Electronic Voting Systems
Is Brazil ahead of its time?Prepared for the First Workshop on Voter-Verifiable Election Systems
Denver, Co, USA, July 28-29, 2003 (v.3)
Updated for DIMACS voting workshop, Rutgers University
Piscataway, NJ, May 26-27, 2004 (v.7)
Professor Pedro A. D. Rezende *
Dept. of Computer Science - University of Brasilia
copyright notice **
Introduction
In May 2001, from the losing end of a fierce internal power dispute, the president of the Brazilian Senate publicly admitted to spying on secret voting on the Senate floor [1]. Through a back door in the voting system, protected by obfuscation, but according to the supplier "built exactly to specifications", as later revealed by an independent investigation. Since voting in elections for public offices in Brazil is mandatory for citizens over 18, and because such elections are also -- and pioneerly -- conducted by similar electronic devices, an ensuing Watergate-like affair resulted in his resignation.
But more important, the scandal set the climate for approval of legislation requiring such devices be made voter-verifiable. By the addition of an extra printer to the DRE voting machines already in use for general public elections. In January 2002 Law 10.408 was so enacted, under the constitutional provision that elections for public offices in Brazil be regulated by federal legislation [2]. Law 10.408 set voter verifiability in a manner that each voter was to see his or her choices printed on a slip of paper, behind a transparent window.
When confirmed, the vote slip would be inserted into a sealed bag, without voter interference (vv), and the bag properly handled for later audit against electronic tally by sampling, or for possible recount. According to the original bill, this print-show-collect mechanism was to be added on to all DRE machines in use, from the following election onward. The random choice of which machines were to be sampled, for regular auditing purposes, was to be made after the election time period, as would be in any meaningful audit measure of this sort.
However, a strong lobbying effort led by the chief electoral official succeeded in delaying its approval and, at the last minute, incorporating nineteen amendments which diffused the effectiveness and scope of its vv measure. For "technical reasons", the random choice of which slip bags to audit was not to be made after, but before election day, thereby extinguishing any auditing value without any benefit in cost or efficiency [3,4]. And due to the filibustering and constitutional time constraints (electoral law takes effect one year after sanction), this measure would not apply to the upcoming 2002 election.
Hurdles with voter unverifiability
The chief electoral administration post in Brazil is held by a supreme (constitutional) court justice, then occupied by Mr. Nelson Jobim, an appointee of former president Cardoso. In his lobby at the Congress, justice Jobim offered, as conpensation for delay, to "voluntarily test" the approved vv measure on 3% of the precints in the upcoming election, including all precints from two small states. And so it happened. On October 6, 2002, Brazilians voted for president, state governor, two Senate and two House seats, using mainly DREs.
On that same date, less than four hours into the tallying had elapsed when the total of Lula's votes for president suddenly, and mysteriously, dropped from over a million to minus 41 thousand, on the main screen of the central tallying headquarters. After some screams, reboots to restore (in roughly five minutes) the "normal" count, a swift police blockade of the place during that time, a laconic official explanation for the incident as "caused by a formatting error", it was at the end established, against projections by most polling surveys, that a run-off ballot was due. Three weeks later Mr. Lula da Silva was, at his fourth run, finally declared president of Brazil, from January 1 2003 through December 31 2006, with roughly 62% of the valid votes.
Lula thus became the first national leader ever elected solely through DREs (with 3% using "experimental" vv add-on mechanism), and the second for the world record total of votes received in a presidential election, after Ronald Reagan in 1980 [5]. All very nice, given his origins, but, even before the run-off, his momentary negative vote count received practically no press coverage. Only a brief real-time leak on a small TV network (Bandeirantes), and notes by two respected and non gullible newspaper columnists [6,7].
The fact that Lula's landslide victory could not carry along any important state gubernatorial seats (mostly won by president Cardoso's party) neither meriting further analysis, what the mainstream media did cover instead, and profusely, were the long lines at polling places, worse in those with vv add-ons. The problems blamed on the extra printers, with the most logical reasons for the delays never mentioned [8].
The public perception game
No mention given to the fact that operational election officials were not instructed to remove a "security" seal blocking the exit path of the slips of paper from the small add-on printer, before sealing the bag onto it, causing those with sealed path to jam during operation. A seal which was specified in the printer supplier's contract. That voters were not instructed about the need to push the confirm key once more, causing the voting machines to time out after two minutes, which then required the machine to be reset. By a tortuous menu path, with entry of a password by the precint official. That the number of voters registered by the electoral administration to vote at most vv-enabled precints were increased, beyond historic top levels. For reasons unrelated to the number of add-on printers delivered and ready for use, half of which were left as backup. And that, on top of all this, six different races concurred under compulsory voting.
