Pedro A. D. Rezende*
Department of Computer Science
University of Brasilia, Brazil
Copyright note: This is a self-archiving electronic copy of the article to be published with this title as a chapter in the volume "The Best of WOTE", 6000 in the series "Lecture Notes in Computer Science" from Springer Verlag . The copyrights to this article belong to the Springer Verlag publihers for publications other than this copy. The copyleft license note in the author's web portal does not apply to this copy.
Abstract. This article aims to share some major lessons learned from the pioneering experience in Brazil with the world’s first full national implementation of universal electronic voting. Differing notions of security, and their “collateral entanglements”, appear to play a key role and are contrasted in Brazil’s pioneering electronic voting saga. After an introduction, we puzzle through what election security may mean. We elaborate on how technological innovations may affect the underlying risks, their nature, corrections and balance. Then we describe some ways in which innovations have been deployed and validated, and how the results are being perceived, before some closing remarks.
Key words: Electronic Elections, Electronic Voting, Voting Auditability
Four times since 2000, until the writing of this article, more than one hundred million voters in Brazil have been obliged1 to vote using direct-recording electronic voting machines (DREs), which do not allow for recounts. This raises questions such as whether, and if so how, electronic elections can be audited meaningfully. Such questions have been the subject of academic debate worldwide, and in Brazil the discussions started even before DREs were fully deployed2.
The real issue is auditability. That is to say, the nature of possible assurances regarding the correct tallying of the votes cast by entitled voters. This boils down to the pertinence, or necessity, for a material representation of each vote to be held by the voting system, to allow for credible audits. Credible, here, meaning worthy of trust by the technical non-savvy. In the U.S., where local political subdivisions have significant autonomy in how they run elections, the debate started in the mid 70’s, picked up some visibility in the 80’s, and gained global headlines with the 2000 Florida results. In Brazil, where federal law defines election processes uniformly, the debate gained equivalent attention twice, though each time only briefly, in 1982 and 20013.
Many computer security experts from the U.S. and Europe participate in the U.S. debate. In Brazil, in spite of the pioneering and uniquely universal use of DREs, involvement of experts in the debate has been quite limited. In either case, however, those in charge of running elections also have a point to make, mostly divergent from the experts'.
2 The Puzzle of Election Security
Officials responsible for organizing and running elections have been, for instance, largely against audit measures based on voter-viewable printouts. Some have been quite vocal about it, as in Brazil, presumably because of the inconvenience such measures might impose on their work4. But surely also because, although few would publicly admit it, eventual discrepancies between electronic and equivalent manual tallies would allow discovery of casual ineptitude, or even possible bad faith, in the discharge of their official duties. On the other hand, such audit capability would also diminish whatever bully power, explicit or implicit, such officials might wield (or intermediate) among elected politicians and aspiring candidates or their political parties.
However, most independent information technology experts who have written on the subject5 have tended to favor the requirement that each electronic voting machine be set to print a record of each vote, with the printed record visually checkable by the voter. The reasons for this opinion, explored more fully below, include anchoring convictions of electoral results’ correctness in the participation and experience of individual common voters, as something essential for the voter confidence which – we believe – underlies the spirit of democracy.
From the technical standpoint, these experts may defend the retention of some material representation of individual votes by electronic systems for another simple reason: if they are convinced that the scientific resources and technological tools available to, or even possible for, computer security are insufficient to sustain trust in the outcome of fully electronic secret ballots, at least to an extent consistent with the spirit of democracy.
Among these experts we find living icons of Computer Science, such as Ronald Rivest (one of the inventors of the pioneer RSA method for digital signature), David Chaum (inventor of eCash “digital cash“) and Bruce Schneier (cryptographer and author of major best-sellers on computer security). Their repute has led, for instance, at least one political scientist to argue why it is much easier to protect financial electronic transactions against electronic fraud than to tally a fully electronic ballot of secret votes with equivalent overall security .
Reliance on fully electronic mechanisms for voting and for election auditing purposes yields more routes for plausible deniability to those who may wish to stealthily interfere in the electoral result while controlling the underlying technology. Relying solely on electronic measures for auditability has meant that any new measure designed to close these routes end up opening their own.
As a contribution to this debate, we posit that the heart of the disconnect between these two groups – formed by distinguished computer security experts and by election officials or suppliers in favor of fully electronic voting systems – may stem from the different way that each group, either by virtue of their craft or by gut feeling, understands “security”:
[1st sense]: security from the standpoint of voters (and experts on their behalf)
a) with rights to a secret ballot and to its correct tallying,
b) against possible manipulations of the electoral process,
c) by whoever in the electoral system,
d) which should be readily detectable by voter oversight;
[2nd sense]: security from the standpoint of those running elections
a) with rights to program or operate the electoral system,
b) against detection by voter oversight,
c) of whatever act imputable to ineptitude or bad faith,
d) through which manipulations of the tallying is possible.
3 Risk and modernity
The main difficulty we can point to, regarding the security of fully electronic voting systems as we see it, is rooted in an inconsistency between two basic requirements. The first of these requirements is vote secrecy, and the second is the requirement for dematerialization of votes (if the voting system is to be fully electronic). The inconsistency, explained in the next section, arises under real-world conditions, in the context of real democracies, from the fact that at least three potentially conflicting interests are at stake in elections: the interest of voters who believe in, or desire, democracy through fair and clean elections, and the interests of at least two competing candidacies.
