Published in 2003, three years after all Brazilian voters chose their candidates using the voting machine for the first time, Law 10.740 established the Digital Voting Record (DVR), which replaced the printed vote. The DVR is a list issued after the entire voting and counting process is complete. It allows political parties and other stakeholders to make as many recounts of the votes as desired.
Giuseppe Janino, Secretary of Information Technology of the Superior Electoral Court (TSE), explains that with the DVR the votes began to be digitally stored as they were delivered by the voter, protecting secrecy and ensuring that it is not possible, under any circumstances, to match votes to their respective voters.
That's because the DVR is a file that stores all the raw data typed on the keyboard. In other words, all votes typed in numerical form on the keyboard are stored in a table. According to the secretary, this table has a "scrambler" that prevents the original sequence of voting from being identified. The raw data is recorded in this table - similar to an Excel spreadsheet - randomly.
The DVR is another mechanism that ensures security to the electronic voting system. With the digital record, it is possible to recount the votes in an automatized manner, without compromising the credibility of the electronic voting process. In addition to being digitally signed, the DVR is also encrypted, i.e. its recording is protected with unreadable code.
Also according to the secretary, this transparency mechanism ensures the substitution of printed votes in a much more efficient and effective manner, with integrity ensured by the lack of any human intervention in the vote recording process.
In comparing the DVR with manual, paper-based voting, Giuseppe Janino emphasizes that it is a leap in auditability and transparency. “It is as if we could take all of the old canvas ballots and hand them over to all political parties so that they could count all votes, aggregate them and verify if the result is correct," says the Secretary.
Storage of votes
The votes are stored in two media (one internal and one external) and digitally signed. In case there is an attempt to tamper with the vote records, even if the voting machine is turned off, the machine itself will detect the inconsistency (invalid digital signature) and issue an integrity error alert. The two-media storage scheme also prevents loss of votes, since in case of failure of one of the medias the voting data can be retrieved from the other.
Access to the data
Upon request, the Electoral Justice provides a copy of the Digital Voting Record to a party or coalition competing in the election. This is no longer possible for the 2012 elections, because a TSE Resolution determines that any such requests should have been made by January 15, 2013. Moreover, the norm determines that the files may be discarded 189 days after the proclamation of the results, as long as no appeal has been filed contesting the vote in that polling station.
In March 2012, TSE held the 2nd Edition of the Electronic Voting System Public Security Test. The best contribution was given by a group of researchers from the University of Brasilia (UnB). The group managed to resequence the votes submitted by the DVR. It did not breach the secrecy of the vote, however, since it failed to match the names of voters to the votes entered on the voting machine.
Giuseppe Janino explains that the test failed to breach the secrecy of the vote precisely because there is no way to match the name of a voter to a vote contained in the DVR. The attack managed to resequence the votes in the order they were entered into the voting machine. However, according to the secretary, it would be practically impossible to know the order of voting since voting is done in order of arrival at the polling station while the list of voters of a particular station is made available to the polling officers in alphabetical order.
In addition, the Secretary explains the attack was only possible thanks to the participants receiving the source code of all software executed by the voting machine in advance, something that would not occur in a regular election.
The UnB team ran its tests based on a mock vote held in a testing environment. Based on this input, the TSE has already implemented an improvement to the safety barriers in places that guarantees the secrecy of the vote, increasing the complexity of the mathematical procedures of the DVR's software.