In recent months, I've had the opportunity to work with some individuals involved in the creation of the digital election system in Brazil. The system has been under development for over 15 years. These are extremely serious companies and individuals who are experts in cryptography, cybersecurity, hardware security, and, above all, the logistical process to make it happen on the scale of Brazil. All companies involved in the creation and production of the technology possess the most relevant international certifications in their fields.
Among all the problems our country faces the digital election is not one of them. In reality, it is a profound source of pride that something so complex is developed by Brazilians, bringing together the public and private sectors in an integrated and productive manner.
As a Software Engineer with decades of experience working with PKI/cryptography/infosec, I believe that online voting is a fundamentally bad idea. It stems from a fundamental misunderstanding of the requirements of an election.
The requirement is not "accurately count the votes". It is: "Allow people to vote, and have their votes counted, in a demonstrably fair way, so that an average person can have high confidence the outcome is fair, given the adversarial nature of the system and varying levels of education / honesty among all present".
A election only means something because of the consent of a large number of average people to abdicate their freedom to someone else based on what they feel was a fair process.
In Ireland, observers from multiple parties observe the votes as they are counted and publish their own numbers realtime (see tallymen).
In this context it's very hard to argue the vote was rigged...
> I believe that online voting is a fundamentally bad idea
I (I worked in the Brazilian electronic voting system in 2002) agree. That's why the voting machines can't connect to the internet and voting is completely offline (totalization is entirely based on signed files in flash cards transferred via sneakernet under strict chain-of-custody protocols).
Another aspect of the election that's very important in Brazil is secrecy of the vote - to the point that, if a voting machine records only votes to a single candidate (effectively disclosing the option of all its voters) it's either discarded or merged with another machine in the same polling place.
In the Brazilian electronic voting system, there is no mechanism to check that the counting on each machine was performed correctly. Validation only occurs after that point.
So if the machine somehow subtracts 256 votes from one candidate and transfers them to another, the total remains the same and this discrepancy isn't caught.
This is just one example of how the Brazilian system isn't ideal. The criticism against it is very well supported by sound arguments, and it's a shame that it got politicised. It's a pure technical matter.
this is done by auditions in the code and all the steps from compilation to vote consolidation, the code review start years in advance of the election.
The code is made available to all political parties and several third-party organizations for review and auditing, this including several international auditors.
The parties and auditors also monitor all steps of the process from the compilation process, to the loading of the memory cards that will be inserted in the machines with the code, the joining of card and machine that will be sealed, transpoprt of the machines, transport of the memory cards for vote consolidation and the vote consolidation process.
the machine also print a receipt with that machine results, a copy of that can be requested by any person, this can then be used to validated with the post consolidation to ensure what was consolidate and what was in the machine match.
The election process in Brasil does not rely only in the electronic side, there are several processes in place to ensure fraud does not happen and each step is monitored and audited.
> The code is made available to all political parties and several third-party organizations for review and auditing, this including several international auditors.
Anyone can register to audit it.
> process from the compilation process, to the loading of the memory cards
Don't forget the code signing. Unsigned binaries can't be executed.
> the joining of card and machine that will be sealed
The receipt only contains the number of votes for each candidate. It does not validate if X people actually have voted in candidate A. So if the machine transfer a certain number of votes between candidates, it does not raise any flags.
Such scenario can be detected by printed vote receipts in addition to the electronic ballot.
I recall in the elections of 1994 that I was in a voting center (a school) and two things did not let my mind since then regarding the voting system back in the day: (1) candidates representatives arriving with buses and more buses of people that received money to vote in someone (in those days with a BRL strong like USD) and (2) During the votes counting endless amount of ballots being trashed way due to people writing silly things or some other reasons.
My mother used to sell things to people during the entire election day, and when we went to discard part of the trash in the school we could see ballots on the thrash.
On top of that, in some places we had complete network of fraudsters responsible for ballot register (Guia/Boletim de Urna in PT-BR) and counting (apuração in PT-BR) that some voting sections did not had blank/null (voto em branco/nulo in PT-BR) plus had sometimes 3x the original amount of people in the final counting.
I said that because even if the system is not perfect today, would be a bad decision to go back to that system.