To understand how real life conditions make those two requirements inconsistent, one needs to note that election integrity can only be guaranteed if voters are also protected against manipulations of internal origin, which is to say, if operatives of the electoral process who may stealthily favor such tampering are to be, for that purpose, unprotected. This means that the first sense of security cited above, a legitimate sense from a perspective we believe to align with the spirit of democracy, can only be effective if coupled with the suppression of the second, an illegitimate sense from this perspective.
On the other hand, attempts to have a voting system fulfill both requirements (vote secrecy and electronic dematerialization) at once, while formally aiming to achieve that first sense of security, may – or will, as we'll argue – yield the practical effect of reaching out for the second. This would turn the risk profile of such systems unstable. Thus, one may begin to understand how technical discussions which bypass the need to extricate these two senses of security will likely degenerate.
A debate that fails to extricate these two senses of security will cloud the possible tracks through system design choices along which risk estimates can be reasonably expected to remain constant. This problem is aggravated when, from a position of authority further empowered by a choice for vote dematerialization, electoral officials in favor of fully electronic systems willfully ignore this analytical imperative, at the guise of specious, faulty or bogus arguments, mostly non-technical.
This analytical imperative stems from the fact that processes with more than two potentially conflicting interests at play (as with any electoral process) pose risks of a kind known as collusion. These risks have in common the fact that they vary when security is sensed from the perspective of different interests. A typical collusion requires two or more parties, engaged in the process, to disingenuously act as if their interests diverge, in order to reach a disguised benefit to some interest they stealthily share, at the expense of some illegitimate harm to a third interest.
In electoral processes, collusion can happen through secret alliances, in which uncompromising conflicts of interests (or independence of actions) are faked. Or they can happen the other way around. In short, electoral processes exist under the systemic, intrinsic risk of collusions, either by fake conflict or by fake cohesion of interests or actions, aimed at harming other interests in order to improve the colluders' chances for later sharing power, more power or its bounty. Therefore, to blur paths where risks can conflate as they spread, making them appear as diluted, is not conductive to good policy or sound analysis, as the current global economic crisis, stemmed from financial innovation in free markets, is now showing.
4 Balancing Risks
Vote dematerialization enrich the ways through which risks of collusion can compound and materialize, by offering colluders new means to hide their methods, if enough electoral authority is inept or involved. Labeling such considerations as “paranoia” or “conspiracy theory” will not make these facts go away; rather, such ad-hominem rhetoric signals that the extrication of those two senses of security is prerequisite for a thorough, balanced analysis of the e-voting modernization phenomena.
But the persistence of such ad-hominem rhetoric, specially by the mainstream media in chorus with the discourse of electoral officials and suppliers, also yields a constructive reading. It reminds us that collusion strategies can, of course, start with obfuscation of main motives for certain choices in the design and procurement of voting systems, in tandem with lobby for electoral regulation reform to legitimize them. If so, such strategies need to drive those two senses of security to appear indistinguishable, or inseparable. From there, to a collusion's full feast is an easy ride: through the disguising of the second sense of security as the first, say, as an inevitable consequence of technological progress.
Thus, the security of legitimate interests in representative democracies, at least in democracies bound to preserve the spirit of its humanist revival6, ought to be sought by fully acknowledging and considering not only risks of collusion, but also the ensuing profile of risks and how this profile can change with changes in the electoral processes and in voter mentality. And not to be sought by unilateral control of the process, be it by the market's invisible hand or any other, or through jealously guarded secrets of its mechanisms, which over-empower the beholders.
For its part, adequate protection against collusions can only be achieved with adequate balance between transparency of the (electoral) subprocesses and distribution of their controls among legitimate and potentially conflicting interests, integrated in a way to allow for an effective oversight. In electoral processes, or in any other process intrinsically exposed to the risk of collusions, the more technological intermediation there is the more such balance will hinge on two basic elements: Carefully tailored regulation, and participation of stakeholders (voters) in the oversight process.
This is of the utmost importance for elections, due to two main thrusts. First, the risk of collusions as a constant menace to representative democracy, due to its delicate political nature. Second, technological intermediation as a wedge, parting voters from autonomous oversight roles and, ultimately, risking their role as democracy's guarantors of last resort. In our view, backed by the empirical evidence given here, inconsistent voting system requirements can lock these two risks in positive feedback. And in our times, there seems to be nothing more effective for this than the requirements of vote secrecy and of vote dematerialization through complete computerization.
For historical evidence, on the first thrust we cite the comprehensive research by John Fund published in 2004 , regarding the U.S., the nation with yet the most successful case of democratic rule7. And on the second, plus empirical evidence on how these two thrusts may feedback, we offer the last sessions, regarding Brazil, a hesitant latecomer to democratic rule. On feedback signs we pick some from a collective spell of supposed technological prowess Brazil seems to be under, given its modern voting system, where most voters seem oblivious to the lessons from their Old Republic8.
5 Collateral Entanglements
In secret ballots, that is to say, in ballots requiring a voter's identity not to be associable with his or her vote during casting or tallying, the electoral supervision process becomes, due to this vote secrecy requirement, sensitive to the physical way in which each vote is cast. As a consequence, if the electoral process dematerializes the votes, recording only by digital means partial tallies of votes cast, whatever oversight process the system may feature seems to end up ineffective, as if “tied up”.
Tied up in the sense that any oversight measure aimed at detecting or deterring insider malfeasance (that is, malicious acts by electoral operatives in possible collusion with some candidate) will also serve to protect outside defrauders, that is, voters overseeing the process for a candidacy willing to sabotage the oversight process (to call maliciously into question an election deemed lost) or to subvert it (to insert defrauding mechanisms into the system).
