 30. The computer system 30 is connected to broadcast means 28 so that it can provide data to the broadcast means 28 for controlling and/or modifying the television program. For example, the computer system may supply questions, or other user stimuli, which are to be superimposed on top of the television program.

Under the control of a director or the computer system 30, the broadcast means 28 consolidates and/or mixes the data with the television program and broadcasts the program via the broadcast communication link 24 to the first venue 14. The venue 14 is a location at which^' more than one user can participate in and/or interact with the broadcast television program, for example a public house.

The local controller 10 receives the broadcast television program and feeds the received broadcast to the display 12 for display. In this way, the program is communicated to the users of the system at the venue 14, the program including a stimulus such as a question or game. In response to the communicated program, the users provide inputs by operating the user interfaces, which in turn generate data in response to user inputs provided. This generated data is transmitted to the local controller 10 and is processed by the local controller 10. Such processing may include any or all of the steps of converting, accumulating, counting, deleting, displaying and storing the received data in either its received form or any other form into which the data may be converted by the local controller 10.

As can be seen from Figure 1, the local controller 10 is also in communication with the central server 16 via the network 26 so that it can transmit and receive data to and from the central server 16. Using this network-based communication link 26, the local controller 10 then transmits some or all of the data relating to the user inputs to the central server 16. This data is received and processed by the computer system 30 of the central controller 16. As above, it is to be appreciated that such processing may include any or all of the steps of converting, accumulating, counting, deleting, displaying and storing the received data in either its received form or any other form into which the data may be converted by the local controller 10.

In addition to transmitting data to the central server 16, the local controller 10 stores information relating to transmitted data within a database (not shown) . In other words, the local controller 10 compiles a log of the data transmissions. This log can then be used to identify if corrupted or modified data has been transmitted to the central server due to a spoof answer attack, for example. Identification of such an attack is achieved by comparing information stored in the database with data that is actually transmitted to and received by the central server 16.

In the example of a user providing inputs in response to questions provided in a television program which was broadcasted by the central server 16, the computer system 30 processes the data relating to the user inputs in order to determine which users answered the questions correctly. Of course, the computer system 30 may also determine further information relating to the user inputs, such as which user answered provided a correct input in the fastest time. Some or all of the processed data may then be stored in the computer system for subsequent use.

Data processed by the computer system 30 is then used in conjunction with the television program. The computer system 30 provides some or all of the processed data to the broadcast means 28 for controlling and/or modifying the television program. For example, in addition to supplying questions to be superimposed on top of the television program, processed data relating to the previous question may also be supplied to the broadcasting means 28 for inclusion within the television program. Such inclusion may be, for example, achieved by modifying the actual television program (i.e. information displayed in the background of studio may be modified) or by superimposing information on top of the television program. The updated television program is then broadcasted via the broadcast communication link 24 to the first venue 14. ^■

Data processed by the computer system 30 may also be transmitted to the local controller 10 at the venue 14 via the network 26. In other words, the computer system 30 may transmit data to the local controller 10 via the network 26 in response to the data transmitted to it from the local controller 10. For example, this processed data may relate to the specific user inputs provided at the venue 14 and therefore provide information customized to the venue 14. However, it is noted that the data transmitted to the local controller 10 may also be related to the state of the current studio activity (i.e. the stage of the game) and may have nothing at all to do with the previous responses from the user interfaces .

For the purpose of providing for yet further security, data transmitted by the computer system 30 to the local controller 10 may comprise an acknowledgement message for acknowledging the receipt of data from the local controller 10. For example, the acknowledgement message may include information relating to the data received by the computer system such as a copy of the received data. It may also include additional information relating to the received data including the time at which it was received and information identifying an address from which it was received. Using this acknowledgement message received from the computer system 30, the local controller 10 can check whether the data received by the computer system 30 matches that which was sent to the computer system 30. If the information contained within the acknowledgement message agrees with the related information stored in the database, it is determined that the data transmitted by the local controller to the computer system 30 was not tampered with during transmission .

