ArticlePDF Available

Figures

Content may be subject to copyright.
Over two decades of e-voting in Brazil — the
good, the bad and the ugly
Diego F. Aranha, Universidade Estadual de Campinas, Brazil
Jeroen van de Graaf, Universidade Federal de Minas Gerais, Brazil
Brazil pioneered the adoption of nationwide electronic voting 20 years ago.
Though quite an accomplishment at the time, today the system is outdated
regarding recent properties such as auditability and verifiability. We
discuss the system’s organization and transparency mechanisms in the
context of security requirements derived from a conventional election.
Keywords: Computers and Society, Security and Privacy Protection.
Brazil’s political system
In the new constitution of 1988, Brazil has a directly elected president; each of the 27 states has
3 senators, and the lower house (Câmara de Deputados
) has 513 members. Elections for these
positions are held every 4 years, in years that are a multiple of 4 plus 2, and are combined with
elections for governor and the state representatives. Brazilians also directly elect their mayor and
the city council members, in years divisible by 4. So an election is held every other year, always
in October. A president, governor, or mayor in a large city needs a majority to be elected, so a
second round between the two best candidates is held three weeks later if no one obtained a
majority in the first round.
Traditionally, each political party in Brazil has a two-digit number assigned to it. For instance, if
the party’s number is 91 then the presidential candidate’s number is also 91. For races where
more than one candidate per party is allowed, longer numbers are used, and candidates typically
choose numbers that are easy to remember, such as 91919, 91111, 91999 etc.
Before electronic voting was introduced, voting meant filling out the candidate’s name or
number on the ballot. Note that for some races the overall number of candidates is over one
thousand, making it impossible to design a ballot listing all the names and have the voter check a
box. Since e-voting was introduced, only numbers are used to identify the voter’s choices.
The introduction of e-voting in 1996
Both by area (larger than mainland USA) and by population (sixth), Brazil ranks as one of the
world's largest countries. Organizing fair elections in such a vast country is no easy task, and
Brazil was among the first to adopt nationwide electronic voting. The judiciary power, which is
among the most expensive of the world when its costs are expressed as a percentage of gross
domestic product (1.4% in 2016), has a special branch exclusively dedicated to election issues,
headed by the Superior Electoral Tribunal (SET). Already in 1996 Brazil started the transition
from paper ballots to electronic voting1, completed in 2000.
The technical development of this e-voting system was an audacious project, while its
deployment was a tremendous challenge. For instance, Brazil has many remote outposts which
can only be reached by plane, then by boat, and sometimes the urna eletrônica
, as the voting
machine is known here, has to be carried by animal to the designated polling station. And after
the election ended, sending the precinct’s tally results back to the election authorities for
tabulation is not that easy either. Sometimes satellite communication is used to accomplish this.
The logistics of organizing such an election are truly staggering, and considered from this angle,
the urna
certainly deserves respect.
The voting procedure works as follows:
1. The voter shows his identification document to the poll worker, who enters the voter id
into the voting equipment, thus releasing access to start voting. In addition, fingerprint
identification is already used for more than half of the voters.
2. The voter enters the digits corresponding to the candidate of his preference, or presses
BRANCO to cast an abstention vote.
3. The urna shows a photo of the candidate (Figure 1), or INVALID VOTE in case the
number does not correspond to an existing candidate.
4. The voter either presses CONFIRMA to confirm the choice, thus casting the vote (even
an invalid one), or presses CORRIGE to modify the choice, returning to the beginning of
Step 2.
5. Steps 2, 3 and 4 are repeated for each race, which are presented in the order of
increasing importance.
Figure 1. Screenshot of a simulator provided by the election authority. Candidates shown on the
left correspond to the number typed by the voter in the keyboard on the right. In this fictitious
example, the voter has chosen Natação (i.e. swimming) as the candidate for Prefeito (i.e. mayor).
The green button serves to confirm and cast the vote, while the orange button serves to modify
the current choice and reinitialize the voting procedure for this race. The white button is for
casting an abstain vote.
This system brings many advantages. First, after the voter enters the number of the preferred
candidate, the urna responds by showing a photo of the candidate. Second, the urna also
reduces ambiguity. Whereas with hand-written votes the interpretation of the voter's choice might
be problematic (is the number written a 1 or a 7?), the urna eliminates such doubts. In addition,
the digital representation accelerates vote tallying. And by using computer networks and servers,
it is possible to compute the results and determine the winner usually before midnight.
Proponents use these advantages as incontrovertible evidence in favor of this technology, but
this is not the end of the story. It is also important that the system is secure. But in order to
answer this question appropriately, we need to understand what the word “secure” actually
means in the context of an election. We approach this question in a simple and intuitive way. We
first describe a conventional election using paper ballots. From this we derive a set of security
requirements which a fair election should satisfy. Using these requirements we have a set of
criteria allowing us to assess any election system.
Deriving security requirements from a conventional election
A conventional paper-based election goes through the following steps:
1. Establish a list of the names of all eligible voters.
2. Before starting the election, all the people present testify that the ballot box is empty.
3. A legitimate voter who has not yet voted receives a ballot, enters the voting booth, and fills
out his / her preference.
4. The voter checks the preference filled out on the ballot.
5. The voter deposits the ballot in the ballot box. From that moment, the vote is cast, and s/he
can not undo or modify his vote.
6. When the time for voting expires, all present witness the opening of the ballot box and the
tallying of the ballots contained therein.
7. Those who do not agree with the count can request a recount. The votes are recounted
under the observation of all those present, until there is consensus.
These are the typical stages of the voting process in many countries, whether for confidential
elections in the legislative body chambers or for public elections at various levels of government.
Differences generally occur in the graphical formatting of ballots and in the way voters make
choices. These differences mostly do not fundamentally change the security requirements.
Requirements for fair elections
We thus obtain the following list of security requirements which can be considered a summary of
the long-established conventional wisdom among computer scientists who study voting.
Requirement A (Eligibility) Only eligible voters, called voters for short, can create a ballot and
deposit it in the ballot box.
Explanation: Any election has a finite set of persons who have the right to participate in that
election and only these persons are allowed access to the voting process.
