International 2003 Contestant for
"World's most stupid security measure"

Contents
0. Background information
   Software certification and validation
   Three acts by a post-modern Janus
2. Enabling vote audit
   SIE: A system based on DREs
   Regulating the auditability of SIE
   A legislative gap
3. Ruling on software validation
   Parallel voting
   The problem with simulations
   Swindler's best bet
About the authors
0. Background information
Brazil is a democratic federative republic, with the State organized in three levels: municipalities under states (plus one federal district), under the federation. Unlike in other democratic federative republics (whatever that means), electoral matters in Brazil fall solely under federal law; state and municipal electoral laws are forbidden by the constitution. This has historical reasons. Tales of election fraud have speckled our country's history since early independence (1860's), when the State was still a kingdom newly separated from Portugal. These cases kept gaining density, particularly after Brazil became a Republic in 1889, culminating in a "revolution" (a small one, with a few dead) in 1930, aimed at getting rid of a flawed electoral process which did not allow for the typification of electoral fraud, the so-called "bico de pena".
As a result of the 1930 revolution, a branch of the Judiciary Power was formed, named the Electoral Justice. A bureaucracy in charge of all elections for public office, it turned out to be less a branch of the Judiciary and more an oxymoron for the democratic principle of balance of powers, despite, or perhaps because of, two long interruptions in democratic rule, from 1932 to 1945 and from 1964 to 1985 (http://www.ccc.commnet.edu/stuweb/~quiterio5816/History.htm). Its mission being to enforce federal electoral legislation, in practice it was given the legislative power to regulate how the measures or dispositions in such laws shall be enforced or fulfilled, the executive power to run the elections it regulates, and, last but not least, the judicial power to judge itself with regard to its two other functions. Brazil's Electoral Justice is hierarchically organized as a top federal court, named the Superior Electoral Tribunal (TSE), and state courts named Regional Electoral Tribunals (TREs), with its original mission having become a trinity of functions.
Following up on its informatization program, started with a centralized database of registered voters in 1987, TSE began specifying, bidding, buying and deploying to TREs, for use in all public office elections beginning in 1996, Direct Recording Electronic voting systems (DREs), called in Brazil urnas eletrônicas. We will henceforth refer to the DREs chosen for deployment at official elections in Brazil by the acronym "UE". They are basically Intel PC platforms with flashcard storage, sold by Procomp (the IT subsidiary of Brazil's largest bank) and Unisys Brasil (image 1: photo of a UE by Procomp, from http://www.politica.pro.br).
The use of UEs in Brazilian elections grew progressively to reach the totality of precincts in 2000 and 2002. Voting in Brazil is compulsory, there being today around 117 million registered voters, all of whom were to vote in one of the more than 400 thousand UEs deployed for nationwide elections. That is Brazil's e-vote, which has yielded president Lula's all-time world record for votes given to an elected president, according to some boastful local media reports (http://www.lula.org.br/index1.asp). That is not a mere curiosity, for it may be setting trends, as we can figure by following the news on the modernization of electoral processes worldwide (http://www.psr.keele.ac.uk/election.htm).
DREs
Among electronic voting machines, DREs are peculiarly amusing because they do not materialize a voter's vote. A DRE employs no paper, no electronics, nor any other media or means to register individual votes. It does not openly tally individual votes. It does not hold electronic representations of individual votes beyond the time frame the system's designer deems necessary for totaling the votes entered. Once the voting period is finished, all that remains available from a DRE machine are the totals per candidate, including undervotes (brancos) and overvotes (nulos) entered, and some statistics, for a particular election.
A DRE solves the problem of electronically implementing the commonly held modern democratic principle of vote secrecy by doing away with election auditability. A DRE trades the possibility of recounting individual votes for vote secrecy, obtaining such secrecy through the easiest and shortest path. That is, through the path which mistakes integrity assurance and authorship for just the latter as the predicate of such desired secrecy. Because of this, DREs rely solely on software certification and validation to inspire, in the technical sense, trust in the accuracy of the results they can yield. This trust will, obviously, be comparable to the rigorousness, thoroughness and care with which such certification and validation are done.
Software certification and validation for 400 thousand computers is undoubtedly not an easy task. In a democracy able to defend itself, the reliability of such a complex process will hinge simultaneously on the independence, competence and efficacy with which the various steps of this process can be carried out, assuming their completeness. It will hinge on sufficient means to expose or neutralize, to an acceptable degree of certainty, not only design, implementation and operational flaws, but mainly the possible collusions amongst any subset of agents against its values and principles. With DREs, the reliability of an electoral system will, therefore, depend on a delicate balance of risks and responsibilities among its human agents.