Some of the things that used to happen during counting:
- Blank ballot papers being filled out by the person counting;
- Votes for legislators were done by writing the candidate's name:
\- A lot of those were illegible so counters would "take a guess" (really just count to their candidates)
\- Sometimes the same name could be attributed to different candidates, including from different political sides. Same result as above.
- Criteria for what to do when in doubt would sometimes change mid-counting. Counting would take many days even when everything was going fine, so people now would have to make a decision between restarting the counting (and run the risk of facing the same situation a few days down), or adapt for the remaining votes and essentially make it a gamble which side of the criteria your vote fell.
- People were tired (again, it would take days in the heat of the summer in a closed room with a bunch of strangers) so they would make mistake.
It’s about the average person not being able to understand what the machine does whereas everyone understands elections on paper. Also just refer to what the ccc has done to any electronic election system that was considered for German elections.
> As a Software Engineer with decades of experience working with PKI/cryptography/infosec, I believe that online voting is a fundamentally bad idea. It stems from a fundamental misunderstanding of the requirements of an election.
Voting machines in Brazil are not online, there are no plans for online voting as far as I know.
> A election only means something because of the consent of a large number of average people to abdicate their freedom to someone else based on what they feel was a fair process.
Even though paper voting is not perfect and has its own issues it offers several distinct advantages over electronic voting (whether online or offline):
(1) Paper voting and counting is inherently manual process. Therefore, election fraud (ballot tempering, stuffing, etc) is also manual and is hard to scale up.
(2) Because paper ballot fraud at scale involves many people it is harder to hide and easier to uncover and prove.
(3) Because of its simplicity, election observers can go deeper in the paper counting process and in some cases (e.g. Ireland) participate in counting and publish their own numbers providing additional independent confirmation.
(4) Chain of custody of physical objects (paper ballots) is easier to understand for an average people and easier to track for an average election observer.
(5) The last and the most important -- it is easier to audit and explain to skeptical and bitter supporters of the loosing party that it was a fair fight and their loss is legitimate. Without this last point everything else is meaningless no matter how objectively better it is.
I think it is you that misunderstands the point made in the comment.
Their point is not that the cryptography is flawed, or that the results can be tampered with or that the electronic voting system is less reliable than manual counting and voting. In fact, I do believe that electronic voting is more accurate and less (or not) vulnerable to certain types of attack/fraud.
The problems is that a large part of society is not capable of understanding the mathematics, or validating the results themselves. They don't understand how the security of cryptography propagates through the system to provide the results of the vote.
This creates another attack avenue, that is, you don't attack the results of the ballot, but you attack the entire system. You discredit the system because it is complicated, you use the limited understanding of the voter base to invalidate the results. Discredit the experts, the mathematicians, scientists, etc. It should be obvious that certain magnetic personalities should have no trouble swaying their base that they are being deceived by these "experts"...
The traditional system is not impervious to such attacks, but it is less so.
EDIT:
But this likely differs by society too. Perhaps the answer to which system is better is: it depends.
The original commenter said well that it's important that the population actually believes the system is secure (separately from it being objectively secure or not). But in Brazil, people widely believe the system to be better than paper ballots. As the other commenter said, fraud was really common with paper ballots in Brazil in the 80's and early 90's, people had little faith in them (and as a Brazilian, I find it quite funny that it's the other way around in other countries: for some reason they do believe paper is safer without really explaining how).
People may not understand the mathematics or the encryption, but they do understand that you can't just change votes in that electronic machine unless you have high level of skills (as opposed to being able to make paper ballots disappear). To successfully attack the system, you need to be able to infiltrate the machine in such a way that you cannot be found out later (if it's found a machine was tempered with, there's ways to either invalidate some votes or recover the original if possible), and because all machines are completely independent, you would need to attack, physically, one by one. There are hundreds of thousands of machines, I believe... it's just not feasible to do that without making it obvious. So no, you can't just attack the entire system.
> This creates another attack avenue, that is, you don't attack the results of the ballot, but you attack the entire system. You discredit the system because it is complicated, you use the limited understanding of the voter base to invalidate the results.
That is exactly what Bolsonaro did. He effectively proved the system is vulnerable to a trust attack... it does not matter if the system is safe from tampering if a significant part of the voters do not trust the system.