Requirement B (One person, one vote) A voter can cast at most one vote.
Explanation: The same person is not allowed to vote twice.
Requirement C (Ballot privacy)
Filling out the ballot and putting it in the ballot box is a confidential act, and under no
circumstance, not even with the connivance of the voter, should it be possible to obtain any
information about for whom or for what the voter cast or did not cast votes.
Explanation: This requirement has two aspects. First, the voter should have the freedom to
express her will without the risk of repercussion. To guarantee this, nobody should be able to
discover for whom or what he voted or did not vote. Second, it is necessary to prevent so-called
"improper influence" on voters, which includes the buying and selling of votes.
Consequently it should not be possible, even with the cooperation or connivance of the voter, to
deduce the vote. In order to guarantee the secrecy of the ballot, there exists a private space, the
voting booth, where the voter can fill out the ballot.
Requirement D (Verifying before casting) The voter can verify the vote is valid and reflects the
intention, and can review the vote before casting.
Explanation: Once the ballot has been created, but before casting it, the voter must have the right
to verify that the vote is marked as intended and that it is valid, and have the opportunity to
correct or revise it.
Requirement E (Ballot is included in tally) The voter can convince herself that her vote is
included in the set of votes tallied.
Explanation: In the case of paper ballots, this requirement is conceptually achieved in the
following way: after the voter has cast her vote by depositing the ballot in the ballot box, she waits
until the closing of the election, and when the ballot box is opened for the tallying of the votes,
she is sure that her ballot is among the set, even if he does not know which particular ballot
corresponds to the one he filled out. It should be noted that essentially the voter's faith is based
on the common sense notion that an object put in some place stays there and won't disappear by
itself.
Requirement F (Integrity of ballot and ballot box) It should not be possible for anyone to
modify a ballot, or remove it from the ballot box, nor should it be possible to add ballots not
coming from legitimate voters.
Explanation: Votes represent the (anonymous) will of voters, and any modification would change
that will. This requirement explains for instance why the ballot box is shown to be empty before
starting the election, why the ballot box should remain in a publicly visible place, and also why
transparent ballot boxes sometimes are used.
Requirement G (Secrecy until the end of the vote) All votes remain secret until the end of the
voting session.
Explanation: In principle, election should take place in parallel; it is only for logistical reasons that
the process in a precinct is sequential. Moreover, revealing partial results early would violate
ballot privacy for those who voted already. And knowing the partial result might influence a voter
later. Moreover, exclusive access to this information during the voting period could provide
advantage in terms of allocation of electioneering resources or even trigger disruption of the
voting process.
Requirement H (Correctness of the count) All valid ballots found in the ballot box, and only
those, will be included in the count.
Explanation: Votes not written on a proper ballot, for example, should not be counted as they
could represent multiple votes from a single voter. Additionally, votes that are ambiguous ought
not to be counted.
Requirement I (Counting is public) The tallying of votes happens in a public and verifiable way.
Explanation: To enhance credibility and acceptance of the outcome, it is important that the
candidate’s representatives and neutral observers be present and able to verify the process.
Requirement J (Right to audit) It should be possible to audit the count.
Explanation: In conventional paper elections, a candidate or party can contest the outcome and
request a recount of the votes, which also happens in a public session. In principle, this process
should converge to a result which everyone agrees with. In practise, a sore loser would prefer to
request recount after recount instead of admitting defeat. Some rules are usually implemented to
limit this effect. Another problem is that manual counting is notoriously unreliable: it is not
uncommon that a second count gives a third value rather than confirming one of the first two; so
no convergence occurs.
The basic design of the voting machine
The Brazilian system is an example of a DRE, standing for Direct Recording Electronic voting
machine. A DRE is essentially an ordinary PC with special peripherals and software dedicated to
the voting task. Vote counting is implemented by having a counter value corresponding to each
candidate. When a voter casts a vote for a candidate, the corresponding counter is incremented
by 1. The intuition behind this idea is to replicate as closely as possible the black-box functioning
of a ballot box: secret votes are deposited in the machine, modifying the unknown internal state.
However, unlike paper ballot voting systems, a DRE does not produce physical proof of the
voter’s intent. Thus, the candidates’ counters can be modified without detection. A meaningful
audit of the system is impossible because a recount giving the correct result becomes impossible.
DRE voting machines have been introduced in other countries, with the main experiences in the
Netherlands, India and the USA. Adopting DREs has always sparked a heated security debate,
which Brazil is only starting to have after two decades of wide use. In the USA, Avi Rubin gives a
vivid account of this episode in his book Brave New Ballot2. Rubin, together with some of his
students at Johns Hopkins, showed that the Diebold voting machines were very easy to hack.
Other works mounted as the software attacks on Dutch Nedap DRE machines by Gonggrijp and
Hengeveld3, and hardware attacks against the Indian EVMs discussed by Halderman4.
Risks to ballot privacy
With respect to the privacy of the ballot, the urna suffers from a fatal design flaw. Before a voter
casts his vote by entering the digits corresponding to the candidate of his choice, the poll worker
enters the voter id into a keyboard which is connected to the same machine. In other words, the
voter keyboard and the poll worker keyboard are connected to the same device (see Figure 2). In
its zeal for efficiency and cost-cutting, authorities decided to integrate voter authentication and
vote casting on the same equipment.
Figure 2. The voter terminal (right), and the poll worker terminal (left), connected by a 5-meter
long cable (background).
In principle this makes it very easy for an attacker to violate ballot privacy: by logging
chronologically the data registered by both devices and combining them, one can perfectly
deduce who voted for whom5. The Brazilian election authorities deny vehemently that such a
backdoor exist, but this claim is not verifiable. This decision is intimidating towards the voter
resulting in an unacceptable threat to ballot privacy.
A possible solution is that voter authentication takes place physically separated from the voting
device. This is the way it is done in every other country. Yet, if a device is used for authentication,
combining the log files is still a possibility, but at least mitigates the problem somewhat.
