ArticlePDF Available


Content may be subject to copyright.
Over two decades of e-voting in Brazil — the
good, the bad and the ugly
Diego F. Aranha, Universidade Estadual de Campinas, Brazil
Jeroen van de Graaf, Universidade Federal de Minas Gerais, Brazil
Brazil pioneered the adoption of nationwide electronic voting 20 years ago.
Though quite an accomplishment at the time, today the system is outdated
regarding recent properties such as auditability and verifiability. We
discuss the system’s organization and transparency mechanisms in the
context of security requirements derived from a conventional election.
Keywords: Computers and Society, Security and Privacy Protection.
Brazil’s political system
In the new constitution of 1988, Brazil has a directly elected president; each of the 27 states has
3 senators, and the lower house (Câmara de Deputados
) has 513 members. Elections for these
positions are held every 4 years, in years that are a multiple of 4 plus 2, and are combined with
elections for governor and the state representatives. Brazilians also directly elect their mayor and
the city council members, in years divisible by 4. So an election is held every other year, always
in October. A president, governor, or mayor in a large city needs a majority to be elected, so a
second round between the two best candidates is held three weeks later if no one obtained a
majority in the first round.
Traditionally, each political party in Brazil has a two-digit number assigned to it. For instance, if
the party’s number is 91 then the presidential candidate’s number is also 91. For races where
more than one candidate per party is allowed, longer numbers are used, and candidates typically
choose numbers that are easy to remember, such as 91919, 91111, 91999 etc.
Before electronic voting was introduced, voting meant filling out the candidate’s name or
number on the ballot. Note that for some races the overall number of candidates is over one
thousand, making it impossible to design a ballot listing all the names and have the voter check a
box. Since e-voting was introduced, only numbers are used to identify the voter’s choices.
The introduction of e-voting in 1996
Both by area (larger than mainland USA) and by population (sixth), Brazil ranks as one of the
world's largest countries. Organizing fair elections in such a vast country is no easy task, and
Brazil was among the first to adopt nationwide electronic voting. The judiciary power, which is
among the most expensive of the world when its costs are expressed as a percentage of gross
domestic product (1.4% in 2016), has a special branch exclusively dedicated to election issues,
headed by the Superior Electoral Tribunal (SET). Already in 1996 Brazil started the transition
from paper ballots to electronic voting1, completed in 2000.
The technical development of this e-voting system was an audacious project, while its
deployment was a tremendous challenge. For instance, Brazil has many remote outposts which
can only be reached by plane, then by boat, and sometimes the urna eletrônica
, as the voting
machine is known here, has to be carried by animal to the designated polling station. And after
the election ended, sending the precinct’s tally results back to the election authorities for
tabulation is not that easy either. Sometimes satellite communication is used to accomplish this.
The logistics of organizing such an election are truly staggering, and considered from this angle,
the urna
certainly deserves respect.
The voting procedure works as follows:
1. The voter shows his identification document to the poll worker, who enters the voter id
into the voting equipment, thus releasing access to start voting. In addition, fingerprint
identification is already used for more than half of the voters.
2. The voter enters the digits corresponding to the candidate of his preference, or presses
BRANCO to cast an abstention vote.
3. The urna shows a photo of the candidate (Figure 1), or INVALID VOTE in case the
number does not correspond to an existing candidate.
4. The voter either presses CONFIRMA to confirm the choice, thus casting the vote (even
an invalid one), or presses CORRIGE to modify the choice, returning to the beginning of
Step 2.
5. Steps 2, 3 and 4 are repeated for each race, which are presented in the order of
increasing importance.
Figure 1. Screenshot of a simulator provided by the election authority. Candidates shown on the
left correspond to the number typed by the voter in the keyboard on the right. In this fictitious
example, the voter has chosen Natação (i.e. swimming) as the candidate for Prefeito (i.e. mayor).
The green button serves to confirm and cast the vote, while the orange button serves to modify
the current choice and reinitialize the voting procedure for this race. The white button is for
casting an abstain vote.
This system brings many advantages. First, after the voter enters the number of the preferred
candidate, the urna responds by showing a photo of the candidate. Second, the urna also
reduces ambiguity. Whereas with hand-written votes the interpretation of the voter's choice might
be problematic (is the number written a 1 or a 7?), the urna eliminates such doubts. In addition,
the digital representation accelerates vote tallying. And by using computer networks and servers,
it is possible to compute the results and determine the winner usually before midnight.
Proponents use these advantages as incontrovertible evidence in favor of this technology, but
this is not the end of the story. It is also important that the system is secure. But in order to
answer this question appropriately, we need to understand what the word “secure” actually
means in the context of an election. We approach this question in a simple and intuitive way. We
first describe a conventional election using paper ballots. From this we derive a set of security
requirements which a fair election should satisfy. Using these requirements we have a set of
criteria allowing us to assess any election system.
Deriving security requirements from a conventional election
A conventional paper-based election goes through the following steps:
1. Establish a list of the names of all eligible voters.
2. Before starting the election, all the people present testify that the ballot box is empty.
3. A legitimate voter who has not yet voted receives a ballot, enters the voting booth, and fills
out his / her preference.
4. The voter checks the preference filled out on the ballot.
5. The voter deposits the ballot in the ballot box. From that moment, the vote is cast, and s/he
can not undo or modify his vote.
6. When the time for voting expires, all present witness the opening of the ballot box and the
tallying of the ballots contained therein.
7. Those who do not agree with the count can request a recount. The votes are recounted
under the observation of all those present, until there is consensus.
These are the typical stages of the voting process in many countries, whether for confidential
elections in the legislative body chambers or for public elections at various levels of government.
Differences generally occur in the graphical formatting of ballots and in the way voters make
choices. These differences mostly do not fundamentally change the security requirements.
Requirements for fair elections
We thus obtain the following list of security requirements which can be considered a summary of
the long-established conventional wisdom among computer scientists who study voting.
Requirement A (Eligibility) Only eligible voters, called voters for short, can create a ballot and
deposit it in the ballot box.
Explanation: Any election has a finite set of persons who have the right to participate in that
election and only these persons are allowed access to the voting process.
Requirement B (One person, one vote) A voter can cast at most one vote.
Explanation: The same person is not allowed to vote twice.
