The story, how does it work and how is the security of the electronic voting machine?

Once again, as happens every four years, the Brazilian people go to the polls to elect their representatives in the legislative and executive branches.

It is an important exercise of citizenship and one of the bases that underlie the Democratic Rule of Law.

In Brazil in particular, there is an instrument through which the electoral process is facilitated and secured through the electronic voting machine.

Among other things, it is said that it came to make the process as a whole faster and safer, but there are those who question its usefulness, its importance and, above all, its safety, often due to lack of technical knowledge on the subject and sometimes due to misinformation and fake news.

But how does the electronic voting machine work? Is the electronic voting machine safe? Can we trust its use and, consequently, the results of the elections?

These are some of the most common questions and some other related ones, which the correct information is able to answer, so that everyone who is going to exercise their constitutional right in the next elections, rest assured about its role and importance for our democracy.

How the electronic voting machine came about and history

Until its The emergence of the electoral process in Brazil took place with voting on paper ballots, which required complex logistics and the counting was time-consuming and susceptible to various problems, such as, for example, in the 1994 election of the then candidate for the Presidency of the Republic, Fernando Henrique Cardoso, whose officialization took place only 14 days after the plebiscite and which, despite the delay, was considered the fastest calculation in history, even at the time of the paper vote.

Two years later it would appear, the electronic voting machine.

In the 1996 mayoral elections, for the first time voting would no longer be on paper ballots, but using the first model of electronic voting machines.

In that year, electronic voting machines were used in the state of Rio de Janeiro, in the capitals of other states and in municipalities with more than 200 thousand voters, totaling 57 cities in the country.

About a third of the almost 100 million voters at the time , exercised his citizenship in 1996, through the new advent.

The time available did not allow all municipalities to implement the novelty, which, despite the efficiency in the results, was still in the testing phase .

In 1998, in a new presidential election, about two thirds of the electorate could already vote electronically.

It was only in the 2000 elections, that 100% of the electorate was able to exercise their right to vote through electronic voting machines, although there were some problems related to the complex logistics of distributing equipment to all polling places and the operation of certain units, making voting in some sections still as in the past.

Thus, the 2022 elections represent a milestone, since that will be 22 years of democratic exercise with the support of this important device of digital transformation, if we consider when the entire electorate could use it.

How does the electronic voting machine work?

Understanding how the electronic voting machine works, as well as all the procedures associated with counting votes, is essential for us to answer about the security of the voting system and the ballot box.

There was a lot of evolution from the first polls to the current ones, although the apparent part, which is the voting terminal, has undergone little notable aesthetic changes.

They are nothing more than computers with a of hardware and software aiming at its primary function, which is to collect and count electronic voting.

In terms of hardware, the polls are equipped with X86 architecture processors, 256 MB of RAM memory, an LCD display and USB, Serial, SmartCard, PS interfaces /2 and CompactFlash.

The first versions made use of VirtuOS, Windows CE and a system created by the TSE (Superior Electoral Court).

But since 2008, thanks to the Uenux project – Electronic Ballot Box with Linux – electronic voting machines have been using Linux as the operating system responsible for their operation.

Specifically, only one Linux Kernel was used and a customization was developed, generating a single distribution for the intended purpose.

This was an important milestone for Free Software and Open Source.

With Linux, we started to use a system operational process with a lower incidence of errors, offering more transparency and reliability to the process, in addition to the possibility of having greater control over the software, eg. the fact that it is free and open source, contrary to solutions based on proprietary code.

From there, it was possible to create applications, drivers for the hardware and APIs, totally under the responsibility of the Secretary of Information Technology (STI) and the Superior Electoral Court (TSE).

Among the applications, there is VOTA (Voting Software). It is thanks to it that the voter is able to enter the candidates’ numbers, view their data and photo for checking and confirm – or not – for each elective office in the plebiscite.

VOTA is also accessible by the polling station’s terminal, in which he is able to control which voters can or cannot vote in that polling station, checking the voter’s registration number and their biometrics, in the case of voters who have already re-registered to use the printout digital.

