Linux-Based E-Voting In Brazil

John Sokol writes "I just heard from a good friend and Linux kernel hacker in Brazil that they have just finished their municipal election with 128 million people using Linux to vote. They voted nationwide for something like 5,000 city mayors. Voting is mandatory in Brazil. The embedded computer they are using once ran VirtuOS (a variant of MS-DOS); it now has its own locally developed, Linux-based distro. These are much nicer, smaller, and cheaper than the systems being deployed here in the US. Here is a Java-required site with a simulated Brazilian voting system. It's very cool; they even show you a picture of the candidate you voted for."

Science Fiction!

It's very cool; they even show you a picture of the candidate you voted for.

Wow! Incredible! I never thought something like that would be possible with a computer!

Re:Science Fiction!

Problem is it's too complicated for american voters. Punching a hole in next to a name was too complicated. typing in a 2-4 digit code? are you MAD??

Expecting Americans to have that level of ability is ridiculous. It's why Diebold is designing systems that are far easier to use. you go and vote, and it registers the vote they think you should have voted.

It's far more accurate and eliminates problems.

Re:Science Fiction!

Yeah, and I mean typewriters worked for ages without having to use Office software, we could go to the moon with a computer that was slower than a modern calculator, and speaking of voting didn't it work just as well without black people and women interfering?

I tell ya, things used to be just perfect the way they were, progress just ruins society.

Re:Science Fiction!

Brazilian cities were able to know the election results in the same day of voting, before midnight. That's pretty damn efficient.

Furthermore, as fas as trusting or not trusting goes, voting with pen and paper is not as perfect [wikipedia.org] as one might think.

Re:Science Fiction!

Brazilian cities were able to know the election results in the same day of voting, before midnight. That's pretty damn efficient.

That's nothing, here on Argentina, we're able to know the election results months before voting. God bless democracy!

Re:Science Fiction!

I trust a paper more then some bits. Can you abuse it and do forgery? Yes, but with paper it is much harder. Try changing my vote on a piece of paper. Then try changing some bits in a PC. Now tell me which one will be noticed first.

This is not about if paper is perfect. It is about if it is closer to perfection then a computer and it is.

The goal is not speed.

Re:Science Fiction!

What the hell? Citation direly needed! I AM a Brazilian (you insensitive clod). And I can tell you the election is one of the few things I can say work pretty well here in Brazil. Just throwing a bunch of horror stories around seems to work pretty well on our non-informed moderators, though.

Totally different from the rest of the world.

Actually, it's pretty similar to the rest of the world. Voters are mostly uninformed on the issues and uninterested in getting informed.

Re:Science Fiction!

It has worked? I am not so sure about that, for an election to work it has to be void of frauds and offer some guaranties to the electors, like anonymity. Election are not a simple problem, in fact is a very hard one.

The elections on Brazil seem to work fine, in fact many of the "left" parties (Brazil has many political parties) felt their numbers get better after the electronic voting was installed. But the system, as it is now, gives no warranty on how the votes are counted, you have to trust it is working and has not been tampered and as far as I know the code and designs of the voting machines are not open for review by the population.

I trust that the system work, it has shown consistent numbers with the election day pools and as I said the system has been show to give results that are bad for the current government, that is the one witch could more easily tamper with the election, several times.

Re:Science Fiction!

I trust that the system work

That's fine for you, but one principal of a democracy is that the vote is open and transparent. When there's a vote, I can go to the voting place and control that the process works fine. I can verify almost everything important first hand (at least in Germany, where I live). With voting machines, only a few people in the whole world can control the system. Even if the software is free, there are only few people who understand the source code and can verify it. The vote is _not_ transparent.

Oh, and don't tell me that voting machines are unhackable. Here [youtube.com] you can see a voting machine being hacked in 60 sec.

So, you have vs. .
I agree, that elections are not a simple problem, but pen&paper is a simple solution and at the moment the best.

When will we have web based voting

We have web based banking. Why not web based voting?

If anyone thinks I care more about who I vote for than the money in my bank accounts (and my liability for debt) they're disillusional. The politicians are all just different monkeys screeching different things that suit them. In the last election I voted for (mandatory council elections) I didn't know or care about the candidates who'd only shown their faces 2 weeks beforehand. On the ballot I wrote "Fuck them liars all. This form of democrasy a joke". Am I the only one that thinks it's hilarious that we can bank online but not vote online?