Requirement C (Ballot privacy)
Filling out the ballot and putting it in the ballot box is a confidential act, and under no
circumstance, not even with the connivance of the voter, should it be possible to obtain any
information about for whom or for what the voter cast or did not cast votes.
Explanation: This requirement has two aspects. First, the voter should have the freedom to
express her will without the risk of repercussion. To guarantee this, nobody should be able to
discover for whom or what he voted or did not vote. Second, it is necessary to prevent so-called
"improper influence" on voters, which includes the buying and selling of votes.
Consequently it should not be possible, even with the cooperation or connivance of the voter, to
deduce the vote. In order to guarantee the secrecy of the ballot, there exists a private space, the
voting booth, where the voter can fill out the ballot.
Requirement D (Verifying before casting) The voter can verify the vote is valid and reflects the
intention, and can review the vote before casting.
Explanation: Once the ballot has been created, but before casting it, the voter must have the right
to verify that the vote is marked as intended and that it is valid, and have the opportunity to
correct or revise it.
Requirement E (Ballot is included in tally) The voter can convince herself that her vote is
included in the set of votes tallied.
Explanation: In the case of paper ballots, this requirement is conceptually achieved in the
following way: after the voter has cast her vote by depositing the ballot in the ballot box, she waits
until the closing of the election, and when the ballot box is opened for the tallying of the votes,
she is sure that her ballot is among the set, even if he does not know which particular ballot
corresponds to the one he filled out. It should be noted that essentially the voter's faith is based
on the common sense notion that an object put in some place stays there and won't disappear by
Requirement F (Integrity of ballot and ballot box) It should not be possible for anyone to
modify a ballot, or remove it from the ballot box, nor should it be possible to add ballots not
coming from legitimate voters.
Explanation: Votes represent the (anonymous) will of voters, and any modification would change
that will. This requirement explains for instance why the ballot box is shown to be empty before
starting the election, why the ballot box should remain in a publicly visible place, and also why
transparent ballot boxes sometimes are used.
Requirement G (Secrecy until the end of the vote) All votes remain secret until the end of the
voting session.
Explanation: In principle, election should take place in parallel; it is only for logistical reasons that
the process in a precinct is sequential. Moreover, revealing partial results early would violate
ballot privacy for those who voted already. And knowing the partial result might influence a voter
later. Moreover, exclusive access to this information during the voting period could provide
advantage in terms of allocation of electioneering resources or even trigger disruption of the
voting process.
Requirement H (Correctness of the count) All valid ballots found in the ballot box, and only
those, will be included in the count.
Explanation: Votes not written on a proper ballot, for example, should not be counted as they
could represent multiple votes from a single voter. Additionally, votes that are ambiguous ought
not to be counted.
Requirement I (Counting is public) The tallying of votes happens in a public and verifiable way.
Explanation: To enhance credibility and acceptance of the outcome, it is important that the
candidate’s representatives and neutral observers be present and able to verify the process.
Requirement J (Right to audit) It should be possible to audit the count.
Explanation: In conventional paper elections, a candidate or party can contest the outcome and
request a recount of the votes, which also happens in a public session. In principle, this process
should converge to a result which everyone agrees with. In practise, a sore loser would prefer to
request recount after recount instead of admitting defeat. Some rules are usually implemented to
limit this effect. Another problem is that manual counting is notoriously unreliable: it is not
uncommon that a second count gives a third value rather than confirming one of the first two; so
no convergence occurs.
The basic design of the voting machine
The Brazilian system is an example of a DRE, standing for Direct Recording Electronic voting
machine. A DRE is essentially an ordinary PC with special peripherals and software dedicated to
the voting task. Vote counting is implemented by having a counter value corresponding to each
candidate. When a voter casts a vote for a candidate, the corresponding counter is incremented
by 1. The intuition behind this idea is to replicate as closely as possible the black-box functioning
of a ballot box: secret votes are deposited in the machine, modifying the unknown internal state.
However, unlike paper ballot voting systems, a DRE does not produce physical proof of the
voter’s intent. Thus, the candidates’ counters can be modified without detection. A meaningful
audit of the system is impossible because a recount giving the correct result becomes impossible.
DRE voting machines have been introduced in other countries, with the main experiences in the
Netherlands, India and the USA. Adopting DREs has always sparked a heated security debate,
which Brazil is only starting to have after two decades of wide use. In the USA, Avi Rubin gives a
vivid account of this episode in his book Brave New Ballot2. Rubin, together with some of his
students at Johns Hopkins, showed that the Diebold voting machines were very easy to hack.
Other works mounted as the software attacks on Dutch Nedap DRE machines by Gonggrijp and
Hengeveld3, and hardware attacks against the Indian EVMs discussed by Halderman4.
Risks to ballot privacy
With respect to the privacy of the ballot, the urna suffers from a fatal design flaw. Before a voter
casts his vote by entering the digits corresponding to the candidate of his choice, the poll worker
enters the voter id into a keyboard which is connected to the same machine. In other words, the
voter keyboard and the poll worker keyboard are connected to the same device (see Figure 2). In
its zeal for efficiency and cost-cutting, authorities decided to integrate voter authentication and
vote casting on the same equipment.
Figure 2. The voter terminal (right), and the poll worker terminal (left), connected by a 5-meter
long cable (background).
In principle this makes it very easy for an attacker to violate ballot privacy: by logging
chronologically the data registered by both devices and combining them, one can perfectly
deduce who voted for whom5. The Brazilian election authorities deny vehemently that such a
backdoor exist, but this claim is not verifiable. This decision is intimidating towards the voter
resulting in an unacceptable threat to ballot privacy.
A possible solution is that voter authentication takes place physically separated from the voting
device. This is the way it is done in every other country. Yet, if a device is used for authentication,
combining the log files is still a possibility, but at least mitigates the problem somewhat.
Electoral process and transparency mechanisms
An overview of the Brazilian electoral process can be found in Figure 3, with color coding used to
denote how critical to security each step is. Software components are first developed and audited
within the SET in the two years in-between elections, and at some point are frozen, compiled and
distributed to the local branches across the country. The voting software is then loaded in
memory cards for installation in the voting machines. These steps are highly critical, in the sense
that interference may affect large sections of the country. After the voting session ends, partial
results are collected into USB drives, and later transmitted to a central tabulator to generate the
election outcome. An audit can be requested at some point after the election.
