One of the creators of the TSE electronic voting machine tells how it works
Launched in 1996, the device was adopted in the country in elections from the year 2000; EXAME clarifies doubts about the use of the ballot box and the safety of the equipment
THE electronic voting machine It has been part of the Brazilian voting process since the 2000s and has periodically undergone various security enhancements since then. But after all, How did the idea of the electronic voting machine come about? And which path does she follow until she gets to the voting booths? With an eye on clarifying these doubts, EXAME talked to Giuseppe Janino, independent consultant in digital elections, co-author of the Brazilian project of electronic voting machines, with a 25-year career in the Electoral Justice. “The election was a very long process before the arrival of technology and made this democratic process difficult for a relevant part of the population, such as people with visual impairments and illiterates. With the electronic voting machine, this scenario has changed quickly, being perfected every year”, he says.
In the interview, the specialist addresses issues ranging from the implementation of the electronic voting machine in Brazil to the details of the security processes through which the device goes through each electoral cycle. See the full interview below
How did you get into the electronic voting machine project and how did this idea come about?
The great motivator for the introduction of the automated digital process in the Brazilian electoral system was precisely the scenario we lived in 30 years ago: a conventional institution, where people voted on paper ballots. These paper ballots were deposited in canvas urns, placed on top of tables – called counting tables – and we identified the ballots, then counted and published the results. In other words, we had a lot of human intervention, which brings much more risk compared to the automated process.
To cite some risks of the paper process, are the slowness and greater probability of errors. Not to mention the frauds – some were already well known. An example was the urns that already came with votes inside, people who asked voters for blank ballots to be filled in another place, subtraction of votes, inclusion of other votes in the counting table and the subjective interpretation, of taking a scribble in a cell and , depending on the interest, count the vote for one side or the other.
That is, it was a process impregnated with errors and time-consuming, taking up to weeks to have the final result. Which brought a feeling that the election was totally discredited. That’s where the motivation to mitigate human intervention in the process came from, using technology.
From 1986 onwards, the national electronic registration was carried out, a single electronic registration of all voters, and from 1996 onwards, the electronic ballot box was created, on the initiative of Minister Carlos Velloso, who formed specialized technology groups at a high level until reaching the group that developed the electronic voting machine. I entered this group, first in the first contest of the Superior Electoral Court in 1995 and, when I entered, I was placed in the group that was developing the engineering project of the electronic voting machine and that I had the honor of being one of the authors of the project.
In these 25 years of evolution of the process, I followed everything. The moment technology was embarked on, the process began to evolve at the same speed as digital advances. This resulted in several facilities and mainly credibility for the electoral process, as exclusive features of the digital environment, such as the guarantee of integrity, authorship, traceability, protection, auditing methods, all of them inherent to the digital paradigm, were included in the process, bringing speed and credibility.
How was the process of implementing the electronic voting machine?
It wasn’t easy, it required a lot of effort from the teams that were there. On the development side, designing the equipment, which was 100% designed for Brazil, including both legal and cultural characteristics, was a starting challenge. At the same time, the difficulty in conveying that the process was responsible for the voter, making him able to assimilate well the change from the conventional to the automated process.
There was a great campaign to publicize the new way of voting with electronic voting machines in squares, churches, shopping centers, bus stations, putting them on TVs, etc. in the sense of giving the greatest possible visibility for the voter to know how he should vote.
In the end, the result was very positive. The voters assimilated it very well. Because, in fact, he types on a keyboard that has the same layout as a telephone (or cell phone) keyboard, as he types the number, the candidate’s photo appears. The green key confirms the vote. If he wants to vote blank, he votes for the white key and if he has to correct he has an orange key where he clicks and sees the candidate’s photo again.
It is very easy, even for the visually impaired who were on the sidelines of the process. The keys have both Braille and audio devices, where earphones, it is possible to click, plug in the phone and start listening to what is presented on the screen before making your vote.
What were the main changes that the electronic voting machine has gone through in the last 25 years, speaking of technology?
There is always a cycle every two years to acquire new urns, to replace those that have been in use for more than ten years. In this process, there is always technological updating of electronic components, both components with greater processing and memory functionality and also that enable the inclusion of security and auditability mechanisms. Then, the urn is always evolving in terms of hardware and also accompanying the development of software. That is, let’s say that each cycle, each equipment developed, it always comes with a technological update and the software also evolves.