Whereas, symmetrically, any measure to detect or deter sabotage or subversion in the oversight process will also serve to protect malfeasance by insiders holding privileges to program or operate the system. These entanglements between intended and collateral effects, observable (as reported below) from Brazil's experience with its fully electronic voting system, raises the central question for this article: Is this observed pattern of “collateral entanglements” due to inept implementations of security measures in a particular fully electronic voting system, or due to conflicting voting system requirements?
Computer scientists who want to seriously study the computerization of elections shall not allow for ideologies to obfuscate the contours of the problems under focus, inherent to voting systems, but rather, they shall distinguish ideologies as a source for them, in so far as ideologies shape the social and political value of elections. From this perspective, the scientific study of electronic voting systems reached a milestone in 2000, with a PhD thesis successfully defended at the University of Pennsylvania . In her thesis, Rebecca Mercuri is believed to have demonstrated that vote secrecy and tallying integrity are mutually exclusive guarantees that a fully electronic voting system can offer.
In other words, with fully electronic elections, there is no way to have vote secrecy and tallying integrity protected in the same run because, to use a simplifying metaphor, these promises are like two sides of a coin. A coin representing the electronic voting system, with value corresponding to that of the electoral process it can execute, but a coin that cannot be "flipped" to show both sides during an election because it executes the election in a single run, without the possibility of recount for auditing purposes (due to dematerialization of the votes).
One can argue about whether and how Dr. Mercuri's work can rigorously lead to such conclusion9, but the weight of its scientific arguments can be felt in many fronts. For instance, as an answer to the central question raised here, from Brazil's pattern of “collateral entanglements”. Or, in electoral legislation across the U.S., under pressure from civil and grassroots movements, specially after dubious ethics from main DRE suppliers began to surface , . Between March 2004 and May 2005, fourteen federated states approved laws requiring voting machines to allow for Voter-Verifiable Printed Audit Trails (VVPAT), to retain or recover the supervising capacity common voters unquestionably had before elections were computerized.
Before July 2006, 27 U.S. states have such laws already sanctioned, thirteen of them with mandatory manual audit. Only fifteen U.S. states appeared to see no problem yet with DREs. As for the U.S. Congress, several bills aimed at assuring that VVPAT becomes a federal tenet for electoral supervising processes are being considered. This, not to naively pretend to do away with election fraud, but to put all of their forms in a hard-playing leveled field, that is, to expose the ways to defraud – old and new – to the risk of detection by common voters in due time. In other words, to give back to common voters – with no PhD in Computer Science – their legitimate right to supervise elections with autonomy.
5 Routes to Electronic Elections
Each democracy has to answer the call to go modern, if for no other reason then because of the massive lobbying by DRE suppliers, the larger of which has gone global. A special look at the route taken by Brazil seems warranted, if not because of its pioneering widespread use of DREs, then because of the keen interest its system has raised within the Organization of American States (OAS), or because Brazil’s deployment took a route leading to a landscape quite distinct from what has been portrayed by lobbies, by Brazil's mainstream media and by specialized global media, and perhaps also quite distinct from the route the U.S. seems to be taking10.
In Brazil, the highest electoral authority – the Tribunal Superior Eleitoral (TSE) – has picked one model of voting machines to serve all 400 thousand plus precincts in the country, has procured, deployed and put to use such machines nationwide since the municipal elections held in 2000. TSE has designed its voting system around the voting machine model it has picked, which is a type of DRE with one added twist: a terminal used by precinct officials to check voter identity physically connected, by a 12 ft. cable, to the voting machine itself.
The voter ID number is typed in this terminal, to be checked by a software running on the voting machine. This ID is checked against a list of registered voters allowed to vote in that precinct, kept in a file stored alongside the file with the vote tallies, in a voting machine's storage media. If an entry is found with that ID, and if the entry isn't marked with “already voted”, the software shows the voter’s name on the terminal's single-line display and the machine is allowed to receive a vote. Otherwise, an error message is displayed. Thus, given the current oversight rules and practices, this choice of design makes vote secrecy an act of faith in software (non-)functionality.
From 2001 on, the political input into Brazil's voting system's design began to change. In May of that year, from a collusion among top senators gone sour a case of electronic voting fraud in Brazil's Senate11 broke out in mainstream media, causing a great deal of public outrage. Besides how easy it was for operators to violate the secrecy of votes, the scandal also unveiled how fully electronic voting systems can be resourceful for colluders. Public indignation then pushed the Congress to take up the matter of revising election law, so that recount mechanisms would be introduced for general elections.
A Bill to that effect was introduced12, but encountered fierce resistance from the authorities whose activities would be monitored under its provisions. The Bill's passage was targeted for disruption by the president of the TSE, in a series of actions that drew no attention from mainstream media. First he asked the Senate, in his capacity as the head of the highest electoral authority (appointed by, and from among Supreme Court Justices), to await for input from his institution. To deliver, he waited until five days before the constitutional deadline for passing the Bill if it were to have effect during the next elections, reminding senators of this urgency (meaning, no floor debate).
Among the proposed amendments he sent to the Senate, on plain paper with no official letterhead, one effectively did away with the printed vote function, by providing for prior selection, on election eve, of the voting machines to be used as sample in mandatory recount for audit purposes. The senator who sponsored these amendments and lobbied his peers for approval, under loose rules for matters declared urgent, was awarded by TSE, two weeks after the Bill was approved with this crippling amendment, a 15-month mandate as governor of his state13.