Thus, a further message may be transmitted from the local controller 10 to the computer system 30 for the purpose of confirming data has been received from the computer system 30. Again, this confirmation message may contain information relating to the received data, including the time at which it was received and information identifying whether or not a fraudulent user has been detected.

Accordingly, the local controller 10 may be arranged to receive both the television program broadcasted by the broadcasting means 28 and the data transmitted by the computer system 30. In such an arrangement, the local controller 10 then processes the received data and broadcast such that the local controller 10 consolidates and/or mixes the received program and data and feeds the consolidated and/or mixed data to the display 12 for display. Thus, the display 12 ,may display both data broadcasted by the central server 16 via the broadcast link 24 and data transmitted to the local controller 10 from the central server 16 via the network 26. Of course, the processing may not be undertaken immediately upon receipt of the information. Thus, the received data and broadcast may be stored for future interpretation and use.

It can be appreciated that the local controller 10 may produce an interactive program which is customized to the specific venue 14 at which it is located. In such a case, the broadcast program is a global broadcast which is supplied in the same form to any number of venues, whereas the data transmitted to the local controller 10 via the network 26 is specific to the controller 10 to which it is transmitted. Thus by consolidating these two received data signals, the local controller 10 is able to produce a data signal for display which may contain data of a global nature (i.e. data relating to the inputs of all of the users of the interactive system) and data of a local or regional nature (i.e. data relating only to the inputs of users local to the specific local controller) .

Therefore, in an embodiment of the invention which contains more than one venue, each of the venues may display an interactive broadcast which combines a broadcast signal (containing information relating to all of the venues of the system) and a custom transmitted signal (containing information relating to a specific venue and/or venues local to the same) . For example, it is envisaged that economically-linked venues (i.e. pubs in a chain) may receive the same custom transmitted signal, whereas all other venues receive a custom transmitted signal unique to the venue . Returning back to Figure 1, a user terminal 32 is also connected to the central server via the network 26. The user terminal 32 can access the processed and stored data of the computer system 30 and/or the local controller so that it can be retrieved to the user terminal 32 for observation. Using this feature, a user of the user terminal 32 may therefore review data relating to previous and/or current interactive broadcasts. Such data may, for example, relate to the results of the data comparisons made as a part of the security checks. Referring to Figure 2, an electronic system according to another embodiment of the invention is shown. The electronic system comprises a broadcast antenna 34, first 1OA and second 1OB local controllers at first 14A and second venues 14B, respectively, and a central server 36 at a location which may remote from the first 14A and second 14B venues. Although not depicted in Figure 2, the broadcast antenna 34 may be connected to the central server 36 so that it can be operated in conjunction with data provided to it from the central server 36. The first 1OA controller is operable to receive data from first 18A, second 2OA and third 22A user interfaces, the user interfaces generating data in response to user inputs. Similarly, the second 1OB controller is operable to receive data from fourth 18B, fifth 2OA and sixth 22A user interfaces . First 12A and second 12B displays for displaying data are also connected to the first 1OA and second 1OB local controllers, respectively.

Both the first 1OA and second 1OB local controllers are in communication with the central server 38 via the network 26 so that they can transmit and receive data to and from the central server 38. Such data may be specific and- local to one or more venues or it may be generic .

It is noted that, unlike the local controller of the system shown in Figure 1, the first 1OA and second 1OB local controllers of the system shown in Figure 2 also comprise encryption means 44 for encrypting data before it is transmitted to the central server 38. Such encryption may use any known encryption technique or algorithm that is suitable for the requirements of this system. However, it is preferable that the transmitted data is encrypted using a secret encryption key that is unique to the local controller which encrypts the data.

In the preferable embodiment that a secret and unique encryption key is used, each local controller is initialized with at least one secret encryption key (which is unique to the local controller) during the manufacturing or provisioning process. The secret encryption key(s) may be stored within the encryption means 44 of the local controller using suitable storage means such as Non-Volatile Random Access Memory (NVRAM) or Flash Memory.