Electoral process and transparency mechanisms
An overview of the Brazilian electoral process can be found in Figure 3, with color coding used to
denote how critical to security each step is. Software components are first developed and audited
within the SET in the two years in-between elections, and at some point are frozen, compiled and
distributed to the local branches across the country. The voting software is then loaded in
memory cards for installation in the voting machines. These steps are highly critical, in the sense
that interference may affect large sections of the country. After the voting session ends, partial
results are collected into USB drives, and later transmitted to a central tabulator to generate the
election outcome. An audit can be requested at some point after the election.
Figure 3: Overview of the main phases in the electoral process and their criticality in
terms of security. Software development, auditing, and preparation are highly critical,
while voting is less critical due to requiring tampering with individual machines.
Transmission and tabulation are arguably the most transparent steps in the process.
Development and auditing
Contrary to other countries, in Brazil the voting software is updated and redistributed across
the country at every election, and new hardware models are specified, acquired and deployed,
replacing the older machines. The software is developed by a mix of in-house and contracted
programmers working in a dedicated division, under responsibility of the SET. Development
continues internally until 6 months before the election. Then, external inspectors can audit the
source code at the election authority headquarters in Brasília and suggest fixes or improvements.
Until 2015, inspection was restricted to staff appointed by political parties and government
institutions, but restrictions were recently relaxed to include experts and technicians from public
universities and the Brazilian Computer Society, a scientific and educational organization.
Auditing the software before the election is an attempt to give evidence that a subset of the
requirements are satisfied: a voter can vote at most once (one person, one vote) and in secrecy
(ballot privacy), all votes will be tallied and cannot be changed after the fact (integrity).
However, these software audits have many limitations. The first is the huge size and
complexity of the codebase, amounting to more than 24 million lines of code when operating
system (kernel and userland libraries) and applications are taken into account. All of these
components have been customized or developed by the SET, thus requiring the inspection of the
entire codebase. The mandatory Non-Disclosure Agreement for participants is another roadblock
to transparency. It is ineffective against malicious inspectors who leak vulnerabilities to external
attackers, whereas legitimate researchers cannot speak publicly about the security concerns they
found.
In addition to these software inspections, as of 2009, the election authority has organized
Public Security Tests to evaluate the security mechanisms implemented. The first edition was
conducted in 2009 without access to the source code, but later its scope was extended to include
source code (since 2012) and subsystems dealing with generation of memory cards and
transmission of results (since 2017). Participants and testing methodologies need to be
pre-approved, so code review and actual attacks are performed in separate sessions, taking a
few days each.
Until now these public tests have been the best opportunity for outsiders to understand and
perform security analysis on the system. And all editions have uncovered vulnerabilities, such as:
leaks in the keyboard causing privacy violation (2009); insecure pseudo-random number
generation breaking ballot secrecy, and hard-coded encryption keys (2012)6; insecure
authentication of tally results (2016); and insecure encryption and insufficient integrity checks,
leading to violation of software integrity (2017)7.
These Public Security Tests have been useful in detecting and fixing some basic flaws in the
system, but are hopelessly inadequate in proving that the system is correct. The organization also
imposes many restrictions which do not model a realistic attacker. In the chosen format only
attacks that are pre-approved can be conducted eliminating exploratory strategies, and limiting
the scope to the hardware/software component that the SET deems mature enough for
adversarial testing. To date, the biometric identification system and the tabulation infrastructure
are still out of scope, despite being in production for over a decade.
Under such limitations, most vulnerabilities discovered have a limited impact. The election
authority always claims that the vulnerabilities found are not exploitable considering the entire
electoral process, and are quickly dismissed as irrelevant after the fact, meaning that the actual
accomplishments can easily be downplayed in the press.
Preparation of the urna
Three weeks before the election the source code is compiled in a public ceremony. All source
files, executables, and other data are hashed, and this summary is digitally signed and published.
In theory, this method allows software modifications to be found in any voting machine.
The SET distributes the approved software to its state branches through a VPN network.
The software packages are stored on desktop computers running a subsystem dedicated to
generating the installation cards for the urna
. The configuration of these cards happens in a
public, videotaped ceremony, witnessed by public authorities and representatives of the political
parties. These cards are then transported across the state to be installed on the urna a few
weeks before the election. During installation the voting software is copied from the external flash
card to the machine’s internal memory. The ceremonies are public in principle, but in practice
happen in so many different places that even a well-organized political party will not be able to
send observers to each place.
Voting procedure
On election day, all polling stations follow the same basic procedure, typical of DRE-based
elections:
1. Between 7am and 8am the urna prints the zero printout
, an official public document
attesting that no votes were computed for any candidates before the elections started.
This attempts to satisfy that only valid voters are able to cast a vote . The poll worker
opens the voting session at 8AM by typing a command in the election official terminal.
2. Voters provide identification information and are authorized to cast votes in the machines.
After entering their voting option, the picture and name of the candidate are presented for
the voter to check (see example in Figure 1), in an attempt to satisfy that voters can
check their choices are included in the ballot.
3. The poll worker closes the voting session at 5PM local time, allowing voters in the queue
to cast their vote.
4. The urna prints the tally printout
, containing per-machine totals for each candidate.
Copies of this physical document are signed by election officials, distributed among
observers from the political parties and posted outside the polling station.
5. The urna produces various types of electronic audit data, consisting of: a digital version
of the tally printout, a chronological record of events registered by the machine (LOG),
and the Digital Record of the Vote (DRV), an electronic shuffled list of the actual votes.
These data are digitally signed and stored one USB drive.
6. The election official retrieves the drive and boots a networked Desktop computer in the
polling place using a dedicated LiveUSB running custom GNU/Linux. This system
establishes a secure connection with the election authority’s infrastructure using a VPN,
through which the contents of the drive are transmitted to the centralized tabulation
system.
7. The central tabulator combines all the partial results and the official result of the election
is declared. LOGs and DRV files containing voter choices can be obtained under request
by political parties after the election, as to preserve secrecy until the end of the vote and
verify correctness of the count.