Then, after that deadline had elapsed and the crippled Bill was in the lower house, the same president of the TSE – where electoral laws are interpreted – changed the story, suggesting that better it be voted on as an urgent matter14, arguing that the matter could still go into effect for next election since it was, “after all, a technical matter”, and therefore beyond the constitutional restriction for electoral matters, of prior approval by one year.
After the crippled Bill was passed and sanctioned as suggested, becoming Law number 10,408/02 (VVPAT Law), he invited some Congressmen to his office at the Supreme Court to inform them that he had misunderstood the constitutional restriction: such legal matter was indeed electoral in nature, and therefore the VVPAT Law would not apply to the next election. As an excuse for his fumble, he offered to have electoral authorities voluntarily "test", in 3% of the voting machines at the upcoming 2002 election (which included a bid for Brazil's presidency), the VVPAT mechanism that such Law had made, as he understood it then, obligatory only for elections scheduled to be held after 2003.
For this “test” he would order the adaptation of only some of the existing DRE machines, expanded to allow the appendage of a VVPAT device (image below), as proposed in VVPAT Law's justification.
Figure 1: Brazil's 2002 DRE with VVPAT module
6 Political Design Validation
The guest legislators accepted the offer, allowing the target of supervision to "test" a mechanism which Congress had chosen for monitoring their activities, and “test results” could be observed. Due to the purpose of this work, we'd rather mention what the mainstream media didn't: Failures in the instructions for how to set up the (vote) printers, failures in voter training (voters needed to press “confirm” one more time, but weren't told that), failures in voter registration (careless excess of voters registered precisely to precincts that featured printed vote without proper instructions) .
Failures that led to long lines, frustrations and problems, failures ignored both by mainstream media and by a self-evaluation that the TSE later published about such "test." Problems that the TSE self-evaluation and mainstream media blamed, as if obvious, on the audit measure itself, not on the conflict of interest in having electoral authorities test a mechanism that legislators had chosen for voters to supervise their power. This self-evaluation was prepared and presented to Congress, in 2003, by the TSE president who not only ran this plot, but also, as a congressman in the constitutional assembly of 1988, admittedly smuggled articles into Brazil's Constitution. 
Based on this TSE self-evaluation, a senator with unclean record15 then proposed a Bill that would amend the VVPAT Law so as to eliminate the VVPAT audit measure. The last shred of voters' right to recount votes after the computerization of elections was to be eliminated before it was ever exercised. To replace it, the senator offered Brazilian voters what he called "digital vote registry." As a justification for his offer, we learned that:
"The substitution, proposed by the current Bill, of the printed vote by the digital record of the vote for each office, with the identification of the voting machine on which the vote was recorded and the possibility of recovering it, perhaps for future analysis, while protecting the voter's privacy, will without a doubt increase the security and transparency of the elections process, making the printing of a record for the voter to check a dispensable measure."
Just like the crippled version of the VVPAT Bill, this amendment also passed with no floor debate and with no public hearing . As to the “transparency of the process”, not a chance: every plea made thus far by election supervisors to access the encrypted “digital vote registry” has been denied “for security reasons” . Meanwhile, Brazil's on-again, off-again main supplier of DREs16 has been acquired by a company that has been selling DREs of the same basic design17 in the U.S., as code leaked from both reveals , , .
Several documents indicating serious security (in the first sense) flaws plaguing Brazil's voting system18 were made available to lawmakers, as they considered amending the VVPAT Law, but the indications were dismissed. These indications were later corroborated by source code leaked to the Internet, which turned out to be part of the software used in voting machines in Brazil's 2000 municipal elections, according to an analysis done by the author , comparing with code later appended to an expert report filed in a court case, in a lawsuit over a disputed municipal election known as the Santo Estêvão case .
The code analyzed was the part which controls security for the DRE software (setup.bat file, in Brazil's 2000 voting machine model). The analysis revealed how ineffective the electoral oversight process was . Despite the importance of such findings, they raised no interest with mainstream media or the general public. However, the Santo Estêvão expert report is extremely important because it documents the only independent technical analysis yet permitted on voting machines used in official elections in Brazil.
The report reveals, for example, how the physical seals for the DRE machine, which purportedly guarantee them against tampering after software installation, were absolutely ineffective in the first sense of security cited above, while absolutely effective in the second sense19. Four physical seals were prescribed, in pedantic details as to the positions they should be placed, by an official bylaw20 which was amended as soon as the Santo Estêvão expert report was filed. This amending was done with backward dating, so that corrections appeared to have preceded the independent expert findings.
This security flaw in Brazil's electronic voting system was acknowledged by authorities only because the obscurantism surrounding the system briefly lapsed, when the Santo Estêvão's judge allowed an independent expert witness to examine voting machines. Yet, this cluster of facts does not connect dots in the public mind. Most people confuse such obscurantism with security, and this lapse of obscurantism with breach of security (as a breach by the expert witness).
The report also reveals how the language of electoral bylaws, under such obscurantism and leveled by official boastings about the security they warrant, can shed light on the main questions raised here: on the nature of “collateral entanglements” in fully electronic voting systems, on how inconsistency in system requirements can entail such entanglements, and how these entanglements can feedback risks. It reveals, in other words, how that second sense of security can be disguised to appear as the first, through a discourse of authority. This episode has, in our view, the value of a cornerstone in understanding how such deceitful collective perception is build: weaved of flag-waving vainglory, of collective ignorance and of conceited arrogance, into a pattern of reductionist beliefs.