Figure 3: Overview of the main phases in the electoral process and their criticality in
terms of security. Software development, auditing, and preparation are highly critical,
while voting is less critical due to requiring tampering with individual machines.
Transmission and tabulation are arguably the most transparent steps in the process.
Development and auditing
Contrary to other countries, in Brazil the voting software is updated and redistributed across
the country at every election, and new hardware models are specified, acquired and deployed,
replacing the older machines. The software is developed by a mix of in-house and contracted
programmers working in a dedicated division, under responsibility of the SET. Development
continues internally until 6 months before the election. Then, external inspectors can audit the
source code at the election authority headquarters in Brasília and suggest fixes or improvements.
Until 2015, inspection was restricted to staff appointed by political parties and government
institutions, but restrictions were recently relaxed to include experts and technicians from public
universities and the Brazilian Computer Society, a scientific and educational organization.
Auditing the software before the election is an attempt to give evidence that a subset of the
requirements are satisfied: a voter can vote at most once (one person, one vote) and in secrecy
(ballot privacy), all votes will be tallied and cannot be changed after the fact (integrity).
However, these software audits have many limitations. The first is the huge size and
complexity of the codebase, amounting to more than 24 million lines of code when operating
system (kernel and userland libraries) and applications are taken into account. All of these
components have been customized or developed by the SET, thus requiring the inspection of the
entire codebase. The mandatory Non-Disclosure Agreement for participants is another roadblock
to transparency. It is ineffective against malicious inspectors who leak vulnerabilities to external
attackers, whereas legitimate researchers cannot speak publicly about the security concerns they
In addition to these software inspections, as of 2009, the election authority has organized
Public Security Tests to evaluate the security mechanisms implemented. The first edition was
conducted in 2009 without access to the source code, but later its scope was extended to include
source code (since 2012) and subsystems dealing with generation of memory cards and
transmission of results (since 2017). Participants and testing methodologies need to be
pre-approved, so code review and actual attacks are performed in separate sessions, taking a
few days each.
Until now these public tests have been the best opportunity for outsiders to understand and
perform security analysis on the system. And all editions have uncovered vulnerabilities, such as:
leaks in the keyboard causing privacy violation (2009); insecure pseudo-random number
generation breaking ballot secrecy, and hard-coded encryption keys (2012)6; insecure
authentication of tally results (2016); and insecure encryption and insufficient integrity checks,
leading to violation of software integrity (2017)7.
These Public Security Tests have been useful in detecting and fixing some basic flaws in the
system, but are hopelessly inadequate in proving that the system is correct. The organization also
imposes many restrictions which do not model a realistic attacker. In the chosen format only
attacks that are pre-approved can be conducted eliminating exploratory strategies, and limiting
the scope to the hardware/software component that the SET deems mature enough for
adversarial testing. To date, the biometric identification system and the tabulation infrastructure
are still out of scope, despite being in production for over a decade.
Under such limitations, most vulnerabilities discovered have a limited impact. The election
authority always claims that the vulnerabilities found are not exploitable considering the entire
electoral process, and are quickly dismissed as irrelevant after the fact, meaning that the actual
accomplishments can easily be downplayed in the press.
Preparation of the urna
Three weeks before the election the source code is compiled in a public ceremony. All source
files, executables, and other data are hashed, and this summary is digitally signed and published.
In theory, this method allows software modifications to be found in any voting machine.
The SET distributes the approved software to its state branches through a VPN network.
The software packages are stored on desktop computers running a subsystem dedicated to
generating the installation cards for the urna
. The configuration of these cards happens in a
public, videotaped ceremony, witnessed by public authorities and representatives of the political
parties. These cards are then transported across the state to be installed on the urna a few
weeks before the election. During installation the voting software is copied from the external flash
card to the machine’s internal memory. The ceremonies are public in principle, but in practice
happen in so many different places that even a well-organized political party will not be able to
send observers to each place.
Voting procedure
On election day, all polling stations follow the same basic procedure, typical of DRE-based
1. Between 7am and 8am the urna prints the zero printout
, an official public document
attesting that no votes were computed for any candidates before the elections started.
This attempts to satisfy that only valid voters are able to cast a vote . The poll worker
opens the voting session at 8AM by typing a command in the election official terminal.
2. Voters provide identification information and are authorized to cast votes in the machines.
After entering their voting option, the picture and name of the candidate are presented for
the voter to check (see example in Figure 1), in an attempt to satisfy that voters can
check their choices are included in the ballot.
3. The poll worker closes the voting session at 5PM local time, allowing voters in the queue
to cast their vote.
4. The urna prints the tally printout
, containing per-machine totals for each candidate.
Copies of this physical document are signed by election officials, distributed among
observers from the political parties and posted outside the polling station.
5. The urna produces various types of electronic audit data, consisting of: a digital version
of the tally printout, a chronological record of events registered by the machine (LOG),
and the Digital Record of the Vote (DRV), an electronic shuffled list of the actual votes.
These data are digitally signed and stored one USB drive.
6. The election official retrieves the drive and boots a networked Desktop computer in the
polling place using a dedicated LiveUSB running custom GNU/Linux. This system
establishes a secure connection with the election authority’s infrastructure using a VPN,
through which the contents of the drive are transmitted to the centralized tabulation
7. The central tabulator combines all the partial results and the official result of the election
is declared. LOGs and DRV files containing voter choices can be obtained under request
by political parties after the election, as to preserve secrecy until the end of the vote and
verify correctness of the count.
Allegedly there are several transparency mechanisms in the process, however all of them with
severe limitations. The integrity of files is verified by the card installation generation program, and
again during software installation. Observers can ask for additional verification just before the
elections, and during a post-election audit (if legally approved). However, all verifications before
the elections are computed and presented by the voting machine software or inside its execution
environment, not on an independent platform. The zero printout can hardly serve as a proof of
program correctness, because the first thing a malicious actor would do is to fake a valid zero
printout. The DRV stores the raw choices entered by the voters separately (instead of just
increasing a counter) which, according to the election authority, allows for a recount in case of a
dispute. But this file is kept encrypted and authenticated by the same software which tallies the
votes, and not in some independent fashion, making the effort essentially futile.
