Brazilian E-Voting

Posted by – 25/09/2008

DISCLAIMER: Paranoid rant ahead. You’ve been warned.

Every two years, around this time of the year, I feel concerned: it’s voting time in Brazil. For quite some time now, Brazil has had electronic voting, but that doesn’t make me more confortable with it. Yes, having the results within the same day is an enormous advantage, but I am not sure about the security of the whole process. You can call me paranoid (and surely I am a bit), but there are some things that give me the creeps about it.

For a start, let’s look at the operational process. The voting machines are certified and sealed by Electoral Justice officers the week before the voting. They are opened in the electoral section by those officers in the presence of common citizens. Those citizens are called to work in the Electoral process usually for four or five elections in a row, being replaced after that by “newcomers”.

The voting machines are not connected to any network. During the day, voters come with the voting document (voting is mandatory in Brazil), one of those citizens enable the voting machine by typing the document unique number in it, the voter give his vote and go home. Then the voting machine is unable to receive votes if not enabled by entering another document number, and it goes on and on the whole day long (pretty boring work…).

At the end of the day, the “president of the section” (usually the most experienced of those citizens) close the voting machine, prints a “tally sheet”, hand a colored 3½-inch floppy disk to the Electoral Justice officer with the votes and go home. Other officers will pick up the voting machines later on. The first officer then goes to the voting processing central of the Electoral Justice and within hours we will know the result of the election.

As you can see, there are lots of points of failure in the whole process! All this “sealing” of voting machines are just a matter of trust. First point: there’s no way we can know for sure if the machine does what it’s suppose to do. Even if officers say that they “randomly” choose machines to be tested, there’s no way to know how random is that. There’s a report [pt-BR] made by a prestigious university (English summary here), stating that 1/3 of the voting machines in a particular studied state had corrupted log-files (among other important security problems!). This study also showed differences in the countings (sometimes as large as 20-thousand votes!)… Hey! This is supposed to be a deterministic system: if nothing in the conditions changed, counts should always match!

Until recently, closed-source software were used in the voting machines, but that has changed recently. I doubt that it makes any difference, since we’ll never really know what is actually running in the machine. Surely, Electoral Justice officers know (or should know), so we’d have to trust them… So second point: we don’t know how the voting is processed within the machine.

(Also, we don’t know for sure the machine doesn’t have a network connection. It may have a wireless connection we don’t know about and can be passing all the votes to someone else, or even receiving instructions… But since that can be spotted with a scanner, I’ll trust other paranoids have already done that.)

Surely the machine must be enabled before every vote with the voters document number. If it were not, how could we know that no one voted twice, or that a non-voter have voted? But we don’t know how the machine records that! Third point: we cannot know if the voting machine database doesn’t link the voter to the vote. That is a nasty one… it opens up the possibility of “voting by intimidation”.

Also, the “tally sheet” that is printed at the end of the day only brings the total of votes, the total of absent-voters, and the votes each candidate (or party) have received. So, on to the fourth point: there’s no way of knowing for sure that your vote was counted right (or was counted at all!). At least a copy of this tally sheet is glued at the entrance of the voting section, so an independent audit only on the numbers is do-able (although hard to do!).

What happens to the colored disk between the voting section and the voting processing central is not known. It goes with the officer and what he does with it is just a matter of trust. Now for the most insteresting point: the security is based on the color of the disk!. The Electoral Justice checks if the officer handed the right colored disk and puts the data in the system. Surely (?) they might have some way to check data integrity other than that… On the same issue, maybe even worse: even if the disk is not tampered, but just read (or copied) by the officer before being handed, and if the database links the voter to the vote, this information is valuable, and may be sold.

Finally, since we don’t know (and have no way to know for sure) what the machine does, we don’t know if the machine keeps a copy of the voting database in it. So when it is taken back by other officers, we cannot know whether the same thing that may happen to the disk also could happen with the machine.

I am missing a lot of things about the whole Brazilian E-Voting process, and also I surely have missed other points of failure. I heard of fraud in the past, with paper ballots, and those were pretty nasty frauds. But this whole tale of “impossible fraud” in e-voting is nothing but a tale (as fraud is more than possible!). I think we have to begin investigating other systems, surely with cryptography involved. A system like Debian’s, far from perfect (we all have to trust secretary’s word on the secrecy of the voting system key), is much better, for instance. I understand that it’s not simple enough for non-geeks, but there might be a way!

It doesn’t need to be a whole new system! I would be happy if, as an example, the tally sheet printed a hash of my vote that I could verify later on… or if the security of the disk is not just color-based… or if the tally sheets had a way of being validated and be available on-line for auditing (and not just glued at the entrance of every voting section). Look! I am not distrusting any officer a priori… I think the message is auditing should be made easy… then I could trust a version of Linus’s Law adapted to E-Voting: “Given enough eyeballs, all frauds can be discovered”.

5 Comments on Brazilian E-Voting

  1. spectra says:

    @João Sérgio: I’ll check. Thanks for the pointer.

  2. João Sérgio says:

    Have you ever read the paper from Brzilian Computer Society about eletronic voting? It’s available(in Portuguese), at

    They found the same problems you listed

  3. spectra says:

    @Jacobo: Right. But cryptographic technology has a large spectrum of tools to avoid coersion. For instance, we could adapt the idea from Three-Ballot System to e-voting, or use some form of Chaffing & Winnowing. Just providing a hash in the receipt is not very safe, that’s why I said the tally sheet must cointain a hash, but I have said nothing about the voting receipt…

  4. Jacobo says:

    The problem with the hash to check that your vote was counted correctly is that it also allows to buy or coerce a vote. Nasty men in overcoats and a suspicious bulge where a pistol could be concealed could “ask” you to give them your hash number after you’ve voted so that they’ll be able to check…

  5. Israel Vinícius Nogueira Miranda says:

    Great insight you did. I am Brazilian too, and I share the same thoughts with you, but the hole is even deeper. How many problems we have and no one does anything about it ?
    Civil-war like violence, corruption in the congress (that destroys our change of ever being a SuperPower) and many other stupid problems that makes our every day lives a hell (Public transport, public health, police violence).

    So I say, our problem is we don’t organize. We must organize, and then complain, complain with the right people, on the right place, create civil organizations to coordinate the efforts of our civil society.

    Brazil has great technology professionals, we should gather and create an organization that studies and exposes every weakness of the electronic voting in Brazil. If we make this, and start appearing in the media, make formal complaints in the congress, society will hear, and if society shows concern about it, we will obligate them to open the system. I believe the electronic voting system should be totally open, that’s the only way everybody can trust it, and everybody can help discover weakness in the system and prevent manipulations of the result by people involved in the voting congress.

    I read many of the links you posted and I see that we need an organization that defends the civil society in the information era.

    Reach me at programadorlinux on gmail maybe we can give the first step.

    Seeing something wrong is easy, the really important part is to stand up and fight.

    “It has to start somewhere
    It has to start sometime
    What better place than here
    What better time than now
    All hell cant stop us now”

Leave a Reply

Your email address will not be published. Required fields are marked *