But this issue has become so politicized in Brazil that it has become impossible to discuss it reasonably. Pointing out any flaws in it is interpreted as an "attack to democracy".
first, paper ballot suffer the exact same problem..
In fact i strongly believe that Bolsonaro would do the same thing regardless of the system, if we had paper ballots he would complain it is not electronic.
The same trust attack you can do on electronic system you can do on analogical systems. Anything you do will be subject to this problem
second, the truth is that electoral system does not care if people trust in it or not. Even with Bolsonaro attacks and a massive distrust by the right wing on the system it was still used and the results accepted.
The only thing that matter is whatever you can prof in the electoral court if there was fraud and no one was able to do it, not even bolsonaro.
The main point is that it is a lot easier to trust something you can understand than some black-box machine certified by experts. Thus, eletronic voting systems are more vulnerable to trust attacks.
i agree that not understanding something make it easier to mistrust, but understanding does not ensure it will be trusted.. the same way not understanding something does not necessary mean people will not trust it..
paper ballots are easy to understand but it is know to have many vulnerabilities thus it suffer from trust attacks the same way..
On the other side, i think a good example is that most people do not understand 1% about how modern cars work yet many people trust then with their life daily..
I personally would not trust a 100% analog election with paper ballots and manual counting of the votes like old ages, but i do see the value on adding paper ballots on top of modern electronic voting system as another layer of audition.
You use the physical paper ballot that will be manually counted but digitally printed by the machine and thus could have an electronic signature to validate making it impossible to create fake votes. You could even have automated counting of those votes if you some qr code and only manually count the paper ballots in some cases.
all a person could do it trash some votes, but then the count between the paper ballots and the electronic consolidation would not match.
I'm not sure your argument makes any sense.... So you're saying it's not about the absolute mathematical results of the poll, but more about the feelings of the general population?
It's both, the methods by which the election is made secure and accurate should be understandable by most people. Most people don't understand cryptography and cybersecurity.
Just because those companies have certifications it doesn’t mean they can’t make a mistake.
In addition to that, the source code is closed and not generally auditable by third parties.
I was a student under Diego Aranha (a cryptography researcher from Brazil, now based in Denmark) many years ago when he got the chance to participate in the public test/audit of the voting system software.
At the time they did find issues with the code that would allow you to de-anonimize the votes cast in a voting machine [1].
EDIT: If anyone wants to take a look at the vulnerabilities found at the time, check the paper [2]. In fairness the paper is from 2013, so a lot may have changed.
> In addition to that, the source code is closed and not generally auditable by third parties.
That's not correct. While you can't get it from GitHub, there is a process to audit it and any Brazilian citizen (or resident, I'm not sure) over 21 can request and be part of it. The process extends for many months starting the year prior to the election. Input from the multiple audits and tests are valuable in guiding the evolution of the software and hardware.
You literally proved my point. It’s not generally auditable.
Even if you ignore the fact that the audit window is restricted and that the software is developed behind closed doors, just the first step in the process is absurd if you want this to be practical for anyone to audit:
> A Justiça Eleitoral prepara uma sala segura para deixar os sistemas a serem utilizados na eleição vindoura à disposição das entidades fiscalizadoras interessadas. As entidades podem utilizar ferramentas automatizadas e solicitar os esclarecimentos que julgarem necessários. Caso encontrem alguma inconformidade, deverão apresentá-la ao TSE, que deverá corrigi-la e apresentar o ajuste realizado. É importante destacar que todas as alterações realizadas nos sistemas são rastreáveis e ficam disponíveis para verificação das entidades fiscalizadoras.
Anyone can apply. You'll need to go there in person. I just don't see that as a huge hurdle, but, if you have a medical reason to be unable to be there in person, you can petition the election court. They are extremely reasonable with accommodations that don't create problems for their own tight schedules (remember the logistics are anything but trivial).
The vast majority of computer professionals I have discussed this topic with are very clear: there will never, ever be a safe way to digitise elections. Your engineers may be proud of valiant efforts, but all computer systems are hackable in principle despite the best intentions of everyone involved. This problem is manageable even for big, important stuff like banks, because there are ways of resolving things when the systems inevitably get hacked from time to time. But elections are just too big and too important (not to mention highly targetable) to introduce layers of technical complexity in which there may lurk vulnerabilities.
