Brazil: Certification, Source Code Review and Testing
Last updated on December 17, 2013
In the elections held from 1996–2004, the code used in the electronic voting machines was developed by private sector firms. In the initial 1996 elections, Unisys contracted a company called Microbase to develop the software. Microbase used a proprietary operating system called “VirtuOs,” whose code base was not generally available for auditing. In models developed for the 2002 and 2004 elections, Microbase used Windows CE as the operating system. In 2006, the TSE transferred software development to their internal team, and in 2008 adopted an operating system based on GNU/Linux.
The TSE reserves final authority over the source code, so no outside authority certified the code used in 1996 or in subsequent elections. The electoral law mandates that the TSE make the final source code available to political parties and, after 2003, the Bar Association (Ordem dos Advogados do Brasil or OAB), 120 days before the election. Activists and academics say that the TSE failed to comply with this requirement for the 1996, 1998 and 2000 elections. After 2000, in the wake of heightened scrutiny of the system, the TSE began to allow outside actors to review the source code, but interviews with activists and congressional staffers indicate that only two parties – PDT and the Workers’ Party (Partido dos Trabalhadores or PT) – regularly participated in the audits. PDT typically has computer scientists affiliated with the party examine the code, while PT hires an outside company. The OAB expended considerable effort and money prior to the 2004 elections to audit the code by hiring an outside company and examining the software in various states, but has conducted only minimal auditing since 2004 because of costs and a lack of internal capacity. Civil society groups and computer scientists have criticized this auditing process. Computer scientists object that auditors must sign a non-disclosure agreement, so any problems found during the audit are never made public. Auditors also point out that only a few days are allotted for auditing, and that the examination takes place under tightly controlled conditions on the TSE’s own computers, which is insufficient for a comprehensive review of the code.
Academics and the OAB have also reported that there have been cases where the code has been modified after it was given to the parties, meaning parties did not audit the final version of the code. The TSE has argued the code needed to be modified for technical reasons, but has not fully explained the changes.
The first comprehensive, independent and nonpartisan audit of the full electronic voting system code and equipment was conducted in 2001 and 2002, several years after electronic voting was adopted, by eight computer scientists at the State University of Campinas (Universidade Estadual de Campinas or UNICAMP). The UNICAMP team concluded the system was “robust, secure, and trustworthy,” and made eight recommendations for improving it. These recommendations focused on how the code is maintained and developed from election to election, as well as details of the cryptographic signing mechanism. According to the TSE, all recommendations in the UNICAMP report were incorporated into the system after its publication. Since then, the TSE has sponsored a few additional independent audits of the code, generally by university researchers. For example, a 2002 report by Jeroen van de Graaf and Ricardo Felipe, computer scientists at the Federal University of Minas Gerais and the Federal University of Santa Catarina, respectively, found the electronic voting system to be an improvement over the paper ballot system. The authors, however, also criticized the limited time made available for political parties to audit the code. They emphasized the limited utility of the cryptographic authentication safeguards: observers have no way to know whether the signature checks are actually functioning on the machine in front of them. Van de Graaf and Felipe argued for a voter-verified paper trail as a means of enhancing the auditability of the system.
Beginning in 2009, the TSE organized public tests of the system, inviting computer scientists and interested parties (“hackers”) to attempt to find external vulnerabilities in the electronic voting system. The first test, in 2009, did not provide access to the voting machine code; the 2012 test did. Participants in the 2012 test were given only three days to design, execute and evaluate attacks on the system. Further, access to the source code was limited, as only four computers with the source code were provided; given the number of participants, this left each team little time to actually examine the code. Basic tools for searching and evaluating code, such as “grep,” were also unavailable. The security tests focused solely on the voting machines, not on other aspects of the system.
One of the teams that participated in the 2012 test succeeded in compromising the anonymity of the vote. After each election and for each machine, parties are provided with a list of the individual votes cast (without any identifying information about the voter) in a randomized order. The team of computer scientists from the University of Brasilia, led by Professor Diego Aranha, discovered a flaw in how individual votes were stored that would allow parties to recover the precise order in which the votes were cast. Recovering that order is what breaks anonymity: anyone who also knows the order in which voters signed in at the polling station can pair each vote with a voter. According to the TSE, the vulnerability identified by Professor Aranha has since been fixed.
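The page does not describe the mechanism of the flaw. The following is an added illustration, not the TSE’s code and not a description of the actual machine, of how a “randomized” vote list can still leak cast order: it assumes, purely for the example, that the shuffle is driven by a seeded pseudorandom generator whose seed can be learned from public records of the session. Anyone with the seed replays the permutation and undoes it. The hardened variant draws the permutation from the operating system’s CSPRNG, so there is no seed to publish or guess. The vote list and seed value are constructed sample data.

```python
"""Added illustration (not TSE code): why a shuffled vote list can still reveal
the order in which votes were cast, and how a CSPRNG-driven shuffle avoids it."""
import random
import secrets
from typing import List

# Constructed sample: 20 votes on one machine, in the order they were cast.
# Only the chosen candidate is stored per vote; the voter's identity never is.
CAST_ORDER: List[str] = list("ABACBAACBBACAABCABCA")

# Assumption for illustration: the shuffle's seed is a value that also appears
# in public records of the session, so an observer can learn it. Hypothetical
# value; the real flaw's mechanism is not described in the text above.
PUBLIC_SEED = 201210190800


def permutation(n: int, rng: random.Random) -> List[int]:
    """Indices 0..n-1 in the order the given generator shuffles them."""
    order = list(range(n))
    rng.shuffle(order)
    return order


def weak_shuffle(votes: List[str], seed: int) -> List[str]:
    """Stores votes in an order derived from a deterministic, seeded PRNG."""
    order = permutation(len(votes), random.Random(seed))
    return [votes[i] for i in order]


def recover_cast_order(stored: List[str], seed: int) -> List[str]:
    """Replays the same seeded permutation and inverts it.

    stored[position] == votes[order[position]], so writing each stored entry
    back at order[position] reconstructs the original cast order exactly.
    """
    order = permutation(len(stored), random.Random(seed))
    recovered = [""] * len(stored)
    for position, original_index in enumerate(order):
        recovered[original_index] = stored[position]
    return recovered


def strong_shuffle(votes: List[str]) -> List[str]:
    """Stores votes in an order drawn from the OS CSPRNG.

    There is no seed to record or reproduce, so the permutation cannot be
    replayed; the stored list is a permutation of the votes and nothing more.
    """
    order = permutation(len(votes), secrets.SystemRandom())
    return [votes[i] for i in order]


if __name__ == "__main__":
    stored = weak_shuffle(CAST_ORDER, PUBLIC_SEED)
    print("cast order         :", "".join(CAST_ORDER))
    print("weak, as stored    :", "".join(stored))
    print("weak, recovered    :", "".join(recover_cast_order(stored, PUBLIC_SEED)))
    stored = strong_shuffle(CAST_ORDER)
    print("strong, as stored  :", "".join(stored))
    print("strong, best guess :", "".join(recover_cast_order(stored, PUBLIC_SEED)))
```

The point of the example is that shuffling alone is not the safeguard; the safeguard is that nobody outside the machine can reproduce the permutation. Any design in which the permutation is a deterministic function of data that also leaves the machine (a timestamp in a printed report, a counter, a machine identifier) reduces to the weak case, regardless of how good the shuffle algorithm itself is.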
The TSE also allows a form of auditing that it calls the “parallel vote.” The day before the election, two electronic voting machines in each state are randomly chosen for testing by representatives of the parties and the OAB. After the machines are selected, party and civil society representatives go to where the machines are located and bring them back to the state election headquarters. The observers can then cast test votes and check whether the machines record them correctly. According to the TSE, this parallel vote procedure has never found any irregularities or problems. Some computer scientists have criticized the parallel vote because it occurs a day before Election Day: in their view, the system could be manipulated between the time of the parallel vote and the start of voting on Election Day.