Software Certification and Validation
According to Brazil's federal electoral law in place, the task of certifying and validating the software in the UEs and its system rests with the political parties running for the election (Lei 9504, art. 66). As the indenter, owner and operator of the UE machines and their system, as well as the regulator which writes the rules for this certification and validation, the Electoral Justice is responsible, in theory and in practice, for the terms and conditions under which the political parties are to pursue this task.
As explained before, TSE is a supreme court responsible for protecting the constitutional and legal rights of voters, at the same time that it also happens to be the operational arm of the State responsible for enabling and enforcing such rights, thus becoming their main potential violator as well. Therefore, it can only play balanced acts with its two faces if it is not to fail any of its functions. Since these functions make up a kind of holy trinity mission, failing one will mean failing the others. Thus, TSE's two faces are like the faces of Janus (image 2 from Encyclopedia Larousse), the Roman god of beginnings and portals. If one face has to turn right, the other face shall not want to turn left.
Has TSE been playing balanced acts? Well, it depends on how one observes. One has to follow both faces at once to find out. This, plus the fact that contemporary mainstream media and cultures seem chronically incapable of looking at both faces of Janus at once, is what makes this story so interesting. Trust inspired in the technical sense may not mean trust inspired in the psychosocial sense.
Three acts by a post-modern Janus
Some of the acts played out by this post-modern Janus on Brazil's political stage are worthy of notice, for their didactic value on the interface between information technology and political power. We selected, for Privacy International's 2003 contest, three of these acts. Our choice was based on the central role of some proclaimed security measures and on the didactic value they feature. For this article we chose an act we call Parallel Testing. The reader is invited to judge for him or herself the efficacy, boldness and possible effects of its central character. The other two acts are the Preemptive Sampling and the Self Validation acts.
2. Enabling vote audit
SIE: a system based on DREs
With complete informatization attained through the deployment of UEs at the totality of precincts for any official election, the voting system in Brazil set up by TSE and known as SIE (Sistema Informatizado de Eleições) works, in general lines, as follows (http://www.tse.gov.br/).
Initialization: The electoral official responsible for a precinct (sessão eleitoral) sets up the voting system by initializing the UE which has been prepared for that precinct by the corresponding TRE, in the presence of designated political party supervisors. The UE software holds a list of names and pictures of candidates for the elections taking place at the municipality of that precinct on that date. Upon initialization, the list of names of candidates is printed out on a paper ribbon by a printer built into the UE's CPU (larger module in figure 1). The CPU is placed in a closed booth and connected by a long serial cable to the control terminal (smaller module in figure 1), which sits a few meters away on a desk where electoral officials will sit. The picture of a candidate is shown to the voter who chooses said candidate, as part of the voting stage in which the voter is to confirm his vote.
Vote: When someone comes into the precinct to vote, he/she is identified through an official list of voters registered to vote in that precinct, issued by TSE from its central voter registry database, against a personal document (which does not bear a photograph of its owner) issued by the precinct's corresponding TRE upon registration. The electoral official enters the voter registration number into the keyboard of the control terminal, and voting software at the CPU checks whether that number belongs to that precinct and whether that voter has already voted in that election. If the number belongs to the precinct and its holder has not yet voted, the numerical keyboard of the UE's CPU is set to receive that voter's votes.
Finalization: At the end of the voting period, normally at 5 pm, the electoral official responsible for the precinct finalizes the vote by commanding the system to end voting. The UE software then records on magnetic media (a 3.5-inch diskette) a digitally signed electronic version of that precinct's voting report, called boletim de urna (BU), which is a list of the candidates who have received at least one vote, each followed by the number of votes received, and the null and empty votes from that precinct. It also prints copies of a textual version of the BU on paper ribbon. These copies have to be signed by the electoral officials and handed out to the party representatives who supervised that precinct's vote.
Polling: The diskette with the BU is then sent to an electoral informatics pole, one of the end nodes of a computer network set up for polling the elections. Such poles are connected directly to the TREs, and these to TSE, through a VPN with a tree topology. There is usually one pole for each group of approximately ten medium-sized municipalities, set up at some electoral registrar. The task of these poles is to validate the BUs received, to transmit them to their upward TRE node, and to store the magnetic media, flow control papers and equipment. The TRE nodes are responsible for polling the results of municipal and statewide elections, for transmitting polled results and BU votes for the presidential election (if applicable) to the root node at TSE, and for proclaiming electoral results (except for presidential elections, which is done by TSE). TSE also runs a TCP/IP report service for delivering on-line partial results for all the elections taking place in the country, through a specialized http browser developed and freely distributed for this purpose.
