What is the fuzz about E-voting? 🗳️
Electronic voting, or e-voting, is "voting that uses electronic means to either aid or takes care of casting and counting votes."
With many modern aspects of life, like banking and finances, being already automatized by technology (and no ordinary citizen seems to be questioning if Visa or Mastercard are “really” safe when buying goods online), the use of security measures, like “air gap networking” and “cryptography” ensure the creation of reliable and robust systems.
However, elections in democratic states are (definitely) a high-risk scenario. The system has to work (do what it is supposed to do), even under the malicious intentions of outside attackers. This puts in question if “e-voting” is safe and if we should be using it.
As a first warning, cybersecurity is a dense and intricate subject. And, understandably, trusting issues are not unusual considering that the general public does not master the subject. However, it is interesting to see that people’s distrust is selective. Many modern-day applications use the same security measures that e-voting systems use, but (almost) no one bats an eye to them.
You exchange your credit card information to Amazon’s server every time you do a purchase. And you are fine with that, as it is safe to do so. But if an election does not go the way the losing party expects, people become ready to “doubt” the security infrastructure they use every day.
A full lecture on the “robustness” of e-voting in Brazil would become overly specific and boring to the non-technical audience. However, I will try to show in this post why e-voting (in Brazil) can be considered safe and robust (to the best of our current ability).
We will also use this opportunity to talk about transparency and auditing, two key principles when debating the use of technologies (like AI) in an ethical way.
Recently, during the last presidential elections in Brazil, many people unsatisfied with the results have been questioning and doubting the robustness and “legitimacy” of our e-voting system. Many even think that our current result is a “fraud.”
Thus, as someone versed in cybersecurity and information systems technology, I would like to present to the reader how someone “could” (if they wanted), try to fraud an election in Brazil. But let me remind the reader that possibility, feasibility, and probability, are very different concepts.
But before this, let us try to present the advantages and the questions around e-voting.
The advantages of E-voting👍
Let us present some points in favor of e-voting:
Better User Experience: In general, voting through electronic ballot boxes is more efficient (in terms of speed) for many reasons. If there is one thing that computers are good at is counting. And in a country like Brazil, with approximately 156 million voters, counting votes “by hand” would be very time consuming and inefficient (how many times have you screwed up an arithmetic calculation done by hand?). In the 1989 presidential election between Fernando Collor de Mello and Luiz Inácio Lula da Silva the vote count required nine days. However, nowadays we can finish an election, and get the official result, on the same day. Again, computers are good at counting.
Paper Ballots are Not Safe: As you may know, paper is not a very robust material. Paper ballots can be lost, misplaced, tempered, incorrectly used, stolen, and everything else that you can do with paper. For example, the 2000 presidential elections in the United States used Votomatic-style voting machines for the elections (which is nothing more than a mechanical device that punches a hole in a paper ballot). However, in Florida, due to some malfunctioning of the machines (perhaps the blade got dull) many ballots had “incompletely punched holes”, and the tabulating machines did not count these ballots (the holes were not there, to begin with). That is, some votes were not taken into account.
It is Cheapper: E-voting allows the government to reduce costs. Every day that you have to “count ballots” has a cost associated with it. There are people to supervise, people to supervise the supervisors, security, food, logistics, etc. E-voting can reduce all that to one day of work.
No Votes are Left Behind: Electronic voting is one of the most reliable ways to ensure that votes will not be lost. Electronic information can be robustly stored, protect, and counted. Imagine using paper (instead of an electronic card) to keep track of your public transportation voucher. Which one will become “goo” first after a hard rain?
Brazil is a Model for E-voting to the World: Brazil is currently among the few countries, like India, in which e-voting is the standard. Many scholars cite Brazil as “ahead of its time”, and “a model to be followed”, being in the forefront of the electronic voting movement. Also, paper voting is one of the most criticized, easy to manipulate, and vulnerable voting systems that exist.