And, perhaps more importantly, digitisation makes the system impossible for regular folks to properly understand and trust. People can understand ink and paper ballots: you gather them in boxes and you count them. If the result is very close, you count them again (more carefully and with more eyes on it). Until everyone is agreed on who won. That clarity is very important so people can accept the result. Lots of human eyes on every step of the process. People are rightly suspicious of results from systems that include some black box of technical complexity that 99% of people can’t begin to understand.
When electronic voting was introduced in my country - Bulgaria, immediately the results were quite different than previous elections - with as much as 10% diff.
It was largely attributed to the fact that incumbents did not know how to “hack” this new system (yet?) but were pretty adept at cost effectively manipulating paper ballots.
For example they would infiltrate remote areas with little to no observers and stuff the ballot boxes.
Once the new electronic voting system was introduced, suddenly they didn’t know what to do, so the votes ended up more representative, e.g. much closer to projected numbers than before.
Now the system is “electronic counting + paper ballot” So you still go to a voting place, there are still independent/multi party observers, there are still paper ballots available for recount, but you have cryptography on top of it to prevent traditional tempering.
We also tested a dual system with printers (early 00s i think?) but they were found to be unreliable and challenging due to the scale needed.
There was also not a serious discussion on what to do if there's differences between the two.
Also probably more funds to research a safe way to redo all public electronic signatures (resign the candidates database and the operating system) to quickly launch a second, third round if we need to vote again due to differences.
The majority people everywhere is very clear: there will never, ever be a safe way to make elections with paper.
It’s funny how all of sudden the forward thinking, all-digital tech community turn itself in old school conservative when discussing digital elections without even considering the bigger issues with alternatives.
Electronic voting is a good idea here because it raises the "barrier to commit fraud".
Basically, back when we ran our elections on paper, there was a lot of fraud as it's pretty easy to pull off fraud schemes.
With electronic voting, the system is so complex that almost no one can pull off a fraud scheme with two major expectations: voter intimidation and voter impersonation.
Although even that last one is getting tougher as we now scan peoples' fingerprints. The poll worker can manually override the system but this will be recorded and they will be in hot waters of they override too much.
Yes, in theory non-electronic elections are more secure, but in practice it's more complicated as we are dealing with a country with a horrible history at implementing rule of law and we have a significant amount of local authoritarian leaders (e.g. drug lords) that would definitely make it near impossible to run paper elections fairly.
> because it raises the "barrier to commit fraud".
It raises the cost and technical competence barrier, but lowers the “number of people required” barrier. So good luck having all your future elections controlled by the CIA, or whatever.
Funny you mention the CIA. Biden's CIA people are literally on record telling Bolsonaro to stop doubting the voting machines. That's what ultimately convinced me they are compromised.
When the software is compiled, it downloads libraries off the network and links them against the final binary before it is signed. Says so in the brazilian military's report. As far as I know, those libraries have not been audited. No one who has ever argued with me on this matter has ever provided evidence refuting this beyond shadow of doubt.
I thought everyone on this site would be able to spot the supply chain vulnerability in there. After all, not rarely people post stories here of people getting hit by those very same vulnerabilities when some malicious actor hijacks some npm package or something.
But no. The top comment is someone using authority as an argument. Just literally "these are very serious companies and people here". They got all these certificates, so all is well and we should just accept it. I can't even reply to the comment either for some reason. Sigh.
The saddest part of all this is all the brazilians asking for source code on social media. Most of them don't know what source code even is. They don't know that source code doesn't matter if you can get malicious code linked into the binary. They don't know that only publication of the signed binary that actually ran on election day could prove anything.
If Bolsonaro wasn't interested in rigging the elections, but rather to cast doubt on the result (as suggested in https://www.securityweek.com/brazilian-hacker-claims-bolsona...), then he might have (unintentionally) done a good service by trying to persuade a hacker to poke holes in this implementation of this "insane idea".
> trying to persuade a hacker to poke holes in this implementation of this "insane idea".
This is a lot easier said than done.
I have lost count of how many times I shot down people saying "I can hack the Brazilian voting machines" by citing hardware, software, and process countermeasures. I won't say we thought about everything (I worked on it in 2001-2002) but we thought a LOT about it and couldn't come up with one single idea that wouldn't fail in an obvious, easily detectable, manner.