Interestingly, there were several advance warnings, issued through the mainstream media by several high-ranking officials of the electoral administration, in the months before the 2002 election, about the risks posed by such a "clumsy" device (print-show-collect mechanism for vote paper audit). Its function -- to provide voter verifiability -- disparaged as an "unnecessary" and "stupid" security measure, which could taint the success of an otherwise flawless election [9]. And curiously, after leading the demonization of the vv measure "under test", which included a real slip vote bag still attached to the printer showing up at the roof of a bus stop just in time for breaking early morning election news, some of them would later pass out the chance to corroborate (or disprove) their presumptions, in a formal appeal for manual recount of a tumultuous but fully vv-enabled state gubernatorial run-off election.
For an election in which all the precincts yielded slip paper record of individual votes in sealed bags under official custody, in which the final result was by a margin smaller than 0.2% (the Federal District), the appeal for recount by the losing candidate, from Lula's party, was unanimously dismissed by the local electoral tribunal, headed by an early critic of the later-to-be-enforced vv measure [9], on the grounds that a manual recount from a non-mandatory vv mechanism "could put under suspicion [the electronic] elections nationwide" [13]. No wonder the Gallup Institute, a global survey enterprise zealous of its reputation, does election polls, does polls in Brazil, but does not poll elections in Brazil.
Since the introduction of the vv paper audit trail measure (vvtap) through Federal Law 10.408/01 [2], high-ranking electoral administration officials have not only been disparaging vv measures, but also relentlessly pursuing and advocating for a series of alternative measures. As each one has been proved ineffective in principle at securing the integrity of election outcomes, they have moved on to lobby for the next one. Before reading about them, the reader may notice that roughly half of Brazil´s media advertising revenue comes from government sources, where criticisms of Brazil's pioneer electronic voting system is almost always disparaged as unpatriotic, and that all high-ranking electoral administration posts in Brazil have to be filled by active judges.
Seeking alternatives to vvpat
Alternative one is “parallel voting”. Some voting machines are selected to be used only by election officials on election day, as a test to ensure that machines are working correctly. Votes drawn from a hat filled with samples are to be keyed in, in full view of observers, representing the interested parties. If the manual count of the votes seen to be keyed in matches the count issued by the electronic report generated by this machine, timed to end with the official voting period, that sampled machine passes the test. What does this test prove? At most, it proves that the machine under test does not swindle when collecting that many votes. How many? The time for a simulated vote, to be carried out in all the laborious and pedantic details drawn up by electoral officials in rulings, was timed in four different states at the 2002 election. Average? more than five minutes, and thus, more than four times the known average for real voting.
Alternative two proposes software "auditing". Some source code to be used in election equipment is thrown to inspection by the political parties, under the most rigid non-disclosure agreement possible. Since some of the code is not opened for inspection, due to alleged "copyright protection", and since the time allotted for inspection is not enough (would normally take months of study), this is a silly exercise. Worse: despite no independent way ever been offered, or permitted, to ensure that the code inspected is actually the code used, this exercise has nonetheless been held, by chief electoral officials and mainstream gullible media, as homologation of electoral equipment by the interested parties. Whereas even if permitted it would still be worthless under incomplete code inspection and build.
Finally, the third alternative is to throw in additional electronics and/or software, to produce and verify digital signatures on all manner of things. Interested parties would be able to add, during the "software auditing" phase of the electoral process, their digital signatures to files loadable into DREs, after "seeing" some code compile. These files, plus parties' signature verification softwares, would then be loaded into some 450 thousand DREs, distributed to different local election headquarters. During the loading process, supervisors could then check, by sample, their party's signature on those files. Under the control, however, of the to-be-verified software proper.
If the short-circuited nature of this verification would not be enough to invalidate alternative three, the software to be verified has always included binaries from source untraceable by the "auditing" offered in alternative two, yielding a cumulative process without any basis of trust on which to build. Essentially smoke and mirrors, only this time more technically sophisticated in its third layer. It is difficult to predict what the next proposals will be like. Little is known about how Brazil's chief electoral administrators plan to evolve the system they seemingly believe to own.