Addressing the questions on E-voting 🤗
Now, since this is clearly a “pro e-voting blog post” let us try to answer some of the common questions raised by people against E-voting.
How do we ensure one voting per voter? In Brazil, a document with a photo is necessary to vote. Before voting, the Election Workers will check the voter’s identity and if the identity is confirmed, the voter is (literally) removed from the list of “voters to be.” Also, Brazil has 75.52% of voter biometric identification taking place.
How can we ensure anonymity? The list of the Voter Registry is not public and the order of the votes is not recorded, making individual voter inference impractical.
Can we trust a machine that does not give us some paper trail? Brazilian electronic ballot boxes leave a paper trail called “zerésima” and “boletim de urna”. The zerésima guarantees that there were no votes in the machine, to begin with (“this machine had zero votes at the start”). The boletim de urna gives you a counting of the votes that can be matched with the number of attendant voters in a given section. Both documents are made public via the TSE website and the Boletim na Mão app.
But what if the election workers voted for some people that didn’t show up? Election Workers are randomly selected, and they don’t work alone. For something like this to happen, an entire team of randomly selected people would have to coordinate this attack, evading the police force that monitors voting sites, and voters, and be willing to suffer the consequences of an electoral crime (voting in the place of another person is a crime punishable by imprisonment of up to three years - art. 309 of the Electoral Code).
As you can see, I did not address the problems related to “accuracy of vote,” “counting security,” “prevention of fraud,” and “fraudulent voting machines.” Thus, how can we ensure the robustness of this entire “black-box” system?
Through Randomness and Auditing.
Auditing Black-Boxes 🔎
In Brazil, the research and development of electronic voting systems are funded and maintained by the Brazilian Supreme Electoral Court (TSE). The code of these machines has not been released to the general public but is accessible for certain stakeholders, like the Armed Forces, Political Parties, and the OAB (Order of Attorneys of Brazil).
One of the reasons for making the software not “publicly available” (technically it is for representatives of the Executive, Legislative and Judiciary branches) is because we can attain “Security through Obscurity”. That is, "is hard to attack something you do not know how it works."
However, security by obscurity alone is discouraged and not recommended. We need more (and we have) than that. Thus, how can we make sure that the code that runs the voting machines is working the way it is supposed to?
Simply put, we do a mock election before the real elections, and double-check the results. The process goes as follows:
On the eve of an election, the election authorities in each State select several voting machines by lot randomly, and those machines so selected, instead of being used in actual polling stations, are retained in the seat of the State’s Regional Electoral Court for a “mock voting session”. This session is conducted for audit purposes in the presence of representatives designated by the political parties.
The mock voting session takes place on the same date as the election (making it difficult that any software update to be made after the auditing). In this mock voting session, the votes entered in the voting machines are not secret. They are witnessed by all party representatives present at the audit process (everyone knows how many votes went to each candidate). The political parties determined a random quantity of votes to be inserted in the machine for each candidate. The whole process is filmed.
The number of votes decided by the parties is decided on the spot (no one knows beforehand). The only way they could be known by others is if there were collusion between rival parties.
Then, votes are inserted in the machines, and the electronic counting of the votes takes place. The result indicated by the voting machines software has to correspond to the random number of votes decided by all parties.
Given that the machines are chosen at random, the reliability of the chosen ones is deemed to represent the reliability of the others (which has happened in all elections so far). If the audit failed to produce the matching of the votes counted to the sum of the instructions, the whole election in the State in question would be void.
This is kind of a “zero-knowledge proof” of the integrity of our voting system. If all of the premises and steps made clear above can be accepted (and they are), we can all agree that the machines are safe without ever having to open their source code.
Okay. But transparency is important. And we would like to know the source code. Unfortunately, mere mortals cannot do this at the current time. But representatives of the three powers can. Given the reports delivered by these distinct organizations (we will use the Armed Forces Report in this blog post) what can we learn about the robustness of our voting machines?