Summarizing, most of the requirements ultimately depend exclusively on the integrity of the
voting software and its resistance against manipulation, but it is humanly impossible to audit and
validate a system with such a complex codebase.
Randomized testing of voting machines
On the day before the election, a very small number of urnas is randomly selected and submitted
to a public ceremony called parallel voting
, in which elections are simulated and the outcome is
verified. Such a ceremony take place on election day, one in every state, as to mimic the same
environment as closely as possible. The rationale behind this ceremony is that, if the tested
machines are working as expected, i.e. giving a correct public tally, then all the not-tested
machines are working correctly as well.
However, it is impossible to prove beyond doubt that the voting software running in the real
elections behaves in the same way as in the simulated election, despite elaborate attempts to test
the official voting software under operating conditions similar to an official election. Because
parallel voting sessions are usually slower and have no real voters, malicious software could
easily distinguish when it is operating in the simulation or the real setting. For instance, by
monitoring the rate in which votes are cast, or the fraction of voters enrolled in the fingerprint
identification system. If malicious behavior in the real setting is only activated after certains keys
are entered, detection under simulated conditions will be hard.
Another impediment is statistical significance. Only between three and five machines are
selected per state, including one or two from the state capital. With the state of São Paulo ranking
as the most populous, with more than 90,000 deployed machines such a sample size is negligible
for reasonable confidence. At best, the parallel voting procedure shows that there is no fraud in
the voting machines selected, but says little about all the others.
Transmission and tabulation
The state branches collect tallies from all the state, which are combined to compute the election
outcome per state. Only presidential elections need to be tabulated nationwide. Digital tallies are
published by the election authority up to three days after the election, as to allow verification
against the tally printouts produced during the voting session closure ceremony. This is what
makes the transmission of the tallies and tabulation the most transparent phase of the electoral
process. In theory, a well-organized political party can obtain a statistically significant sample of
tally printouts and verify them against the digital versions published on the web.
However, in practice there are formidable obstacles for exercising this verification in real
elections. With the size and heterogeneity of the country, obtaining a sufficient coverage requires
tremendous resources. As a reference point, the post-election audit conducted by the losing party
in the 2014 presidential race cost more than R$ 1 million (Reais, Brazilian currency) and was only
able to verify 1,187 tally printouts, by sending technicians to 16 states to collect the physical
documents. In the same year, a crowdsourced effort, called Você Fiscal (which roughly translates
to “You Verify”), was able to verify 7,020 tally printouts using pictures taken after the second
round of the presidential race, amounting to 1.6% of the polling stations (or 4.1% of the votes)8.
However, the sample was entirely voluntary, and establishing its statistical significance is very
hard. As a follow-up, the election authority adopted digitally signed QR codes in 2016, storing the
tally printout in an easy way to independently capture and transmit the result. An improved
version of this voluntary project was able to verify 5,813 tally printouts from the first round of the
2016 city elections. An attempt to verify a random sample of 200 tally printouts in the second
round for mayor of the city of Rio de Janeiro failed to meet the objective.
The 2014 post-election audit
The transparency of Brazil’s election systems was seriously put to the test in 2014. In that year,
challenger Aécio Neves lost the second round in the presidential run-off from incumbent Dilma
Rousseff obtaining 48.36% of the valid votes, corresponding to an absolute difference of 3.46
million votes. Despite this large margin, the candidate’s party decided to request an audit, in an
obvious attack to the credibility of the system.
This audit effort, which took three months instead of the initially planned three days, reported
many difficulties. Just collecting the audit data (LOGs, DRV files and poll tapes) was problematic.
Since inspection software was restricted to be executed on the urna
, obtaining binaries and
examining them was complicated. Determining if the executable binaries indeed corresponded to
the inspected source code was hard, because the compilation process could not be reproduced9.
A fundamental limitation of any post-election audit of DRE-based systems is that all received
files may already have been manipulated in an untraceable way, for example, by restoring correct
versions of the software after the malicious behavior is triggered. In this case the situation was
worse since for large portions of the electoral process it was completely impossible to obtain valid
audit data, violating the right to audit. Nevertheless, the election authority and newspaper
headlines still emphasized that no fraud had been detected in the 2014 election, instead of
pointing out that essentially the audit had been a total failure.
Table 1. Summary of transparency mechanisms in the four stages of an election: preparation of
the software before the election, voting session, transmission and tabulation, and after the
election. Color coding is used to indicate if the mechanisms attain the objectives: red indicates
that no goal is achieved, yellow that goals are partially achieved; and green that security goals
are fully achieved (at least in theory).
Stage in the
Security goals
and auditing
- Code Inspection
- Public Security Tests
Audit the source code
Fix vulnerabilities in the
Large and complex
Restricted security testing
- Compile and install
Prove that software
was correctly compiled
and transmitted.
Impossible to prove
inspected software
corresponds to installed
- Verification of
signatures and
- Zero Printout
- Poll Tape
- Digital Record of
- Parallel voting
Prove that legitimate
software was installed.
Prove software
behaves correctly
during election.
Impossible to prove that
machines in real election
work as in machines
selected for testing.
- Comparison between
physical printout and
digital result
- Parallel tabulation
Prove election
outcome corresponds
to the sum of partial
Many logistic obstacles,
but possible in theory.
Prove election was fair.
Without recounts, unable to
prove results if electronic
fraud is untraceable.
Transparency of voting systems
ADRE is a black box and the voter has no way of knowing what’s going on or ascertaining that
his vote is counted correctly. The lack of physical proof generated by the voting machine has the
following dangerous implication: if each voting machine has the same software, rigging an
election becomes much easier than with paper ballots. In the latter, to corrupt an election result,
an adversary has to act at hundreds of places, whereas in the centralized solution used in Brazil,
a very small group of technicians with inside knowledge could potentially manipulate the election
outcome without being detected.
A recent attempt of improving the transparency of the system was a law approved by
Congress in 2015, mandating voter-verified paper audit trails to be reintroduced in the system
starting from the upcoming 2018 election. After several difficulties raised by the SET in terms of
budget and the protection of ballot secrecy against poll workers, the law was suspended based
on a claim of unconstitutionality. Given that refactoring the entire system to accommodate some
kind of end-to-end paper record is very unlikely, there is not much hope of more transparent
elections if the law is finally declared unconstitutional and put to rest.