Re:When will we have web based voting

We have web based banking. Why not web based voting?

Risk of fraud. Under the current system I can't go out and bribe, blackmail or threaten voters, because I have no way of determining whether or not they voted as I asked. 'Vote for X or I break your legs' doesn't work if I cannot find out whether or not any given person actually did vote for X. But while you can take steps to ensure that the polling booth is private, you can't say the same for an internet terminal whose location you do not know and whose configuration you do not control. For all you know the voter's boss is watching him as he votes for the candidate who will restrict workers' rights and remove regulations on abusive bosses.

The moment there's a way a person can prove who they voted for to a third party, the secret ballot is dead.

Re:When will we have web based voting

Actually, in Estonia, there has been web-based elections a year ago. The national ID card has PKI certificates in it and this cryptographically makes it safe. There's more information on the net, ie
http://en.wikipedia.org/wiki/Electronic_voting_in_Estonia

Re:When will we have web based voting

The difference is that you trust your bank with your money. You trust they will not steal from you and protect your privacy. You can check that they are not stealing from you.

If you vote on a third party website, you'll trust it with your votes, and its secrecy but, contrary to banks, you will have no way of checking that your vote is correctly accounted for.

Re:When will we have web based voting

There are three problems that must be tackled by voting syst m :
1. Anonymity of vote (nobody can tell who I voted for)
2. No third party of trust (I do not need to trust anyone, especially thos organizing the election)
3. Trust of count (The votes are correctly counted and totalled)

There are surprisingly little literature around cryptographic system designed to solve these three problems. All the electronic voting system that I am aware of rely on the revocation of one of these properties.

Next step is a paper trail

This is great

• Licence money saved (even small ones)
• No forced obsolescence of machine by "technology enhancements" and upgrades
• No locking down of SW because some source "trade secrets" or "company secrets"
• Possibly produced localy and therefore good for the economy. (I do not think we should buy everything from china)

I do really miss a paper trail, that is needed in case there are doubts of "fraud", we do not want such doubts, do we ?

IT is a trap !

Open sourcing the software changes nothing to the fact that it is impossible to check how the votes are tallied. It just takes two bytes change in the binary to reverse the results of an election. In a world where the task of counting votes can be done by a machine small enough to fit into a smart card, you'll never be sure that the code published is the code running if you don't want to trust the officials organizing the vote.

This is a step back from paper ballots.

Review of the voting machine by a poll worker

I work at the polls here in Virginia, and we have an electronic voting machine. Here's my review of the Brazilian device compared to ours:

• No touch screen on the Brazilian box, just a key pad. This is a great feature. Touch screens are not that easy for elderly people to use. They are unfamiliar with the concept, and, worse, tend to lean on the screen for support, causing the mouse pointer to jump all over the place. Simpler would be better, and a keypad is much more universally recognized.
   
• 20 hour battery life on the Brazilian box. Having a battery that can last for the entire voting period means that even in the event of a complete power failure, the vote can go on. A great feature. We have battery back-up on our machines, but they last only 2-3 hours.
   
• The Brazilian box looks much more rugged that our machines. I bet they could take a drop onto the floor. Our machines are not bad for PCs, but there's no way they would survive a fall.
   
• Lower cost. The Brazilian box costs $1000; ours cost $5000. Lower cost means more machines.
   
• I couldn't tell how the ballot is entered on the machine, but it doesn't look like they use a PC Card to load the ballot each time, the ballot is loaded just once, and then voters vote. I've never liked using the card readers; if they get misaligned, you have to swipe the cards "just so". If a swipe fails, the vote has to be voided. If the swipe failure causes a hardware lock, the machine has to be rebooted. If the machine gets rebooted too many times, we have to take it out of circulation. A lot of potential trouble caused by a simple I/O device! Better to be without it.
   
• Neither the Brazilian box nor mine is truly auditable. Ours at least has a paper tally report that gets printed at the end, so one could trace the tally on the flash drives to a tape. But there's no way to do a human recount on either machine. I have some heartburn over this, but with good voter registration controls, there are cross-checks that can be done to lower the security profile considerably. For example, we keep a paper tally of the number of voters, and each hour we cross-check the paper tally against the machines. If the machines show a different headcount than the paper, we investigate immediately. In my experience, the fault has so far always been on the human, paper side (but I'm relatively new at this.)

