E-Voting Raises New Questions In Brazil

Zaatxe writes, "Today is election day in Brazil. About 125 million people are expected to vote for president, governor, congressman (for both state and federal levels) and senator. The Washington Post has some interesting details about the electronic voting machines used in Brazil. From the article: 'Elections in Brazil used to be a monumental challenge, with millions of paper ballots to count by hand, many of them delivered by canoe and horseback from remote Amazon villages. Fraud was widespread, and it often took a week or more to determine the winners. Latin America's largest country eliminated many of these hassles by switching to electronic voting a decade ago, long before the United States and other countries... Some computer programmers who have closely examined Brazil's system say... confidence is misguided... Some Brazilians are lobbying... to switch from Windows CE to an open-source operating system for the voting machines, since Microsoft Corp., citing trade secrecy, won't allow independent audits to make sure malicious programmers haven't inserted commands to "flip" votes from one candidate to another.'" Read more below.

As a Brazilian voter, it was a shock for me to see that the voting machines here are made by Diebold. But what makes me confident in the system can also be found in the article: "Given the choice of picking a system where wholesale rigging is easy, versus one where it's impossible, why has Brazil gone with the system where it's easy? Brazil did build in some safeguards during its transition to electronic voting — protections that still don't exist in the US. While the code behind Microsoft's operating system remains secret, independent auditors must approve of the overlying voting software before it is inserted into the nation's 430,000 machines. The software remains open to inspections for three months before election day. And hours before the polls open, randomly chosen voting machines are tested 'to verify that the software inside does what it is supposed to do.'"

Simplicity is important ...

India has been using an EVM [wikipedia.org] for a while, it has no operating system and is a bare-bones equivalent of a calculator with a line printer attached. Hook it up to a standard dot-matrix printer and get voting. It is probably as simple as a system can be.

No government which outsources its technology to vote can remain soverign. Machiavelli didn't go on and on about mercenaries, for nothing. And all said & done, this doesn't actually mean an honest election brings up a good government - we're intelligent induviduals, who form dumb mobs, pulled & manipulated by politicians with electoral issues (which are non-issues in the real sense).

Re:

Mobs are more than happy to let themselves be manipulated. Then they can give free reign to all that's socially unacceptable but that they really feel like doing, because the responsibility does not lie on them any more. See, they are being *pulled*. Recen

Re:

If memory servers, the first voting machines here in Brazil were ordinary 386 PC's with no operating system, it booted with the voting software. I don't know for how long this model was used, anyway. Maybe it was just the first prototypes.

I voted today and...

I find it's somewhat weird that one can't directly vote as "null" (this means, in other words, you're refraining yourself from participating). In order to vote as "null", you have to pick an invalid candidate number. It's been like this since the last election (or maybe before, but I can't recall). There's apparently not much press on the fact. So I guess most uninformed people (majority, as usual) would simply do otherwise just thinking "they've done something wrong". For some reason, it seems to be this is a form of pushing the nation into voting *for someone*. Call me paranoid, but I can't see a good reason for that. It reminds me of that quote: "if voting worked, it would be illegal".

And yes, I'd rather not participate. There may not be any evidence of fraud in our elections, but I don't see the point in participating in the circus of lies that is politics in Brazil. If after all these years no one has realized politicians (right/left wing, doesn't matter) aren't out to help anyone there, they well deserve what's happening now.

The soul of South America lies within Colombia, Venezuela, Chile, and Argentina.

Re:I voted today and...

I find it's somewhat weird that one can't directly vote as "null" (this means, in other words, you're refraining yourself from participating). In order to vote as "null", you have to pick an invalid candidate number. [...] For some reason, it seems to be this is a form of pushing the nation into voting *for someone*.

1) A nullified vote means you made a mistake picking a candidate. This "mistake" can be delibered or not.
2) If you are not willing to participate (considering that voting is mandatory in Brazil), the voting machine has a "blank" button.
3) The voting machines have the "blank" button since the first prototype in 1996. Actually, the design of the voting machine hasn't changed much since then.
4) The blank vote has always existed, since the paper ballot and it has the same effect of nullified votes. But the blank votes were the fraud source in paper ballots: some dishonest vote counters would fill the blank votes during counting. Believe me, that happened much often than you can imagine. With voting machines, that's impossible.

