Brazil's Electronic Voting System
Interview to reporter Henry Chu,
on Brazil's 2004 electronic election system.
for the "Los Angeles Times" , USAProf. Pedro Antonio Dourado de Rezende
Departament of Computer Science
University of Brasília
September 24, 2004
Henry Chu 1) What was the primary motive(s) for establishing electronic voting in Brazil?Pedro Rezende: Basically for modernization and security, according to the chief Information Technology official from Brazil's Federal Electoral Authority. He has written and published a book on the origin of this pioneer system (Camarão, P. C. B.: "Voto informatizado: legitimidade democrática", Editora das Artes, São Paulo, 1997).
Since elections for public offices in Brazil are ruled by federal law, the system could be designed as one from scratch. The path chosen for modernization, though, got rid of ways to defraud through paper and ink, erected barriers against ways to defraud from outside, but neglected the ways to defraud from inside, through the abetting of insiders in sensible positions.
HC: 2) What kinds of security problems have arisen?
Al those of an electronic election system that can not be externally supervised or audited, and can not allow for recounts. In short, all those inherent to systems based on opaque DRE (Direct Recording Election) machines. We are just begining to learn about such problems, thanks to the leakeage of control software from the most widely used DRE machines, sold by Diebold both in Brazil and in the US.
The problems around the US machines were analysed by a group led by prof. Avi Rubin from John Hopkins, in http://avirubin.com/vote.pdf ,
and the machines used in Brazil by a group led by me, in http://observatorio.ultimosegundo.ig.com.br /artigos.asp?cod=293ENO002. In my oppinion, the problems in Brazil are much worse because the voting system is centralized, opaque DREs are ubiquitous, and the general perception is that the system is safe for voters, since no one has been able to prove any case of fraud.
But what kind of safety can this fact prove? Such lack of proof can also be a sign that the system is safe for insider trading. Given the fact of Brazil has a long history of electoral manipulation, and that all the supervisng and auditing mechanism now in place are completely innefective, the dual significance of the absence of proof of fraud should be taken into account.
HC: 3) I understand that Unicamp issued a study two years ago about the security of electronic voting. Can you tell me about its conclusions?
First of all, it was not Unicamp that issued the study. It was a foundation which hired Unicamp professors for the job. Second, the study was expensively commissioned by the Federal Electoral Authority (TSE), who set the issues and limits to be addressed by the study. Therefore it was not an independent study by Unicamp, as clearly stated in the introduction of their report, although Electoral Official and their believers like to portray it that way.
The study was comissioned to focus on vulnerabilities to external attacks on the DRE voting machines. Neither the effectiveness of external supervision and auditing mechanisms for detection of potential insider attacks, either against these machines or against the talling software and process, were addressed. However, the report conclusion opens with a genelized statement attesting to the absolute security of "the system", followed by warnings and eight suggestions of measures to "improve the system's security".
The ambiguity of such concluding statements were basically ignored by those who want to allow no more than two seconds to grasp it. That is to say, most, specially those who proud themselves on Brazil being "ahead of its time" regarding voting technology. My semiological analysis of this report is in http://www.pedro.jmrezende.com.br/trabs/relunicamp.htm
Then, with the leakage of the setup file they would have analysed, outright misleading technical assessments on the effectiveness of its self-verifying mechanism for integrity was pinpointed. Assessments that could jive with the overbroad statements opening the report's conclusion. Supposing that we both analysed the same setup file, a hypothesis corroborated by an expert who analised DREs for court proceedings cited in http://observatorio.ultimosegundo.ig.com.br /artigos.asp?cod=295JDB007, this would be very suspicious.
HC: 4) Have those problems been adequately addressed? Are there decent safeguards?
They have been given lip service. And worse, we've seen an earlier grassroot conquest to restore voter verifiability undone by some brute force legislative maneuvers. I've done an analisys of the political climate and technical justifications offered for this manuever in an article presented at a voting workshop held by NSA's research center for theoretical computer sciences, DIMACS, at Rutgers University, in New Jersey. An updated version of that article is at http://www.pedro.jmrezende.com.br/trabs/cryptobytes3.pdf
From the technical point of view, given the duration of the complaints, I would call the purported safegard against insider manipulation now in place rather indecent.
HC: 5) Are there specific examples where security and fraud were problems in an election?