In an even more preferable embodiment, more than one encryption key is used for each local controller and these keys will have a defined hierarchy for their use. For example, three encryption keys may be used wherein a first key at the lowest hierarchical level is for general encryption use, a second key at a middle hierarchical level is used for encryption during a prize verification process, and a third key at a highest hierarchical level is used for encryption if the system is compromised by a fraudulent user. It will be understood the keys of a higher hierarchical level are used less frequently, and therefore 'exposed' to hacking attempts less often than a key of a lower hierarchical level. The provision of storing such encryption keys will, therefore, be modified according to the hierarchical level of the key, for example an encryption key of the highest hierarchical level may be stored 'offline' in a secure location which is separate from the interactive system.

When encrypted data is transmitted to the central server 38 by the respective local controller, information relating to the transmitted data is stored within a database (not shown) of the local controller. Preferably, this stored information is also encrypted, for example using the same encryption method as that used to encrypt the transmitted data. As with the embodiment of Figure 1, this stored information can then be used for identifying fraudulent users of the system by comparing information stored in the database with data that is actually transmitted to and received by the central server 38.

As before, to provide additional security against the possibility of a user gaining access to the database or the encryption means, the local controllers each comprise at least one physical seal. This physical seal is arranged such that it indicates if the local controller has been physically tampered with. Verification that the physical seal does not show any signs the local controller has been tampered with provides assurance that the information logged in the database is authentic (i.e. has not been modified in a fraudulent way) and that encryptions means have not been compromised. Thus, a verification process can be performed to ensure a user has not misused the system in a fraudulently way. This verification process includes the steps of comparing ■ information stored in the database of the local controllers with data that is actually transmitted to and received by the central server, and inspecting the physical seals of the local controller. In other words, the integrity of encrypted data sent to the central server 38 by a local controller can be assessed.

The central server 38 comprises a synchronization server 40 for generating a time reference signal and a computer system 42 for processing data. Each local controller is therefore in communication with the synchronization server 40 to receive a time reference signal from the synchronization server 40 via the network 26.

The broadcast antenna 34 is arranged to broadcast data to the venues 14A and 14B. Preferably, the data broadcasted by the antenna 10 comprises information for identifying the time at which data was broadcasted.

It can therefore be appreciated that the local controllers 1OA and 1OB are arranged to receive both the broadcasted data and the time reference signal provided by the synchronization server 40. Upon receipt of these, the local controllers 10A and 1OB process the information from the broadcast and data generated by a connected user interface. This processing enables each local controller to calculate timing information relating to when the data was generated by the user interface and to selectively transfer data to either a connected display or the central server 38.

In an example where the central server 38 operates in conjunction with a broadcasted television program, the central server 38 and the broadcast antenna 34 are both located at a television studio. Of course, this is not essential to the invention, and the central serve r 38 and the broadcast antenna 34 may be located at separate locations as may be necessary. An exemplary operation of the electronic system shown in Figure 2 will now be detailed, wherein the electronic system provides an interactive television program to a plurality of users. In this example, the interactive television program contains questions which the users answer in order to interact with the program. ' Before a program is broadcast, the synchronization server 40 transmits a time reference signal to- first 1OA and second 1OB local controllers. This time reference signal is used by the local controllers to set a local time variable, wherein the local time variable at each of the local controllers is substantially synchronized. The local time at the first controller 1OA is denoted with a subscript 1 (i.e. T_L1) and the local time at the second controller 1OB is denoted with a subscript 2 (i.e. T_L2) .

Any suitable time synchronization method can be used to synchronise the local time variable at each of the local controllers. In this example, the time reference signal is provided using the known Network Time Protocol (NTP) and, according to a paper entitled "Using NTP to control and Synchronise System Clocks" from Sun Mircosystem, accuracies of 10-50 mS are readily achievable in a Wide Area Network (WAN) environment.