Interests for alternatives to vvpat
Inspecting the system's code has proved to be a charade, with repeated promises -- or rulings -- to "open all the code" failing to materialize at the last moment, election after election. It is difficult to discover the origin of the money spent to develop and deploy it, let alone eventual strings that may come attached. Interested parties have not been able to either validate the workings of deployed DRE machines, nor to inspect contracts in due time. Some of these contracts have never been made public beyond their summary or first outsource link, despite deemed public. The electoral administration was set out in a way to be its own judge, whereas the vast majority of voters and officials seem satisfied with the belief that technology works as panacea for negative traits in human nature.
The chief IT officer of the electoral administration, Mr. Paulo Camarão, indicates in a book about the system [10] that roughly half of its seed money would have come from the IADB (Inter American Development Bank), but IADB public documents do not acknowledge any such project [11]. Mr. Camarão, for his part, was fired from that post one year before publishing his book, by then chief electoral official justice Marco Aurelio de Mello, due to mishandlings with the federal voter registration database [17], only to be promptly rehired by his successor, Mr. Jobim. Cryptographic software has been deployed in the system by the Brazilian federal intelligence and surveillance agency, whose resources, specially financial, have been allegedly supplemented by untraceable US government funds, according to Carlos Costa, a former US government employee and FBI chief delegate whom has spoken up on this matter to Brazilian media [16].
Then, in 2003, under those circunstances and with strong lobbying by the electoral administration, a bill introducing alternative three was put before the Congress. It was to replace the vvpat measure enforceable after 2004. The vvpat measure conquered in 2001, through a hard-fought civil struggle fueled by indignation with political hypocrisy, got quickly and quietly killed two years later, before ever going into effect. With one lone chance to get first demonized, and no public hearing on technical merits pros and cons [12], despite efforts by scientists, scholars and civil activists, author included, who signed a manifesto calling for hearings[18]. Killed but not without a paradoxical irony. The House's internal electronic tracking system had to get rigged for the vvpat measure to go away with no public hearings, though with the rig provable -- and proved [14] -- by a paper verifiability trail, as follows.
After passing the Senate with no hearings, said bill went to the House. The House's Science and Technology Committee received the scientists' manifesto, and filed a request to get the records and report on it, before its final vote. Request granted by the House president, while leaders of two other government branches grew impatient for its quick approval. Under the terms initially drafted, and before October 3rd for its effect to reach the upcoming elections, a year later. Pressure mounted, and the House president reversed himself, sort of. A "flaw" in its electronic tracking system ensued, while the bill records disapeared overnight from S&T committee premises. Only to resurface by dawn at the House floor, both physically and according to a then inconsistent electronic tracking control [14]. S&T committee members were not amused by the mysterious double-flop (maybe a formatting error), and the bill got quickly voted. Into Law 10.740/03, on October 1st, amidst false arguments and isolated protests [19, 20]. The senatorial scandal of 2001 had faded into oblivion.
An unusual case study
Fading not enough. About a week later Mr. Jobim, no longer the chief electoral official but the former who had lobbied against the vvpat measure and, as supreme court justice, for a new law to kill it, allowed himself to unveil, once alleviated by the success of his lobby, perhaps a long kept secret. In an interview to a major newspaper, as the justice who is to preside over Brazil's supreme court after June 2004, he confessed that, as congressmen in legislature elected to frame a new constitution for Brazil, he had quietly inserted two unvoted items into the bill's final draft, later signed on paper by his peers and himself, thus sanctioned as the present Constitution, in 1988.
He refused to specify which items were those, but offered two explanations. First, he had done so as secretary of the framing process, under authorization fom the president of Congress for that legislature, who has already passed away. Second, "If all framers signed what they later had on paper, this means they all agreed" [15]. Brazil's Constitution is long and verbose, with more that 200 articles. The framers of 1988 had tediously voted on each article, one by one, for months. They seem to have acted, at least by the end, under two principles of faith which can damage freedom and democracy when combined: prioritization of convenience, and blind trust in authority.
The rig, the one in Brazil's present Constitution if indeed happened, went unnoticed and can not be verified because the framers devalued their need for a voter-verifiable procedure to accomplish their mission. Giving up their duty to verify on paper what they have voted for at the floors of Congress, they turned it into illegitimate power for the vote organizers. As congressmen in 2003 who, feeling empowered to do likewise regarding general elections, did so with somber irony, in the name of all Brazilians. Meanwhile, the mainstream media have begun reporting that Brazil's e-voting system -- now stripped of voter verification mechanisms -- is being promoted as a model.