Re:

Blank votes are very different from null votes.

A blank vote means "I don't care". A null vote mean "I'm not satisfied with any of the candidates".

Blank votes goes for the candidates with the most votes in the last turn. On the other hand, if in the last tu

Re:

Blank votes goes for the candidates with the most votes in the last turn. On the other hand, if in the last turn no candidate reaches 50%+1 votes (because of the null votes), the election is cancelled, and the current candidades may not run for the next on

Re:

Brazil is just as good as your vote, dude. And, btw, the reason you have to pick an invalid candidate number is to emulate the paper ballots where anything but what you're supposed to write there nullify the vote. It's just sad to see how many people giv

Why Does Diebold Oppose Printers?

I mean on the surface it would seem that this is a perfect opportunity for them to sell more hardware and make more money.

The only explanation I can think of is that they are afraid their buggy voting machines will give different counts than the paper ballots. Despite all the worries and fuck ups with Diebold machines people won't really believe that the machines are problematic until they can see they screwed up in a real life situation. Sure there were a couple incidents where a machine started counting backward or people fucked up but this doesn't necessarily seem any more serious than the flaws in paper voting and after all these problems were caught.

Yes if problems are caught there are probably others that aren't but it doesn't have the same PR effect.

Re:

For something as important as voting, it sure seems like the US as a country could afford printers.

Anything to make it more likely that every vote is accurately tallied sounds like a worthwhile use of taxpayer dollars.

Electronic voting machines that can't

Re:Why Does Diebold Oppose Printers?

You are completely right about the fact that both paper ballots and comptuer ballots have some margin of error, and as an engineer i have to wonder why this margin of error is not known.

Any approximation is useless without knowing the limits to which it applies. What needs to happen is a study needs to be done to find the percent error in the voting process (paper or electronic), and if the final votes are within this percent something needs to happen.

If Bush wins an election by 1.0% of the population, while the margin of error on the voting process is +/-3.0%, well then did he really win the election?? Any counting process is useless without knowing error margins, voting included. What if the margin of error is +/- 10%?? This needs to be figured out.

MS Ain't So Bad Here

Frankly I think the concern about using an MS OS rather than an open source OS is misplaced. In fact despite my general dislike for MS I have to say that in this situation MS is probably a better choice than a Linux based OS.

Sure people are going to claim the 'lots of eyeballs' effect makes linux more secure. However, there are major sections of the code that are deep vodoo and very very few people understand. An attacker would of course choose to put his code in one of these sections and if you are really running this code atop a full blown OS and you know (because the government has demanded it be published) the software that will run on top of if there are probably tons and tons of innocent looking ways to screw with the results.

I don't know if this would really work but one might imagine a situation where the ballot will be divided into two pages. Likely whether or not the vote was recorded and sent to permanent memory before the page is flipped or after will have some statistical difference in memory reservations or paging or some subsystem like this. One could code a race condition that scrambles the cast vote which while rare is slightly more statistically likely to happen in these situations than the other ones. Hell in an election often the young have different voting patterns than the old so you could just have some statistical relation to the speed at which options are picked.

The point is the bad guy is likely to have lots of resources and be able to concentrate them in one very small area of the code in a way that looks valid or if discovered innocent. The eye balls need to look over all the code. Yet we know from the number of bugs found in the linux kernel that many bugs do make it past without even being engineered to like innocous.

While the MS kernel is likely to be more buggy it is much harder to contribute a patch to the MS kernel making it more difficult for a bad guy to slip the code into the kernel in the first place. So while it would be nice if the kernel was visible to everyone I think not accepting third party patches is a more important security feature than being open source for a situation like this. Getting someone hired as part of MS's OS team or corrupting one of them is way harder than getting a patch acceted to the linux kernel that delibrately contains a very subtle area.

Of course what they really should be doing is not using anything complicated like a real OS anyway and instead an EVM.

Re:MS Ain't So Bad Here

More preciscely unless you plan to eliminate all errors that could affect the kernel running in the voting machine (impossible for either linux or windows kernel) the battle is between the eyeballs trying to find bugs that might affect voting and the bad guys trying to make bugs that affect voting.