Preferably, the maximum synchronisation error is 4OmS which corresponds to the period of a single TV frame (in Europe) . Thus, for the purpose of this example, NTP is an appropriate method for synchronizing the local time of the local controllers. It will, however, be appreciated that any other suitable synchronization method may be used to synchronise the local time variable of the local controllers. In this embodiment, the local controllers store information relating to received time reference signal in their database, although it is not essential to the invention. By logging all of the received time reference signals, there can be provided an audit trail which can be inspected, either remotely or locally, in order to identify if corrupted or modified data has been transmitted to or from a local controller, identification of such an spoof answer attack can be achieved by comparing information stored in the database with information relating to the time reference signals provided by the synchronization server 40. Once the local controllers have been synchronized, the system is ready for an interactive television program to be broadcasted. The broadcast antenna 34 broadcasts the program via a broadcast communication link to the first 14A and second 14B venues. The time at which the program was broadcasted is denoted with a subscript B (i.e. T_B) and information relating to the value of T_B is included within the broadcasted data.

Although the precise method used to embed information within the broadcasted data is not essential to the invention, it is envisaged that a preferred a method of embedding information is to include machine-readable code in a visible portion of the broadcasted program. Such machine- readable code may be in the form of cue dots , a video watermark, or a barcode. By placing machine readable code in a visible portion of the broadcasted program the problem of a broadcast receiver removing data outside of the viewable area of broadcasted (i.e. clipping the image) is overcome. Upon receiving the broadcasted program, the local controllers process the machine-readable code and extract relevant information. The local controllers then cover up the machine-readable code within the visible portion of the broadcasted program by overlaying graphics, or other user- readable information, before the received program is provided to a connected display.

Variations of the above-detailed method of embedding machine-readable code within the broadcasted program are numerous. For example, text may be added to the program from which information can be extracted by a local controller using a suitable Optical Character Recognition (OCR) method. Whilst the program is being broadcasted to the first 14A and second 14B venues, time passes and the local controllers increase the value of a local time variable. After a time delay D₁, the broadcasted program is received by the local controller 1OA at the first venue 14A. This time (the time at which the broadcasted program is received by the first local controller 10A) is denoted as T_Rβl and is defined by the following equation (equation 1) :

T_Rβl = T_B + D₁ (1).

Given that D₁ is unknown, and that information relating to both T,_O1 and T_n can be obtained from the information included in the broadcast data and the local time variable at the local controller, respectively, the first local controller 1OA calculates the value of the broadcast delay D₁ using the following equation (equation 2):

D₁ = T_Rβl - T_B (2).

The received program is then fed to the display 12A by the local controller 1OA for display to the users of the system as the first venue 14A. In this way, the broadcasted program is communicated to the users of the system at the first venue 14A, the program including a stimulus such as a question.

Whilst, the users of the system at the first venue 14A are contemplating their response to the stimulus/question provided in the displayed program, time passes and the value of a local time variable at both the first 1OA and second 1OB local controllers further increases.

A first user then activates a first user interface 18A to provide a response to the stimulus. The time at which the first user activates the first user interface 18A is denoted by T_κ__βl. When the user activates the first user interface 18A, it generates a data signal in response to the user input and transmits the generated data signal to the first local controller 1OA in which it is processed. Such processing may include any or all of the steps of converting, accumulating, counting, deleting, displaying and storing the received data in either its received form or any other form into which the data may be converted by the local controller 1OA.

Using the calculated value of D₁_ the obtained value of T_B, and the value of the local time at T_KPβl (the time at which the first user activates the first user interface

18A) , the time taken for the first user to respond to the displayed stimulus at the first venue, *T_L1, is calculated using the following equation (equation 3):

»TLl = TKPSl - T^X B - D^Ul

^•

It will therefore be appreciated that the above detailed method of calculating the time at which a user activates a first user interface uses timing information embedded in the broadcasted data to compensate for the broadcasting delay D₁. By compensating for this delay, the local controller obtains a value of the time taken for a first user interface to be activated (»T_L1) which is relative to the actual time at which the broadcasted program was communicated to the users of the system at the first venue 14A.