Most victims of such reductionism so become by cutting corners in understanding what is at stake. By mixing up electoral process and electronic voting, or by confusing vote secrecy with secrecy in the process of collecting and tallying votes. Or, by naively believing in rough conjectures about what transparency means, or how much of it is enough in this process. Others so become by not knowing what good transparency could do when computers take over, and others, by being clueless about how much more important it becomes in these cases. Yet others, by believing in hunches about why more transparency would hurt security, in a vague and undefined – if not Manichean – sense: the hackers!
To aggravate, there are “specialists” with thin scruples and cloudy ambitions always ready to explore such reductionism, as if voting machines were akin to magician's black boxes . Thus, the urge to breach the dogma of security through obscurantism, frequently disguised as technicism, to reveal how fully electronic voting systems entangle legitimate and illegitimate senses of security. Those two senses of security cited here are not the same, in fact each can only be effective with the suppression of the other. As to which will prevail, this is up for grabs when voters don't care to participate in the process all the way to the level of autonomous oversight. Not easy, because dogmas are powerful.
8 Evoking the Holy Byte
Fully electronic voting systems would have marveled Machiavelli, had they been available around his time. By the exuberance of belief patterns they seem prone to elicit, towards some kind of techno-messianism. The one sprouted in Brazil has been called “the creed of Saint Byte”, a pun with a local creed (pun translated as “the holy byte”)21. These patterns evolve with the dogmatization of some conjectures, circulated as commonsensical truths by mainstream media. Some conjectures are about how much transparency is good for electronic systems, with voting systems as a test bed for the faith.
The creed of the holy byte purports to reveal how this leave-it-to-the-experts type of reductionism can save Brazil's democracy from human sin. By spreading the faith in the inseparability of those two senses of security , , the faith that put designers, deployers and operators of such systems in a straight path to digital sainthood. The faith in the power of electronic purity, which shall free us from that evil plaguing civilizations for millenia: the diabolical, inefficient paper. Free at last!
Figure 2: 1987 advertisement: "Without it, life would be hell”
Perhaps due to its pioneering in electronic vote, Brazil is coming out as a copious source for signs of this techno-messianic phenomenon. One has only to ingest the potion22 offered by local mainstream media, through eyes and ears at the electronic altar of consumerism, to reach a Mystical Vision in one's own home: angelical beings designing, programming, configuring and operating DREs.
To exemplify, we cite two impressive signs. One, the continuing veto by TSE of requests to allow for independent homologation procedures, prescribed by well-established technical standards for electronic information systems23 (such as the International Standard Organization), on Brazil's official voting system. Two, the suppression of the only means by which voters could independently verify the tally, for any eventual manipulation therein, in the bylaws for the 2006 elections: ballot reports, printed and signed on paper by precinct officials at the end of voting period, shall henceforth not be handed out to more than “one representative of the political parties”24.
Figure 3: The route of Brazil's voting system model
The alleged explanation for the first of these signs, for the shutdown of doors to independent homologation, is the self-serving argument that electoral bylaws (written by the system operators themselves) do not prescribe such tests. The only tests allowed, labeled as audit, as oversight or as independent homologation to suit the occasion, are the ones their own wisdom define, which amounts to overseers' mere hands-off observation of DREs emitting reports of self-indulgence. And for the second sign, for the shutdown of doors to tallying verification by disgruntled candidates or skeptical voters, the explanation is to expedite the proclamation of election winners and to save paper.
None of these signs of techno-messianism seem to wake up the mainstream media to their investigative journalistic value, even as fables. Rather, Brazil's mainstream media has been busy with the self-appointed task of protecting the masses from the risk of “losing trust in our system”. For that, it endlessly recites, preferably through the mouth of some higher electoral authority, mantras from the creed of the holy byte. Such as: “our pioneer electronic voting system is 100 % secure, for if it was not, proofs of fraud would appear before us!”.
While the holy byte dogmas circulate as self-evident truths, the real debate over the security of electronic voting systems is, to the general public, skewed or muted. While the new means to defraud elections entailed by fully electronic systems, bearing stealthier and more concentrated swindle power than ever, keep getting disparagement or silence from the fourth estate . While the argument of tallying agility as justification for this rationale remain bogus: France and Germany tally faster with paper ballots than Brazil does with DREs.
Moved by a creed untold as such, mainstream media now behaves and report as if elections have become (except for proportional races) some sort of video game. The voter is invited to watch a sort of poll-driven virtual race, with the checkered flag falling on election day. In the final lap, the voter goes up to a black box and pushes some buttons, then sits down in front of the TV to see the results. “Experts” take care of the rest. The importance of autonomous voter oversight to the process has disappeared from public awareness. Nonetheless, lessons from Brazil's Old Republic25 were not forgotten by all.
9 History Lessons
Those who heed History can observe – and in this case report – double standards being, again, applied to electoral matters. Given the aim of this article we now focus on the American continent, especially on a self-appointed role played lately by the OAS, the role of some sort of “democracy police”.
Of the only country to have yet adopted VVPAT as uniform requirement for its electronic voting system26, OAS officials demanded, in an election held there in 2004, that the final tally be audited by manual recount in a sample they would help pick, of 1.5% of the precincts. At the end, 54% of the precincts were audited clean by manual recount. This was a referendum that could have toppled an elected president at the middle of his mandate. For the rest of Latin America, however, OAS encourages, or engages as a broker for, the use of Brazil's electronic voting system, which does not allow for recount. The same system whose designers, operators and lobbyists fight hard to never allow to become effectively auditable, to the point of even defrauding the legislative process which sets its main requirements27.
