Electronic Voting Machine series: audits ensure inviolable voting system

Electronic Voting Machine series: audits ensure inviolable voting system

A magnifying glass amplifying the word

Check the photo gallery here.

Check the video gallery here.

Listen to the story (in portuguese)

Watch the story (in Portuguese).

Electoral law ensures transparency in all stages of the Brazilian elections. Among other norms, the law guarantees that political party inspectors, the Brazilian Bar Association (OAB) and the General Attorney's Office have early access to the computer software to be used throughout the electoral process for inspection and auditing purposes.

These entities may, for instance, monitor the specification, development and seal-off stages of the computer systems, and digitally sign all software that will be used in the voting and counting of votes (together with TSE officials and the General Attorney's Office). The transparency of the electoral process can also be checked through the Digital Voting Record (RDV in Portuguese), the "parallel voting" procedure and the Voting Machine Bulletin.

According to Giuseppe Janino, TSE's Secretary of Information Technology, the electronic voting system in Brazil is committed to keeping up with the evolution of technology, with new features added from time to time bringing favorable enhancements to the system. “All devices currently used in the electoral process are always reviewed and verified in order to improve them and guarantee security and transparency to the electoral system", he says.

Analysis of the system by other institutions

The security mechanisms applied by the TSE, which ensure the reliability of the systems and the success of elections, are always being tested. Throughout the 17 years of computerized voting in the country, several audits and expert reviews have been conducted in the system, not only by political parties but also by IT experts from renowned universities.

In 2002, the State University of Campinas (Unicamp), after auditing the software, concluded that "the electronic voting system meets the fundamental requirements of the electoral process, namely those of respect for the expression of the choice of voters and the guarantee of their confidentiality”. Six years later, in 2008, the Brazilian Federal Police, on a technical report made of the municipal elections of Caxias (northeastern state of Maranhão), ruled out all allegations of fraud at the polls.

In addition to the audits, the TSE has already held two Electronic Voting System Public Safety Tests in 2009 and 2012. The contributions offered by IT experts and Computer Science researchers have helped the Court implement further improvements in the system.

Seal-off ceremony and digital signature

Every election year, about a month before the election, a ceremony is held to mark the official digital signature and seal-off of electoral systems. Officials of the TSE, the Brazilian Bar Association and the General Attorney’s Office, as well as representatives of political parties, will all attend the event. The purpose of the ceremony is to publicly certify the authorship, authenticity and integrity of the electoral software.

A digital signature is a cryptographic technique that seeks to ensure that the software has not been intentionally modified nor lost its original characteristics due to failed writes or reads. In the absence of such the digital signature is deemed valid, thus proving that the file has not been modified in any manner. A digital signature also ensures the authenticity of the program, i.e. that the program was officially generated by the TSE.

After the digital signature of the authorities and representatives attending the ceremony is attached to the software, those are recorded in two non-rewritable media and stored under physical seals, which are also signed by the President of the TSE, the General Attorney's Office and the OAB. They are then placed in envelopes, resealed, and, finally one of the media is stored in the TSE's safe-room, which is fireproof and protected from natural disasters.

The software is then sent to all Regional Electoral Courts (TRE) and will only work on computers of the Electoral Justice after activation through passwords generated by the TSE. In case of any question regarding the programming of any voting machine arises, it can be remedied by comparing the data from that voting machine with the original media stored in the safe-room of the Superior Electoral Court.

Digital Vote Record

The Digital Vote Record (RDV in Portuguese) is another tool that provides security to the electronic voting system. With the RDV it is possible to recount the votes in an automated manner, without compromising the credibility of the electronic voting process. In addition to being digitally signed, Giuseppe Janino, the RDV is also encrypted, i.e. its recording is protected with unreadable code.

According to the TSE's IT Secretary, this transparency mechanism ensures the substitution of printed votes in a much efficient and effective manner, with integrity ensured by the lack of any human intervention in the vote recording process.

In comparing the RDV with manual, paper-based voting, Janino emphasizes that it is a leap in auditability and transparency. “It is as if we could take all of the old canvas ballots and hand them over to all political parties so that they could count all votes, aggregate them and verify if the result is correct," says the Secretary.

Parallel voting

Parallel voting is another mechanism adopted by the Electoral Justice to ensure the credibility of the electronic voting system. The procedure is conducted on the eve of the election, when the 27 Regional Electoral Courts (TREs) conduct a public hearing and, by lot, define the polling stations where parallel voting will take place. One polling station from each capital and two to four from the interior of each state of the country are selected.

The selected voting machines are then removed from their places of origin and taken to the TREs on the Saturday before the elections, where they remain under surveillance.

On the same day and time of the official vote, i.e. from 8 AM to 5 PM, the inspectors verify the digital signature of the software and the digital summary issued by the equipment. Subsequently, the participants of the parallel voting process reveal whom they will vote on and register their choice, both on the voting machine and in an independent terminal, for verification purposes. The results are then compared (i.e. the vote revealed by the participant and the result registered in the voting machine's bulletin). All these steps are filmed. The goal is to show that what was typed on the keyboard of the voting machine really corresponds to the choice of the voter.

Voting Machine Bulletin

After 5 PM on election day, the chairman of the polling station, using his own password, closes the voting and issues the Voting Machine Bulletin (BU in Portuguese) for that station. The BU corresponds to a report printed in five copies by each voting machine, and must include: the identification of the polling station; the identification of the voting machine; the number of voters who attended and voted; and the result of votes per candidate and party.

The five (or more) copies of the bulletin are signed by the chairman of the station and by the political party representatives or inspectors present. The first copy is posted in a conspicuous place in the station, publicizing the results. Three other copies are submitted, together with the report of the station's activities, to the electoral registry. The fifth copy is delivered to the political party representatives and inspectors. 

According to Giuseppe Janino, using the printed Voting Machine Bulletin is a way to publish the election results as soon as they are available, even before the data is transmitted to the TREs. “The publication of the bulletin at the polling station on paper is a simple action, but still one of great importance, because in practice it means that the election results are available to the public at the very moment they end", he concluded.