Allegedly there are several transparency mechanisms in the process, however all of them with
severe limitations. The integrity of files is verified by the card installation generation program, and
again during software installation. Observers can ask for additional verification just before the
elections, and during a post-election audit (if legally approved). However, all verifications before
the elections are computed and presented by the voting machine software or inside its execution
environment, not on an independent platform. The zero printout can hardly serve as a proof of
program correctness, because the first thing a malicious actor would do is to fake a valid zero
printout. The DRV stores the raw choices entered by the voters separately (instead of just
increasing a counter) which, according to the election authority, allows for a recount in case of a
dispute. But this file is kept encrypted and authenticated by the same software which tallies the
votes, and not in some independent fashion, making the effort essentially futile.
Summarizing, most of the requirements ultimately depend exclusively on the integrity of the
voting software and its resistance against manipulation, but it is humanly impossible to audit and
validate a system with such a complex codebase.
Randomized testing of voting machines
On the day before the election, a very small number of urnas is randomly selected and submitted
to a public ceremony called parallel voting
, in which elections are simulated and the outcome is
verified. Such a ceremony take place on election day, one in every state, as to mimic the same
environment as closely as possible. The rationale behind this ceremony is that, if the tested
machines are working as expected, i.e. giving a correct public tally, then all the not-tested
machines are working correctly as well.
However, it is impossible to prove beyond doubt that the voting software running in the real
elections behaves in the same way as in the simulated election, despite elaborate attempts to test
the official voting software under operating conditions similar to an official election. Because
parallel voting sessions are usually slower and have no real voters, malicious software could
easily distinguish when it is operating in the simulation or the real setting. For instance, by
monitoring the rate in which votes are cast, or the fraction of voters enrolled in the fingerprint
identification system. If malicious behavior in the real setting is only activated after certains keys
are entered, detection under simulated conditions will be hard.
Another impediment is statistical significance. Only between three and five machines are
selected per state, including one or two from the state capital. With the state of São Paulo ranking
as the most populous, with more than 90,000 deployed machines such a sample size is negligible
for reasonable confidence. At best, the parallel voting procedure shows that there is no fraud in
the voting machines selected, but says little about all the others.
Transmission and tabulation
The state branches collect tallies from all the state, which are combined to compute the election
outcome per state. Only presidential elections need to be tabulated nationwide. Digital tallies are
published by the election authority up to three days after the election, as to allow verification
against the tally printouts produced during the voting session closure ceremony. This is what
makes the transmission of the tallies and tabulation the most transparent phase of the electoral
process. In theory, a well-organized political party can obtain a statistically significant sample of
tally printouts and verify them against the digital versions published on the web.
However, in practice there are formidable obstacles for exercising this verification in real
elections. With the size and heterogeneity of the country, obtaining a sufficient coverage requires
tremendous resources. As a reference point, the post-election audit conducted by the losing party
in the 2014 presidential race cost more than R$ 1 million (Reais, Brazilian currency) and was only
able to verify 1,187 tally printouts, by sending technicians to 16 states to collect the physical
documents. In the same year, a crowdsourced effort, called Você Fiscal (which roughly translates
to “You Verify”), was able to verify 7,020 tally printouts using pictures taken after the second
round of the presidential race, amounting to 1.6% of the polling stations (or 4.1% of the votes)8.
However, the sample was entirely voluntary, and establishing its statistical significance is very
hard. As a follow-up, the election authority adopted digitally signed QR codes in 2016, storing the
tally printout in an easy way to independently capture and transmit the result. An improved
version of this voluntary project was able to verify 5,813 tally printouts from the first round of the
2016 city elections. An attempt to verify a random sample of 200 tally printouts in the second
round for mayor of the city of Rio de Janeiro failed to meet the objective.
The 2014 post-election audit
The transparency of Brazil’s election systems was seriously put to the test in 2014. In that year,
challenger Aécio Neves lost the second round in the presidential run-off from incumbent Dilma
Rousseff obtaining 48.36% of the valid votes, corresponding to an absolute difference of 3.46
million votes. Despite this large margin, the candidate’s party decided to request an audit, in an
obvious attack to the credibility of the system.
This audit effort, which took three months instead of the initially planned three days, reported
many difficulties. Just collecting the audit data (LOGs, DRV files and poll tapes) was problematic.
Since inspection software was restricted to be executed on the urna
, obtaining binaries and
examining them was complicated. Determining if the executable binaries indeed corresponded to
the inspected source code was hard, because the compilation process could not be reproduced9.
A fundamental limitation of any post-election audit of DRE-based systems is that all received
files may already have been manipulated in an untraceable way, for example, by restoring correct
versions of the software after the malicious behavior is triggered. In this case the situation was
worse since for large portions of the electoral process it was completely impossible to obtain valid
audit data, violating the right to audit. Nevertheless, the election authority and newspaper
headlines still emphasized that no fraud had been detected in the 2014 election, instead of
pointing out that essentially the audit had been a total failure.
Table 1. Summary of transparency mechanisms in the four stages of an election: preparation of
the software before the election, voting session, transmission and tabulation, and after the
election. Color coding is used to indicate if the mechanisms attain the objectives: red indicates
that no goal is achieved, yellow that goals are partially achieved; and green that security goals
are fully achieved (at least in theory).
Stage in the
election
Transparency
mechanisms
Security goals
Limitations
Development
and auditing
- Code Inspection
- Public Security Tests
Audit the source code
Fix vulnerabilities in the
system
Large and complex
codebase
Restricted security testing
Preparation
- Compile and install
ceremonies
Prove that software
was correctly compiled
and transmitted.
Impossible to prove
inspected software
corresponds to installed
software.
Voting
- Verification of
signatures and
checksums
- Zero Printout
- Poll Tape
- Digital Record of
Vote
- Parallel voting
Prove that legitimate
software was installed.
Prove software
behaves correctly
during election.
Impossible to prove that
machines in real election
work as in machines
selected for testing.
Tabulation
- Comparison between
physical printout and
digital result
- Parallel tabulation
Prove election
outcome corresponds
to the sum of partial
results.
Many logistic obstacles,
but possible in theory.
Post-election
Audit
Prove election was fair.
Without recounts, unable to
prove results if electronic
fraud is untraceable.