To counter the drawbacks of DREs, researchers came up with new end-to-end systems: the
system produces a receipt for the voter, which allows him/her to verify that his vote was counted,
but without yielding any information about the vote cast thus preserving ballot privacy. This
process is usually broken into two steps. Individual verifiability allows the voter to be convinced
that her vote is included in the set of digital objects which together determine the election
outcome. Universal verifiability allows any person, being a voter or an outsider, to verify that the
election result was computed correctly from this set. A related notion is software independence
which essentially says that the correctness of an election process must not depend on its
software10: “A voting system is software-independent if an undetected change or error in its
software cannot cause an undetectable change or error in an election outcome.” For more
information about this, please consult IEEE S&P May/June 2017 Special Issue on Voting, or the
book edited by Hao and Ryan11.
Needless to say that the Brazilian urna does not satisfy any of the verifiability or software
independence notions. DREs have decreased in interest in most of the world, but not so in Brazil.
Election authorities, stubbornly ignoring these facts, continue to defend and promote the use of
outdated, insecure DRE technology. They claim that additional audit mechanisms that have been
created are sufficient to provide transparency, but this goes against the consensus view among
computer scientists who study voting security that physical proof of the voter’s intent is always
The good, the bad, the ugly
It is undeniable that the urna brought stability to the election process in Brazil. To some extent
this is because twenty years ago, when the system was introduced, voters were completely
unfamiliar with this new technology and marvelled at it. Most political parties dubbed the system
too complicated to understand, and disregarded it.
Unfortunately, the shortcoming of the system, already reported to the SET over 15 years ago,
are obvious. First, voter authentication and voting takes place on the same machine, potentially
violating ballot privacy. Second, since there is no physical evidence of the voter’s intent, any
recount is impossible, making any audit of the system meaningless. The system is a black box,
and to believe its results one has to have blind faith in the election authorities.
Nevertheless, to enhance the credibility of the system, election authorities have endeavoured
to make the urna into something of national pride. It is being proclaimed as the envy of other
nations, a product worth of exportation. Researchers who criticize the system and proclaim it
insecure are usually ignored. There is no rational dialogue between the election authority and
society about the pros and cons of the current election system. The urna is perfect, so what is
there to discuss?
One of the co-authors decided to expose this mechanism in a book for a wider audience,
whose title translates to The myth of the urna: unveiling the (in)security of Brazil’s voting system.
One of the conclusions of this book states that, in Brazil, important judicial decisions are not
based on scientific research; they are often based on the personal opinions of judges who have
no understanding of (election) technology. The sensible thing to do would be to instate a
commission with legal and scientific experts who will report to the SET and collaborate to improve
security and transparency of the system by means of adopting a paper trail or another end-to-end
verifiability mechanism. But not so in Brazil.
1. Paulo Ceśar Bhering Camarão. The Computerized Vote: Democratic Legitimacy (In Portuguese).
Empresa das Artes, 1997, ISBN 8585628308.
2. Aviel Rubin. Brave new ballot: The battle to safeguard democracy in the age of electronic voting
Broadway Books, 2006.
3. Rop Gonggrijp, Willem-Jan Hengeveld: Studying the Nedap/Groenendaal ES3B Voting Computer:
A Computer Security Perspective. EVT 2007
4. Scott Wolchok, Eric Wustrow, J. Alex Halderman, Hari K. Prasad, Arun Kankipati, Sai Krishna
Sakhamuri, Vasavya Yagati, Rop Gonggrijp: Security analysis of India's electronic voting machines.
ACM Conference on Computer and Communications Security 2010: 1-14
5. Jeroen van de Graaf, Ricardo Felipe Custódio. Electoral Technology and the Voting Machine
Report of the Brazilian Computer Society (in Portuguese)
. Available at
6. D. F. Aranha, M. M. Karam, A. Miranda, and F. Scarel. Software vulnerabilities in the Brazilian
voting machine. IGI Global, 149–175, 2014. Available at
7. Diego F. Aranha, Pedro Y. Barbosa, Thiago C. Cardoso, Caio Lüders, Paulo Matias. The Return of
Software Vulnerabilities in the Brazilian Voting Machine
. Technical report, 2018. Available at
8. Diego F. Aranha, Helder Ribeiro, André Luis Ogando Paraense: Crowdsourced integrity verification
of election results - An experience from Brazilian elections. Annales des Télécommunications
71(7-8): 287-297 (2016)
9. Brazilian Social Democracy Party PSDB. Report on the Special Audit in the 2014 Voting System,
2014. Available at
10. Ronald Rivest. "On the notion of ‘software independence’in voting systems." Philosophical
Transactions of the Royal Society of London A: Mathematical, Physical and Engineering Sciences
366.1881 (2008): 3759-3767.
11. Feng Hao, Peter YA Ryan, eds. Real-world Electronic Voting: Design, Analysis and Deployment
CRC Press, 2016. ISBN: 0767922107.[
Diego F. Aranha is Assistant Professor at the Universidade Estadual de Campinas. His professional
experience is in cryptography and computer security, with special interest in cryptographic engineering
and security analysis of real-world systems. He coordinated two teams of independent researchers who
detected and explored software vulnerabilities in the Brazilian voting machine during restricted tests
organized by the electoral authority. Contact at
Jeroen van de Graaf is an Assistant Professor in the Department of Computer Science at the Universidade
Federal de Minas Gerais. Contact at
... However, historically the context according to the ACE Project, (2006; 24) the evoting mechanism was implemented in 1985 when the election of the chairman of the Supreme Court of Brazil was computerized. In 1986, the Brazilian government conducted a feasibility study (Diego and Jeroen, 2007;16) on the use of e-voting technology. The background for the application of e-voting is focused on the desire of the state to combat endemic fraud in the ballot tabulation process and overcoming problems related to election accessibility and damaged ballots in the conventional electoral system (Diego and Jeroen, 2007;16). ...
