While 2020 has been a challenging year, working remotely with an improvised home office has had its perks. For instance, I found the time to write this article in English hoping it can serve as a brief introduction to the idea that electronic voting ain’t all that bad, and how it has been successfully used in Brazil.
In a brief history about me, I’ll refrain from too many details. Suffice to say that I majored in Computer Science 20 years ago. I have worked as a programmer for various companies and multinationals, and now occupy a position of Systems Administrator for a local state government institution in Brazil, handling several aspects of application infrastructure, environment maintenance and provisioning. Far from being a security expert myself, I can confidently understand the technology involved, technical terms, the theory and tools behind it.
E-Voting is a bad idea… or is it?
More often than not, when you bring up the idea of electronic voting, someone is bound to throw you links to Tom Scott’s videos, which, to be fair, are excellent and valid arguments against it.
But I am here to present somewhat of a challenge to those arguments. Not mere conceptual arguments, but concrete facts about how Brazil managed to get a firm grip on its electoral process, going from a collapsing mess of paper ballots and rampant corruption in the 1990s to, arguably, one of the fastest and most reliable voting systems in the world. That was only possible with constant government investment in a process that relies not only on custom-designed hardware and software, but also on a combination of transparent protocols and manual safety measures that almost completely thwart the uncertainties Scott raises in his videos.
One Institution To Rule Them All
The Brazilian Supreme Electoral Court (TSE) was created in the 1930s to regulate and control all aspects of the electoral process. It is responsible for creating and enforcing regulation on how the country, states and cities conduct elections: electoral campaigns, funding, voter registration, district boundaries, all of it. One set of laws to rule them all.
Governance at the federal level is even more difficult when combined with the fact that voting in Brazil is mandatory under its Constitution. It is not just a civil right, it is a civil duty. Refusing to vote without justifying your absence is punished with restrictions on other civil and financial aspects of your life. Keeping tabs on approximately 147 million voters, who are considered automatically enrolled as soon as they turn 18, is quite a challenge. It is not difficult to understand why the US never bothered to even try.
Thwarting Election Fraud
By the early 1980s election scandals and voter fraud were rampant and spreading like wildfire. It became quite clear that something needed to be done, as the TSE was on the verge of collapse, at great cost to Brazilian democracy. But instead of throwing in the towel and handing control over to more independent state-level governments, the TSE decided to bet on innovation. It turned its own IT department into a task force, along with the Aerospace Technology General-Command (CTA) and the National Institute of Space Research (INPE). A group of highly specialized professionals worked together to conceptualize an electronic voting system with security as its single most valued requirement. The first election to partially use the new electronic machine was held in 1996, and by the year 2000 every paper ballot had effectively been replaced by the electronic vote.
The Electronic Voting Machine (CEV)
Over the years, several iterations and improvements were made to the original project, but overall this is what it looks like today.
The machine itself is not a random piece of equipment bought from any manufacturer. A custom hardware design was specified and must be strictly followed by government contractors. The exterior was especially crafted to make it as simple as possible to use, and deliberately incompatible with the usual market standards, such as HDMI, USB or any off-the-shelf card readers. Everything fits inside a hardened metal case, which is physically sealed with TSE markings to prevent tampering. This includes the monitor, keypad, a small printer, emergency battery, power brick, etc.
The only hardware that sticks out of the metal case is the power cord and a second, limited keypad used by designated technicians to control, reset and prepare the equipment as voters are admitted into a protected booth to cast their vote.
A few things to note right off the bat:
- The entire case is designed to be metal and difficult to penetrate using sharp objects. Internally, metal plates below the screen and keypad also protect internal components from hard falls or people trying to break in with external force. It is designed to be sturdy and difficult to open without the proper tools.
- The external keypad used by technicians has limited functionality and purpose.
- All cords are extra resistant and physically embedded so they cannot be unplugged without damaging the equipment.
- Modern iterations of the external keypad now have a fingerprint reader so voters can be identified with a second factor before being allowed into the voting booth. Thanks to a nationwide regulatory agency like the TSE, all voter records are kept in one database and citizens are required to keep their records up to date every 2 or 4 years. Other government agencies now feel the urge to tap into what is considered the largest, most up-to-date civil database in Brazilian history, apart from the Brazilian IRS.
- No network interfaces. No Ethernet. No Wi-Fi. None of it. The CEV is completely cut off from any and all networks. The only access to its memory is through a custom USB port and its main memory card, both of which are physically sealed during the election.
- No fancy touch screens. The robust and intuitive physical keypad was chosen because that’s what most people are familiar with. It looks like a phone keypad.
- No complicated user interfaces. During the campaign, all candidates are assigned a unique number that identifies them. Voters are only required to input the candidate’s identification number and confirm. They are encouraged to write those down and bring a cheat sheet on election day to remember. Press GREEN to confirm, RED to correct, WHITE to vote for nobody.
The Software and Operating System
In its current version, the CEV runs a highly customized, stripped-down version of Linux, compiled specifically for this purpose. There is absolutely no proprietary software installed, and all components are recompiled from open source. Once every unnecessary driver and package is removed, all components and files that remain are hashed and digitally signed with the TSE’s in-house Certificate Authority and with the keys of the political parties as well. The digital signatures play an important role in the general election process, as we’ll see further down.
This Linux distribution is managed by the TSE IT Department itself, including the in-house development of the counting software, which tabulates and counts the votes while trying its best to preserve the voter privacy and vote secrecy required by the Brazilian Constitution.
The Election Process In a Nutshell
Before the election, representatives from all political parties, the Brazilian National Lawyer Association (OAB), the Public Prosecutor’s Office (MP), a number of universities and several other agencies are all invited to participate in a number of pre-election audits. This includes political representatives, as well as software technicians with enough skills to validate and confirm what the TSE is actually doing.
180 days before the election, an audit is held at TSE headquarters where all involved parties are allowed to inspect and review the source code and documentation. This is also the moment to suggest any changes or improvements. Technicians are allowed to bring their own equipment and software to run any validation they want on the source code.
20 days before the election, another ceremony is held where the same source code and components are again opened for inspection. This time, the source code is compiled on premises to produce the artifacts that will be installed in every voting machine.
Once compilation is done, a TSE technician runs another software routine to create a hash for every artifact that will be included in the CEV. At this point, public keys from all political parties and major state agencies are gathered. These keys are used to collectively sign all hashes, so that nothing can be altered without everyone’s keys being involved.
While one may have doubts about the software running on the TSE technician’s workstation, every other technician in the room is allowed to bring their own physical equipment and use their own hashing and signing software to rerun, validate and double-check what is being done on the TSE technician’s workstation.
Once everyone is satisfied with the results, the signed artifacts are flashed onto a few portable storage cards. One copy is kept in the TSE’s safe and one master copy is used to flash every voting machine just before the election.
Every hash and digital signature created in this ceremony is published on the TSE’s website and available to the public. They can be downloaded and used in other audits that occur during and after election day.
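As an added illustration (not code from the TSE or from this article), here is the shape of that signing step: every build artifact is hashed into a manifest, each participant signs the manifest with its own key, and a verifier accepts only when every published key has a valid signature. It assumes ed25519 signatures; the artifact names and bytes used with it are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Artifact is one file of the freshly compiled build (kernel, counting program, ...).
type Artifact struct{ Name string; Data []byte }

// Manifest renders "sha256  name" per artifact: the published hash list that every participant signs.
func Manifest(artifacts []Artifact) string {
	out := ""
	for _, a := range artifacts {
		out += fmt.Sprintf("%x  %s\n", sha256.Sum256(a.Data), a.Name)
	}
	return out
}

// NewKeyPair gives one participant (the TSE CA, a party, an agency) an ed25519 key pair.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignAll has every participant sign the manifest digest with its own private key.
func SignAll(manifest string, privs map[string]ed25519.PrivateKey) map[string][]byte {
	d := sha256.Sum256([]byte(manifest))
	sigs := map[string][]byte{}
	for n, priv := range privs {
		sigs[n] = ed25519.Sign(priv, d[:])
	}
	return sigs
}

// VerifyAll accepts only if every published key has a valid signature: one changed artifact or missing signer rejects all.
func VerifyAll(manifest string, pubs map[string]ed25519.PublicKey, sigs map[string][]byte) bool {
	d := sha256.Sum256([]byte(manifest))
	for n, pub := range pubs {
		if sig, ok := sigs[n]; !ok || !ed25519.Verify(pub, d[:], sig) {
			return false
		}
	}
	return true
}
```

An auditor with their own tooling only needs the published manifest, the published public keys and the signatures to repeat VerifyAll independently of the TSE workstation.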
Roughly a week before election day, all machines are flashed with the signed software, sealed on all sides, and packed into sealed boxes to prevent any tampering. All 500 thousand CEV units are now ready to be shipped to voting locations across the country.
Once voting machines are distributed, boxes are only opened at election polls, early in the morning of election day. For every opened box, another ceremony is held with local officials and representatives of political parties. The CEV is booted for the first time after being flashed. Using only the attached external keypad, the CEV is reset and all counts are cleared. The embedded printer spits out what is known as the Zero Report (Zerésima) showing the total count for all candidates as zero.
As noted before, voter registration and voter ID is somewhat automatic once a Brazilian turns 18. Citizens are required to show up at a local TSE facility (known as TREs) to update the record of where they live and scan their fingerprint for biometric 2FA. From that, the TSE system will assign you to a voting poll closest to where you live.
Worthy of note here is the fact that voting locations are not at all subject to the whims of elected politicians. Brazilian law firmly states that you vote exactly where the TSE assigns you to vote, and that is always the poll closest to your residence. You simply do not get to choose. More importantly, politicians never get to choose either. This completely eliminates gerrymandering and the manipulation of district division. Every vote counts, and every vote counts equally.
Because the TSE controls and knows beforehand where everyone should cast their vote, each voting machine is pre-loaded with the exact list of voters allowed in that district. When you show up at the poll, a group of technicians will be there to prepare the voting machine for you.
Their job is to double check your identity and input your voter ID into the external keypad to activate the voting machine.
It might seem like a privacy violation is happening before your eyes, since a voter ID could easily be matched against the vote inside the machine. However, several audits have verified that the voting software is clever. It scrambles the internal counting table and does not allow any count to be traced back to its voter ID. The total count is all that matters.
At the end of the day, local representatives are called back for a closing ceremony. The CEV is instructed to print the results of its count. This paper copy is not used for the official count. All representatives get their own copy and another is physically posted at a public board for everyone to check local results.
Notably, the printed paper copy does not only contain local results, but also a digitally signed QR code with the same information. Anyone with a smartphone can scan the QR code and later compare it with the results that are eventually posted on the TSE’s website. A number of civil initiatives keep tabs on the election results that way, urging everyone to snap a photo of their poll’s QR code and upload it for an independent count.
The actual digital contents are obtained during the closing ceremony, where one seal is broken to extract the memory card where results are stored. The contents of the card are also digitally signed. And, because the voting machine itself is not connected to any network, the contents are uploaded using another computer on site, which is also not connected to the Internet. A private secure network is used exclusively to upload the results to services hosted at the TSE’s datacenter. If any connection problems arise, the memory card or the CEV unit itself can be physically brought to a local TSE facility, where the contents can be transmitted.
Audits, audits, audits
Throughout the entire election process, any institution or political party involved is invited to question and contest the results, if they feel that is necessary.
Even after the election is closed and decided, a public audit can and is usually conducted. For those, a number of random CEV units are selected from storage. The equipment is physically opened and dismantled so that everyone involved can inspect it, including its internal parts. The software can be verified and all signatures can be matched against the keys gathered during the Audit Ceremonies before the election. The contents of the count made by the unit can be matched against the results published on the Internet.
In the recent 2014 election, a highly controversial and unexpected result shocked a divided country. The opposing party that lost immediately requested a complete audit and recount of the results. While the recount was quickly achieved, alongside various software validations, over the next few months not a single piece of evidence of fraud or tampering was found.
Public Security Audits
Every election year, before the election, the TSE also conducts public audits of the CEV design, where IT specialists are invited to perform black-box testing and report any vulnerabilities they find. As a result, a number of security flaws have been found and fixed over the years.
Parallel Voting Simulation
On the eve of election day, a number of CEV units, loaded with the official election software, are randomly selected. They are used in a simulated parallel voting session, where auditors openly vote without any secrecy so that results can be manually verified at the end. This parallel audit is conducted in all major cities and a few others in every state.
Is it perfect, though?
Of course it’s not. But the argument that electronic voting is a bad idea all around and should never be considered, IMHO, sounds more like a paranoid thought experiment.
Conducting secure electronic voting will never be easier or cheaper than paper ballots and manual counting. But is it worth disregarding the benefits? If you are asking yourself how much it costs, you should also be asking what is at stake. Election fraud in Brazil has dropped to an all-time low, and the full results of a nationwide presidential run can be broadcast later on the same day, just in time for the nightly news.
There is a lot to improve in the process we use today. I think the secret to the success of Brazilian elections is the fact that the process does not rely entirely on electronic machines. The TSE knows there are paths to corrupt an electronic election, and they work hard to mitigate them by implementing manual protocols and safety measures, using digital and analog tools in a smart way. The voting machine itself is electronic and it counts really fast, but everything else around it is still analog and strictly controlled by a large number of real people.
If you ask any Brazilian today if they would give it up, I doubt you will actually find anyone that wants to go back to counting paper ballots for weeks in a row in city sports gyms around the country.