In an election situation there are just TONS of correlations between voting patterns and the state of the voting machine (how quickly people select options, how busy the machine is, how warm the machine is etc.. etc..). The bad guys just need to pick one correlation to use in their attack. The eyeballs need to look for every exploitable correlation making their job very very hard.

This asymetry means that it is more efficent to raise the barrier to inserting the bug in the first place by using code that doesn't accept third party patches than to try to find the bugs once they are in there.

Of course the right kind of OSS kernel would be even better, e.g., minix (I don't think tannenbaum accepts 3rd party patches) or some other closed development community but between linux and windows here windows wins for all the reasons that make it worse other places.

Re:

"While the MS kernel is likely to be more buggy it is much harder to contribute a patch to the MS kernel making it more difficult for a bad guy to slip the code into the kernel in the first place." You seem to forget how easy it is to hex-edit and such. P

Probably simplistic but MS=USA=bad?

I wonder if some of the concern by the critics is that the software running the voting machines is opaque, and owned by a US company. US involvement in South/Latin America is quite a politically sensitive issue and the US has historically used covert and military actions to influence politics in the region. So I'm not suprised there are concerns - even if misplaced - over the MS software.

Imagine if there was a borderline vote in some US states and the voting machines were running a closed software package from a country that had potential influence and something to lose or gain over who got elected.

I can imagine concerns might be raised in the voting areas by some people.

Re:

You seriously want to attach something a erroneous as microsoft's warranty to something as important as an election. Manual counting and voting requires fraud on a massive scale, electronic voting , only requires one bug, and the election results are what

Re:

Dear company executive, if you by accident would make sure I win the election next yet then there is no end to what we can do together.

Yours truly,
GWB
------

That wasn't very hard or costly.

Re:MS Ain't So Bad Here

That doesn't make sense to me.
You are saying that in order to hack the linux kernel, you would need to make a patch to the mainstream kernel, and get it accepted. Someone will review your code, and you need to disguise it as a fix for something. For this step alone, that involves deceiving kernel hackers, you need the knowledge of a top level kernel hacker, and there are few of them, and _some_ of them can't be easily bought for any reasonable amount of money, because they are well known people, and have a reputation to protect.
Then you need to make sure that the makers of the machines use a recent enough version of Linux. So you need to send the patch at least one year, and more realistically, a couple of years in advance.
After that, you need to pray that, in the meantime, your code doesn't break anything for any of its millions of users. And some of those millions are actually watching the changelog, and could find some flaw in your patch by chance.

With any closed kernel, there is not known worldwide development process, so it _could_ be much easier to instill a bad patch, you maybe just need to buy one developer for a ridiculous amount of money, and that would be it. Of course, they could have better safeguards, but we don't know anything about that, so we can safely assume the worst.

Aside from that, I think these ways of skeweing the elections are overkill. You can always buy your votes on-site, and find a way to change the software of the voting machines on delivery, or maybe changing the whole voting machine before it goes to its place. You can buy some auditors, or people at Diebold. That would be much easier, safer and cheaper than changing the OS kernel.

Re:

After that, you need to pray that, in the meantime, your code doesn't break anything for any of its millions of users

Never mind that, you'd also need to pray that you correctly guessed the candidates and the way people will actually enter their vote all th

Mod parent up...

The reason for using a vanilla F/OSS operating system is that it will, for the reasons described by the parent, be unlikely that it's corrupted specifically for the purpose of throwing an election. The voting application should only make generic use of the

Re:

Sure people are going to claim the 'lots of eyeballs' effect makes linux more secure. However, there are major sections of the code that are deep vodoo and very very few people understand.

Even less people understand the voodoo of the MS kernel and there is

diebold only _MAKES_ them but don't have the IP

the development of the system, and all the intelectual property associated, belong to the electoral justice.

when the system was first develop and used in capitol cities in the 90's, procomp (one of the manufacturers hired to develop the system) was not a diebold subsidiary yet. the other two were Itautec (subsidiary of the 2nd largest private bank of brasil) and Unisys.

all the intelectual property developed by the 3 companies was transfered to the union.

since the IP belongs to the government, they can choose to hire other comapnies to manufacture the units in the future if they son choose.