Transparency of voting systems
ADRE is a black box and the voter has no way of knowing what’s going on or ascertaining that
his vote is counted correctly. The lack of physical proof generated by the voting machine has the
following dangerous implication: if each voting machine has the same software, rigging an
election becomes much easier than with paper ballots. In the latter, to corrupt an election result,
an adversary has to act at hundreds of places, whereas in the centralized solution used in Brazil,
a very small group of technicians with inside knowledge could potentially manipulate the election
outcome without being detected.
A recent attempt of improving the transparency of the system was a law approved by
Congress in 2015, mandating voter-verified paper audit trails to be reintroduced in the system
starting from the upcoming 2018 election. After several difficulties raised by the SET in terms of
budget and the protection of ballot secrecy against poll workers, the law was suspended based
on a claim of unconstitutionality. Given that refactoring the entire system to accommodate some
kind of end-to-end paper record is very unlikely, there is not much hope of more transparent
elections if the law is finally declared unconstitutional and put to rest.
To counter the drawbacks of DREs, researchers came up with new end-to-end systems: the
system produces a receipt for the voter, which allows him/her to verify that his vote was counted,
but without yielding any information about the vote cast thus preserving ballot privacy. This
process is usually broken into two steps. Individual verifiability allows the voter to be convinced
that her vote is included in the set of digital objects which together determine the election
outcome. Universal verifiability allows any person, being a voter or an outsider, to verify that the
election result was computed correctly from this set. A related notion is software independence
,
which essentially says that the correctness of an election process must not depend on its
software10: “A voting system is software-independent if an undetected change or error in its
software cannot cause an undetectable change or error in an election outcome.” For more
information about this, please consult IEEE S&P May/June 2017 Special Issue on Voting, or the
book edited by Hao and Ryan11.
Needless to say that the Brazilian urna does not satisfy any of the verifiability or software
independence notions. DREs have decreased in interest in most of the world, but not so in Brazil.
Election authorities, stubbornly ignoring these facts, continue to defend and promote the use of
outdated, insecure DRE technology. They claim that additional audit mechanisms that have been
created are sufficient to provide transparency, but this goes against the consensus view among
computer scientists who study voting security that physical proof of the voter’s intent is always
required.
The good, the bad, the ugly
It is undeniable that the urna brought stability to the election process in Brazil. To some extent
this is because twenty years ago, when the system was introduced, voters were completely
unfamiliar with this new technology and marvelled at it. Most political parties dubbed the system
too complicated to understand, and disregarded it.
Unfortunately, the shortcoming of the system, already reported to the SET over 15 years ago,
are obvious. First, voter authentication and voting takes place on the same machine, potentially
violating ballot privacy. Second, since there is no physical evidence of the voter’s intent, any
recount is impossible, making any audit of the system meaningless. The system is a black box,
and to believe its results one has to have blind faith in the election authorities.
Nevertheless, to enhance the credibility of the system, election authorities have endeavoured
to make the urna into something of national pride. It is being proclaimed as the envy of other
nations, a product worth of exportation. Researchers who criticize the system and proclaim it
insecure are usually ignored. There is no rational dialogue between the election authority and
society about the pros and cons of the current election system. The urna is perfect, so what is
there to discuss?
One of the co-authors decided to expose this mechanism in a book for a wider audience,
whose title translates to The myth of the urna: unveiling the (in)security of Brazil’s voting system.
One of the conclusions of this book states that, in Brazil, important judicial decisions are not
based on scientific research; they are often based on the personal opinions of judges who have
no understanding of (election) technology. The sensible thing to do would be to instate a
commission with legal and scientific experts who will report to the SET and collaborate to improve
security and transparency of the system by means of adopting a paper trail or another end-to-end
verifiability mechanism. But not so in Brazil.
References
1. Paulo Ceśar Bhering Camarão. The Computerized Vote: Democratic Legitimacy (In Portuguese).
Empresa das Artes, 1997, ISBN 8585628308.
2. Aviel Rubin. Brave new ballot: The battle to safeguard democracy in the age of electronic voting
.
Broadway Books, 2006.
3. Rop Gonggrijp, Willem-Jan Hengeveld: Studying the Nedap/Groenendaal ES3B Voting Computer:
A Computer Security Perspective. EVT 2007
4. Scott Wolchok, Eric Wustrow, J. Alex Halderman, Hari K. Prasad, Arun Kankipati, Sai Krishna
Sakhamuri, Vasavya Yagati, Rop Gonggrijp: Security analysis of India's electronic voting machines.
ACM Conference on Computer and Communications Security 2010: 1-14
5. Jeroen van de Graaf, Ricardo Felipe Custódio. Electoral Technology and the Voting Machine
Report of the Brazilian Computer Society (in Portuguese)
. Available at
http://www.sbc.org.br/index.php?option=com_jdownloads&Itemid=195&task=vie
w.download&catid=77&cid=107
6. D. F. Aranha, M. M. Karam, A. Miranda, and F. Scarel. Software vulnerabilities in the Brazilian
voting machine. IGI Global, 149–175, 2014. Available at
http://www.igi-global.com/book/design-development-use-secure-electronic/94868
7. Diego F. Aranha, Pedro Y. Barbosa, Thiago C. Cardoso, Caio Lüders, Paulo Matias. The Return of
Software Vulnerabilities in the Brazilian Voting Machine
. Technical report, 2018. Available at
https://doi.org/10.13140/RG.2.2.16240.97287
8. Diego F. Aranha, Helder Ribeiro, André Luis Ogando Paraense: Crowdsourced integrity verification
of election results - An experience from Brazilian elections. Annales des Télécommunications
71(7-8): 287-297 (2016)
9. Brazilian Social Democracy Party PSDB. Report on the Special Audit in the 2014 Voting System,
2014. Available at
http://www.brunazo.eng.br/voto-e/arquivos/RelatorioAuditoriaEleicao2014-P
SDB.pdf
10. Ronald Rivest. "On the notion of ‘software independence’in voting systems." Philosophical
Transactions of the Royal Society of London A: Mathematical, Physical and Engineering Sciences
366.1881 (2008): 3759-3767.
11. Feng Hao, Peter YA Ryan, eds. Real-world Electronic Voting: Design, Analysis and Deployment
.