I suppose the goal of your message was to assert the security of the country's voting system.
I think it's naive to think that any digital system is secure. What we try to do is to make hacking not worthwhile by raising the difficulty level.
But when it comes to an entire country, especially the size and regional relevance of Brazil, the stakes are so high that it becomes too attractive to not hack.
I wouldn't be worried about Bolsonaro or Lula hacking it. I'd be worried about the US, China, Russia, Israel, North Korea. They all possess the ability to hack Brazilian elections. From distance, they don't even have to go there. And they all have a history of systematically interfering in other countries' internal matters.
secure x secure enough x better than before due to sheer scale needed
for instance it's in our constitution that after the identification that someone can vote, the vote MUST be anonymous. even on the paper time. unlike votes by mail where you have identification (we simply can't have here, for instance)
I'm skeptical on many things, but what you said is much harder to happen than just buying votes on poor neighbourhoods or influencing local militias on our second biggest city.
This is less far off from reality specially for legislative positions.
> unlike votes by mail where you have identification (we simply can't have here, for instance)
We could, but it'd need two envelopes, one that identifies the voter, and a second, without voter identification, with the vote itself. A first election official would validate that the outer package contains a vote from someone who has a right to vote, and would pass the inner envelope to be opened and the vote counted by another person. With a process that includes randomly selected witnesses, it should be possible.
But, since all voters need to either vote or justify why they didn't/couldn't, the need for such systems is much diminished.
> They all possess the ability to hack Brazilian elections.
It's much easier to attack a democracy through disinfo campaigns and sponsoring coups. It was like that in the ousting of Dilma in 2016 (yesterday yet another court of law ruled she didn't commit an impeachable offense). Far-right ultra-nationalist propaganda has been used - with enormous success, I must add - to destabilize both countries like Brazil up to the whole EU (Brexit, anyone?).
In Brazil we are amidst a scandal that points to the president himself ordered higher highway patrol enforcement specifically in regions where the opposition candidate was expected to win more votes, in an attempt to limit participation in those specific demographics.
> What we try to do is to make hacking not worthwhile by raising the difficulty level.
I worked in the 2002 election (for Unisys, who made a lot of the voting machines) and the machine itself, its software, and all the handling protocols around it are designed to make hacking it a very high-effort/low-return affair. As I mentioned before, there are many ways to push an election they way of a candidate, but, in Brazil at least, none of those pass through the voting system.
> He said he told the leader he could not hack into the electronic voting system because it wasn’t connected to the internet.
The lack of remote access is a major obstacle. But surely, Bolosonaro must have meant to apply a more creative "out of the box" solutions than "hack it HARDER, God damn it! Use sudo, or something". ;-)
Like: hack the company building the electronic voting system. Surely, they are connected to the Internets?!
> [Delgatti] said that after he explained why he could not hack into the electoral system, the Bolsonaro campaign asked him to tamper with a borrowed voting machine to make it appear, less than a month before the election’s first round, that the machine had been successfully hacked and results could be compromised. The fraudulent hack was to be shared with news media, Delgatti said, but it was canceled.
So: the plan was not to rig the elections, but to shed FUD on result (in case Bolsonaro lost).
There are also some articles claiming that he got money from a Bolsonaro ally, dunno how legit though:
"The Federal Police told the Federal Supreme Court (STF) that the hacker Walter Delgatti Neto, known for having given rise to the "Vaza Jato" operation, received at least R$ 13,500 from advisors to federal deputy Carla Zambelli (PL-SP)."
Wow, lots of comments discrediting digital election.
Brazilian authorities run open testing from time to time and fixes (tangencial so far) vulnerabilities. So far, there were zero proof that any hacking or flaw in our voting system. This only became an “issue” because discredit the election became part of Bolsonaro’s coup attempt. (Which is, btw, the authoritarian wannabe playbook.)
Anyway, you should witness the mess it was before, when votes were in paper and counting by hand. Frauds was widespread. I mean, look and the US election system… it’s a kind of meme in Brazil due to how rudimentary and prone to fraud.
The testing is not open. Selected groups are invited, and it runs for a given length of time. To the point that obviously only so many flaws can be found, as the test environment is not realistic.