Re:

Secure WinCE? Against what, exactly? I would hope to god the voting machines weren't connected to a public network, and at any rate the WinCE codebase is almost entirely different from that of NT and 9x. Also:

A distinctive feature of Windows CE vis-à-

How hard can voting machine software be?

Randomize the buttons so that the order of candidates changes every time, store the order in a table.
When a button is pressed run a lookup on the table and increment to count for that candidate.
Send some text to a line printer with details of the vote.
Repe

Re:

That's going to be a few hundred lines of code at worst, surley it doesn't take that long to pick up any bugs.

Actually it's only one line - but it's a line of Perl.

Re:

Randomize the buttons so that the order of candidates changes every time, store the order in a table.

Forgive me, but that sounds like a VB programmer idea. Anyway, Sao Paulo state had about 1000 candidates for congressman. Are you sure putting them in t

Re:

That's what I always thought. I just assumed there was more to it than that, so I was wrong.

Fraud is the lesser of Brazil's problems...

No candidate reached 50%+1 votes, so we will have a 2nd round with the two leading candidates.

Yet, the leading candidate is the current president, whose government was swamped by all sorts of scandals -- the most recent being that members of his campaign's staff were arrested while trying to buy a (probably forged) dossier against the main opposing party's candidates.

In any decent country, such a man would not have reached the end of his term. Compared to Lula, Nixon was a saint! But here, reached the point where tons of people seem to believe honesty is not relevant to a politician. Or maybe they don't bother looking for it because they believe it's impossible to find...

Re:

People do mind about honesty, but they're rather vote for someone who "steals, but does" like Maluf than a seemingly good-intended less-known politician. And people can't remember stuff for much longer than a goldfish. I live in Brasília and I'm compl

Re:

Alckmin is definitely not Maluf-like.

His main proposal is to reduce taxes, which may be the best thing a politician can do (and Brazil DESPERATELY needs); he intends to stimulate trading with rich countries, rather than third-world ones like Lula did; as g

Re:

I admit he's not *exactly* Maluf-like. Maluf is a traditional conservative politician, of course. But when he talks about his achievements as governor of São Paulo, his speech does sound pretty much like Maluf's, especially when talking about the stuf

Re:

The correct portuguese is "rouba mas faz" ("robs but does"). Actually, the equivalent to the pork barrel are the "emendas do orçamento" ("ammendments to the budget"). The "rouba mas faz" thing is the blatantly illegal part, bribes and backstage dealin

It was better before

The machine is in constant evolution, but some of them aren't very good, and I belive the machine is loosing it's safety guards. The original machine had a system read-only for the operating system, now it's stored on a SD card, still it's locked with a se

Good and secure machines

Well, I worked with that machines and I can say they are secure. They dont have any output with external world, like ethernet and others kinds of communication. The votes are stored in floppy disks, with a big seal. If the seal is broken, the votes cant be official. But the seal is big and hard to damage. I believe today we have a great vote system, because we have the results in 13 hours after the election.

It's worse!

Some years ago, those who distrust e-voting machines managed to put into votation in the Brazilian Congress a proposed law who would require 10% (yes, only 10 percent) of the machines to come with printers. The idea was for those machines to print two copies of the vote: one for the voter, who would have confirmed his vote, and another to be put into a sealed urn by the voter (who would be able to check whether the printing was correct). If doubts arose on the results of an election, those urns could then be opened for manual counting, and if big differences were found between these 10% of printed votes and the full results, the election would be cancelled and redone (probably with paper balots).

A sound idea, don't you think? But, guess what? Yeah, the law wasn't approved. And as a result, there's absolutely no written proof at all of what or whom people actually voted for.

Also, there's a law around that forbids independent research of voting intentions to be spread in news some days before an election. I'm not sure whether this law is being enforced right now, but the official reason behind it is that such researchs "interfere" in the voting decision of the people. Now, just imagine what this means: e-voting machines registering "votes" that cannot be traced, plus voting researches disallowed days before an election. Yes, you're right: if someone that was far behind in the voting intentions got elected, it might be alleged that the people changed their mind between the last allowed research and actual election day. How can you argue against it? You can't.