Looking Inside the Black-Box ⬛
As far as is known, TSE voting machines run on Linux (dubbed UEnux) OS, and the proprietary software that does the counting and registering is unknown (around 17 million lines of code writing in - probably - C or C++).
The machines have many redundancy mechanisms to ensure that data will not be lost or tampered with. For example, as already mentioned the “boletim de urna” leaves a paper trail that can be used to verify the votes of a given machine (also if the number of votes coincides with a given registration area). All of this information is made publicly available here and here.
All results of the voting machines are also stored in a hard drive device called “mídia de resultado,” similar to a flash drive. These devices have special software and can only talk to machines that also possess proprietary TSE software. Thus, you cannot put this flash drive in a normal machine, guaranteeing that the contents of this drive can not be altered by third parties (unless they have access to updated TSE software and encryption keys).
After a voting session is ended, both the “mídia de resultado” and the “boletim de urna” are escorted to the local electoral office. There, the flash drive is coupled to a computer that has the correct software and keys, checked, and compared with the paper trail copy, and then the data is transmitted to the Superior Electoral Court (TSE) in Brasilia.
In cases where the flash drive happens to be lost or destroyed, the voting machines used in Brazil have other safeguards besides the paper trail (the machines themselves keep a registry of the votes in internal and external memory cards). The only way for votes to be lost is if the entire machine (before the “Boletim de Urna” is generated) is completely destroyed or stolen (something that to this day, never happened). If a machine breaks, the memory cards can ensure that data (the votes) will be transferred to a new voting machine.
In terms of cryptography, TSE software uses the same techniques to guarantee legitimate identities that online banking applications use. All information, from votes to the data stored in voting machines, is signed through digital signatures, which means asymmetric encryption methods.
In simple words, digital signatures are used to verify the authenticity of a message sent electronically, like a vote, or the counting of all votes in a given machine. Encryption algorithms like RSA allow us to guarantee that a given piece of data can only be modified by the owner of a given key. If you wanna know more about asymmetric encryption, and who it is the standard used for any verification step in cyber security, check these two links.
Just like all digital messages, credit card operations, online purchases, and votes are also verified by public-key cryptography techniques. Each vote can only be cast by a given key (associated with a unique ID number/voter), each machine is associated with its own key, and the only way to “get these keys” is to break an encryption key (via brute force) in a very short time frame (these keys are not static, but dynamically generated). If you want to understand how virtually impossible it is for computers to break encryption keys of a given size, check this video.
In short, all data contained in an electronic ballot box, as well as all results produced, are protected by digital signature. It is not possible to modify the data of candidates and voters present in these machines. This information depends on the combination of a series of keys that (literally) no one has access to, having been generated during the Ceremony of Signing and Sealing of Election Systems.
But wouldn’t it be possible that the keys could be hacked? Again, breaking an encryption key via brute force takes (much) more time that the time it takes for the election to take place. Also, voting machines use air gaps to defend themselves against attacks. This means that voting machines don’t even have the proper hardware to be connected to something like the internet. They are just boxes that count votes. They don’t have a radio or wifi antenna. The Linux operating system contained in the voting machines is prepared by the TSE so as not to include any software mechanism that allows connection to networks or remote access.
When the votes are to be transmitted to the TSE supercomputer in Brasília, everything is already encrypted. And as far as we know, there are no feasible attacks that can be done against public-key cryptography techniques inside the period that would be needed to tamper with the encrypted data/votes. Also, the data received has to match the paper trail, which is a physical record of the votes.
Also, you cannot change the source code of a single voting machine. The TSE uses modern version control tools to check if the source code of the voting machine has been tampered with. Only a restricted group of TSE servers and collaborators has access to the source code repository and is authorized to make modifications to the software. The software used in the elections is the same all over Brazil and is under the strict control of the TSE, monitored by the three powers.
But what if the TSE has fraudulent machines with a different source code? If they control the source code, they can make machines do whatever they want.
No, and that is why we have our mock voting session before the elections.