... In 1986, the Brazilian government conducted a feasibility study (Diego and Jeroen, 2007;16) on the use of e-voting technology. The background for the application of e-voting is focused on the desire of the state to combat endemic fraud in the ballot tabulation process and overcoming problems related to election accessibility and damaged ballots in the conventional electoral system (Diego and Jeroen, 2007;16). In use, the e-voting machine in Brazil has several purposes, including: identifying voters, voting processes, and counting votes (Centinkaya, 2005;87-90). ...
Full-text available
Indonesia as a democratic country has entered the era of the millennium in the implementation of general elections simultaneously, it is necessary to utilize computer technology using the Electronic-Voting (E-Voting) method. Several regions in Indonesia have used the E-Voting method as a means of democracy which is applied at the hamlet and village head election levels. Village Head election policy with E-Voting as a new means of democracy through a touch of the monitor screen and E-Verification through voters' E-KTP. For example: Pemalang Regency (Ujunggede Village), Jembrana Regency in Bali (Mendoyo Dangin Tukad Village). Elections through e-voting must be designed as best as possible to realize the principles of direct elections, namely direct, general, free, secret (overflow) and honest and fair (fair) in direct elections. Electronic voting systems (e-voting) must be taken seriously and ensure transparency, certainty, security, accountability, and accuracy. In addition to technology readiness, of course, it must be supported by the readiness of the community in implementing this e-voting system in the future. The government's unpreparedness and lack of socialization of e-voting can also be a factor triggering failure in implementing this system.
... Dalam pemilihan itu terdapat 16.559 pemilih (8,3%) yang memberikan suara mereka secara elektronik di empat tempat pemilihan suara (Nani, 2015). Pemerintah Negara Bagian Victoria memperkenalkan E-Voting berdasarkan uji coba untuk pemilihan Negara bagian 2006 (Nani, 2015 (Diego and Jeroen, 2007;16) terhadap penggunaan teknologi evoting. ...
... Adapun latar belakang penerapan evoting difokuskan kepada keinginan negara untuk memerangi penipuan endemik dalam proses tabulasi surat suara dan mengatasi masalah yang berkaitan dengan aksesibilitas pemilu dan surat suara rusak dalam sistem pemilihan konvensional ( Diego and Jeroen, 2007;16 terlebih pengimplementasi e-voting untuk memerangi penipuan endemik dalam proses tabulasi surat suara dan mengatasi masalah yang berkaitan dengan aksesibilitas pemilu dan surat suara rusak dalam sistem pemilihan konvensional (Dantas, 1994;13 (Thomas Jeffrey, 2010;20). Penggunaan EVM dengan VVPAT ini dilakukan sebagai jawaban dan bukti konkret atas kritik masyarakat bahwa EVM tidak transparan dan tidak bisa di audit atas setiap pilihan pemilih. ...
p> Abstrak Indonesia sebagai negara demokrasi sudah menggunakan metode E-Voting sebagai sarana demokrasi, walaupun baru diterapkan di tingkat pemilihan kepala dusun dan kepala desa. Sistem pemungutan suara elektronik ( e-voting ) harus diseriusi dan menjamin transparansi, kepastian, keamanan akuntabilitas, dan akurasi. Selain kesiapan teknologi, tentunya harus didukung dengan kesiapan masyarakat dalam melaksanakan sistem e-voting ini ke depannya. Ketidaksiapan dan kurangnya sosialisasi pemerintah terhadap e-voting juga dapat menjadi faktor pemicu kegagalan dalam penerapan sistem ini. Sejak pandemi Covid-19 yang menyebar diseluruh dunia, melumpuhkan kegiatan manusia khusus di Indonesia. Pemilihan Kepala Daerah di Indonesia yang diselenggarakan pada 9 Desember 2020 mengalami polemik physical distancing ditengah pandemi Covid-19. Penerapan sistem E-Voting telah dilakukan oleh beberapa negara misalkan di Brajil, India, Swiss dan Australia mendapatkan respon positif dalam masyarakat, namun juga terdapat kekurangan dalam pelaksanaannya. Metode penelitian diskriptif kwalitatif dengan pendekatan perbandingan data sekunder. Hasil penelitian ini, sistem E-Voting dalam Pemilihan Umum dapat meningkatkan nilai demokrasi khusus peningkatan partisipasi masyarakat dan memberikan keefektivan serta keefesienan dalam proses pemilihan berlangsung. Namun, penerapan sistem E-Voting masih terkendala dengan adanya hacker yang bisa membobol sistem serta kesiapan pemerintah dalam penggunaan E-Voting. Kata kunci: E-Voting, Pemilu, Dan Demokrasi Abstract Indonesia as a democratic country has used the E-Voting method as a means of democracy, even though it has only been implemented at the level of election of hamlet heads and village heads. Electronic voting systems must be taken seriously and ensure transparency, certainty, security, accountability and accuracy. In addition to technological readiness, of course, it must be supported by the readiness of the community to implement this e-voting system in the future. The government's unpreparedness and lack of socialization of e-voting can also be a trigger factor for failure in implementing this system. Since the Covid-19 pandemic, which has spread throughout the world, has paralyzed human activities, especially in Indonesia. The Regional Head Election in Indonesia which was held on December 9, 2020 experienced a polemic of Physical Distancing amid the Covid-19 Pandemic. The implementation of the E-Voting system has been carried out by several countries, for example in Brazil, India, Switzerland and Australia, getting a positive response in the community, but there are also shortcomings in its implementation. Qualitative descriptive research method using a comparative approach using secondary data.The results of this study, the E-Voting system in General Elections can increase the value of democracy, especially increasing public participation and providing effectiveness and efficiency in the electoral process. However, the implementation of the E-Voting system is still constrained by the presence of hackers who can break into the system and the government's readiness to use E-Voting. Keywords: E-Voting, Election, and Democracy </div
... Furthermore, after embedding in a biometric vector using a fuzzy commitment approach, the transmitted information is encrypted using a random key. [3] have demonstrated the transparency and organizational mechanism of countrywide e-voting in the context of security issues and needs. The authors presented an instance in which Brazil pioneered the countrywide adoption of voting more than 20 years ago. ...