Regulating the auditability of SIE
Modern States don't compare in scale to classical Greek cities. Therefore, modern democracies are based on a fragile adaptation of their basic mechanism, elections, raised to stand on a tripod whose legs are the processes of voting, polling and auditing. A weakness in any of these three legs can fault the reliability of modern democracy's basic mechanism. The fascination with technology nurtured by our contemporary civilization has allowed decision makers and public officials to introduce information technologies into social processes under the sole justification of efficiency, as if the molding of social processes by any gauge of efficiency would risk no drawbacks.
This shortsightedness, of which the preemptive sampling act is a case study, has weakened the third leg of the tripod sustaining Brazil's fragile democracy. In describing this act, we will mention some decisions taken by those in charge at TSE when regulating existing electoral legislation, their lobbying for modifications of this legislation due to evolving informatization, their judging of their own conduct on this matter in a manner that can be construed as reckless for this third leg, and how they have gotten away with it in the face of public opinion and legislative oversight. One of our hopes is that such a stance can be better challenged, not only in Brazil but in other scenarios yet to come from sorcerer's apprentices, with the help of whatever honors this case may get from Privacy International's 2003 contest.
Nationwide elections are held every two years in Brazil. For all elections held under federal Law 9504, that is, since 1997, TSE had been interpreting very narrowly, through its regulations, article 66 of this Law, which establishes audit rights regarding the information technologies involved in SIE. Article 66 of Law 9504 says (http://www.pt.org.br/assessor/PL4604.htm, translation by this author):
Art. 66: Political parties and their coalitions will be able to inspect all phases of the processes of preparation, vote and polling of elections, including the UEs and the electronic processing of polling results, being granted to them previous knowledge of the computer programs to be used.
In all these elections, only some of the code, and access to its source code, was made available to designated party inspectors, under extremely limited technical and legal circumstances. But it was just enough to generate headlines in mainstream media suggesting the fulfillment of article 66.
Furthermore, these regulations had no provision for independent validation of whatever software was inspected, regarding its integrity between inspection and deployment (the central character of the "self-validation" act). In addition, any legal challenges to such narrowness, in the face of the contradictions and paradoxes it has raised, have been either sidetracked through legal technicalities or answered with outright debauchery. Some of the technicians, scholars and politicians involved in this inspection game and these legal challenges have co-authored a book, so far available only in Portuguese in pdf format, entitled "Burla Eletrônica" (http://www.brunazo.eng.br/voto-e/arquivos/BurlaEletronica.pdf), narrating tales and details, most of which were collected, documented and presented by the authors themselves at a seminar held at Brazil's National Congress in May 2002.
A Legislative Gap
All in all, the nationwide elections held in 1996, 1998, 2000 and 2002, the last two done totally through UEs, offered no assurance of the integrity of individual votes cast through these machines. No mechanism for the recounting of individual votes and no meaningful software certification and validation procedure has yet been provided, as thoroughly described in "Burla Eletrônica". Since 1998, when the first elections under Law 9504 were held with its software audit provisions disdained by electoral authorities, some citizens and politicians have voiced their concern about the possible adverse effects this could have on Brazilian democracy.
In response, they joined and proposed, through the Federal Senate in 1999, a new electoral law addressing more positively the weaknesses of a DRE-based electoral system, weaknesses which its owner, regulator and judge had been reluctant to consider. The idea was to bring back the materialization of individual votes, while retaining as much as possible of the UE equipment and software already designed, contracted, built and deployed. This proposal featured a security measure for auditing a sample of UEs through printed ballots.
But this proposal was modified while being voted on by the Senate, turning into law a modified version of that security measure which defaced its spirit, turning a sample into a safe-conduct for swindling through collusion. Yet it is a measure still exposing a would-be swindler to considerable risk. That modified security measure was the central character of act one of this series. Being disliked by all, it set off the search for a substitute. The security measure proposed by TSE to replace it will be the central character of this second act.
3. Ruling on software validation
Parallel voting
Until 2000, designated party inspectors were allowed only one type of test on UEs to estimate their reliability and performance. This test is the execution on sampled UEs, a few days before the election, of a software called "teste", supplied by TSE. This software is launched from a script file on a 3.5-inch diskette, requiring a password for an account named "teste". The software would then simulate a voting session. This test has no auditing value, for it is not carried out in production mode, that is, during a real election. A voting simulation on a UE can only have auditing value if its running environment is indistinguishable from the environment of a real election, as perceived by the system's logic. And date, hour, startup account and password all differ in the two situations.