News indicate that Paraguay, Argentina, Mexico, and other countries where corruption and election fraud are not just abstract concepts, may soon borrow or rent Brazil's system. At the same time, the same midia gulliblely, if not by some complicity, ignore important messages from Mr. Jobim's justifications for constitutional piracy. First, that unverifiability means uncertainty, which yields impunity, which invites abuse of power, specially of the illegitimate kind. Second, that voters who devalue their need to verify the correct accounting of their own decisions, do so at their own risk.
Conclusion
Is Brazil, after all, ahead of its time regarding voting technology? Maybe.
It is understandable that voter verifiability measures tend to raise, besides complexity, the risk of malicious interference by underdogs upholding rights to supervise election procedures. Such rights, if abused, can spoil electoral organizations. But this shall not be held as reason to simply discard such measures from the outset. Rather, it shall be held as motivation to better research e-voting systems, given that verifiability is a technical price to pay for automation. Brazil's pioneer experience with e-voting evidences the flawed nature of such simplistic reasoning, while giving yet more pointers to the fact that election security is a matter of balancing risks and responsibilities.
Nevertheless, when dots are connected, one can find the same global enterprises and traces of interest dominating the electronic voting market, the related services' and regulatory lobbying practices worldwide, trying to uphold and advance such flawed reasoning. Brazil may have been chosen, due to historical, judicial and geopolitical circumstances, as a guinea techno-pig. For social engineering strategies aimed at advancing new power roles for IT players and their obscure alliances, eventually held or so potentialized, under the ideological reign of market fundamentalism, if we allow ourselves the benefit of the conspiratorial doubt.
The most important democracy of our times is now debating the convenience and possible effects of legal measures enforcing voter verifiability in electronic systems. If we can trace parallels between official arguments put forth here and there, particularly those with feedback effects, the links so formed would be carrying signals. Signals indicating, to informed and cautious readers, that conspiratorial hypothesis are not so far fetched at the e-voting cenario. And that Brazil is, indeed, ahead of its time. Able to prove to the world the seriousness this debate merits, and the perils within.
References
[1]- National newspaper special report: "Crise no Senado, Tempestade no Planalto"
Jornal O Estado de São Paulo, May 2001
http://www.estadao.com.br/ext/especiais/tempestade/tempestade.htm, acessed July 27, 2003.[2]- The 2002 Law implementing voter-verifiable measure: "Lei 10.408/02"
D.O.U. de 11.01.2002,
http://www.brunazo.eng.br/voto-e/textos/lei10408.htm, acessed July 27, 2003.[3]- Interview with Brazil's chief electoral official: "Ilimar Franco entrevista Nelson Jobim"
Jornal O Globo, Rio de Janeiro, October 15, 2001,
http://oglobo.globo.com/pais/1659118.htm[4]- Note in National newspaper: "CCJ aprova impressão do voto eletrônico"
Jornal Folha de São Paulo, pp. A9, October 29, 2001.[5]- Electoral statistics: "Comitê Nacional Lula 2002"
http://www.lula.org.br/index1.asp, acessed July 27, 2003.[6]- National sindicated newspaper column: "Coluna Jânio de Freitas",
Jornal Folha de São Paulo, October 8, 2002, São Paulo, SP.[7]- National sindicated newspaper column: "Coluna Carlos Chagas",
Jornal Tribuna da Imprensa, October 10, 2002, Rio de Janeiro, RJ.[8]- Local newspaper main stories on elections: "Confusão Eletrônica" pp.21, "No Limite da Paciência", pp.22,
Jornal Correio Braziliense, October 7, 2002, Brasília, DF.[9]- Interview with chief electoral official in Federal District: "Fabricio Azevedo entrevista Lécio Rezende da Silva: Garantimos a lisura das eleições"
Jornal da Comunidade, August 4, 2002, pp.4, Brasília, DF.[10]- Camarão, P. C. B.: "Voto informatizado: legitimidade democrática" pp. 196-203
Ed. das Artes, São Paulo, 1997.[11]- Inter Amerincan Development Bank. "Approved Projects - Brazil"
http://www.iadb.org/exr/doc98/apr/lcbraz.htm, acessed July 27, 2003.[12]- The 2003 electoral law bill: "Câmara dos Deputados do Brasil - Proposição PL-1503/03, do Senado Federal"
Brazil's House of Representatives, National Congress
http://www.camara.gov.br/sileg/Prop_Detalhe.asp?id=124899, acessed July 27, 2003.[13]- Editorial page from mainstream newspaper: "Magela Recorre ao TSE para recontagem dos votos"
Jornal O Estado de São Paulo, November 19, 2002, São Paulo, SP
http://www.estado.estadao.com.br/editorias/2002/11/19/pol025.html, acessed July 30, 2003.[14]- Report tracking Law 10.740/03's approval: "Lei do voto virtual às cegas"
Forum do voto seguro,
http://www.brunazo.eng.br/voto-e/textos/PLazeredo.htm, accessed May 10, 2004.Links doc.1 through doc.10 in report point to scanned versions of paper documents showing:
a) the trail the corresponding bill would have followed in Congress;
b) the trail's logical inconsistency.