To brag about this engagement, TSE has even published a booklet with a list of countries OAS is helping get used to, or get to use, Brazil's electronic voting system28. Argentina, Costa Rica, Dominican Republic, Ecuador, Mexico and Paraguay29. However, Argentinian judges have three times blocked the use of Brazil's DREs in official elections, in 2001, 2003 and 2005, allegedly because the machines did not allow for manual recounts or tally audits. In Mexico the offer was turned down, if for no other reason because some states there have been using VVPAT machines. Paraguay has been the only other country (besides Brazil) to have yet elected, in 2003, a president using mainly DREs (borrowed from TSE).
This leads us to ask if the “technical debate” over the use of VVPAT or DRE systems hold any bearings to democracy, or to the sovereignty of democratic states. If so, taking into account the U.S. Secretary of State's proclaimed mission to help spread democracy, and her pattern-fitting suggestion that Venezuela's and Argentina's are not “true democracies”30, how would Mexico and Brazil fit in? What about the U.S. states that have adopted VVPAT as a norm, like Venezuela, or that mention paper ballots and ways to count them in its Constitution, like Argentina?
This question can be rephrased as one regarding the possible relations between labels for democracy and levels of sovereignty. We can take note that Argentina's government has, in 2005, called the bluff on high-risk, high-yield IMF-backed irresponsible investments that would have otherwise choked the nation's economy. That Mexico's 2006 presidential election is dealt with by U.S. mainstream media as some sort of anti-Ukraine-like story31. And that the DRE-elected president of Paraguay has sanctioned, in 2005, a law authorizing unlimited numbers of U.S. troops to station near his country's border with Argentina and Brazil, armed with immunity to local and international law besides guns.
Democracy can spread in different ways. Since this article aims at contributing to constructive ways, we end by stressing our view on the importance of an electronic voting system's design being consistent, as the empirical evidence raised here goes to show. For those who care for their democracies in the spirit framed here, wherever located, whatever labeled, however spread, we offer a call to beware of the rationale behind any media-driven disparagement of common voter's right to unencumbered election auditing. No amount of spinning can be a substitute for effective auditing, due to the nature of the risks involved. And for those who don't, we ask to not pretend.
1. Brunazo, A.: The Proconsult Case (O Caso Proconsult). In Avaliação da Segurança da Urna Eletrônica Brasileira. Report for the III Simposium of Information Security, October 2000. Brazilian Air Force Institute of Technology, São Paulo. http://www.brunazo.eng.br/voto-e/textos/SSI2000.htm.
2. Brunazo, A. , Rezende, P.: Brazil's 2001 Senate Panel Scandal, in Stupid Security Measures for Brazil's e-Vote: Act One, Session 3. CIVILIS & Forum do Voto-E http://www.brunazo.eng.br/voto-e/PIcontest/PI2003contest-act1.htm.
3. Shelley, K.: Decertification and Whitdrawal of Approval of Accuvote-TSx Voting System. http://www.ss.ca.gov/elections/ks_dre_papers/decert.pdf.
4. Schwartz, J.: High-Tech Voting System Is Banned in California. New York Times. May 1, 2004. http://www.nytimes.com/2004/05/01/national/ 01VOTE.html.
5. Rubin, A., Kohno, T., Stubblefield, A. and Wallach, D.: Analysis of an Electronic Voting System. http://avirubin.com/vote.pdf.
6. Rezende, P.: Analysis of an Electronic Voting System (Análise de um sistema eleitoral eletrônico). Brazilian Media Observer, Sep. 7, 2004.
7. Rezende, P.: Analysis Review of an E-Voting System (Reavaliação da Análise de um sistema eleitoral eletrônico). Brazilian Media Observer, Nov. 2, 2004. http://observatorio.ultimosegundo.ig.com.br/artigos.asp? cod=301ENO002.
8. Rezende, P.: Electronic Voting Systems: Is Brazil ahead of its time? Cryptobytes, Vol 7, N. 2, Fall 2004, pp. 2-8, RSA Security Labs, USA: http://www.rsasecurity.com/ rsalabs/cryptobytes/CryptoBytes_Fall2004.pdf.
9. Rezende, P.: Analysis of the Unicamp Report (Análise do Relatório da Unicamp) In Burla Eletrônica (2002). http://www.cic.unb.br/docentes/pedro/trabs/ relunicamp.htm.
10. Rezende, P.: The Sect of the Holy Byte (A seita do Santo Byte). Brazilian Media Observer, Sep. 23, 2003. http://observatorio.ultimosegundo.ig.com.br/ artigos/eno230920031.htm.
11. Rezende, P.: Diogenes' Lantern (A Lanterna de Diógenes). Report for a public hearing at Brazil's Senate (2001). http://www.cic.unb.br/docentes/pedro/trabs/paisagem.htm.
12. Rezende, P.: Do We Need a Federal Journalism Council? (Precisamos de um Conselho Federal de Jornalismo?). Brazilian Media Observer, September 21, 2004.