There are plenty of examples of flaws in the voting system. Most of them have been corrected, but not all.
Yes, fraud is widespread with paper voting. But it does not scale. One single flaw in an electronic voting system could scale to every single voting machine, thus impacting even presidential elections.
They're rampant all over the internet. It costs a multi-billionaire Russian oligarch $12k/year to pay one of these "trolls" and they produce thousands of comments per day, everywhere!
I would argue that an election system in which fraud is easy but obvious for everyone when present is more robust than a system in which fraud is hard but impossible for anyone to see.
Anything involving people can only be done safely if people can be trusted. While in Australia there is such trust in the local people involved, in Brazil that's just not the same story.
There's a lot of discussion about whether electronic voting _can_ be done reliably and safely, but I think the psychological factor is also very important here.
An election shouldn't only be objectively trustworthy, it should _feel_ trustworthy. And all the cryptographic fundaments in the world simply don't provide the same certainty that your vote has been received anonymously, will be counted, and can be emited only once as introducing a sealed envelope in a transparent box while a person strikes your name from a list of voters.
The counting process is supervised by representatives of all parties with competing interests, and if you're still not sure, you can observe it yourself here since it's open to the public.
I simply don't understand the need to replace this process with an electronic one, which _at best_ provides the same guarantees, but in a way that is not immediately evident to the voters.
Calling this guy a hacker is a joke... as is this whole story. He is a scammer who got famous for accessing phone numbers of authorities using tricks he learned while scamming bank clients.
Maybe it's my underlying German-ness but I don't understand why people would want an electronic voting system. Being confronted with the gazillions of possible failures in hardware and software, the idea seems at least risky to me. And for what gain? Can't we simply think of election day as something to celebrate democracy by putting a mark on a physical piece of paper? Call me old-fashioned, but I really enjoy visiting the election office.
Politically, I could perfectly imagine the German right to far-right to create an atmosphere of fear, uncertainty and doubt to bring faked results into action. Sure, you can do that on paper as well but I think it's way harder to cover up than "something digital".
I remember an example of some arcane software that was used "internally" by some local German office to just sum up the votes and generate some kind of result sheet for the local area.
It turned out, although it was air-gapped, it was susceptible to an attack against its update mechanism. Some white-hats showed it was possible to inject malicious code and change the results.
You never know. That's the essence of the problem.
The nodes that transmit the votes back to the central office are, indeed, much higher value targets than the voting machines. In any case, the voting machine data is preserved, both digitally and in printed form (this last one generated at the end of the voting, before the ballot is locked down for transport), so any discrepancies can be flagged by individuals and parties.
The printed summary is displayed publicly at the voting places and the data is encoded in an easy to copy QR code.
In short, I think most Brazilians trust technology more than they trust their fellow Brazilians.
We have a long history of lack of rule of law and of local authorities getting away with some pretty despicable shit. So, the less they can interfere with elections, the better off we are.
And pulling off a major fraud scheme with our voting machines is petty damn difficult as their software is loaded and sealed months before the election and all political parties can send representatives to observe the processes and to reqd the source code.
I do however wish that the source code were fully open for anyone to read. But I'm afraid of how much this transparency will be abused by disinformation campaigns.
Funny that Bolsonaro did the exact same thing with his claims about the voting process, but this was not the reaction from his minions. Suddenly you had people that can't do basic math claiming they know the election system is rigged because his leader said so.
So many corrupt hypocrites in this world.
It's sad to see how history repeats itself even in such a short time span. It's almost a carbon copy of Trump's election steal attempt.
You're not wrong. Although we can agree that this _sounds true_ because of who Bolsonaro has demonstrated he is, it doesn't mean that it's true until we see some evidence.
Indeed, mostly smoke so far. But there might be some leads, like:
> Delgatti said he met with Ministry of Defense technical experts to discuss the electronic voting system on five occasions. The first time, he said, was right after meeting with Bolsonaro, when he was driven from the presidential residence to the Ministry of Defense, entering through the back entrance.
MoD should be able to confirm or deny that the meeting took place. Possibly, from there evidence of wrong doing might surface. But then again, it might not.
Among all the problems our country faces the digital election is not one of them. In reality, it is a profound source of pride that something so complex is developed by Brazilians, bringing together the public and private sectors in an integrated and productive manner.