For the purposes of this example, it is assumed that the time taken to generate a data signal in response to the user input and to transmit the data signal to the local controller is negligible. Such timing is therefore not accounted for when calculating timing information. However, it will be understood that the finite time taken to complete the steps of generating and transmitting the data signal can be included in the above calculations. Further, it may be appreciated how the above detailed method of calculating the time at which a user activates a user interface at the first venue 14A can be extended in a straightforward manner to subsequent responses from other user interfaces at the first venue .

It will also be apparent to the .reader that above method can be used to compensate for broadcasting delay to the second venue (i.e. D₂).

As can be seen from Figure 1, the first local controller 1OA is in communication with the central server 38 via the network 26 so that it can transmit and receive data to and from the central server 38. Using this network- based communication link 26, the first local controller 1OA then transmits some or all of the data relating to the first user input to the central server 38 (after encrypting the data using the encryption means 44 of the local controller) . For example, the first local controller 1OA of the present example transmits the calculated value of »T_L1 and the calculated value of D₁ to the central server, along with information identifying the user interface by which the response was provided. In addition to transmitting encrypted data to the central server 38, the local controller 1OA stores information relating to transmitted data within a database (not shown) . Preferably, this stored information is also encrypted using by the encryption means 44. In other words, the local controller 10 compiles a log of the data transmissions . This log can then be used to identify if corrupted or modified data has been transmitted to the central server due to a spoof answer attack, for example. Identification of such an attack is achieved by comparing information stored in the database with data that is actually transmitted to and received by the central server 38.

This data is received and processed by the computer system 42 of the central server 38. As above, it is ^' to be appreciated that such processing may include any or all of the steps of converting, accumulating, counting, deleting, displaying and storing the received -data in either its received form or any other form into which, the data may be converted by the computer system 42.

Using the received and processed data, the computer system 42 of Figure 2 can undertake a diagnostic process which checks the integrity of the data sent by the local controller. One such check comprises the step of comparing the calculated value of D₁ with expected or past values . Any unusual or unexpected value of D₁ provided by the local controller to the computer system 42 may indicate that the local clock signal of the local controller or the transmitted data has been tampered with. This can be indicated by the computer system and further investigation of the local controller may then be undertaken. Although optional, the first local controller 1OA also feeds a signal to the display 12A which causes the display 12A to indicate that a first response has been provided by a user at the venue 14A. The display 12A may also display further information relating to the first response, such as the identity of the user interface and the calculated time response time »T_L1

One example of when a local controller does not transmit data to the central server is when the calculated response time (i.e. »T_L1) is negative. A negative value time taken for a user to respond to the displayed stimulus indicates that the user activated a user interface before the program was received by the relevant local controller and displayed to the users at the respective venue, in such a situation, the local controller discards the data signal received from the activated user interface.

Although it is not essential to the invention, the local controllers are also arranged to discard data signals received from user interfaces wherein the calculated response time is larger than a predetermined value, •T_MAX. In other words, a time window can be defined, wherein the local controller only transmits data relating to a user response to the central server 38 if the calculated time taken for the response is within the time window (i.e. a predetermined range of values, 0 - 'T_101x)..

In the embodiment of Figure 2, the value of 'T_101x is defined by information include in the broadcasted data. Therefore, the value of 'T_101x can be modified during the broadcast program, and the local controllers can then obtain the value 'T_101x from the broadcasted data and use it in subsequent calculations as necessary. Of course, the value of 'T_11J1x may be set for use by the local controllers in other ways, and may not even be variable. Further, the definition of a maximum response time, "T_101x, is optional. For example it is not required where a fastest user response ends an interactive game and subsequent responses from the same venue are to be ignored.