An example of this is the biometric identification of the voter. It appeared in the 2006 edition of the ballot box and was included there as a device that guaranteed voter identification, a technological feature that analyzed fingerprints. There was a work developed in terms of incorporating technology based on the principle that no two fingerprints are the same in the world, it is an example of the technology to include, recognize, identify and carry out an accurate process of voter identification, among several other mechanisms, in addition to various encryption improvements, digital signatures, and other auditing elements that were developed and introduced into the process. There is plenty of evidence of the process updating as technology evolves.
How many security and auditability mechanisms do you have today? How is it possible to prove that an urn has not been rigged?
Sometimes the hypothesis arises that the printed vote would make the ballot box auditable. This is a fallacy. Today we have more than a dozen audit mechanisms that are included in the process, thanks to digital functionality and paradigms.
For example: the digital vote record. Instead of printing the vote, the ballot box has been doing this since the 2004 elections, which is the digital record. It records in a sort of spreadsheet the vote that is typed in the ballot box, in a random way, so that there is no possibility of relating the first vote with the first person who voted that day and breaking the secrecy of the vote. If there is any change in the data in this table, the electronic signature of the ballot box no longer matches. After the election, these data are delivered to the political parties, which make it possible not only to carry out the recount but also to carry out the independent calculation and totaling of the TSE. This is only guaranteed in the digital paradigm, which is a table, a file, with that I can distribute 100% of the votes, to 100% of the political parties in 100% of the sections.
Before voting day, what we call “sealing” is done, which is a kind of shielding of what was seen and is frozen in a mathematical process, in which each program is taken through an algorithm that generates a digit verifier. Just as there is the CPF check digit, whose objective is to guarantee that the numbers were typed correctly, here something similar to that is done with the program file that goes to the polls. If I change a period, a comma, a line, the check digit no longer matches and with that I [TSE] I guarantee the integrity of all programs and I assure you that they can go to the voting booths.
After that, various authorities digitally sign the ballot box program with their digital certificates. Several authorities such as the PGR, president of the TSE, president of the OAB, all sign together with their respective certificates, generating a single signature. This guarantees an additional attribute, which is authorship. That is, wherever these programs are, signatures can be verified. If the signatures match, it means that the programs are intact, and it ensures that they are authored by the TSE. After this process, a copy of the software codes is kept in the safe room of the TSE room, so that they can be verified at any time.
After this copy has been stored in the safe room, then it is distributed to the regional electoral courts and the courts insert this software into the electronic voting machines through a public hearing. In each regional court, a summons is made in which political parties, OAB, Public Ministry are summoned. At the moment, parties can request verification of signatures. To really see that the ballot boxes are authored by the TSE, intact and original.
After the software is entered into this public hearing with these witnesses, the ballot box is sealed and loaded onto the polling stations. The moment it is turned on, the first thing the urn does is read the signatures again. If the signatures don’t match, the urn doesn’t work. So there is no possibility of software that is not authored by the TSE, that is, the same copy that is in the safe-room and that has somehow been tampered with, works in the electronic voting machine.
Another element is the so-called “log” of the ballot boxes, which works as a kind of “black box” for the ballot box. It records everything that happens with the ballot box, from the moment it is installed with the software, it starts to compute everything that happened: date and time when it was turned on, off, time when it received the first voter, moment when there was a breakdown, whether it was replaced or not, time when it issued bulletins, etc. If any changes are made to this process, the digital signature does not match and the urn does not work.
These are some of these processes, we have more than a dozen, I could mention several others here, but just to demonstrate how much is gained with the digital paradigm in terms of functionality, compared to conventional voting.
Do you believe that it will be necessary to insert any more security steps for the next elections?
With each election, there is always an improvement, especially with public security tests, which are a great evolution within the process. Since 2009, the TSE has opened its systems for any Brazilian citizen over 18 to apply and check the security of the ballot box. Highly qualified people participate in this test, such as experts from the federal police, universities, master’s, doctoral students and other people who have knowledge in technology. So there is always an evolution in the electoral process.
The TSE even pays accommodation for anyone who is able to test the software and demonstrate where the weaknesses are. In this process, programs are opened, access to algorithms is given, and the TSE makes the urn available, opens the urn, deactivates various security barriers to make the hacker’s life easier, so that he can make his plan of attack.
As people move towards the data, this is recorded by the TSE. The agency makes the corrections and calls the hacker again to test if he can pass again. Only then do we have a very large evolutionary process because we are provoked by society itself. To date, there have been more than 50 attack plans. And, in the end, the ballot box only goes to the election when these barriers are effectively fixed or strengthened.
The TSE has been obliged to carry out this process since a 2015 decision. This means that the system is improved, especially in terms of safety, constantly, with the participation of society.