Another election day in the US is rapidly approaching (Tuesday, Nov. 8—mark your calendars!). Millions of Americans will take to the postal system or head out to local polling places in order to file physical ballots, but why is that custom still in place despite our increasingly connected and mobile society? To that end, we’re resurfacing our close examination of e-voting around the world from the last election cycle (November 4, 2012).
I live in one of the most wired parts of the United States—the San Francisco Bay Area—but for the presidential election, I’ve already voted by mail. On a piece of paper. From the comfort of my living room. Between folks like me who vote by mail and everyone else who votes by marking paper in some way, we comprise about two-thirds of all American voters. Approximately 25 percent of all Americans, however, will use paperless and electronic voting machines to cast their ballots on November 6.
Around the world though, these percentages don’t hold. An increasing number of countries are beginning to tackle e-voting with gusto. Estonia, Switzerland, Spain, Brazil, Australia, India, Canada, and a handful of other countries have all held elections through the use of electronic voting machines in recent years.
E-voting was supposed to solve many of the problems inherent in traditional paper voting: it’s difficult for illiterate people to vote, it’s difficult to get physical paper out to all corners of a country (voters abroad can submit their ballot much more easily), tabulating the results takes too much time, physical ballot stuffing or ballot swapping can occur with little or no verification. With an electronic ballot, it’s also, of course, easier to tweak ballots in other languages or to make them available to blind or deaf voters. As recently as August 2012, advocates in Pakistan and the Philippines called for the expansion of e-voting in their respective countries.
Currently, there are four major types of e-voting around the world that are worth keeping an eye on: Brazil’s homegrown direct recording electronic (DRE) setup, Australia’s open-source software, Estonia’s Internet voting, and a Spanish startup’s efforts to expand what’s been called “crypto-voting.” Each of these approaches has its own unique set of problems, but the primary obstacles they present for many voting officials and computer scientists is their lack of ability to verify source code and expense.
From dictatorship to e-voting in just over a decade
Surprisingly, Brazil has one of the world’s oldest electronic voting systems, dating way back to 1996. While Brazil certainly is a vibrant (and huge, at 195 million people) democracy, it’s a rapidly developing country—you do know it’s the B in BRIC, right? Brazil has gone through significant economic and political change in recent decades. It wasn’t until 1985 that the country was rid of its military dictatorship, yet, just over a decade later, the country had implemented a locally designed and produced electronic voting system.
As recently as 1996, the country still had 15 percent of the country that could not read or write. That meant a significant portion (over 23 million Brazilians at the time) of the country were effectively disenfranchised from voting.
The DRE machine, known locally as an urna, is about the size of two or three stacked hardback books, and it has a small screen on one side with a keypad on the other side. The machine displays a list of candidates, along with their pictures and the numbers associated with them. Voters use the keypad to type in their preferred number—the device only allows one number to be pressed at a time.
Voters then receive a printed stub confirming that he or she voted. Each DRE device has two flash cards, which store a digital record of the vote count. The cards are removed at the end of the election and the vote totals are sent electronically to the Regional Electoral Office, where national vote counts are tallied within just several hours.
“Nowadays we have 450,000 digital ballot boxes in Brazil,” Antonio Esio from the Regional Electoral Office in Sao Paulo, told the BBC in 2008. “We are making more each year because the number of voters is increasing around six percent every election.”
Before the electronic system, voters were required to hand-write the complete names of the candidates and their parties—something many illiterate people were unable to do.
“By adopting it, you are enfranchising voters who might be disenfranchised by complicated ballots,” Tiago Peixoto, a Brazilian researcher with the ICT4Gov program at the World Bank, told Ars.
However, by 2002, some critics in Brazil countered that by relying on an electronic device, there was little actual voter verification. To use industry parlance, there was no way to verify that the vote was cast as intended and counted as it was cast. So printers were added, which showed the vote on a piece of paper protected behind plastic. Two years later, Brazil eliminated the printers, as they were too costly. The printers were slated to be back (Google Translate) for the 2014 election, but they have since been suspended a second time.
By 2008, the entire software running on the DRE machines was rewritten by developers contracted by the Brazilian Superior Electoral Court. Six months prior to any election, people who have been accredited by the Court are allowed to come in-person, “in an environment controlled by the Superior Electoral Court,” where experts can examine the source code, under a nondisclosure agreement.