[15]- Maganize story: "A prova dos abusos"
Revista Época, October 13, 2003, pp. 75. Editora Globo, Rio de Janeiro
[16]- Fernandes, Bob: "A hora da Autópsia".
magazine Carta Capital n. 283, March 24, 2004, pp. 35. Editora Confiança, São Paulo.
[17]- Rutkowski, Lauro: "Erros derrubam o secretário de informática do TSE".
newspaper Zero Hora , August 6, 1996, pp.6. Porto Alegre.
[18]- Public manifesto: "Alerta contra a insegurança do sistema eleitoral informatizado"
Forum do voto seguro,
http://www.votoseguro.com/alertaprofessores, accessed May 10, 2004. when there were 878 signataries.
[19]- Taquigraphic notes of House evening session of October 1st, 2003:
Brazil's House of Representatives, National Congress
http://www.camara.gov.br/Internet/plenario/notas/ordinari/v011003.pdf, accessed May 10, 2004, pp 333-334.Speech by the leader of Workers Democratic Party (PDT), Rep. Alceu Colares, denouncing:
a) false representations by Rep. Moroni Torgan about the 2001 vvpat measure which the bill there and then under vote would ban;
b) the rigging of the House's internal electronic tracking system, on the path taken by said bill.
[20]- Excerpt from official video trascripts of Brazil's House of Representatives evening session of October 1st, 2003:
Forum do voto seguro
www.brunazo.eng.br/voto-e/arquivos/collares1.rm [codec Real video 3.0, aprox. 3 min, 4.5Mb].
Speech by PDT Leader (referenced in [19]), who frantically waves paper trail documents (scanned and linked in [14]) which show a rig at the House's internal electronic tracking system, on the path taken by the bill there and then under vote, to an unamused and unresponsive House president, Rep. João Paulo Cunha, conducting the session.
www.brunazo.eng.br/voto-e/arquivos/collares2.rm [codec Real video 3.0, aprox. 7 min, 8.5Mb] Complete speech
* The author
Pedro Antonio Dourado de Rezende is a tenured professor at Computer Science Department, University of Brasilia (UnB). ATC PhD in Apllied Mathematics from University of California at Berkeley in 1983, heads the UnB Cryptography and Info Security Extension Program since 1997. Author of over one hundred articles on related topics, is a member of Brazil's Public Key Infrastructure Steering committee since 2003, by appointment of President Lula da Silva to represent civil society.
** Copyright note
This article, in all its versions except v.9, is distributed under the following copyleft license:
http://www.gnu.org/licenses/fdl.html
Document history
ref: http://www.pedro.jmrezende.com.br/trabs/election.htm
- v.1, v.2 - unpublished.
- v.3 - Jul 28, 2003 - prepared for 1st Workshop on Voter-Verifiable Election Systems, Denver, USA.
- v.4 - Jul 30, 2003 - references [8, 9] revised, citation and reference [13] added.
- v.5 - Aug 04, 2003 - correction in citation for [5].
- v.6 - Oct 19, 2003 - last three paragraphs of v.5 updated, cit. ref. [14, 15] added.
- v.7 - May 10, 2004 - major revision, cit. ref. [16-20] added. Updated for DIMACS Voting Workshop
National Science Foundation - Univerity of New Jersey at Rutgers, USA.- v.8 - Jul 01, 2004 - expanded version in pdf format
[in preparation for v.9, to be published by Cryptobytes ]
- v.9 - Sep 2004 - Cryptobytes, Vol 7, N. 2, Fall 2004, pp. 2-8, RSA Security Laboratories, USA:
http://www.rsasecurity.com/rsalabs/cryptobytes/CryptoBytes_Fall2004.pdf [copyright Cryptobytes]
local copy (for archival purposes)