This is the recipe on how you can build a dictatorship that has no appearance of being a dictatorship. You don't need to be violent. All you need is to put some clever technology into it, and you're done. Government becomes a permanent ownership of you and of your associates. After all, who said that multiple "competing" parties aren't really a single entity with lots of names, existing only for the people to believe they have choice?

In the last two presidential elections (2002 and this 2006 one), all the four presidential candidates were from left-wing parties. There's a range: from soft left-wing to extreme left-wing. But it's all left. Different parties, or single-party with four different names for you to "choose" from?

Who knows?

Re:

A sound idea, don't you think? But, guess what? Yeah, the law wasn't approved.

I remember that... too bad you just decided not to say why it wasn't approved. They tested this system in places where most voters are simple-minded people (for the Brazilian

Re:

I don't see your point. This problem is nothing that proper TV-training cannot solve, as was the case with the use of the e-voting machines themselves has shown. Had these "dumb" people been trained for weeks before having an actual contact with the machin

Re:

Good to know. But I know Lula has already mentioned he'd like to see a new Constitution. Since he's the same guy who tried controlling the newspaper with the "National Council on Journalism"...

And regarding parties, PFL is center, yes. A center party, havi

Re:

Hmm... yes, I can see how's that. The obvious solution would then be for a single copy to be printed and put into the urn. Actually, now I'm not sure whether the proposal was for two prints, my memory can be tricking me there.

Re:

Yes, I concede that having two prints isn't good. However, I might be remembering the event without much precision. AFAIK it was two prints, but it might actually have been one. I'm not sure now.

Trust

You mean that a broad, automatic, transparent tampering, is difficult because it requires the tampering software to be concealed ? The fact that it would require to hire a few competent and dishonest developers surely doesn't make it secure enough to use i

Re:

Please note that not only left-wingers are against intellectual property. A lot of libertarians and classic-liberal conservatives also oppose it on the grounds that IP violates private property. The reasonig is basically as follow:

"Thy should a 3rd party t

Re:Microsoft has a reason to be worried

I might be worried that some left-wing nutjob in Brazil would nationalize that source code and fork in a "fuck the yankee imperialist capitalist" move that Latin America loves so much.

You are american, right? You must be, because you show little knowledge of foreign politics. Sure, Latin America has its share of "left-wing nutjobs", like Evo Morales in Bolivia and Hugo Chavez in Venezuela. But that's not the case in Brazil. We also have our left-wing nutjobs (and one of them ended in third place in yesterday's election) but they seldom achieve anything important.

About the "little respect for forign IP in the past", it didn't matter if it was foreign or national, it was a question of public health, which should be one of the top priorities in any government. AIDS strikes harder on poor people, and the pharmaceutical industry doesn't seem to be willing to spread the return of their investiment for too long.
And just for you to know, the Minister of Health that made this move was a center-right wing politician (which by the way won the election for governor in Sao Paulo, where 1/4 or Brazil population lives).

Re:

Wrong, wrong, extremely wrong! The party of the ex-Minister of Health, newly elected governor of the Sao Paulo state, Mr. Jose Serra, from which our former president, Mr. Fernando Henrique Cardoso, is also a member, is the PSDB. What "PSDB" means? It means

Re:

Lenin, after the Communist Revolution in Russia, strenghtened the property system in his NEP policy. Why? Because that way he would be able to get tons of money from international capitalists. When he gathered enough to make the revolution completion possi

Re:

How do districts in the U.S. count several times more votes than they have registered voters? Yup, the same way.

Re:

"Ooooh, and without a paper trail, how do you prove that you did in fact vote, if your salary payment is suddenly stopped? Something tells me that mandatory voting may be the law, but it is not enforced."

I worked in the elections ( I was drafted..) and can

Re:

all these countries, including the U.S. that are having electronic voting issues are being used by less democratic nations to prove that democracy is bad. Slashdot is playing right into the hands of people like Kim Jong Il, and Hugo Chavez

Yeah. If you ques

Re:

Nah. It was a joke. What you posted just sounded similar to something GWB would say.

I can see how failures in voting processes could make democracy not look as grand as Americans say it is, but I don't see how not voting at all could be more favorable than

Re:

I do not understand your post. How is "need access to the OS code" different from "given access to the relevant codebases" ?