Among other functions this application has the following role:

• Issuance of the report called “zerésima”, which brings all the identification of the machine, proves that all the candidates are registered in it and that there is no vote computed for any of them, that is, the urn has “zero votes”. After printing the zerésima, the president of the section, the poll workers and the inspectors of the parties or coalitions that are present, must sign it, and then start voting in the respective section;
• Ensuring the integrity and anonymity of the votes of each voter through a method in which the votes are “shuffled”, so that it is not known who voted in whom, in compliance with the Brazilian Federal Constitution, which determines the secrecy of the vote;
• Determination of the result of the section by counting the votes of each candidate, relative to the respective polls;
• Recording of the recorded files for the totalization with encryption on a CompactFlash memory card – which serves as a local backup of the data – internal to the ballot box and extracted at the end of the process to a kind of USB flash drive, called “Result Memory”, for the exclusive use of the Electoral Justice;
• Printing some views those of the ballot box (BU), 5 of which are mandatory and 5 more optional and which is already the published and auditable result of the election for the polling station and which are signed by the inspectors and by the poll workers and which, after the election, can be accessed on the portal of the Superior Electoral Court (TSE) and at the end of voting, at the polling points themselves and which must be exactly what came out in the BU and was fixed in the electoral section.

In addition, the equipment or hardware that characterizes the ballot box, is composed of two terminals, the one for the polling station and the one for the voter, which is the cabinet in which the vote is cast. is typed, which are connected by a cable, which is not detachable. In addition to this, the only other cable is the one connected to the electrical energy.

In the event of a lack of electrical energy, there is an internal battery that guarantees the operation of the equipment.

There are no wireless (Wi-Fi) connections of any kind, neither to the Internet, bluetooth or of any kind with any external or internal network. There are also no physical connections possible on the case or on the motherboard, to connect it by an RJ45 network cable, for example, or a wireless network card.

As already mentioned, data is stored on two CompactFlash memory cards, to ensure redundancy.

The keyboard is shielded and nothing can be connected to it, either to record what is typed or to change the numbers that are pressed.

Inside the voter terminal, there is a small internal printer, responsible for both the zeréssima and the ballot box.

Once the hardware is turned on, a series of of verifications is carried out, starting with the digital signature of the BIOS and successively with the other elements, such as the operating system, in what is known as a security chain. Exactly as is done when checking authentic software.

If the cryptographic module does not attest to the complete consistency of the environment, the initialization is aborted, preventing the urn from being used.

Absolutely everything that happens since the device is turned on, until the end of the voting process, is recorded in system logs and can be used for later audits and verification of the integrity of the processes.

What is a parallel voting process?

It is a procedure – among many – that aims to verify the correctness of the system’s functioning and which basically consists of randomly choosing between 4 and 5 urns per federation unit, on the eve of the vote and forwarding them to the TRE, where they will be filmed.

On election day, they are connected in the TRE and random votes are inserted, as if they were voters, so that at the end the accuracy and consistency between the simulation and the data contained can be verified. s in the ballot box.

Since 2002, when the procedure was adopted, there has never been any divergence in the results obtained in the parallel voting process.

The electronic ballot box is it safe?

Our purpose is neither to affirm that the ballot box is, nor that it is not safe, but to present facts and strictly technical aspects and in the technologies used, so that when In the end, you can trust or not the electoral process in which it is a fundamental part.

This is because much of the controversy and questions of those who criticize the model, have as a key piece this device that at the same time is so well known, but few know everything that is involved.

In 2009, the Superior Electoral Court (TSE), submitted a set of urns to hackers so that they could try to invade them using only their technical knowledge and imposing restrictions according to real and probable situations in an election.

For 4 days, the 20 experts were not able to es of invading the system, although they have pointed out situations in which they could be successful, which served to implement improvements by the TSE.

This is part of a set of measures, which are known as “Public Security Tests” (TPS), through which your security mechanisms are thoroughly tested, so that it is possible to prove that electronic voting machines are really secure.

In the TPS, the TSE promotes the opening of several of the systems and processes involved, so that professionals and specialists in the area of ​​digital security, carry out attempts to violate the different layers of security, both in terms of hardware and software, aiming to identify any existing flaws.

For the 2022 elections, the test was carried out in May.