CRC Press, 2016. ISBN: 0767922107.[
Diego F. Aranha is Assistant Professor at the Universidade Estadual de Campinas. His professional
experience is in cryptography and computer security, with special interest in cryptographic engineering
and security analysis of real-world systems. He coordinated two teams of independent researchers who
detected and explored software vulnerabilities in the Brazilian voting machine during restricted tests
organized by the electoral authority. Contact at dfaranha@ic.unicamp.br.
Jeroen van de Graaf is an Assistant Professor in the Department of Computer Science at the Universidade
Federal de Minas Gerais. Contact at jvdg.ufmg@gmail.com.
... The voting machines do not have any type of network hardware, which makes it impossible to connect to the internet, Bluetooth or other devices. They start operating at 8 a.m. on voting day, and from 5 p.m. they print the poll tape (or "boletim de urna"), and no more votes are accepted [6]. ...
... Finally, the transparency, security and organization of the Brazilian electronic voting system is discussed by [6]. The authors point out that the Brazilian voting machine is a black box and a post-election audit is almost impossible. ...
... Finally, there are still many concerns about the transparency of the voting machine and all the systems that make up the voting and tabulation processes, as described by [6]. Despite the fact that the process of votes transmission and tabulation is auditable through the poll tape, there are several discussions about the creation of independent mechanisms to audit the operation of the voting machines, including a paper trail to verify the votes stored in the voting machine memory [9,11]. ...
Conference Paper
Democracy is one of the processes that has become electronic over the years, and Brazil, as one of the countries with the largest democracy in the world in terms of number of voters, has also started the informatization of the voting process. However, it is important to note that, in addition to advantages that an all-electronic voting process brings to an election, such as rapid vote tabulation and the availability of results, there are technical issues to be addressed to prevent fraud and system failures, ensuring a fair process. In this sense, this paper presents a case study that analyzes what are the problems faced in the Brazilian electronic process by studying public reports released by the authorities. Brazilian e-voting system has several security mechanisms, such as voter authentication by biometrics, and is capable of detecting unauthorized modifications. Our findings show that, despite the Brazilian e-voting technological evolution, the system still faces some problems that can compromise the outcome of an election, and also bring some doubts about the procedures defined for carrying out public security tests in the e-voting system.
... The results validates the crypto biometric system in terms of key retrieval and accuracy. Furthermore, [24] have illustrated the transparency and organizations mechanism of nationwide e-voting in the context of security concerns and requirements. The authors have discussed a case of brazil pioneering the nationwide adoption of voting over 20 years ago. ...
Article
Full-text available
A smart city refers to an intelligent environment obtained by deploying all available resources and recent technologies in a coordinated and smart manner. Intelligent sensors (Internet of Things (IoT) devices) along with 5G technology working mutually are steadily becoming more pervasive and accomplish users’ desires more effectively. Among a variety of IoT use cases, e-voting is a considerable application of IoT that relegates it to the next phase in the growth of technologies related to smart cities. In conventional applications, all the devices are often assumed to be cooperative and trusted. However, in practice, devices may be disrupted by the intruders to behave maliciously with the aim of degradation of the network services. Therefore, the privacy and security flaws in the e-voting systems in particular lead to a huge problem where intruders may perform a number of frauds for rigging the polls. Thus, the potential challenge is to distinguish the legitimate IoT devices from the malicious ones by computing their trust values through social optimizer in order to establish a legitimate communication environment. Further, in order to prevent from future modifications of data captured by smart devices, a Blockchain is maintained where blocks of all legitimate IoT devices are recorded. This paper has introduced a secure and transparent e-voting mechanism through IoT devices using Blockchain technology with the aim of detecting and resolving the various threats caused by an intruder at various levels. Further, in order to validate the proposed mechanism, it is analyzed against various security parameters such as message alteration, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attack and authentication delay.
... Data tersebut dapat dilihat pada gambar di bawah ini. 67 terhadap penggunaan teknologi e-voting. Adapun latar belakang penerapan evoting difokuskan kepada keinginan negara untuk memerangi penipuan endemik dalam proses tabulasi surat suara dan mengatasi masalah yang berkaitan dengan aksesibilitas pemilu dan surat suara rusak dalam sistem pemilihan konvensional. ...
Article
Full-text available
Public services as the basic needs of the community in the form of service activities facilitated by the state are considered not optimal and effective. One of the implementations of public services, especially in terms of the implementation of democracy is in the holding of elections through conventional mechanisms facilitated by the state through the General Election Commission. There are several problems in its implementation such as high levels of fraud, human error, and budget. Based on these problems, it has implications for the damage to the principle of election and the decline in the level of community satisfaction with the implementation of elections. Considering that Indonesia has entered the era of revolution 4.0, public service reform is needed in order to effectively establish election principles. The purpose of this paper is to find out the mechanism and problem of organizing elections as one form of public service in Indonesia. The theoretical foundation that we use is good and clean governance which is a fundamental principle in the administration of public and election services. Thus, the writer uses the juridical normative research method, through a case approach, comparative approach and conceptual approach. Therefore, the authors initiated the concept of e-voting in elections as an effective and efficient solution in rebuilding people's trust in the government in terms of public services. So, based on this research it can be concluded that currently public services in the holding of elections are considered not able to run well, causing the level of public satisfaction with the holding of elections to decline. keywords: Public Service, General Election, Industrial Revolution 4.0, e-votingAbstrakPelayanan publik sebagai kebutuhan dasar masyarakat berupa kegiatan pelayanan yang di fasilitasi oleh negara dinilai belum optimal dan efektif. Salah satu implementasi pelayanan publik terutama dalam hal pelaksanaan demokrasi yaitu dalam penyelenggaraan pemilu melalui mekanisme konvensional yang difasilitasi negara melalui Komisi Pemilihan Umum. Terdapat beberapa problematika dalam penyelenggaraannya seperti tingginya tingkat kecurangan, human error, dan pendanaan yang tinggi. Berdasarkan permasalahan tersebut berimplikasi kepada pencederaan asas pemilu dan turunnya tingkat kepuasan masyarakat terhadap pelaksanaan pemilu. Mengingat Indonesia telah memasuki era revolusi 4.0 diperlukan reformasi pelayanan publik agar terciptanya asas-asas