13. Rezende, P.: The Anatomy of a Fraud to the Constitution (Anatomia de uma Fraude à Constituição). Dossier on the smuggling of unvoted articles into Brazil's seventh Federal Constitution. http://www.cic.unb.br/docentes/pedro/trabs/fraudeac.html
14. Rezende, P.: Brazil's e-vote: an overview. http://www.cic.unb.br/docentes/ pedro/trabs/evote_overview.html
15. Fund, John: Stealing Elections: How Voter Fraud Threatens Our Democracy.
Encounter Books (2004)
16. Mercuri, Rebecca: Electronic Vote Tabulation Checks & Balances. Ph.D. dissertation, defended Oct. 27, 2000 at the School of Engineering and Applied Science of the University of Pennsylvania, Philadelphia, PA. http://www.notablesoftware.com/Papers/thesdefabs.html
17. Ansolabehere, Stephen: The Search for New Voting Technology. Boston Review, nov 2001, http://bostonreview.net/BR26.5/ansolabehere.html
* The author
Pedro Antonio Dourado de Rezende is a tenured professor at Computer Science Department, University of Brasilia (UnB). Advanced to Candidacy for PhD in Applied Mathematics from University of California at Berkeley in 1983, heads the UnB Cryptography and Info Security Extension Program since 1997. Author of over one hundred articles on related topics, was a member of Brazil's Public Key Infrastructure Steering Committee from 2003 to 2006, as representative of civil society by presidential appointment.
1Voting in official elections in Brazil is mandatory for eligible voters of ages 18 to 65, under national electoral law.
2In Brazil, electronic voting machines were introduced in 1996. However, debates on electronic voting audit had already started in 1982, with the first reported case of electronic fraud in vote tallying. This happened in the gubernatorial election at the state of Rio de Janeiro, also the first to be tallied electronically, in what became known as the ProConsult case. [see ref. 1]
3In 1982, with the ProConsult case (previous footnote), and in 2001, with the "Senate's panel scandal”, briefly covered ahead. [for a thorough account of the latter, see ref. 2]
4Several electoral officials in Brazil, including judges, have publicly opined that this kind of audit measure constitutes “retrocession.” [see ref. 2]
5Aviel Rubin, http://avi-rubin.blogspot.com/; Bruce Schneier, http://www.schneier.com/crypto-gram.html;
Douglas Jones, http://www.cs.uiowa.edu/~jones/voting/cbc2004supp.shtml;
Dan Wallach, http://avirubin.com/vote/analysis/index.html;
David Chaum, http://people.csail.mit.edu/rivest/voting/papers/ CryptoBytes_Fall2004.pdf
David Dill. http://securingamerica.com/ccn/node/8023g;
Ed Felten, http://itpolicy.princeton.edu/voting/audit07full.pdf; Michael Waldman (Editor of the “Brennan Report”), http://www.brennancenter.org/ presscenter/releases_2006/pressrelease_2006_0627.html;
Rebecca Mercuri, http://www.notablesoftware.com/evote.html;
Ron Rivest, http://people.csail.mit.edu/rivest/Rivest-TheThreeBallotVotingSystem.pdf
Roy Saltman, http://www.votefraud.org/saltman_roy_1988_report.htm;
Robert Strunk, http://www.votefraud.org/expert_strunk_report.htm
6From the French and the American Revolutions of the Eighteen Century
7At least in the sense of being the nation with the longest continuous period of democratic rule.
8In Brazil, where the widespread use of DREs was pioneered from 1996 on, history books – and Wikipedia – explain how the nation's first period of democratic rule, from 1989 to 1930, known as "the Old Republic", was plagued by collusion. Election organizers and two main political groups, led by landed gentries, were involved. Regardless of the real outcome, the books were cooked at each election so that the two groups would alternate at filling the country's presidency, while the three pretended, with help from the fourth power – mainstream media --, to find no wrong through the electoral supervision process. The Old Republic's plot became known as "política café-com-leite" ('cappuccino' politics), from which voters took decades to realize detrimental consequences. This, in turn, led to civil unrest and a coup, the 1930 revolution, to reform democratic rule. After two interruptions of democratic rule, (from 1937 to 1945 and from 1964 to 1988), now under the spell of some supposed technological prowess, most Brazilians seem oblivious to the lessons from their Old Republic. Like their neighbors from Paraguay, where Brazil's DREs has been borrowed, but unlike their neighbors from Venezuela, whose later debut with democratic rule was plagued by similar plot, from 1958 to 1998, know as "pacto del Punto Fijo".
9In the same year Mercuri defended her PhD thesis, for instance, Berry Schoenmaker published the article “Fully Auditable Electronic Secret-Ballot Elections”: http://www.xootic.nl/magazine/jul-2000/schoenmakers.pdf
10As far as we can tell, Brazil is unique among modern democratic republics in concentrating, in a single institution, the electoral functions from the three powers a republic should keep separate, namely, those to legislate, to execute and to adjudicate. This institution, called 'Electoral Justice', is organized as a branch of the Judiciary, and binded only by the Constitution and federal election laws. The Constitution and electoral laws compel all statutory, executive and adjudicative matters regarding official elections into a Kafkean system of 'electoral tribunals', one for each state, all under a federal 'Superior Electoral Tribunal' [TSE]
11A case of legislative vote fraud known as the “Senate panel scandal”. [see ref 2]
12Senators Roberto Requião and Romeu Tuma introduced a Bill mandating that the DREs be adapted to run VVPAT extension modules, for unencumbered tally audit by manual recount of a 3% sample of precincts.
13A court case that had dragged on in TSE for more than two years, over a bid in which senator Hugo Napoleão had ran for governor of the state of Piauí in 1998. The declared winner had been governing for more than half the mandate, but the election was impugned, based on a claim that the winner's campaign finances were not up to snuff.