Data received by the central server 38 from the first 1OA and second 1OB local controllers may be used to identify the fastest correct response to the stimulus/question provided^' by the broadcasted program. As illustrated in Figure 2, Dl is less than D2 , resulting in the interactive program being communicated the users at the first venue 14A before it is communicated to the users the second venue 14B. Thus , without catering for the time delays introduced by broadcasting the interactive program, the users at the first venue 14A would have an unfair advantage when compared to the users at the second venue. This timing advantage allows the users at the first venue 14A to either take more time to contemplate their answers or be deemed the winner even if they took longer to provide response than users at the second venue 14B.

A system according to an embodiment of the invention, however, caters for time delays associated with broadcasting data to different venues. Furthermore, by using information relating to the timing of the users responses and the broadcast delay, the system can verify aspects of data transmitted from a local controller to the central server 38.

Preferably, data processed by the computer system 42 is transmitted to the local controllers via the network 26. Thus, the computer system 42 may be arranged to transmit data to the local controllers 10 via the network 26 in response to the encrypted data transmitted to it from the local controllers .

By way of an example, data transmitted by the computer system 42 to the first local controller 10A may comprise an acknowledgement message for acknowledging the receipt of encrypted data from the local controller 1OA. This acknowledgement message may include information relating to the data received by the computer system such as a copy of the received data. It may also include additional information relating to the received data including the time at which it was received and information identifying an address from which it was received. Using this acknowledgement message received from the computer system 42, the local controller 1OA can check whether the data received by the computer system 42 matches that which it sent to the computer system 42. For example, if the information contained within the acknowledgement message agrees with the related information stored in the database of the local controller 1OA, it is determined that the data transmitted by the local controller 1OA to the computer system 42 was not tampered with during transmission or the unit has not been impersonated.

While the above embodiments are described with reference to the synchronizing of the timer of the local controller using a synchronization server, it will be appreciated that the use of such a server is not essential. In other preferred embodiments, as described above, the timing information used to set the clock of the local controller is set by data included in the broadcast data, e.g. a time stamp. In these embodiments, setting of the timing signal using the broadcast data may compensate for the broadcast delay, and it may not then be necessary to calculate a broadcast delay as described above.

In some embodiments, machine readable code containing information relating to the time at which a program is broadcasted is embedded in the broadcasted program. The time signal is sent as part of the broadcast in the teletext (VBI) part of the broadcast stream. The time signal is stored in bespoke format, embedded in the standard teletext frame structure. On reception at the local controller, standard filter software may be used to extract the VBI component from the stream, and a program used to interpret the timed signal data contained therein. Standard calls in Windows are then used to set the clock on the local controller to synchronise with the time in the studio extracted from the broadcast data stream. In this way, any delay between the signal being broadcast and the reception at the venue is effectively eradicated.

(In other words, the time embedded in the broadcast stream is used to set the clock on each local controller, such that the time on each local controller is set to match the picture being seen on the local displays.)

Variations of the above-detailed method of embedding machine-readable time code within the broadcasted program are numerous. For example, text may be added to the program from which information can be extracted by a local controller using a suitable Optical Character Recognition (OCR) method, and/or such machine-readable code may be in the form of a video watermark or a barcode. One exemplary embodiment of the invention will be described to provide an overview of the system, and the way in which the various different security measures may be combined. The local controller receives instructions through the VBI portion of the television broadcast data received from the broadcasting means . Included in these instructions is a regular time signal, synchronised with the picture of the broadcast. The local controller uses the time signal to set its local clock. This signal may be regular, and broadcast, for example, about every 5 seconds. The use of this time signal allows the risk of the clock being altered ^■ fraudulently to be reduced, and also may guard against slippage of the clock for other reasons, e.g. due to inaccuracies or defects in the components of the local controller .