pemilu secara efektif. Tujuan dari penulisan ini adalah untuk mengetahui mekanisme dan problematika penyelenggaraan pemilu sebagai salah satu bentuk pelayanan publik di Indonesia. Landasan teori yang penulis gunakan yaitu good and clean governance yang merupakan asas fundamental dalam penyelenggaraan pelayanan publik maupun pemilu. Dengan demikian penulis memakai metode penelitian normative yuridis, melalui pendekatan kasus (case approach), pendekatan komparasi (comparation approach) dan pendekatan konsep (conceptual approach). Oleh karena itu penulis menggagas konsep e-voting dalam pemilu sebagai solusi yang efektif dan efisien dalam membangun kembali kepercayaan masyarakat kepada pemerintah dalam hal pelayanan publik. Maka berdasarkan penelitian ini dapat disimpulkan bahwa dewasa ini pelayanan publik dalam penyelenggaraan pemilu dinilai belum mampu berjalan dengan baik, sehingga menyebabkan tingkat kepuasan masyarakat terhadap penyelenggaraan pemilu menurun. Sehingga penulis merekomendasikan untuk merubah penyelenggaraan pemilu secara konvensional menjadi e-voting dan merevisi Undang-undang Nomor 7 Tahun 2017 tentang Pemilihan Umum.Kata Kunci: Pelayanan Publik, Pemilu, Revolusi Industri 4.0, e-voting
... Despite technical evidence to the contrary, another recurrent claim put forward both by the SEC and the Supreme Court is that the current system provides sufficient security, thus adding a physical record would only serve to increase the system's complexity and attack surface. It is not clear how the debate will proceed further, but introducing a physical record for auditing and recounting would be the cheapest short-term option to increase transparency of the voting system without requiring a major overhaul of its design and operation [31]. ...
Article
Full-text available
This paper presents a detailed and up-to-date security analysis of the voting software used in Brazilian election based on results obtained by the authors in a recent hacking challenge organized the national electoral authority. During the event, multiple serious vulnerabilities were detected in the voting software, which when combined compromised the main security properties of the equipment , namely ballot secrecy and software integrity. The insecure storage of cryptographic keys, hard-coded directly in source code and shared among all machines, allowed full content inspection of the software installation memory cards, after which two shared libraries missing authentication signatures were detected. Injecting code in the libraries allowed the execution of arbitrary code in the machine, violating the integrity of the voting software. Our progress is richly described, to illustrate difficulties and limitations in the testing methodology chosen by the electoral authority, and to inform how teams participating in future challenges can optimize their performance. We trace the history of the vulnerabilities to a previous security analysis, providing some perspective about how the system evolved in the past 6 years. As far as we know, this was the most in-depth compromise of an official large-scale voting system ever performed under such severely restricted conditions.
... Since the 90's, Latin America commenced a slow but steady process of adapting to new technologies and making use of them to enter the trend of adopting E-Voting. In 1996 and 1998 respectively, Brazil and Venezuela were the first nation to interact with this new system [1]. ...
Article
Full-text available
The problems in information security regarding vulnerabilities, threats and risks in voting systems for popular election in Latin America and the world persist; because in most of the countries of the world there is no maturity in democracy and defined policies; the problems of confidentiality, integrity and authenticity in the electoral processes can be evidenced. The objective is to perform the analysis to identify the threats, risks and weaknesses in electoral systems in Latin American countries and determine which of the systems used by different countries may be appropriate, to be considered as an alternative. The deductive method and exploratory research has been used to perform the analysis of the articles and information regarding electoral processes. It resulted in a description in statistical tables of the threats and weaknesses that must be examined to implement a system for electoral voting; considering the culture, technological availability and social conditions of each country. It was concluded that to mitigate the potential risks of the information, it is necessary to identify the weaknesses in the electronic voting system to improve the integrity and security of the electoral process; made in the last three presidential elections in Brazil, Colombia, Ecuador.
Book
Full-text available
This volume contains papers presented at E-Vote-ID 2021, the Sixth International Joint Conference on Electronic Voting, held during October 5-8, 2021. Due to the extraordinary situation provoked by Covid-19 Pandemic, the conference is held online for second consecutive edition, instead of in the traditional venue in Bregenz, Austria. E-Vote-ID Conference resulted from the merging of EVOTE and Vote-ID and counting up to 17 years since the �rst E-Vote conference in Austria. Since that conference in 2004, over 1000 experts have attended the venue, including scholars, practitioners, authorities, electoral managers, vendors, and PhD Students. The conference collected the most relevant debates on the development of Electronic Voting, from aspects relating to security and usability through to practical experiences and applications of voting systems, also including legal, social or political aspects, amongst others; turning out to be an important global referent in relation to this issue. Also, this year, the conference consisted of: { Security, Usability and Technical Issues Track { Administrative, Legal, Political and Social Issues Track { Election and Practical Experiences Track { PhD Colloquium, Poster and Demo Session on the day before the conference E-VOTE-ID 2021 received 49 submissions, being, each of them, reviewed by 3 to 5 program committee members, using a double blind review process. As a result, 27 papers were accepted for its presentation in the conference. The selected papers cover a wide range of topics connected with electronic voting, including experiences and revisions of the real uses of E-voting systems and corresponding processes in elections.
Article
Full-text available
This paper presents a detailed and up-to-date security analysis of the voting software used in Brazilian election based on results obtained by the authors in a recent hacking challenge organized the national electoral authority. During the event, multiple serious vulnerabilities were detected in the voting software, which when combined compromised the main security properties of the equipment , namely ballot secrecy and software integrity. The insecure storage of cryptographic keys, hard-coded directly in source code and shared among all machines, allowed full content inspection of the software installation memory cards, after which two shared libraries missing authentication signatures were detected. Injecting code in the libraries allowed the execution of arbitrary code in the machine, violating the integrity of the voting software. Our progress is richly described, to illustrate difficulties and limitations in the testing methodology chosen by the electoral authority, and to inform how teams participating in future challenges can optimize their performance. We trace the history of the vulnerabilities to a previous security analysis, providing some perspective about how the system evolved in the past 6 years. As far as we know, this was the most in-depth compromise of an official large-scale voting system ever performed under such severely restricted conditions.