14Again with no floor debate, and with no further amendments so that the Bill wouldn't have to go back to the Senate
15Sen. Eduardo Azeredo, who has been indicted in Federal criminal court for allegedly masterminding the money-laundering and embezzlement scheme that became known as “Valerioduto” [see ref. 14]
16Procomp, an IT company formerly owned by Brazil's largest domestic bank, later bought up by the largest U.S. supplier of DREs in late 2007, Dieblold.
17Except for a new outfit and no VVPAT extension or dangling voter ID input modules
18These documents include a manifesto and petition by university professors warning lawmakers and the public of major risks inherent to fully electronic voting systems, which do not allow audits of the electoral process, asking that debates to legalize them include public hearings; a Technical Reports from the Brazilian Computing Society (SBC) and from Coppetec, a technology research center from the largest public university in Brazil, the former recommending the use of VVPAT modules in voting machines to allow for unencumbered tally audits by manual recount of a sample of the precincts; an Expert Report on a DRE from a Santo Estevão precinct, part the electoral lawsuit case TRE-BA 405/2000. This is a document produced for lawsuit in which two right-wing parties litigate over the result of Santo Estêvão's 2000 municipal election.
19The seals, if placed as prescribed, are left intact when the DRE cabinet is open by releasing a screw hidden behind the DRE's mounted battery. This would give access to the DRE physical storage (flashcards). On the other hand, any unauthorized access to voting machines, say, to unmount the battery and inspect the DRE, is a Federal crime.
20TSE Resolution nº 20.966
21Translator's note: Creed of Saint Byte is a parody of Seita do Santo Daime, pronounced alike in Portuguese. The latter is, citing wikipedia, "a syncretic spiritual practice, which grew out of the Brazilian Amazonian state of Acre in the 1930s and became a worldwide movement in the 1990s. Practitioners of Santo Daime (who call themselves Daimistas) believe strongly in the spiritual benefits of drinking the sacramental tea Ayahuasca, [which may be classified as halucinogen], in the context of rituals, or spiritual works. Santo Daime can be understood as part of the rich spiritual landscape of religion in Brazil." To follow the pun's intention, we translate to “holy byte”
22From the parody of the “Seita do Santo Daime” [see previous footnote]
23Among signs of this revelation we can cite: a dogmatic contamination of technical studies on the security of Brazil's electronic voting system, ordered and paid for by Brazil's main electoral authority -- TSE --, such as the 2002 report "from Unicamp" in light of an independent analysis of the 2000 setup.bat file [see refs 6, 7 and 9]; a veto on the participation of Rebecca Mercury in a scientific meeting on electronic v, sponsored by TSE and the University of Santa Catarina in 2003, under the allegation that her views would have, according to a witness, "nothing to contribute to the betterment of our system"; a systematic refusal of TSE to allow any independent homologation of the voting system, by voters or by technical assistants to candidacies, not even as prescribed by national or international industrial or commercial standards such as ISO's for Information Systems' Security.
24As per § II of Art. 42 of Resolution nº 22.154, issued by TSE on May 2006, later amended by Resoluion nº 22.332, issued on August 8, 2006. Some state authorities, like São Paulo's (through TRE-SP Instruction nº 12.523 of Sept. 22, 2006), have directed precinct officials at the 2006 general election to ignore that late amendment, and thus, to deny printed ballot reports to representatives of single political parties.
25The flag from Brazil's state of Paraíba is a homage to a former candidate for Brazil's vice-presidency, João Pessoa, whose assassination is believed to have sparked the 1930 Revolution, a popular revolt that busted the enduring collusion plot known as "política café-com-leite" ('cappuccino' politics). Paraíba's capitol is also named after him. According to the state's official web site, the red part of the flag stands for the blood shed in his assassination, and the remaining black for the mourning feeling after his death. The word NEGO, which means "I refuse", over the red part refers to the ensuing revolt against the "café-com-leite" collusion practice, fueled by the state's refusal to accept the official 1930 presidential election result. That result had declared the defeat of João Pessoa, governor of Paraíba at the time, and of his presidential mate, Getúlio Vargas. The rebellion set in motion by Pessoa's assassination, before inauguration, ended up conducting Vargas to the presidency, exposing a distance which legality can stray away from legitimacy.
27The law revoking the undebuted VVPAT measure (Law 10.740 of 2003) and the law introducing electronic voting systems into Brazil's electoral process (Law. 9.100 of 1995) were admittedly drafted by TSE staff. Under constant lobbying by electoral officials, the corresponding Bills were voted by the two houses of Congress, passed and sanctioned into Law by the president in record time (less than six months), with significant engagement of politicians involved in electoral litigation and not a single public hearing or amendment allowed. Throughout the process of drafting, discussing, voting and sanctioning them, any and all contributions offered by the academic community were ignored. Law nº 10.740 was approved by Brazil's Congress in September 29, 2003 with grave irregularities, documented in www.brunazo.eng.br/voto-e/textos/PLazeredo.htm (see [ref. 8])
28 “Informatization of Brazil's Electoral Justice” (Informatização da Justiça Eleitoral Brasileira), TSE, Brasília, 2005
29 By the time the booklet was published, presumably in 2005
30 “The Follies of Democratic Imperialism” http://ww.worldpolicy.org/journal/ articles/wpj05-sp/encarnacion.html
31Western mainstream media splashed the so-called “Orange Revolution”, in late 2004, in the aftermath of the run-off vote of the 2004 Ukrainian presidential election, taking for granted charges that it was compromised by massive corruption, voter intimidation and direct electoral fraud. Just the Opposite it did, less than two years later, with similar charges regarding the 2006 presiential election in Mexico.