Over two decades of e-voting in Brazil — the good, the bad and the ugly
Diego F. Aranha, Universidade Estadual de Campinas, Brazil
Jeroen van de Graaf, Universidade Federal de Minas Gerais, Brazil
Brazil pioneered the adoption of nationwide electronic voting 20 years ago.
Though quite an accomplishment at the time, today the system is outdated
regarding recent properties such as auditability and verifiability. We
discuss the system’s organization and transparency mechanisms in the
context of security requirements derived from a conventional election.
Keywords: Computers and Society, Security and Privacy Protection.
Brazil’s political system
Under the constitution of 1988, Brazil has a directly elected president; each of the 27 states has
3 senators, and the lower house (Câmara de Deputados) has 513 members. Elections for these
positions are held every 4 years, in years that are a multiple of 4 plus 2, and are combined with
elections for governor and the state representatives. Brazilians also directly elect their mayor and
the city council members, in years divisible by 4. So an election is held every other year, always
in October. A president, governor, or mayor in a large city needs a majority to be elected, so a
second round between the two best candidates is held three weeks later if no one obtained a
majority in the first round.
Traditionally, each political party in Brazil has a two-digit number assigned to it. For instance, if
the party’s number is 91 then the presidential candidate’s number is also 91. For races where
more than one candidate per party is allowed, longer numbers are used, and candidates typically
choose numbers that are easy to remember, such as 91919, 91111, 91999 etc.
Before electronic voting was introduced, voting meant filling out the candidate’s name or
number on the ballot. Note that for some races the overall number of candidates is over one
thousand, making it impossible to design a ballot listing all the names and have the voter check a
box. Since e-voting was introduced, only numbers are used to identify the voter’s choices.
The introduction of e-voting in 1996
Both by area (larger than mainland USA) and by population (sixth), Brazil ranks as one of the
world's largest countries. Organizing fair elections in such a vast country is no easy task, and
Brazil was among the first to adopt nationwide electronic voting. The judiciary power, which is
among the most expensive of the world when its costs are expressed as a percentage of gross
domestic product (1.4% in 2016), has a special branch exclusively dedicated to election issues,
headed by the Superior Electoral Tribunal (SET). Already in 1996 Brazil started the transition
from paper ballots to electronic voting [1], completed in 2000.
The technical development of this e-voting system was an audacious project, while its
deployment was a tremendous challenge. For instance, Brazil has many remote outposts which
can only be reached by plane, then by boat, and sometimes the urna eletrônica, as the voting
machine is known here, has to be carried by animal to the designated polling station. And after
the election ended, sending the precinct’s tally results back to the election authorities for
tabulation is not that easy either. Sometimes satellite communication is used to accomplish this.
The logistics of organizing such an election are truly staggering, and considered from this angle,
the urna certainly deserves respect.
The voting procedure works as follows:
1. The voter shows his identification document to the poll worker, who enters the voter id
into the voting equipment, thus releasing access to start voting. In addition, fingerprint
identification is already used for more than half of the voters.
2. The voter enters the digits corresponding to the candidate of his preference, or presses
BRANCO to cast an abstention vote.
3. The urna shows a photo of the candidate (Figure 1), or INVALID VOTE in case the
number does not correspond to an existing candidate.
4. The voter either presses CONFIRMA to confirm the choice, thus casting the vote (even
an invalid one), or presses CORRIGE to modify the choice, returning to the beginning of
Step 2.
5. Steps 2, 3 and 4 are repeated for each race; the races are presented in order of
increasing importance.
Figure 1. Screenshot of a simulator provided by the election authority. Candidates shown on the
left correspond to the number typed by the voter in the keyboard on the right. In this fictitious
example, the voter has chosen Natação (i.e. swimming) as the candidate for Prefeito (i.e. mayor).
The green button serves to confirm and cast the vote, while the orange button serves to modify
the current choice and reinitialize the voting procedure for this race. The white button is for
casting an abstain vote.
This system brings many advantages. First, after the voter enters the number of the preferred
candidate, the urna responds by showing a photo of the candidate. Second, the urna also
reduces ambiguity. Whereas with hand-written votes the interpretation of the voter's choice might
be problematic (is the number written a 1 or a 7?), the urna eliminates such doubts. In addition,
the digital representation accelerates vote tallying. And by using computer networks and servers,
it is possible to compute the results and determine the winner usually before midnight.
Proponents use these advantages as incontrovertible evidence in favor of this technology, but
this is not the end of the story. It is also important that the system is secure. But in order to
assess this appropriately, we need to understand what the word “secure” actually
means in the context of an election. We approach this question in a simple and intuitive way. We
first describe a conventional election using paper ballots. From this we derive a set of security
requirements which a fair election should satisfy. Using these requirements we have a set of
criteria allowing us to assess any election system.
Deriving security requirements from a conventional election
A conventional paper-based election goes through the following steps:
1. Establish a list of the names of all eligible voters.
2. Before starting the election, all the people present testify that the ballot box is empty.
3. A legitimate voter who has not yet voted receives a ballot, enters the voting booth, and fills
out his / her preference.
4. The voter checks the preference filled out on the ballot.
5. The voter deposits the ballot in the ballot box. From that moment, the vote is cast, and the
voter cannot undo or modify it.
6. When the time for voting expires, all present witness the opening of the ballot box and the
tallying of the ballots contained therein.
7. Those who do not agree with the count can request a recount. The votes are recounted
under the observation of all those present, until there is consensus.
These are the typical stages of the voting process in many countries, whether for confidential
elections in the legislative body chambers or for public elections at various levels of government.
Differences generally occur in the graphical formatting of ballots and in the way voters make
choices. These differences mostly do not fundamentally change the security requirements.
Requirements for fair elections
We thus obtain the following list of security requirements which can be considered a summary of
the long-established conventional wisdom among computer scientists who study voting.
Requirement A (Eligibility) Only eligible voters, called voters for short, can create a ballot and
deposit it in the ballot box.
Explanation: Any election has a finite set of persons who have the right to participate in that
election and only these persons are allowed access to the voting process.
Requirement B (One person, one vote) A voter can cast at most one vote.
Explanation: The same person is not allowed to vote twice.
Requirement C (Ballot privacy)
Filling out the ballot and putting it in the ballot box is a confidential act, and under no
circumstance, not even with the connivance of the voter, should it be possible to obtain any
information about for whom or for what the voter cast or did not cast votes.
Explanation: This requirement has two aspects. First, the voter should have the freedom to
express her will without the risk of repercussion. To guarantee this, nobody should be able to
discover for whom or what he voted or did not vote. Second, it is necessary to prevent so-called
"improper influence" on voters, which includes the buying and selling of votes.
Consequently it should not be possible, even with the cooperation or connivance of the voter, to
deduce the vote. In order to guarantee the secrecy of the ballot, there exists a private space, the
voting booth, where the voter can fill out the ballot.
Requirement D (Verifying before casting) The voter can verify the vote is valid and reflects the
intention, and can review the vote before casting.
Explanation: Once the ballot has been created, but before casting it, the voter must have the right
to verify that the vote is marked as intended and that it is valid, and have the opportunity to
correct or revise it.
Requirement E (Ballot is included in tally) The voter can convince herself that her vote is
included in the set of votes tallied.
Explanation: In the case of paper ballots, this requirement is conceptually achieved in the
following way: after the voter has cast her vote by depositing the ballot in the ballot box, she waits
until the closing of the election, and when the ballot box is opened for the tallying of the votes,
she is sure that her ballot is among the set, even if she does not know which particular ballot
corresponds to the one she filled out. It should be noted that essentially the voter's faith is based
on the common sense notion that an object put in some place stays there and won't disappear by
itself.
Requirement F (Integrity of ballot and ballot box) It should not be possible for anyone to
modify a ballot, or remove it from the ballot box, nor should it be possible to add ballots not
coming from legitimate voters.
Explanation: Votes represent the (anonymous) will of voters, and any modification would change
that will. This requirement explains for instance why the ballot box is shown to be empty before
starting the election, why the ballot box should remain in a publicly visible place, and also why
transparent ballot boxes sometimes are used.
Requirement G (Secrecy until the end of the vote) All votes remain secret until the end of the
voting session.
Explanation: In principle, an election should take place in parallel; it is only for logistical reasons that
the process in a precinct is sequential. Moreover, revealing partial results early would violate
ballot privacy for those who voted already. And knowing the partial result might influence a voter
later. Moreover, exclusive access to this information during the voting period could provide
advantage in terms of allocation of electioneering resources or even trigger disruption of the
voting process.
Requirement H (Correctness of the count) All valid ballots found in the ballot box, and only
those, will be included in the count.
Explanation: Votes not written on a proper ballot, for example, should not be counted as they
could represent multiple votes from a single voter. Additionally, votes that are ambiguous ought
not to be counted.
Requirement I (Counting is public) The tallying of votes happens in a public and verifiable way.
Explanation: To enhance credibility and acceptance of the outcome, it is important that the
candidate’s representatives and neutral observers be present and able to verify the process.
Requirement J (Right to audit) It should be possible to audit the count.
Explanation: In conventional paper elections, a candidate or party can contest the outcome and
request a recount of the votes, which also happens in a public session. In principle, this process
should converge to a result which everyone agrees with. In practice, a sore loser would prefer to
request recount after recount instead of admitting defeat. Some rules are usually implemented to
limit this effect. Another problem is that manual counting is notoriously unreliable: it is not
uncommon that a second count gives a third value rather than confirming one of the first two; so
no convergence occurs.
The basic design of the voting machine
The Brazilian system is an example of a DRE, standing for Direct Recording Electronic voting
machine. A DRE is essentially an ordinary PC with special peripherals and software dedicated to
the voting task. Vote counting is implemented by having a counter value corresponding to each
candidate. When a voter casts a vote for a candidate, the corresponding counter is incremented
by 1. The intuition behind this idea is to replicate as closely as possible the black-box functioning
of a ballot box: secret votes are deposited in the machine, modifying the unknown internal state.
However, unlike paper ballot voting systems, a DRE does not produce physical proof of the
voter’s intent. Thus, the candidates’ counters can be modified without detection. A meaningful
audit of the system is impossible because a recount giving the correct result becomes impossible.
DRE voting machines have been introduced in other countries, with the main experiences in the
Netherlands, India and the USA. Adopting DREs has always sparked a heated security debate,
which Brazil is only starting to have after two decades of wide use. In the USA, Avi Rubin gives a
vivid account of this episode in his book Brave New Ballot [2]. Rubin, together with some of his
students at Johns Hopkins, showed that the Diebold voting machines were very easy to hack.
Other works include the software attacks on Dutch Nedap DRE machines by Gonggrijp and
Hengeveld [3], and the hardware attacks against the Indian EVMs discussed by Halderman [4].
Risks to ballot privacy
With respect to the privacy of the ballot, the urna suffers from a fatal design flaw. Before a voter
casts his vote by entering the digits corresponding to the candidate of his choice, the poll worker
enters the voter id into a keyboard which is connected to the same machine. In other words, the
voter keyboard and the poll worker keyboard are connected to the same device (see Figure 2). In
its zeal for efficiency and cost-cutting, authorities decided to integrate voter authentication and
vote casting on the same equipment.
Figure 2. The voter terminal (right), and the poll worker terminal (left), connected by a 5-meter
long cable (background).
In principle this makes it very easy for an attacker to violate ballot privacy: by logging
chronologically the data registered by both devices and combining them, one can perfectly
deduce who voted for whom [5]. The Brazilian election authorities deny vehemently that such a
backdoor exists, but this claim is not verifiable. This design is intimidating to the voter,
resulting in an unacceptable threat to ballot privacy.
A possible solution is that voter authentication takes place physically separated from the voting
device. This is the way it is done in every other country. Yet, even if a separate device is used for
authentication, combining the log files remains a possibility; separation at least mitigates the problem somewhat.
Electoral process and transparency mechanisms
An overview of the Brazilian electoral process can be found in Figure 3, with color coding used to
denote how critical to security each step is. Software components are first developed and audited
within the SET in the two years in-between elections, and at some point are frozen, compiled and
distributed to the local branches across the country. The voting software is then loaded in
memory cards for installation in the voting machines. These steps are highly critical, in the sense
that interference may affect large sections of the country. After the voting session ends, partial
results are collected into USB drives, and later transmitted to a central tabulator to generate the
election outcome. An audit can be requested at some point after the election.
Figure 3: Overview of the main phases in the electoral process and their criticality in
terms of security. Software development, auditing, and preparation are highly critical,
while voting is less critical due to requiring tampering with individual machines.
Transmission and tabulation are arguably the most transparent steps in the process.
Development and auditing
Unlike in other countries, in Brazil the voting software is updated and redistributed across
the country at every election, and new hardware models are specified, acquired and deployed,
replacing the older machines. The software is developed by a mix of in-house and contracted
programmers working in a dedicated division, under responsibility of the SET. Development
continues internally until 6 months before the election. Then, external inspectors can audit the
source code at the election authority headquarters in Brasília and suggest fixes or improvements.
Until 2015, inspection was restricted to staff appointed by political parties and government
institutions, but restrictions were recently relaxed to include experts and technicians from public
universities and the Brazilian Computer Society, a scientific and educational organization.
Auditing the software before the election is an attempt to give evidence that a subset of the
requirements is satisfied: a voter can vote at most once (one person, one vote) and in secrecy
(ballot privacy), and all votes will be tallied and cannot be changed after the fact (integrity).
However, these software audits have many limitations. The first is the huge size and
complexity of the codebase, amounting to more than 24 million lines of code when operating
system (kernel and userland libraries) and applications are taken into account. All of these
components have been customized or developed by the SET, thus requiring the inspection of the
entire codebase. The mandatory Non-Disclosure Agreement for participants is another roadblock
to transparency. It is ineffective against malicious inspectors who leak vulnerabilities to external
attackers, whereas legitimate researchers cannot speak publicly about the security concerns they
found.
In addition to these software inspections, as of 2009, the election authority has organized
Public Security Tests to evaluate the security mechanisms implemented. The first edition was
conducted in 2009 without access to the source code, but later its scope was extended to include
source code (since 2012) and subsystems dealing with generation of memory cards and
transmission of results (since 2017). Participants and testing methodologies need to be
pre-approved, so code review and actual attacks are performed in separate sessions, taking a
few days each.
Until now these public tests have been the best opportunity for outsiders to understand and
perform security analysis on the system. And all editions have uncovered vulnerabilities, such as:
leaks in the keyboard causing privacy violation (2009); insecure pseudo-random number
generation breaking ballot secrecy, and hard-coded encryption keys (2012) [6]; insecure
authentication of tally results (2016); and insecure encryption and insufficient integrity checks,
leading to violation of software integrity (2017) [7].
These Public Security Tests have been useful in detecting and fixing some basic flaws in the
system, but are hopelessly inadequate in proving that the system is correct. The organization also
imposes many restrictions which do not model a realistic attacker. In the chosen format only
attacks that are pre-approved can be conducted, eliminating exploratory strategies and limiting
the scope to the hardware/software components that the SET deems mature enough for
adversarial testing. To date, the biometric identification system and the tabulation infrastructure
are still out of scope, despite being in production for over a decade.
Under such limitations, most vulnerabilities discovered have a limited impact. The election
authority always claims that the vulnerabilities found are not exploitable when the entire
electoral process is considered, and they are quickly dismissed as irrelevant after the fact, so the
actual accomplishments are easily downplayed in the press.
Preparation of the urna
Three weeks before the election the source code is compiled in a public ceremony. All source
files, executables, and other data are hashed, and this summary is digitally signed and published.
In theory, this method allows software modifications to be found in any voting machine.
The SET distributes the approved software to its state branches through a VPN network.
The software packages are stored on desktop computers running a subsystem dedicated to
generating the installation cards for the urna. The configuration of these cards happens in a
public, videotaped ceremony, witnessed by public authorities and representatives of the political
parties. These cards are then transported across the state to be installed on the urna a few
weeks before the election. During installation the voting software is copied from the external flash
card to the machine’s internal memory. The ceremonies are public in principle, but in practice
happen in so many different places that even a well-organized political party will not be able to
send observers to each place.
Voting procedure
On election day, all polling stations follow the same basic procedure, typical of DRE-based
elections:
1. Between 7am and 8am the urna prints the zero printout, an official public document
attesting that no votes were computed for any candidates before the election started.
This attempts to satisfy the requirement that only valid voters are able to cast a vote. The poll worker
opens the voting session at 8am by typing a command in the election official terminal.
2. Voters provide identification information and are authorized to cast votes in the machines.
After entering their voting option, the picture and name of the candidate are presented for
the voter to check (see example in Figure 1), in an attempt to satisfy that voters can
check their choices are included in the ballot.
3. The poll worker closes the voting session at 5PM local time, allowing voters in the queue
to cast their vote.
4. The urna prints the tally printout, containing per-machine totals for each candidate.
Copies of this physical document are signed by election officials, distributed among
observers from the political parties and posted outside the polling station.
5. The urna produces various types of electronic audit data, consisting of: a digital version
of the tally printout, a chronological record of events registered by the machine (LOG),
and the Digital Record of the Vote (DRV), an electronic shuffled list of the actual votes.
These data are digitally signed and stored on one USB drive.
6. The election official retrieves the drive and boots a networked Desktop computer in the
polling place using a dedicated LiveUSB running custom GNU/Linux. This system
establishes a secure connection with the election authority’s infrastructure using a VPN,
through which the contents of the drive are transmitted to the centralized tabulation
system.
7. The central tabulator combines all the partial results and the official result of the election
is declared. LOGs and DRV files containing voter choices can be obtained on request
by political parties after the election, so as to preserve secrecy until the end of the vote and
allow verification of the correctness of the count.
Allegedly there are several transparency mechanisms in the process, but all of them have
severe limitations. The integrity of files is verified by the installation card generation program, and
again during software installation. Observers can ask for additional verification just before the
elections, and during a post-election audit (if legally approved). However, all verifications before
the elections are computed and presented by the voting machine software or inside its execution
environment, not on an independent platform. The zero printout can hardly serve as a proof of
program correctness, because the first thing a malicious actor would do is to fake a valid zero
printout. The DRV stores the raw choices entered by the voters separately (instead of just
increasing a counter) which, according to the election authority, allows for a recount in case of a
dispute. But this file is kept encrypted and authenticated by the same software which tallies the
votes, and not in some independent fashion, making the effort essentially futile.
Summarizing, most of the requirements ultimately depend exclusively on the integrity of the
voting software and its resistance against manipulation, but it is humanly impossible to audit and
validate a system with such a complex codebase.
Randomized testing of voting machines
On the day before the election, a very small number of urnas is randomly selected and submitted
to a public ceremony called parallel voting, in which elections are simulated and the outcome is
verified. Such a ceremony takes place on election day, one in every state, so as to mimic the real
environment as closely as possible. The rationale behind this ceremony is that, if the tested
machines are working as expected, i.e. giving a correct public tally, then all the not-tested
machines are working correctly as well.
However, it is impossible to prove beyond doubt that the voting software running in the real
elections behaves in the same way as in the simulated election, despite elaborate attempts to test
the official voting software under operating conditions similar to an official election. Because
parallel voting sessions are usually slower and have no real voters, malicious software could
easily distinguish the simulation from the real setting, for instance by monitoring the rate at
which votes are cast, or the fraction of voters enrolled in the fingerprint identification system.
If malicious behavior in the real setting is only activated after certain keys are entered, detection
under simulated conditions will be hard.
Another impediment is statistical significance. Only between three and five machines are
selected per state, including one or two from the state capital. With the state of São Paulo, the
most populous, having more than 90,000 deployed machines, such a sample size is far too small
for reasonable confidence. At best, the parallel voting procedure shows that there is no fraud in
the voting machines selected, but says little about all the others.
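The sample-size argument can be made quantitative. The block below is an added example, not from the paper: it models parallel voting as drawing machines without replacement from the roughly 90,000 quoted for São Paulo and computes the probability that a sample of 3 or 5 machines contains at least one tampered machine; the tampering shares used are constructed assumptions, since the paper gives no such figure. The same arithmetic applies to sizing a random sample of tally printouts.

```python
"""Detection power of a random machine audit (hypergeometric sampling).

Added example, not from the paper. It models the parallel voting ceremony as
drawing `sample` machines without replacement from `total` machines, of which
`tampered` behave maliciously, and asks how likely the sample is to contain at
least one tampered machine. Tampering shares used below are constructed
assumptions for illustration only.
"""
from math import exp, log


def prob_all_clean(total: int, tampered: int, sample: int) -> float:
    """Probability that none of `sample` machines drawn without replacement
    from `total` machines is among the `tampered` ones (hypergeometric P(X=0)).
    Computed in log space so large populations do not overflow."""
    if sample > total - tampered:
        return 0.0  # more draws than clean machines: a tampered one must appear
    log_p = 0.0
    for i in range(sample):
        log_p += log((total - tampered - i) / (total - i))
    return exp(log_p)


def detection_probability(total: int, tampered: int, sample: int) -> float:
    """Probability that the audit sample contains at least one tampered machine."""
    return 1.0 - prob_all_clean(total, tampered, sample)


def minimum_sample(total: int, tampered: int, confidence: float) -> int:
    """Smallest sample size whose detection probability reaches `confidence`.
    Builds P(all clean) incrementally, one extra draw per iteration."""
    p_clean = 1.0
    for n in range(1, total + 1):
        clean_left = total - tampered - (n - 1)
        if clean_left <= 0:
            return n  # the n-th draw can no longer avoid a tampered machine
        p_clean *= clean_left / (total - (n - 1))
        if 1.0 - p_clean >= confidence:
            return n
    return total


def minimum_tampered(total: int, sample: int, confidence: float) -> int:
    """Smallest number of tampered machines that a fixed-size sample would
    catch with probability `confidence`. Binary search works because the
    detection probability grows monotonically with the tampered count."""
    lo, hi = 0, total
    while lo < hi:
        mid = (lo + hi) // 2
        if detection_probability(total, mid, sample) >= confidence:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    TOTAL = 90_000      # machines deployed in São Paulo, as quoted in the text
    CONFIDENCE = 0.95
    for share in (0.001, 0.01, 0.10):          # constructed tampering shares
        tampered = int(TOTAL * share)
        for sample in (3, 5):                  # sample sizes the text mentions
            p = detection_probability(TOTAL, tampered, sample)
            print(f"{share:6.1%} tampered, {sample} tested: "
                  f"detection probability {p:.4f}")
        n = minimum_sample(TOTAL, tampered, CONFIDENCE)
        print(f"{share:6.1%} tampered: {n} machines needed for "
              f"{CONFIDENCE:.0%} detection")
    k = minimum_tampered(TOTAL, 5, CONFIDENCE)
    print(f"With 5 machines tested, {CONFIDENCE:.0%} detection needs "
          f"{k} tampered machines ({k / TOTAL:.1%} of the fleet)")
```

With 1% of the fleet tampered, five tested machines catch it about 5% of the time, and reaching 95% detection takes roughly 300 machines per state; conversely, a five-machine sample only reaches 95% detection once close to half the fleet is tampered.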
Transmission and tabulation
The state branches collect tallies from across the state, which are combined to compute the election
outcome per state. Only presidential elections need to be tabulated nationwide. Digital tallies are
published by the election authority up to three days after the election, so as to allow verification
against the tally printouts produced during the voting session closure ceremony. This is what
makes the transmission of the tallies and tabulation the most transparent phase of the electoral
process. In theory, a well-organized political party can obtain a statistically significant sample of
tally printouts and verify them against the digital versions published on the web.
However, in practice there are formidable obstacles to exercising this verification in real
elections. Given the size and heterogeneity of the country, obtaining sufficient coverage requires
tremendous resources. As a reference point, the post-election audit conducted by the losing party
in the 2014 presidential race cost more than R$ 1 million (Reais, Brazilian currency) and was only
able to verify 1,187 tally printouts, by sending technicians to 16 states to collect the physical
documents. In the same year, a crowdsourced effort, called Você Fiscal (which roughly translates
to “You Verify”), was able to verify 7,020 tally printouts using pictures taken after the second
round of the presidential race, amounting to 1.6% of the polling stations (or 4.1% of the votes) [8].
However, the sample was entirely voluntary, and establishing its statistical significance is very
hard. As a follow-up, the election authority adopted digitally signed QR codes in 2016, encoding the
tally printout in a form that is easy to independently capture and transmit. An improved
version of this voluntary project was able to verify 5,813 tally printouts from the first round of the
2016 city elections. An attempt to verify a random sample of 200 tally printouts in the second
round for mayor of the city of Rio de Janeiro failed to meet the objective.
The 2014 post-election audit
The transparency of Brazil’s election systems was seriously put to the test in 2014. In that year,
challenger Aécio Neves lost the presidential run-off to incumbent Dilma Rousseff, obtaining
48.36% of the valid votes, corresponding to an absolute difference of 3.46 million votes. Despite
this large margin, the candidate’s party decided to request an audit, in an obvious attack on the
credibility of the system.
This audit effort, which took three months instead of the initially planned three days, reported
many difficulties. Just collecting the audit data (LOGs, DRV files and poll tapes) was problematic.
Since inspection software was restricted to be executed on the urna, obtaining binaries and
examining them was complicated. Determining if the executable binaries indeed corresponded to
the inspected source code was hard, because the compilation process could not be reproduced [9].
A fundamental limitation of any post-election audit of DRE-based systems is that all received
files may already have been manipulated in an untraceable way, for example, by restoring correct
versions of the software after the malicious behavior is triggered. In this case the situation was
worse since for large portions of the electoral process it was completely impossible to obtain valid
audit data, violating the right to audit. Nevertheless, the election authority and newspaper
headlines still emphasized that no fraud had been detected in the 2014 election, instead of
pointing out that essentially the audit had been a total failure.
Table 1. Summary of transparency mechanisms in the four stages of an election: preparation of
the software before the election, voting session, transmission and tabulation, and after the
election. Color coding is used to indicate if the mechanisms attain the objectives: red indicates
that no goal is achieved, yellow that goals are partially achieved; and green that security goals
are fully achieved (at least in theory).

Stage in the election: Development and auditing
Transparency mechanisms: Code Inspection; Public Security Tests
Security goals: Audit the source code; fix vulnerabilities in the system
Limitations: Large and complex codebase; restricted security testing

Stage in the election: Preparation
Transparency mechanisms: Compile and install ceremonies
Security goals: Prove that software was correctly compiled and transmitted
Limitations: Impossible to prove that inspected software corresponds to installed software

Stage in the election: Voting
Transparency mechanisms: Verification of signatures and checksums; Zero Printout; Poll Tape; Digital Record of Vote; Parallel voting
Security goals: Prove that legitimate software was installed; prove that software behaves correctly during the election
Limitations: Impossible to prove that machines in the real election work as the machines selected for testing do

Stage in the election: Tabulation
Transparency mechanisms: Comparison between physical printout and digital result; Parallel tabulation
Security goals: Prove that the election outcome corresponds to the sum of partial results
Limitations: Many logistic obstacles, but possible in theory

Stage in the election: Post-election
Transparency mechanisms: Audit
Security goals: Prove that the election was fair
Limitations: Without recounts, unable to prove results if electronic fraud is untraceable
Transparency of voting systems
A DRE is a black box and the voter has no way of knowing what’s going on or ascertaining that
his vote is counted correctly. The lack of physical proof generated by the voting machine has the
following dangerous implication: if each voting machine has the same software, rigging an
election becomes much easier than with paper ballots. In the latter, to corrupt an election result,
an adversary has to act at hundreds of places, whereas in the centralized solution used in Brazil,
a very small group of technicians with inside knowledge could potentially manipulate the election
outcome without being detected.
A recent attempt at improving the transparency of the system was a law approved by
Congress in 2015, mandating that voter-verified paper audit trails be reintroduced in the system
starting from the upcoming 2018 election. After several difficulties raised by the SET in terms of
budget and the protection of ballot secrecy against poll workers, the law was suspended based
on a claim of unconstitutionality. Given that refactoring the entire system to accommodate some
kind of end-to-end paper record is very unlikely, there is not much hope of more transparent
elections if the law is finally declared unconstitutional and put to rest.
To counter the drawbacks of DREs, researchers came up with end-to-end verifiable systems: the
system produces a receipt for the voter, which allows him or her to verify that the vote was counted,
but without yielding any information about the vote cast, thus preserving ballot privacy. This
process is usually broken into two steps. Individual verifiability allows the voter to be convinced
that her vote is included in the set of digital objects which together determine the election
outcome. Universal verifiability allows any person, whether a voter or an outsider, to verify that the
election result was computed correctly from this set. A related notion is software independence,
which essentially says that the correctness of an election process must not depend on its
software [10]: "A voting system is software-independent if an undetected change or error in its
software cannot cause an undetectable change or error in an election outcome." For more
information about this, please consult the IEEE S&P May/June 2017 Special Issue on Voting, or the
book edited by Hao and Ryan [11].
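As an added illustration (not from the paper and not any deployed system), the following toy Python sketch separates the two verifiability steps: each ballot is a Paillier ciphertext posted on a public bulletin board, the voter's receipt is a hash of that ciphertext, anyone can recompute the homomorphic aggregate from the board, and only the trustee key turns the aggregate into a tally. The tiny primes and the omitted proofs (that each ballot encrypts 0 or 1, and that the trustee decrypted correctly) are simplifying assumptions; real systems supply those proofs.

```python
import hashlib
import secrets
from functools import reduce
from math import gcd

# Toy Paillier keypair with tiny primes (insecure): just enough to make the
# individual/universal verifiability split concrete.
P, Q = 10007, 10009
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
G = N + 1
MU = pow((pow(G, LAM, N2) - 1) // N, -1, N)

def encrypt(vote, r=None):
    """Encrypt a 0/1 vote; fresh randomness hides identical votes."""
    while r is None or gcd(r, N) != 1:  # r must be a unit mod N
        r = secrets.randbelow(N - 1) + 1
    return pow(G, vote, N2) * pow(r, N, N2) % N2

def decrypt(c):
    """Trustee-only operation; real systems publish a proof of it."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def receipt(c):
    """Tracking code the voter keeps; derived from the ciphertext only."""
    return hashlib.sha256(str(c).encode()).hexdigest()[:12]

def cast_ballots(votes):
    """Public bulletin board of ciphertexts plus each voter's receipt."""
    board = [encrypt(v) for v in votes]
    return board, [receipt(c) for c in board]

def individual_verify(board, my_receipt):
    """Voter: is my ballot among the objects that determine the outcome?"""
    return my_receipt in {receipt(c) for c in board}

def aggregate(board):
    """Anyone: homomorphic sum of all ballots, recomputable from the board."""
    return reduce(lambda acc, c: acc * c % N2, board, 1)

def universal_verify(board, published_aggregate):
    """Outsider: does the published aggregate match the public board?"""
    return aggregate(board) == published_aggregate

def tally(board):
    """Number of 1-votes; correct only if every ballot encrypts 0 or 1."""
    return decrypt(aggregate(board))
```

A receipt reveals nothing about the vote because the ciphertext is randomized, but a dropped or altered ballot changes the aggregate that every outsider can recompute.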
Needless to say, the Brazilian urna satisfies none of the verifiability or software
independence notions. Interest in DREs has declined in most of the world, but not in Brazil.
Election authorities, stubbornly ignoring these facts, continue to defend and promote the use of
outdated, insecure DRE technology. They claim that the additional audit mechanisms that have been
created are sufficient to provide transparency, but this goes against the consensus view among
computer scientists who study voting security that physical proof of the voter's intent is always
required.
The good, the bad, the ugly
It is undeniable that the urna brought stability to the election process in Brazil. To some extent
this is because twenty years ago, when the system was introduced, voters were completely
unfamiliar with this new technology and marvelled at it. Most political parties dubbed the system
too complicated to understand, and disregarded it.
Unfortunately, the shortcomings of the system, already reported to the SET over 15 years ago,
are obvious. First, voter authentication and voting take place on the same machine, potentially
violating ballot privacy. Second, since there is no physical evidence of the voter's intent, any
recount is impossible, making any audit of the system meaningless. The system is a black box,
and to believe its results one has to have blind faith in the election authorities.
Nevertheless, to enhance the credibility of the system, election authorities have endeavoured
to make the urna into something of national pride. It is proclaimed the envy of other
nations, a product worthy of export. Researchers who criticize the system and declare it
insecure are usually ignored. There is no rational dialogue between the election authority and
society about the pros and cons of the current election system. The urna is perfect, so what is
there to discuss?
One of the co-authors decided to expose this mechanism in a book for a wider audience,
whose title translates to The myth of the urna: unveiling the (in)security of Brazil’s voting system.
One of the conclusions of this book states that, in Brazil, important judicial decisions are not
based on scientific research; they are often based on the personal opinions of judges who have
no understanding of (election) technology. The sensible thing to do would be to instate a
commission with legal and scientific experts who will report to the SET and collaborate to improve
security and transparency of the system by means of adopting a paper trail or another end-to-end
verifiability mechanism. But not so in Brazil.
References
1. Paulo César Bhering Camarão. The Computerized Vote: Democratic Legitimacy (in Portuguese). Empresa das Artes, 1997. ISBN 8585628308.
2. Aviel Rubin. Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting. Broadway Books, 2006.
3. Rop Gonggrijp, Willem-Jan Hengeveld. Studying the Nedap/Groenendaal ES3B Voting Computer: A Computer Security Perspective. EVT 2007.
4. Scott Wolchok, Eric Wustrow, J. Alex Halderman, Hari K. Prasad, Arun Kankipati, Sai Krishna Sakhamuri, Vasavya Yagati, Rop Gonggrijp. Security analysis of India's electronic voting machines. ACM Conference on Computer and Communications Security 2010: 1-14.
5. Jeroen van de Graaf, Ricardo Felipe Custódio. Electoral Technology and the Voting Machine: Report of the Brazilian Computer Society (in Portuguese). Available at http://www.sbc.org.br/index.php?option=com_jdownloads&Itemid=195&task=view.download&catid=77&cid=107
6. D. F. Aranha, M. M. Karam, A. Miranda, F. Scarel. Software vulnerabilities in the Brazilian voting machine. IGI Global, 149-175, 2014. Available at http://www.igi-global.com/book/design-development-use-secure-electronic/94868
7. Diego F. Aranha, Pedro Y. Barbosa, Thiago C. Cardoso, Caio Lüders, Paulo Matias. The Return of Software Vulnerabilities in the Brazilian Voting Machine. Technical report, 2018. Available at https://doi.org/10.13140/RG.2.2.16240.97287
8. Diego F. Aranha, Helder Ribeiro, André Luis Ogando Paraense. Crowdsourced integrity verification of election results: An experience from Brazilian elections. Annales des Télécommunications 71(7-8): 287-297 (2016).
9. Brazilian Social Democracy Party (PSDB). Report on the Special Audit in the 2014 Voting System, 2014. Available at http://www.brunazo.eng.br/voto-e/arquivos/RelatorioAuditoriaEleicao2014-PSDB.pdf
10. Ronald Rivest. On the notion of 'software independence' in voting systems. Philosophical Transactions of the Royal Society of London A: Mathematical, Physical and Engineering Sciences 366.1881 (2008): 3759-3767.
11. Feng Hao, Peter Y. A. Ryan, eds. Real-World Electronic Voting: Design, Analysis and Deployment. CRC Press, 2016. ISBN 0767922107.
Diego F. Aranha is Assistant Professor at the Universidade Estadual de Campinas. His professional
experience is in cryptography and computer security, with special interest in cryptographic engineering
and security analysis of real-world systems. He coordinated two teams of independent researchers who
detected and explored software vulnerabilities in the Brazilian voting machine during restricted tests
organized by the electoral authority. Contact at dfaranha@ic.unicamp.br.