Another signal in the broadcast data instructs the local controller when to start and stop listening for data from the keypads. Any user inputs made at the user interface devices e.g. keypads during this period are transmitted to the local controller by the user interface devices . The user inputs are transmitted as data signals indicating the key presses involved, together with timestamps assigned by the user interface devices to them. The local controller discards data received outside the listening "window", although in practice there may be a small allowance at the end to accommodate the buffering of the data by the user interface device. The local controller may check the data received from the user interface device to ensure that the embedded timestamps are valid. For example, if the timestamps do not correspond to times within the listening "window" , then the local controller may discard the associated data, or may flag up that there is a discrepancy for further investigation. A discrepancy in the timing information would suggest that the local controller time signal had been altered and/or the user interface device timer was incorrect, potentially indicative of fraud. The keypresses, together with their associated timestamp, are stored in the local controller memory and also sent to an archive database for storage. The stored data relates to data received from all of the user interface devices e.g. keypads associated with the local controller. The database may be a file-based database. The broadcast data also includes a further signal instructing the local controller to transmit its data to the control server, for example at the end of a round of questions . The local controller sends the stored information to the control server. The data transmission is encrypted and the identity of the two parties authenticated.

Once the processing of all data for the contest is complete at the control server the keypad at which the winning input was made is identified according to the information currently received by the control server. There is then a supplementary process which will seek to confirm the consistency of the data received. The control server sends a request to the local controller identified as being associated with the "winning" user interface device e.g. keypad to send the stored data received from the winning user interface device to the control server. This extract from the data stored by the local controller relating to data received from the selected winning user interface device is then returned to the control server using the same protected communication method, i.e. using authentication and encryption processes, so that the control server can perform a comparison. For example, by extracting and formatting this data in a controlled, consistent way, a "checksum" relating to the data can be established.

A technician may remote connect to the local controller to manually confirm the checksum or other verifying function whilst logged into the device at a later stage.

A further security measure may involve a visit to the venue where the local controller is located e.g. a pub by a verification representative. This will include an examination of the physical seal provided on the local controller to confirm that the local controller has not been tampered with in-situ. The verifier can then run a software process on the local controller that will confirm that the data for the winning user interface device matches that sent to the control server both during the game and the subsequent requests for specific data relating to a winning user interface device. This may be carried out by performing checksums on the data, and comparing the results.

In addition to storing of the information relating to the data to be transmitted by the local controller in accordance with the invention in its various aspects and embodiments, it will be appreciated that any one or ones of the additional security measures described above may be implemented. Other security measures may alternatively or additionally be taken. For example, the recording and transmission of checksums may be performed at any time to try to ensure that data has not been modified since transmission. Processes on the local controller may be performed to confirm the identity and/or correct operation of the user interfaces during the game . Any data transmitted between the local controller and the central server may be encrypted. Authentication of parties involved in transmission between the local controller and the central server, or of the user interfaces and the local controller or central controller may be performed. If desired, a local controller may be removed

Those skilled in the art will realise that the above embodiments are purely by way of example and that modification and alterations are numerous and may be made while retaining the teachings of the invention. For example, it will be understood the invention is not limited to the use of a broadcast antenna 34 in order to broadcast data. Rather, any such suitable broadcasting means may be employed to broadcast data, for example a cable-based or IP-based broadcast distribution network.

Claims

Claims

1. An interactive system for a plurality of users, the system comprising: a local controller operable to receive data from at least one user interface device; broadcasting means for broadcasting data to the local controller; and a central controller for processing data, the local controller being in communication with the central controller such that it can transmit data to the central controller; wherein the local controller comprises means for storing information relating to data to be transmitted from the local controller to the central controller.

2. The interactive system of claim 1, wherein the system is arranged to compare the stored information with data transmitted tp and/or received by the central controller. :

3. The interactive system of claim 2, wherein the system is arranged to identify fraudulent users of the system by said comparing step.

4. The interactive system of claim 1, 2 or 3 , wherein said means for storing information relating to data to be transmitted from the local controller to the central controller is a database.