Beginning in 2002, TSE decided to put in practice a new auditing measure prescribed to go into effect only after 2004, by Art. 66 § 6º of federal Law 9.504:
§ 6º - On voting day, there shall be an audit for verifying UE operations, done on a sample of UEs through parallel voting, in the presence of designated inspectors from parties and coalitions, in the manner to be set by resolution from TSE.
Brazil's Electoral Justice puts a lot of faith in this type of audit, called by them "parallel voting", as a mechanism for independent validation of UE software, to the point of one court, TRE-RJ, going out to publish on its web site the following statement (translation by the author):
"In a moment when dissonant voices attack the electronic process deployed in this country, parallel voting can, if well executed, dissolve all and any doubt concerning SIE, while also serving as a substitute for the printed ballot audit measure for election 2004" (http://www.tre-rj.gov.br/eleicao2002/votacaoparalela/votacaoparalela.htm).
Using its legislative power prerogative for regulating legal matters of such importance and vagueness, TSE then issued its resolutions number 21.127, 21.201, 21.221 and 21.247 (Instruções e Resoluções do TSE em 2002, http://www.tse.gov.br/eleicoes/eleicoes2002/instrucoes/inst_2002.html).
The problem with simulations
The problem faced here is a classic one in the science of war. If a simulation of the real balloting, for the purpose of independent software validation with respect to voter security, is not planned in such a way that its operation is seen, from the system's perspective, as indistinguishable from the real balloting, a flawless test result can serve as a safe-conduct for swindling through collusion. This is because malicious software in the UE can use the distinguishing signal to disarm its mechanism for rigging its output.
If there is collusion between some political party and the developer or deployer of the UE's otherwise unauditable software, this software may, in the absence of a signal indicating an ongoing simulation, take a fixed percentage of one candidate's votes and add it to another candidate's, when voting ends and before outputting the BU. UE software is deployed around a week before the vote, replicated down the hierarchy from TSE. A collusion may thus also include opinion poll makers secretly gathering data to determine the percentage needed to swing a race, while discounting this percentage when releasing poll results. One sign of such arrangements would be a wild divergence among opinion polls.
The resolutions issued by TSE for setting up this parallel testing measure, mentioned above, opted for a complex and rigorous set of procedures, filled with bureaucratic steps, for simulated votes to be entered in the clear on a UE drawn for the test, in sight of inspectors, who could also follow an independent tally of the votes entered, done in the clear as well. They also set the sample size at 54 UEs, from a universe of around 400 thousand. These procedures are outlined in articles 11 to 16 of TSE's resolution 21.127. The 54 sampled UEs are to be drawn 2 from each state, where they are to be submitted to tests at the TRE's premises, with the independent tally for both done on a separate computer, and with three cameras filming the scene from different angles. The tests are to be conducted from 7:00 AM to 5:00 PM on election day, that is, simultaneously with the real election.
The process of entering a simulated vote is to be done in five steps.
- A simulated vote is randomly picked from a bag of handwritten fake paper ballots, previously filled in by the participants, with names chosen from real candidates for the election being simulated.
- The ballot picked is keyed in at the control machine.
- The control machine tallies the vote from this ballot in the clear, and prints back such ballot.
- Each of the two UEs being tested is then keyed in with a voter registration number, randomly chosen from that UE's precinct of origin, so that a vote can be simulated therein.
- Someone then picks up the ballot printed by the control machine and announces each of its votes as the same vote is keyed in on the voter's keyboard of the UE being tested. This is done for both UEs.
So much control has a drawback. The average time it takes to carry out a vote simulation with this process was clocked by some inspectors, during execution of this parallel test for the 2002 elections, at a little more than five minutes. This average had little variance among the states where the simulation was clocked, RJ, SP, MG and DF, none of which could carry out more than 140 simulated votes in its test. On the other hand, in the real election the average time it takes for a voter to vote is around one minute and 15 seconds.
Swindler's best bet
Here we have a problem. According to TSE's 2002 election final report, with 94,804,126 out of 115,254,113 registered voters having voted in 320,458 precincts, the abstention rate was 17.74%, for an average of 295 voters per UE (Relatório das Eleições de 2002, http://www.tse.gov.br/eleicoes/eleicoes2002/relatorio/relatorio.doc). This low abstention rate can be attributed to the fact that voting is compulsory in Brazil. Therefore, the way the parallel test was set up for audit purposes by TSE features abstention rates for sampled UEs of more than 50% on average, with little variance, in wild discrepancy with the average of less than 20% for real balloting UEs.