Yes, the TSE has control of the software, but the software itself is audited by representatives of all political parties, the OAB, and the armed forces. Since machines used in the mock voting session are randomly chosen, the TSE could not know what voting machines to safely alter without anyone noticing.
At the same time, it’s not as if a small group of developers has total power over the source code of the ballot boxes. All the work done by this part of the TSE is compartmentalized. That is, the team responsible for the machine’s software is not the same as the one in charge of the tallying system. The team that commits the source code is not the same one that controls and keeps track of those commits.
From an attacker’s point of view, the number of election systems involved in running an election is so large that it is impractical for an internal agent to have a degree of knowledge of the whole system that allows him to carry out any kind of attack.
Regardless, what would it take to accomplish this anti-democratic deed?
What Would it Take to Fraud an Election in Brazil? 🐱💻
Let’s list all the systems used to ensure that a black-box system (like electronic ballot boxes) is applicable in a high-risk situation like the Brazilian elections:
Multiple Redundancy: the entire vote counting system has redundant checking mechanisms to ensure that (1) all information matches; and (2) information cannot be lost.
Code Auditing: political parties, the Public Prosecutor’s Office, the Armed Forces, and the OAB can monitor the development of the software through inspection of the source code.
Functional Auditing: The function of the ballot boxes can be audited and tested before the election. A form of “Zero-Knowledge prof” allows interested parties and regional election courts to test the integrity of the ballot boxes by randomly choosing machines to be tested.
Encryption: Public-key encryption ensures that information recorded/transmitted by voting machines cannot be altered.
Air Gap Security: Voting machines do not have the necessary machinery to allow them to communicate with other unauthorized machines.
Security by Obscurity: Since external agents do not know the way voting machines operate, real-time attacks become extremely difficult during the short time that the voting machines operate online.
System Incompatibility: election workers are not able to breach the software and hardware that makes up voting machines. Only specific machines (with specific software) can be used to retrieve the information inside these machines.
Now, let us imagine for a minute how could we fraud an election in Brazil.
First, we will need to alter some (or all) of the voting machines. (software and hardware). Since the development of voting machines is compartmentalized, this is not a “one-man” job. It is a team job that will require espionage and infiltration.
Many people, working under the same objective, would have to infiltrate many different (highly secure and monitored) governmental offices, while still keeping contact with each other, without getting caught. And let us imagine that this highly motivated team was able to attain control (by some miracle) of the last “commit” of the source code and the final model of the machines.
But this team needs to pass a voting test (“the mock election”). If for example, the code and machines generated had some sort of setting that could detect if they were being “monitored for auditing purposes” or used for “real elections” (like the Volkswagen emissions scandal), they could fool the auditing procedure.
Something like this could fool the mock voting only if all machines have been tampered with (and that would be very difficult to accomplish). If only a portion of the machines has been tampered with, to get only the non-tampered machines to the mock voting would be a question of luck.
But let us suppose our team is rich, and they were able to bribe all of the states in Brazil. All of the regional election courts are in their pocket. And they were able to select only untampered machines. Or let us suppose that our team of spy-hackers infiltrated all the multiple organizations that guard the development of the TSE proprietary software and hardware, making all of the machines fraudulent.
But now we have to (somehow) hide all of our work. These alterations could be detected in the inspection of the source code (done by the political parties, the Public Prosecutor’s Office, the Armed Forces, and the OAB). Thus, we will have to have the representatives of all of these organizations in our pockets too. How much bribery, threat, and espionage would be necessary? A lot.
Now, perhaps the reader already has enough information to understand the herculean task that frauding an election in Brazil involves. The whole system is developed to have as many fail-safe points as possible. “Hacking” the elections is not a one-person job (it is not even a 100-person job). It would require a level of intelligence, espionage, and corruption that is almost impossible to (properly) hide. Operations like these could crumple down if just a couple of insiders turncoats came out in the open.