In any event, I think SL geeks are obvious choices to volunteer to be Officers of Election. We know the vulnerabilities of the technology, and have the necessary attention to detail to appreciate the kinds of auditing checks that need to be done to run a fair and open election.

About the Brazilian voting system...

Some people who work during the elections are volunteers. while others are drafted by the Superior Electoral Tribunal. You can still not go there and do your job as long as you have a strong justification (like not being in the city you vote on the day of election). There is no voting 'in transit' i.e. voting in another city, or in any other 'electoral college' besides your own.

As a compensation, you get a 'lunch ticket' and a letter which entitles you a 1-day off so you can compensate your day working on the Sunday election (just give the letter to your employer, he cannot refuse you the day off, it's part of the electoral law)

By 5:00 PM, no one else can vote. If there is a line, people are given numbers ad only those with numbers in line can cast their votes.

once the last voters finish, the voting system is set to 'closed', meaning no more votes can be computed. at least three paper trails are generated, for three of the people in charge of the voting table. Any one can go there and ask for an extra paper trail, such as me and you. usually, a few people ask for additional paper trails on behalf of their own parties. You can check the paper trail gainst the voters registered for that college, to see if there are any irregularities.

Potentially, a parallel vote counting can be set up, completely contolled by the population, just using the paper trails generated at the end of the election.

The president of the table then takes the machine to the Electoral Tribunal and there they pick up the internal data and do the vote counting.

IMO it's reasonably resistent to tampering, and allow for parallel counting, which makes it resistent to frauds. Yeah, being open source would help for sure, and setting up a country-wide parallel vote counting would be very hard, but it is possible.

I believe the U.S. should just license our technology and be happy with it ;-)

Re:How it's done

Is like this.

Oh well, I'm sorry that you Americans will have to put up with your Diebold chosen masters in the next election... hope it doesn't turn out too bad for you.

From the wiki:

In 2004, Diebold-Procomp decided to migrate to Linux as a cost reduction measure.

Why?

I don't see any of the problems resolved.

You can still tamper with the system and there is no verifiable audit.

I don't know that the underlying choice of OS was biggest problem (if I were building it, sure I'd choose Linux) - there are more fundamental process issues that are at fault. Namely, that someone could tamper with the election and no one could (dis)prove it.

Re: Why?

At least, here in Brazil, the election results always match the exit polls and no serious allegations of tampering were made. We've been using this system for 10 years without any major problems.

Something that the Americans could learn from the Brazilian system is the simplicity of its use: no touch screen, you just type the number of your candidate in a keyboard that is the same used in telephones and then press a huge green button.

In defence of the US

Looking at this here:
http://en.wikipedia.org/wiki/Elections_in_Brazil [wikipedia.org]

About half way down it lists the result of the 2006 election : couple of points on that:
(1) There are a lot of parties (~30)
(2) They have low overall control within the parliament (15% max)
(3) The socialists are on top
E-voting or no, if the socialists were to rig the election (a) it would be obvious that they did it, (b) they would have to go all out to make any kind of difference, (c) they are unlikely to have the corporate influence necessary to pull it off and (d) there isn't much you get for it.

In the US, on the other hand, there is effectively two parties each with ca. 50% of the electorate each, so rigging the election is (a) worthwhile and (b) easy to get away with. On top of that the Republicans are very good friends with the people that make the machines, and finally, you get to be 'leader of the free world' and all your buddies get rich.

Means, motive and opportunity - right there. The interface is the least of their worries.

Re:How it's done

Crappy software running on linux is just as easy to rig...

the problem with Diebold is political not technical

Re:How it's done

All the IP is owned by the Brazilian Government. Diebold is just the assembler with the lowest price.

Not that it makes the machine secure, it is just slightly better than the US situation.

Re:Great!

Now where is the link to the source code and how can I verify that it is the code that was really running on the machines?

As a matter of fact, contrary to what Wikipedia says, the source code *is* available. The Ministério PÃblico (something like the public prosecutor in US), the OAB - Ordem dos Advogados do Brasil, an organ that congregates all lawyers in the country and any of the political parties can have access not only to the source code but to the compilation, digital signing and installation process. They also can run simulations and test the system for security and fraud and request any ballot to be audited. The whole software and data is also available for 2 years after the election. During the election days, representatives of any party can stay at any polling station to be sure that the election is not being rigged in this point. Personally, I think our system is quite secure and would require a major conspiracy involving basically everyone.