One can find a compreensive account of what has been reported by the most vocal victims of electronic voting manipulation up to may 2002 in the proceedings of a seminar held at the House of Representatives, at http://www.pedro.jmrezende.com.br/trabs/BurlaEletronica.pdf. These proceedings were prepared for publication but, as with Michael Moore's recent documentary on president Bush, no local editor was willing to take the task. The ones we approached fear retaliation. If you know of one, we are still looking!
As to the lack of formal cases, that may hinge on a historical accident, since Brazil's Federal Electoral Authority holds virtually absolute powers regarding electoral matters. Set up in 1930 as a branch of the Judiciary to regulate, execute and judge their own actions, some significant changes in its role ensues with the electronic system they themselves pushed. It became virtually impossible to collect proofs of wrongdoings from their actions, by the means and to the level of detail to satisfy their own standards of legal and admissible proof.
As explained in a series of submissions at the Privacy International 2003 Contest for "Word's most stupid security measure", in http://www.pedro.jmrezende.com.br/trabs/Brazilvote1.htm, Brazil's republican history is fraught with eletoral manipulation and fraud. One of its high points was a revolution in 1930, aimed at getting rid of a longstanding collusion between two parties which would take turn in power.
The 1930 revolution erupted with the assassination of a politician from the state of Paraíba, a strident critic of that collusion. His state's capitol is named after him, and its flag still refers to the episode, showing the word "Nego", which means "I refuse". Refuse, I gess, to put up with that. The 1930 revolution ended in an agreement resulting in our current Federal Electoral Authority regime, which two years later went dormant by a coup.
It then hybernated on and off through several periods of civil or military dictatorship, only to emerge in 1985, now reenvigorated by modernization. Some may pretend, and others believe, that Brazil's longstanding culture of electoral manipulation and collusion went away simply because of DRE machines, but these positions require more gulibility than I can stand.
HC: 6) I understand that voting was 100% electronic in the 2002 presidential election (please correct me if I am wrong).
You are right, except for the sporadic precincts where the assigned DRE and its backup could not be used, for one reason or another, and the voting had to fall back to manual mode, with paper ballot and sealed bags, later tallied in separate, like the absentees' in the US.
HC: 7) Were there any problems?
As I perceived them, the important ones are reported in the article submitted to the DIMACS voting workshop, updated in http://www.pedro.jmrezende.com.br/trabs/cryptobytes3.pdf
HC: 8) Why aren't problems written about in the media?
This is a good question. I think the answer has much more to do with the relationship between media and power, than with the voting system itself, except for the stealth or virtual nature of the defrauding methods and passages reachable by insiders. There are emotional issues involved, the critics are usually labeled as unpatriotic, naysayers, lunatics or paranoids.
I believe a good answer shall be similar to one for why the written media in the US does not denounce the war on terror as an oximoron. How can one wage a war against unknown enemies? One does not fight an enemy's strategy, one fights an enemy WITH strategy. A war fought against an enemy identified only by its purported strategy, such as terror, can be waged forever, everywhere, without ever a win or a loss, aiming at moving targets and possibly at self. To outsiders like me, after Beslan Wladimir Puttin is looking like Levis Carrol's mirror for George Bush Jr. War on terror sounds more like a mantra to justify the legalisation of an ever more totalitarian rule, under the climate of insecurity and fear its constant uttering sustains.
And I believe, furthermore, that both strategies are linked. The strategy to push for an opaque voting system with the help of constant drumbeating on security by a superficial and audience-hungry media, and the strategy to push for more control and less civil liberties with the same kind of help. The first, warmongering against hackers, the second, against terrorists. Both to be confounded soon, as the scene deteriorates.
HC: 9) What is your assessment of the system at this point? Is it reliable, secure, mostly good or bad, etc.?
The system is certainly secure for a would-be inside defrauder with the proper knowledge, due to the innefectiveness of its self-verifying mechanism for integrity, set up according to the security model adopted by design. In my veiw, the security model chosen is not good for democracy. It is only good for those who control the system, for they can exercise the discretion on how to control the possibility of fraud, by their own means and to their own satisfaction and accord, without accountability. Just like before the 1930 revolution.
Used in http://articles.latimes.com/2004/oct/03/world/fg-brazvote3