In the end, as an attacker, when you look at all of these safety measures and redundancies, the first thing that comes to mind is, "it is just not worth it…"
If you want to temper an election, the “easy way” (like almost all political parties do) is to invest all of this money that would go to a “doomed-to-fail spy-hacking mission” into disinformation and marketing.
In reliable applications, where end-to-end encryption and protection are guaranteed, you don’t attack the servers or the machines. We attack the endpoints. We attack the people. That is why more than 90% of all cyber-attacks are “social engineering attacks”.
So, would it be possible for to someone hack the elections in Brazil? Not really. Not in the sense of it being probable. The amount of effort required to tamper with the elections in an unsuspected way would have to mirror (and surpass) events like the Stuxnet exploit (an almost 10-year project orchestrated by foreign countries against the Iranian nuclear program).
But what about the vulnerabilities presented in the report delivered by the “Equipe das Forças Armadas de Fiscalização e Auditoria do Sistema Eletrônico de Votação (EFASEV)”?
What vulnerabilities?
Let us see the main points raised by this report:
The EFASEV report has a lot of complaints about how they could not stress-test the source code. And to be true, the STF only allowed for the static analysis of the code, not a dynamic one. Honestly, it is hard to find vulnerabilities without some tinkering. However, this is not the same as saying that there are vulnerabilities in the code. If there is any, it was not detected by the EFASEV report.
Questions were raised about whether the source code version could be changed after the audit (a commit being performed later or reverted). However, it was found that the digital signatures of the commits were those signed at the Locking Ceremony. That is, the audited code was the code used.
The EFASEV concludes that the security test regarding the Pilot Project with Biometrics was inconclusive, as the adherence to the use of biometrics by voters was not within the range of 75% to 82%. Biometrics are still being implemented, but an inconclusive result does not mean that there are irregularities. It means that it was not possible to certify the security of the machines based on a small sample (not representative of the Brazilian electoral population).
During the “Compilation, Digital Signature and Sealing of the Electoral Systems,” the entire system is brought “Online” to allow all of the machines to be updated with the same software. According to EFASEV, this is the only time when there can (hypothetically) be a security breach (when the machines are online, updating the source code to be used).
All other components, such as the generation of the “Resultado de Mídia,” “Boletim de Urna,” and the “Zerésima,” were found to be secure (no vulnerabilities were found).
To be fair, I agree with the part of the EFASEV report that says that “without dynamic testing, a full security analysis can not be performed.” However, this is not to say that the TSE does not perform dynamic testing (and they do). Would the availability of the source code outside controlled environments to third parties present risks to the integrity of the source code? Probably. Is this risk small enough to justify the “complete openness” of the source code used by voting machines? I do not know.
Transparency and reliability are sometimes in opposition. Finding the gray areas where these principles don’t communicate very well is part of the whole debate regarding the ethics and security of information systems.
However, is this “possible vulnerability” presented in the EFASEV report enough for us to doubt Brazilian’s e-voting system? No.
Again, the amount of hacking, engineering, espionage, and corruption that would be required to “modified the source code” in the brief moment when it is being uploaded/downloaded to the machines is “too much.” Several zero-day exploits would have to be used and abused by attackers (in a way that would not raise suspicious). Whether this would be an inside or outside job, it is not doable.
As aforementioned, nowadays, if you want to attack these kinds of systems, you don’t go for the system. You go for the endpoints (the voters). The spreading of disinformation and vote buying is a much more serious threat to our democracy than “hacking.”
A billion-dollar-powered conspiracy with multiple infiltrated agents would have a hard (impossible) time tampering with the elections. But with a couple of millions, a political party could automate disinformation spread and targeted marketing to distort voter perception and gather support, as has been done times and times again.
If you don’t know what side to take in this debate, let philosophy help you with the simplicity prior.
“The simplest solution is almost always the best.” William of Ockham
What is more probable (the simplest explanation)? The billion-dollar-powered conspiracy with multiple infiltrated agents hacking robust public key cryptography? Or that in a polarized country like Brazil, one candidate won by 1%? 🤔
What do you think?