5. An interactive system according to any one of the preceding claims , wherein the local controller further comprises encryption means for encrypting data transmitted from the local controller to the central controller using at least one secret encryption key unique to the local controller.

6. An interactive system according to claim 5, wherein the encryption means uses a plurality of encryption keys and each of the encryption keys has a defined hierarchical level relating to its use by the encryption means. '

7. An interactive system according to any one of the preceding claims, wherein the central controller is arranged to communicate data to the local controller in response to data transmitted from the local controller to the central controller.

8. An interactive system according to claim 7, wherein the central controller is arranged to transmit an acknowledgement message to the local controller in response to data transmitted from the local controller to the central controller .

•9. An interactive system according to claim 8 , wherein the acknowledgement message comprises information relating to the data received by the central controller for determining whether the data received by the central controller matches the data transmitted from the local controller to the central controller.

10. An interactive system according to claim 8 or 9 , wherein the central controller is arranged to encrypt the acknowledgment message using a secret encryption key.

11. The interactive system of any one of claims 7 to 10, wherein the local controller is arranged to transmit a confirmation message in response to the acknowledgement message comprising information relating to data received from the central controller.

12. The interactive system of any one of the preceding claims, wherein the central controller is arranged to compare timing information received from the local controller and based on a local timing reference signal with timing information not based on the local timing reference signal .

13. The interactive system of any one of the preceding claims, wherein the local controller is arranged to perform and store a checksum using data to be transmitted or transmitted to the central controller.

14. An interactive system according to any preceding claim, wherein the local controller further comprises security means for identifying whether the local controller has been physically tampered with.

15. A method of operating an interactive system for a plurality of users, the method comprising: broadcasting data to a local controller operable to receive data from at least one user interface device; transmitting data from the local controller to the central controller; processing data at the central controller; and storing information relating to the data to be transmitted at the local controller.

16. The method of claim 15, further comprising comparing the stored information with the data transmitted to and/or received by the central controller.

17. The method of claim 15 or claim 16, comprising identifying fraudulent users of the system by said comparing .

18. A method according to any one of claims 15 to 17, further comprising the step of encrypting the data transmitted from the local controller to the central controller using at least one secret encryption key that is unique to the local controller.

19.^' A method according to claim 18, wherein the step of encrypting uses a plurality of encryption keys and each of the encryption keys has a defined hierarchical level relating to its use in encrypting data.

20. A method according to any one of claims 15 to 19, further comprising the step of communicating data to the local controller in response to data transmitted from the local controller to the central controller.

21. A method according to any of claims 15 to 20, further comprising transmitting an acknowledgement message to the local controller in response to data transmitted from the local controller to the central controller.

22. A method according to claim 21, wherein the acknowledgement message comprises information relating to the data received by the central controller for determining whether the data received by the central controller matches the data transmitted from the local controller to the central controller.

23. A method according to claim 21 or 22, further comprising the step of encrypting the acknowledgment message using a secret encryption key.

24. The method of any of claims 21 to 23, wherein the local controller is arranged to transmit a confirmation message in response to the acknowledgement message comprising information relating to data received from the central controller.

25. The method of any of claims 15 to 24 , comprising the local controller performing and storing a checksum using data to be transmitted or transmitted to the central controller .

26. The method of any of claims 15 to 25, comprising the central controller comparing timing information received from the local controller and based on a local timing reference signal with timing information not based on the local timing reference signal.

27. A method according to any of claims 15 to 26, further comprising the step of inspecting security means for identifying whether the local controller has been physically tampered with.

28. The method of any of claims 15 to 27, wherein said step of storing the information relating to the data to be transmitted comprises storing the information in a database.

29. A computer program element comprising computer software code portions for performing the method of any one of claims 15 to 28 when the program element is run on data processing means .

30. An interactive system substantially as herein described and with reference to any one of the accompanying drawings .

31. A method substantially as herein described and with reference to any one of the accompanying drawings .