Preprint
Full-text available
This paper presents a detailed and up-to-date security analysis of the voting software used in Brazilian elections. It is based on results obtained by the authors in a recent hacking challenge organized by the Superior Electoral Court (SEC), the national electoral authority. During the event, multiple serious vulnerabilities were detected in the voting software, which when combined compromised the main security properties of the equipment , namely ballot secrecy and software integrity. The insecure storage of cryptographic keys, hard-coded directly in source code and shared among all machines, allowed full content inspection of the software installation memory cards, after which two shared libraries missing authentication signatures were detected. Injecting code in those libraries opened the possibility of executing arbitrary code in the equipment, violating the integrity of the running software. Our progress is described chronologically , to illustrate difficulties and limitations in the testing methodology chosen by the electoral authority, and to inform how teams participating in future challenges can optimize their performance. We trace the history of the vulnerabilities to a previous security analysis, providing some perspective about how the system evolved in the past 5 years. As far as we know, this was the most in-depth compromise of an official large-scale voting system ever performed under such severely restricted conditions.
Article
Full-text available
In this work, we describe an experiment for evaluating the integrity of election results, and improving transparency and voter participation in electronic elections. The idea was based on two aspects: distributed collection of poll tape pictures, taken by voters using mobile devices; and crowdsourced comparison of these pictures with the partial electronic results published by the electoral authority. The solution allowed voters to verify if results were correctly transmitted to the central tabulator without manipulation, with granularity of individual polling places. We present results, discuss limitations ofthe approach and future perspectives, considering the context of the previous Brazilian presidential elections of 2014, where the proposed solution was employed for the first time. In particular, with the aid of our project, voters were able to verify 1.6% of the total poll tapes, amounting to 4.1% of the total votes, which prompted the electoral authority to announce improved support for automated verification in the next elections. While the case study relies on the typical workflow of a paperless DRE-based election, the approach can be improved and adapted to other types of voting technology.
Chapter
Full-text available
This work presents a security analysis of the Brazilian voting machine software based on the the experience of the authors while participating of the 2nd Public Security Tests of the Electronic Voting System organized by the Superior Electoral Court (SEC), the national electoral authority. During the event, vulnerabilities in the software were detected and explored to allow recovery of the ballots in the order they were cast. We present scenarios where these vulnerabilities allow electoral fraud and suggestions to restore the security of the affected mechanisms. Additionally, other flaws in the software and its development process are discussed in detail.
Article
The Nedap/Groenendaal ES3B voting computer is being used by 90% of the Dutch voters. With very minor modifications, the same computer is also being used in parts of Germany and France. In Ireland the use of this machine is currently on hold after significant doubts were raised concerning its suitability for elections. This paper details how we installed new software in Nedap ES3B voting computers. It details how anyone, when given brief access to the devices at any time before the election, can gain complete and virtually undetectable control over the election results. It also shows how radio emanations from an unmodified ES3B can be received at several meters distance and used to tell what is being voted. We conclude that the Nedap ES3B is unsuitable for use in elections, that the Dutch regulatory framework surrounding e-voting currently insufficiently addresses security, and we pose that not enough thought has been given to the trust relationships and verifiability issues inherent to DRE class voting machines.
Conference Paper
Elections in India are conducted almost exclusively using electronic voting machines developed over the past two decades by a pair of government-owned companies. These devices, known in India as EVMs, have been praised for their simple design, ease of use, and reliability, but recently they have also been criticized following widespread reports of election irregularities. Despite this criticism, many details of the machines' design have never been publicly disclosed, and they have not been subjected to a rigorous, independent security evaluation. In this paper, we present a security analysis of a real Indian EVM obtained from an anonymous source. We describe the machine's design and operation in detail, and we evaluate its security in light of relevant election procedures. We conclude that in spite of the machines' simplicity and minimal software trusted computing base, they are vulnerable to serious attacks that can alter election results and violate the secrecy of the ballot. We demonstrate two attacks, implemented using custom hardware, which could be carried out by dishonest election insiders or other criminals with only brief physical access to the machines. This case study carries important lessons for Indian elections and for electronic voting security more generally.
Article
This paper defines and explores the notion of 'software independence' in voting systems: 'A voting system is software independent if an (undetected) change or error in its software cannot cause an undetectable change or error in an election outcome'. For example, optical scan and some cryptographically based voting systems are software independent. Variations and implications of this definition are explored. It is proposed that software-independent voting systems should be preferred, and software-dependent voting systems should be avoided. An initial version of this paper was prepared for use by the Technical Guidelines Development Committee in their development of the Voluntary Voting System Guidelines, which will specify the requirements that the USA voting systems must meet to receive certification.
Electoral technology and the voting machine—Report of the Brazilian Computer Society (in Portuguese)
  • J Van De Graaf
  • R F Custódio
J. van de Graaf, R. F. Custódio. (2002). Electoral technology and the voting machine-Report of the Brazilian Computer Society (in Portuguese). Sociedade Brasileira de Compuação, Porto Alegro, Brazil. [Online]. Available: http://www.sbc.org.br/institucional-3/cartas-abertas /send/93-cartas-abertas/351-relatorio-dos-trabalhos -de-cooperacao-realizados-para-o-tse
Brave new ballot: The battle to safeguard democracy in the age of electronic voting
  • Aviel Rubin
Aviel Rubin. Brave new ballot: The battle to safeguard democracy in the age of electronic voting. Broadway Books, 2006.
Report on the Special Audit in the 2014 Voting System
  • C T Fernades
  • M A Simplício
  • E S Gomi
C. T. Fernades, M.A. Simplício, and E.S. Gomi. (2014). Report on the Special Audit in the 2014 Voting System [in Portuguese]. Brazilian Social Democracy Party, Brasília, Brazil. [Online]. Available: http://www.brunazo.eng.br /voto-e/arquivos/RelatorioAuditoriaEleicao2014-PSDB.pdf