In the course of the work to make the solution more robust, several mechanisms were established. According to the TSE, today there are a total of 30 security layers, the main ones being:

• Technicians, employees and poll workers do not have access to the source code of electoral systems, to the internal part of the hardware and therefore, even with physical access to the polls, they are incapable of violating the software and hardware. In addition, once voting is completed, it is not necessary to move the electronic voting machines to the capitals, which is where the TREs (Regional Electoral Courts) are located, which would allow manual interventions along the way, thus reducing the possibility of access to their content and data;
• The transmission of data from each urn is done quickly and securely through a re (VPN) of the TSE, using a kind of pendrive – called the result memory – of each urn, conducted by an inspector, who only has access to the TSE system using a digital certification that allows authentication in the system;
• There is isolation of any types of networks, which means that the urn is not connected to the Internet via physical network or Wi-Fi, bluetooth or any other type of network, nor is there anything in your hardware that makes this possible, even if you want to. Nor does the Linux distribution used and customized by the TSE itself have network connection capabilities and, therefore, changes to the voting systems or the data of each urn, require a possible hacker to have physical access to the equipment to make any changes;
• Every urn has all connection ports and access points / physical openings protected by physical seals made by the Mint , with unique numbering and created according to security criteria that prevent their forgery and/or tampering and that are located at the back of the ballot box, inaccessible to the electorate and free from exposure to everyone in the polling station;
• In each election year, the TSE promotes the opening of the source code of the systems so that specialists can verify possible vulnerabilities. For 2022, after three months of investigation, specialists from Unicamp, USP and the Federal University of Pernambuco (UFPE), were categorical in guaranteeing the security of the ballot box;
• All data that may eventually be tampered with, resulting in its accuracy being compromised and putting the accounting in doubt, such as voter biometrics, operating system kernel, voting machine file system, keys , general voting record and the ballot box, are submitted to individual encryption, which means that even in the face of eventual access, the hypothetical attacker needs the decryption key, without which the data is unreadable;
• For each candidate voted on, the votes are shuffled, so that not even the electoral justice knows who voted for whom. This data is also encrypted.
• The partial results of each urn are auditable through logs and records that the system issues and that include a series of information, such as dates, times, accesses and information that can be used to identify possible violations or unauthorized access;
• The systems used for voting, counting and totaling are sealed and digitally signed in a public event, in which political parties, coalitions, the Public Ministry, the Brazilian Bar Association, called Digital Signature Ceremony and Seal of Electoral Systems and that for the 2022 elections, it took place on September 2nd;
• On the occasion of the event above, the hash is generated, which is a specific code that aims to identify each sealed program. Changing any bit in the program’s source file would cause incompatibility with the original hash, in a process that is similar to that used in the cryptocurrency blockchain. The list of hashes is made available to all participants of the public event and also available on the TSE portal, in order to allow verification if the program used in an urn is the same that was generated in the public ceremony;
• After the sealing ceremony, in the stage of preparing the ballot boxes or even on voting day, the authenticity of the software by the parties, the OAB and the Public Ministry, as an additional measure and proof that the systems present in each device are in fact those signed, ensuring that there was no tampering;
• After the voting in the polling station is completed, each ballot box prints a few copies of the Ballot Box (BU), which are signed by inspectors present and by polling station officials. One of the copies is posted on the door of the polling station and the other is given to the party inspectors present. Thus, each voter, supervisor, party, candidate, can make their own total, adding the votes of each bulletin and comparing them with the TSE data;
• In the ballot box, information regarding the polling station, number of voters who attended and voted, votes for the respective candidates, blank and null votes and voters, have a verification code and which, like the hash, are unique and help to identify inconsistencies in the data. The electronic voting machine contains the records of all voters who vote in the section, including the number of voters, absentees and justifications;
• Votes are stored on two media (CompactFlash memories), one internal and accessible only by physically opening the ballot box and breaking the seals, and another external one, which can be used to proceed with voting in the event of the need to replace a device that has had a defect. For each voter who votes, their choices are “shuffled” to the other data, which are encrypted;

That is, even if someone manages to circumvent all the existing layers of security, they would still need to have physical / face-to-face access to a representative number of polls and later, compromise the auditable mechanisms, such as ballot boxes, memories, seals, hashes and others.

As they say, there is no system or environment that is 100% safe, but the objective is to move in that direction and, in doing so, make its exploitation, if not impossible, unlikely.

In other words, altering the outcome of an election with more than 156 million voters, in more than 460 thousand sections, would require physical access by a huge number of hackers, within a range of time less than the end of voting and the transmission of data by the TSE VPN and in that time, being able to circumvent all the existing layers of security.

It is necessary to remember that the time elapsed between the end of voting and the counting by the TSE, in most cities, is very few hours.

Efficiency and the security of the Brazilian model of electronic voting machines and the process as a whole, has served as a reference for many countries that have already come to learn from the Brazilian model of electronic voting machines and the electronic election process.

Conclusion

In 2022, the electronic voting machine and the electronic voting system will be put to the test more than ever in terms of security and guarantee of democracy.