With this security measure, a cut rate of about 30% abstention could very well signal to a UE's software that happens to be malicious not to rig its BU before output. Curiously, unlike the preemptive sampling described in act one of this series, a slow parallel test would present no risk from erroneous signaling for a would-be swindler in collusion. That is, a false signal on a real balloting UE, under the audit threat of a slow parallel test, would be interpreted as an instruction not to rig a precinct with an abnormally high abstention rate. Not bad if it can subtract, say, 4% of one candidate's votes and add them to another's in all precincts but the ones in one tail end of the statistical abstention distribution curve. Whereas a lack of the correct signal on a UE drawn for audit through printed ballots, as described in the first act of this series, will make its would-be malicious software do the trick and get caught with its BU not matching the printed votes, putting the whole SIE under suspicion.
Before issuing the resolutions which would set up the procedures for this parallel testing, TSE held a public hearing to let party and coalition inspectors offer their opinions on how this test should be planned and executed. Some of them voiced their concern that discrepancies in data patterns between test and real balloting could compromise the auditing value of the test. At least one of the authors of this document asked the judge presiding over the hearing to take note of the abstention rate as one simple example of a data pattern whose discrepancy should be avoided. The judge dismissed his request as pointless, and we ended up with the procedures in resolution 21.127 and the statistics from election 2002 as described above. In this same election, we also ended up with wild divergence among opinion polls in some state gubernatorial elections, in the states of RJ, DF and RS (http://www.estadao.com.br/eleicoes/noticias/2002/out/24/349.htm), a sign compatible with collusion to exploit faulty audit measures, as also described above.
With that election behind us, TSE released and circulated a report on it, Relatório das Eleições (http://www.tse.gov.br/eleicoes/eleicoes2002/relatorio/relatorio.doc). What does this report say about the parallel test, conducted for the first time in that election? Not much. But what it says and what it doesn't say are both revealing. Omitted was any data that could bring to the surface the discrepancy between abstention patterns in the audited and the balloting machines. About this test, the only mention was in item 3.2.3, paragraph 32, which says:
"Auditing through parallel voting, carried through in election 2002, developed itself with a degree of excellence in all TREs, in both rounds of the election, and their results prove the correct functioning of SIE."
5. Epilogue
We hereby respectfully submit, as our candidate for the most stupid computer security measure in the world, the procedure for simulating elections through DREs as a software security validation measure, as described for Brazilian UEs in Art. 11 to 16 of TSE's resolution 21.127, named here the parallel test measure.
In the Federal District's gubernatorial election of 2002, decided by less than 0.1% of the votes, there were abundant signs of fraud. The candidate who barely lost asked for a recount of the printed ballots, and the court (TRE-DF) voted unanimously not to recount, sticking to the dubious electronic tally, with the printed ballots hanging in bags attached to all of its UEs in storage (DF was one of the two small states with ballot-printing UEs in all its precincts). The case is pending at TSE at the time of this writing, but no electoral court in Brazil has ever officially admitted to the possibility of electronic voting fraud.
Meanwhile, TSE's president has submitted a proposal to Congress asking, among other things, for the audit measure through printed ballots to be revoked, based on the conclusions drawn in his widely circulated report on election 2002, that is, on the "degree of excellence" with which TSE's version of parallel testing was carried through, presenting it as an alternative to auditing through printed ballots, the central character of act one of this series. Even with preemptive sampling, printed ballot auditing still bothers decision makers at TSE, who clearly prefer their version of parallel testing. On the other hand, the asymmetry of risks for would-be swindlers in collusion facing these two security measures, as mentioned above, bothers others, but not many. As for the acceptance by Congress of the proposal to ban ballot printing in favor of this version of parallel testing, the chances must be rated as high if we consider past lobbies by the Electoral Justice on the legislative power. We may have to accept our "bico de pena" back, this time in a virtual version.
The act presented here has been supported by some patriotic Brazilians who, as concerned cybercitizens, hoped to sensitize election officials to the importance of sound computer security measures, and to get their society to hold them accountable for the consequences of their decisions. Before their hope faded into oblivion, they got a boost from the chance of being heard by the public who might be touched by the outcome of Privacy International's 2003 contest. Good luck to us all, for no one in this world is safe today from the consequences of our collective fascination with technology as panacea.
About the authors
This document was produced through a cooperative effort among participants of CIVILIS.
CIVILIS is the name of a core group of 12 activists from all over Brazil, organized around an open discussion list with about 200 subscribers and its web site, http://www.votoseguro.org, concerning electronic elections in Brazil, their process and reliability. The person responsible for the domain name of that site, Amilcar Brunazzo Filho, who is also its webmaster, participates in CIVILIS and took part in the elaboration of this document.