Utilizing India's Aadhar system for secure and effective voter identification, a digital voting system with Aadhar authentication is an electronic voting mechanism. Voters use theirAadhar cards, which are connected to personal and biometric data, to authenticate themselves. With the preservation of data confidentiality and privacy, this system seeks to expedite the voting process, lessen voter fraud, and guarantee correct voter identification
... The digitalization of voting processes is receiving increased attention as societies follow a solid digitization approach [26]. For example, entire countries have already deployed Electronic Voting (EV) systems (e.g., Brazil [3] and Estonia [31]), or are developing novel solutions, such as the recent Remote EV (REV) system in Switzerland [90]. Although the deployment of EV was completely halted in Germany [47] and Ireland [77] due to technical and political reasons, it was considered as an alternative, demonstrating the increasing attention revolving around this topic. ...
Full-text available
Blockchains (BC) and Distributed Ledgers (DL) offer favorable properties, especially immutability and decentralization, which are suitable for voting systems’ Bulletin Boards (BB). In recent years, an influx of BC-based voting systems have been observed. Distributing trust among multiple trustees is a crucial reason to adopt BCs and DLs in voting systems. The practical deployment must be decentralized, too, and not just done through virtualizing interconnected systems. As discussed widely, adopting a BC or DL can incur threats to a system that assumed a trusted and centralized Public Bulletin Board (PBB). Therefore, the exploitation of BCs or DLs requires careful consideration of cryptographic mechanisms and the overall system design, as well as the adversary model. Besides these operational necessities, the long-term privacy of ballots is essential. Thus, the key question investigated in this article is: Can BC, and DL-based voting systems be considered harmful? Hence, first (i) requirements of BC-based voting systems are provided, followed by (ii) terminology definitions, and (iii) complemented by the design and implementation of a fully decentralized voting system: Æternum, which achieves Unconditional Privacy (UP) and neither relies on computational hardness assumptions nor on a trusted Trusted Third Party (TTP). Achieving UP is crucial because future adversaries may be able to break hardness assumptions. Æternum does not present a Single-Point-of-Failure (SPoF) either, since (i) the PBB in use is based on a permissioned DL, and (ii) the final tally and proofs can be verified by anyone, without requiring trust in any authority.
... Since 2000, all Brazilian voters have been able to select their candidates using electronic ballot boxes. The results of the 2010 presidential election, which received over 135 million voters, were declared 75 minutes after the polls closed (Aranha & van de Graaf, 2018). ...
Full-text available
Electronic voting is fast growing rapidly and offers more benefits than traditional paper voting. The use of technology in the voting process has received a lot of attention in recent years. The existing voting systems have several security flaws, and proving even basic security characteristics regarding them is challenging. E-voting system using blockchain works as a step towards creating secure and transparent environment for elections, where the users will be able to view the total votes casted in real time without having the permission to edit after elections get over. The popularity of E-voting system is increasing in countries all over the world, for that reason this research presents a brief overview to evaluate previous national electronic voting systems in a variety of nations, how they evolved and what were their disadvantages before the appearance of blockchain technology. Then we explain the blockchain technology as well as review some of the electronic voting systems that use blockchain technology and present the strengths and weaknesses of it.
Full-text available
The volatile political climate in Kenya was significantly exacerbated by several electoral frauds and transmission delays of the presidential results during this election. The Kriegler Commission suggested the adoption of technology in the electoral process in order to offer effective, transparent, auditable, and credible outcomes, among other significant reforms. The IEBC which was established in 2011 oversaw the general elections of 2013 and 2017. However, in both instances, the IEBC was questioned on how it conducted the elections. Kenya's Supreme Court decided that the latter round of presidential election results was invalid due to vote irregularities. The legitimacy of the official election results, which are frequently rejected, have consequently been at the center of Kenya's electoral crisis. This has eroded public confidence in the digital technologies at IEBC's. There are significant obstacles to integration of ICT in election process due to budgeting and financial costs, lack of sufficient specialized knowledge, technological drawbacks, low levels of awareness, public employee resistance, information security, laws, necessary technology, and a lack of faith in e-Government. These factors are broadly categorized into technology characteristics, organizational, and individual factors. To this end, this study sought to determine the enablers and impact of ICT integration on performance of IEBC. Diffusion of innovation theory and the technology-organization environment model served as the study's foundations. For this study, a survey design was selected. The target population comprised of 373 permanent employees working at the IEBC headquarters as well as 200 politicians. Purposive, convenience and simple stratified random sampling were applied to select a sample size of 236 respondents. The findings of this study revealed that organizational-level factors, technology characteristics and individual-level factors positively and significantly influence performance of IEBC. This study recommended IEBC to pay particular attention to organizational-level factors that affect ICT integration as they ultimately affect its performance. In this regard, there is need for IEBC to ensure that it is well-equipped to use various innovative aspects, have a high availability of appropriate ICT equipment in the organization, utilize prior expertise in relevant ICT domains, conduct employee training to create a greater understanding, positive attitude, more usage, and diversified use of innovation, and provide adequate training and aiding staff when they encounter difficulties utilizing different technologies. Additionally, there is need to provide proper management support for the adoption and usage of various technologies, avail individual workers with incentives like recognition and awards for innovation adoption, and train them to promote effective completion of specific task performance.
Full-text available
The development of reliable and safe e-voting systems is relevant because of the wide range of applications. This paper provides an analysis of modern electronic voting systems based on security criteria. An analysis was conducted based on the most popular modern e-voting system architectures. The analysis provides a baseline for developing a secure e-voting system.
Full-text available
This volume contains papers presented at E-Vote-ID 2022, the Seventh International Joint Conference on Electronic Voting, held during October 4–7, 2022. This was the first in-person conference following the COVID-19 pandemic, and, as such, it was a very special event for the community since we returned to the traditional venue in Bregenz, Austria. The E-Vote-ID conference resulted from merging EVOTE and Vote-ID, and 18 years have now elapsed since the first EVOTE conference in Austria.
Full-text available
This paper presents a detailed and up-to-date security analysis of the voting software used in Brazilian election based on results obtained by the authors in a recent hacking challenge organized the national electoral authority. During the event, multiple serious vulnerabilities were detected in the voting software, which when combined compromised the main security properties of the equipment , namely ballot secrecy and software integrity. The insecure storage of cryptographic keys, hard-coded directly in source code and shared among all machines, allowed full content inspection of the software installation memory cards, after which two shared libraries missing authentication signatures were detected. Injecting code in the libraries allowed the execution of arbitrary code in the machine, violating the integrity of the voting software. Our progress is richly described, to illustrate difficulties and limitations in the testing methodology chosen by the electoral authority, and to inform how teams participating in future challenges can optimize their performance. We trace the history of the vulnerabilities to a previous security analysis, providing some perspective about how the system evolved in the past 6 years. As far as we know, this was the most in-depth compromise of an official large-scale voting system ever performed under such severely restricted conditions.