Diego Aranha, a professor of computer science at the University of Brasilia, was one such expert. But, he said, he and his team were only given five hours in which to examine millions of lines of code—nowhere near adequate to perform a proper audit.
One major flaw he found was that the digital votes are randomly shuffled, as a way to provide extra security while in storage. However, the algorithm to provide that randomness is given a non-random seed: the timestamp.
“I made this assumption because I know how many times people have got this wrong,” he told Ars. “They used a really, really bad pseudo-random number generator available: the seed was a timestamp in seconds. This is mission-critical software! This is our software for our democracy.”
Despite these problems, so far, Brazil has used its DRE system in its various iterations for nearly two decades without any major political dispute over their use.
In an academic paper published in a forthcoming book, Aranha concluded: “The necessity of installing a scientifically sound and continuous evaluation of the system, performed by independent specialists from industry or academia becomes evident and should contribute to the improvement of the security measures adopted by the voting equipment.”
Looking inside the black box Down Under
“It’s a black box.” So goes the common refrain from computer scientists and cryptographers who work on electronic voting. In other words, no one can be completely certain the computer code running on a given device does exactly what it’s said to. Worse still, no one can ever know the software running on the voter’s computer is precisely the same version of the software that was initially certified.
But for over a decade, the Australian Capital Territory has figured out a way to solve this problem (in use across a handful of voting locations): just make the software open source. The software runs on older PCs running Linux and offers ballots in 12 languages. There are also ballots available for illiterate, blind, or deaf voters.
Each voter receives a barcode that is read by a scanner attached to the computer. Once the code is scanned, it resets the software to be ready to receive a vote. Once the ballot is complete, the card is swiped a second time to cast that ballot. The barcodes are not connected to an individual voter, but the software is designed to only allow one vote per voter. The votes are counted electronically, digitally signed, and sent to a server on a local network.
“We wanted to make it something that people would find trustworthy,” said Phillip Green, the electoral commissioner for the territory, in a recent interview with Ars.
“We’ve likened it to a normal election process where if you’re doing it by hand, everything is available to scrutiny,” Green said. “We shouldn’t have a black box, where you don’t know what it does. Open source code was the way to solve the transparency issue. So we get the code audited by a professional company and they’re looking for areas in the code that what comes in doesn’t come out and that there’s nothing in there that would allow someone to maliciously change votes.”
In addition, there’s a software keylogger making sure what’s typed in actually matches the votes that were recorded, as a way to prevent fraud. Green added the IT faculty at the Australian National University in Canberra use the source code frequently as a security auditing exercise for its students. This system has run more or less without any problems since 2001.
But if it’s so great, why don’t other states and territories Down Under use it? There’s no real reason, but like in the United States, state and territory voting laws and regulations are set at the state level. The ACT has chosen to go open-source, and there’s nothing stopping the country’s bigger states, like Victoria or New South Wales, from doing the same.
The decision largely has to do with size and expense. The ACT, Australia’s smallest territory by population, is home to about 365,000 people. (My home city of Oakland, California is bigger!) Only about two-thirds of the population are voters. Nationally, the country has around 15 million voters—so ACT voters represent less than three percent of all voters nationally.
“There’s no practical reason why it couldn’t work these, but it’s a hardware ,” Green added.
“We’re getting out of our system cheaply by borrowing hardware. We’re part of [the] ACT government computer system and we get monitors that are coming off refresh cycles. We either get the new ones before they get them or the old ones coming off; we’re borrowing monitors. We get out of it pretty cheaply by trying to find cheap and innovative ways, and because we’ve only got five voting locations, we can get away with that. [Other states] might want 50 to 60 sites, and would have difficulty borrowing equipment. It’s several thousand dollars per machine by the time you get the hardware together.”
Still, despite the success of the open-source e-voting setup, Green says its days may be numbered. Even though he has his doubts about the security and openness of Internet-based setups, he believes that it, not open-source e-voting, will “be the way of the future.” After all, Internet-based systems can reduce the cost of hardware by allowing people to just use their own computers.
“We’re looking at it for 2016,” he said in a resigned tone.