DISCLAIMER: Paranoid rant ahead. You’ve been warned.
Every two years, around this time of the year, I feel concerned: it’s voting time in Brazil. For quite some time now, Brazil has had electronic voting, but that doesn’t make me more comfortable with it. Yes, having the results within the same day is an enormous advantage, but I am not sure about the security of the whole process. You can call me paranoid (and surely I am a bit), but there are some things that give me the creeps about it.
For a start, let’s look at the operational process. The voting machines are certified and sealed by Electoral Justice officers the week before the voting. They are opened in the electoral section by those officers in the presence of common citizens. Those citizens are called to work in the Electoral process usually for four or five elections in a row, being replaced after that by “newcomers”.
The voting machines are not connected to any network. During the day, voters come with their voting document (voting is mandatory in Brazil), one of those citizens enables the voting machine by typing the document’s unique number into it, the voter casts his vote and goes home. Then the voting machine is unable to receive votes until it is enabled again by entering another document number, and so it goes on and on the whole day long (pretty boring work…).
At the end of the day, the “president of the section” (usually the most experienced of those citizens) closes the voting machine, prints a “tally sheet”, hands a colored 3½-inch floppy disk with the votes to the Electoral Justice officer and goes home. Other officers will pick up the voting machines later on. The first officer then goes to the vote-processing central of the Electoral Justice and within hours we will know the result of the election.
As you can see, there are lots of points of failure in the whole process! All this “sealing” of voting machines is just a matter of trust. First point: there’s no way we can know for sure if the machine does what it’s supposed to do. Even if officers say that they “randomly” choose machines to be tested, there’s no way to know how random that is. There’s a report [pt-BR] made by a prestigious university (English summary here), stating that 1/3 of the voting machines in a particular studied state had corrupted log files (among other important security problems!). This study also showed differences in the counts (sometimes as large as 20 thousand votes!)… Hey! This is supposed to be a deterministic system: if nothing in the conditions changed, counts should always match!
Until recently, closed-source software was used in the voting machines, but that has changed. I doubt that it makes any difference, since we’ll never really know what is actually running in the machine. Surely, Electoral Justice officers know (or should know), so we’d have to trust them… So, second point: we don’t know how the voting is processed within the machine.
(Also, we don’t know for sure the machine doesn’t have a network connection. It may have a wireless connection we don’t know about and can be passing all the votes to someone else, or even receiving instructions… But since that can be spotted with a scanner, I’ll trust other paranoids have already done that.)
Surely the machine must be enabled before every vote with the voter’s document number. If it were not, how could we know that no one voted twice, or that a non-voter has voted? But we don’t know how the machine records that! Third point: we cannot know whether the voting machine database links the voter to the vote. That is a nasty one… it opens up the possibility of “voting by intimidation”.
Also, the “tally sheet” that is printed at the end of the day only shows the total of votes, the total of absent voters, and the votes each candidate (or party) has received. So, on to the fourth point: there’s no way of knowing for sure that your vote was counted right (or was counted at all!). At least a copy of this tally sheet is glued at the entrance of the voting section, so an independent audit of the numbers alone is doable (although hard to do!).
What happens to the colored disk between the voting section and the vote-processing central is not known. It goes with the officer and what he does with it is just a matter of trust. Now for the most interesting point: the security is based on the color of the disk! The Electoral Justice checks whether the officer handed in the right colored disk and puts the data in the system. Surely (?) they must have some way to check data integrity other than that… On the same issue, and maybe even worse: even if the disk is not tampered with, but just read (or copied) by the officer before being handed in, and if the database links the voter to the vote, this information is valuable, and may be sold.
Finally, since we don’t know (and have no way to know for sure) what the machine does, we don’t know whether the machine keeps a copy of the voting database in it. So when it is taken back by other officers, we cannot know whether the same thing that may happen to the disk could also happen with the machine.
I am missing a lot of things about the whole Brazilian e-voting process, and I have surely missed other points of failure. I heard of fraud in the past, with paper ballots, and those were pretty nasty frauds. But this whole tale of “impossible fraud” in e-voting is nothing but a tale (as fraud is more than possible!). I think we have to begin investigating other systems, surely with cryptography involved. A system like Debian’s, far from perfect (we all have to trust the secretary’s word on the secrecy of the voting system key), is much better, for instance. I understand that it’s not simple enough for non-geeks, but there might be a way!
It doesn’t need to be a whole new system! I would be happy if, as an example, the tally sheet printed a hash of my vote that I could verify later on… or if the security of the disk were not just color-based… or if the tally sheets had a way of being validated and were available on-line for auditing (and not just glued at the entrance of every voting section). Look! I am not distrusting any officer a priori… I think the message is that auditing should be made easy… then I could trust a version of Linus’s Law adapted to e-voting: “Given enough eyeballs, all frauds can be discovered”.
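To make the two wishes above concrete (a per-vote hash on the tally sheet that the voter can check later, and a sheet whose integrity rests on more than the color of a disk), here is an added toy example in Python. It is not code from any Brazilian voting machine or from the Electoral Justice; the candidate names, section id and key are constructed, and the HMAC stands in for the digital signature a real authority would apply. It also shows the caveat that a bare hash of the vote would not protect secrecy: with only a handful of candidates anyone could hash each name and match the receipt, so the receipt must include a random nonce that only the voter keeps.

```python
import hashlib
import hmac
import json
import secrets

# Constructed candidate list for this example (not a real ballot).
CANDIDATES = ("Candidate A", "Candidate B", "Blank")


def receipt_digest(nonce: str, vote: str) -> str:
    """The receipt printed for one ballot: SHA-256 over nonce and vote.

    The nonce is essential: without it the candidate space is so small that
    an observer could hash every name and read the vote off the receipt.
    """
    return hashlib.sha256(f"{nonce}:{vote}".encode()).hexdigest()


def cast_vote(vote: str, nonce: str = "") -> tuple:
    """Return (nonce, digest). The voter keeps both; the machine keeps the digest."""
    if vote not in CANDIDATES:
        raise ValueError(f"unknown choice: {vote}")
    nonce = nonce or secrets.token_hex(16)
    return nonce, receipt_digest(nonce, vote)


def canonical(sheet: dict) -> bytes:
    """Canonical JSON so that the same sheet always yields the same bytes."""
    return json.dumps(sheet, sort_keys=True, separators=(",", ":")).encode()


def sign_sheet(sheet: dict, key: bytes) -> str:
    """HMAC over the canonical sheet; a stand-in for an authority's signature."""
    return hmac.new(key, canonical(sheet), hashlib.sha256).hexdigest()


def verify_sheet(sheet: dict, tag: str, key: bytes) -> bool:
    """Anyone holding the verification key can check the sheet was not altered."""
    return hmac.compare_digest(sign_sheet(sheet, key), tag)


def close_section(section_id: str, ballots: list, key: bytes) -> tuple:
    """Produce the tally sheet for a section from (vote, digest) pairs.

    Receipts are published sorted, so their order on the sheet does not reveal
    the order in which people voted.
    """
    totals = {c: 0 for c in CANDIDATES}
    for vote, _ in ballots:
        totals[vote] += 1
    sheet = {
        "section": section_id,
        "ballots_cast": len(ballots),
        "totals": totals,
        "receipts": sorted(digest for _, digest in ballots),
    }
    return sheet, sign_sheet(sheet, key)


def voter_check(sheet: dict, nonce: str, vote: str) -> bool:
    """What a voter does at home: recompute the receipt and look for it on the sheet."""
    return receipt_digest(nonce, vote) in sheet["receipts"]


def consistency_check(sheet: dict) -> bool:
    """Independent audit on the numbers: totals must add up to the receipts published."""
    return sum(sheet["totals"].values()) == sheet["ballots_cast"] == len(sheet["receipts"])


if __name__ == "__main__":
    key = b"constructed-example-key"  # placeholder, not a real key
    my_nonce, my_digest = cast_vote("Candidate A")
    ballots = [("Candidate A", my_digest),
               ("Candidate B", cast_vote("Candidate B")[1]),
               ("Blank", cast_vote("Blank")[1])]
    sheet, tag = close_section("section-0001", ballots, key)
    print("sheet authentic:", verify_sheet(sheet, tag, key))
    print("my vote is on the sheet:", voter_check(sheet, my_nonce, "Candidate A"))
    print("totals match receipts:", consistency_check(sheet))
```

Two things worth noting about the design. A voter who keeps the nonce can prove to anyone how he voted, so this naive receipt reintroduces exactly the vote-selling and intimidation problem raised earlier; real end-to-end verifiable voting schemes go to considerable lengths to give the voter a check without giving him a proof. And the HMAC only protects the sheet against changes after it was signed; it says nothing about whether the machine counted correctly in the first place, which is why the published receipts and the consistency check matter at least as much as the tag.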