Full-text available
This paper presents a detailed and up-to-date security analysis of the voting software used in Brazilian elections. It is based on results obtained by the authors in a recent hacking challenge organized by the Superior Electoral Court (SEC), the national electoral authority. During the event, multiple serious vulnerabilities were detected in the voting software, which when combined compromised the main security properties of the equipment , namely ballot secrecy and software integrity. The insecure storage of cryptographic keys, hard-coded directly in source code and shared among all machines, allowed full content inspection of the software installation memory cards, after which two shared libraries missing authentication signatures were detected. Injecting code in those libraries opened the possibility of executing arbitrary code in the equipment, violating the integrity of the running software. Our progress is described chronologically , to illustrate difficulties and limitations in the testing methodology chosen by the electoral authority, and to inform how teams participating in future challenges can optimize their performance. We trace the history of the vulnerabilities to a previous security analysis, providing some perspective about how the system evolved in the past 5 years. As far as we know, this was the most in-depth compromise of an official large-scale voting system ever performed under such severely restricted conditions.
Full-text available
In this work, we describe an experiment for evaluating the integrity of election results, and improving transparency and voter participation in electronic elections. The idea was based on two aspects: distributed collection of poll tape pictures, taken by voters using mobile devices; and crowdsourced comparison of these pictures with the partial electronic results published by the electoral authority. The solution allowed voters to verify if results were correctly transmitted to the central tabulator without manipulation, with granularity of individual polling places. We present results, discuss limitations ofthe approach and future perspectives, considering the context of the previous Brazilian presidential elections of 2014, where the proposed solution was employed for the first time. In particular, with the aid of our project, voters were able to verify 1.6% of the total poll tapes, amounting to 4.1% of the total votes, which prompted the electoral authority to announce improved support for automated verification in the next elections. While the case study relies on the typical workflow of a paperless DRE-based election, the approach can be improved and adapted to other types of voting technology.
Full-text available
This work presents a security analysis of the Brazilian voting machine software based on the the experience of the authors while participating of the 2nd Public Security Tests of the Electronic Voting System organized by the Superior Electoral Court (SEC), the national electoral authority. During the event, vulnerabilities in the software were detected and explored to allow recovery of the ballots in the order they were cast. We present scenarios where these vulnerabilities allow electoral fraud and suggestions to restore the security of the affected mechanisms. Additionally, other flaws in the software and its development process are discussed in detail.
Full-text available
This paper defines and explores the notion of 'software independence' in voting systems: 'A voting system is software independent if an (undetected) change or error in its software cannot cause an undetectable change or error in an election outcome'. For example, optical scan and some cryptographically based voting systems are software independent. Variations and implications of this definition are explored. It is proposed that software-independent voting systems should be preferred, and software-dependent voting systems should be avoided. An initial version of this paper was prepared for use by the Technical Guidelines Development Committee in their development of the Voluntary Voting System Guidelines, which will specify the requirements that the USA voting systems must meet to receive certification.
The Nedap/Groenendaal ES3B voting computer is being used by 90% of the Dutch voters. With very minor modifications, the same computer is also being used in parts of Germany and France. In Ireland the use of this machine is currently on hold after significant doubts were raised concerning its suitability for elections. This paper details how we installed new software in Nedap ES3B voting computers. It details how anyone, when given brief access to the devices at any time before the election, can gain complete and virtually undetectable control over the election results. It also shows how radio emanations from an unmodified ES3B can be received at several meters distance and used to tell what is being voted. We conclude that the Nedap ES3B is unsuitable for use in elections, that the Dutch regulatory framework surrounding e-voting currently insufficiently addresses security, and we pose that not enough thought has been given to the trust relationships and verifiability issues inherent to DRE class voting machines.
Conference Paper
Elections in India are conducted almost exclusively using electronic voting machines developed over the past two decades by a pair of government-owned companies. These devices, known in India as EVMs, have been praised for their simple design, ease of use, and reliability, but recently they have also been criticized following widespread reports of election irregularities. Despite this criticism, many details of the machines' design have never been publicly disclosed, and they have not been subjected to a rigorous, independent security evaluation. In this paper, we present a security analysis of a real Indian EVM obtained from an anonymous source. We describe the machine's design and operation in detail, and we evaluate its security in light of relevant election procedures. We conclude that in spite of the machines' simplicity and minimal software trusted computing base, they are vulnerable to serious attacks that can alter election results and violate the secrecy of the ballot. We demonstrate two attacks, implemented using custom hardware, which could be carried out by dishonest election insiders or other criminals with only brief physical access to the machines. This case study carries important lessons for Indian elections and for electronic voting security more generally.
Electoral technology and the voting machine—Report of the Brazilian Computer Society (in Portuguese)
  • J Van De Graaf
  • R F Custódio
J. van de Graaf, R. F. Custódio. (2002). Electoral technology and the voting machine-Report of the Brazilian Computer Society (in Portuguese). Sociedade Brasileira de Compuação, Porto Alegro, Brazil. [Online]. Available: /send/93-cartas-abertas/351-relatorio-dos-trabalhos -de-cooperacao-realizados-para-o-tse
Brave new ballot: The battle to safeguard democracy in the age of electronic voting
  • Aviel Rubin
Aviel Rubin. Brave new ballot: The battle to safeguard democracy in the age of electronic voting. Broadway Books, 2006.
Report on the Special Audit in the 2014 Voting System
  • C T Fernades
  • M A Simplício
  • E S Gomi
C. T. Fernades, M.A. Simplício, and E.S. Gomi. (2014). Report on the Special Audit in the 2014 Voting System [in Portuguese]. Brazilian Social Democracy Party, Brasília, Brazil. [Online]. Available: /voto-e/arquivos/RelatorioAuditoriaEleicao2014-PSDB.pdf