25 years without fraud: this is how Brazilian electronic ballot boxes work

This Sunday, the Brazilians will decide the political direction of the greatest power in Latin America.

Some decisive elections, led by former president Lula da Silva and the current one, Jair Bolsonaro, and which include the formation of the Chamber of Deputies, a third of the senators and all the governors and parliaments of the states.

President Bolsonaro launched a campaign more than a year ago to sow doubts about the security of the voting system that has permeated part of Brazilians and has given an unprecedented role to electronic ballot boxes.

Two days before the elections, the conflict between the president and the Superior Electoral Court was at a fever pitch.

The electoral authority accused Bolsonaro's party, the Liberal Party, of preparing a report riddled with "falsehoods and lies" about the security of the polls.

The 156 million voters will have to type in five sets of numbers, one for each candidate, and when they see their politician's photo, they will press a green button to confirm their choice.

A quarter of a century ago, Brazil abandoned ballots and embarked on the technology bandwagon by implementing electronic ballot boxes.

The objective was to put an end to the constant fraud of that time and to generate more accessibility, since the millions of illiterate voters could vote without difficulties.

In addition, only a system like this makes it possible for a country of continental size, with 8.5 million square kilometers and more than 200 million inhabitants, to complete the count in minutes.

Until recently, these machines were a national pride, but Bolsonaro's insistence on raising suspicions about electronic voting made the ballot box one of the battlefields of these elections.

To try to calm things down, the Brazilian electoral justice has created a new transparency commission, has multiplied by six the number of ballot boxes that are tested on election day and, a few weeks ago, decided to implement one last additional step to certify the safety of those tests.

These are measures that are added to what was already done to guarantee the robustness and transparency of the ballot boxes.

The Superior Electoral Court (TSE) updates the programs every two years and even challenges

to try to bust the system.

The goal is to stay ahead of the speed of technology and maintain the 25-year fraud-free legacy.

What is the electronic ballot box

The urn is a computer.

Unlike laptops or personal computers, it does not have the ability to connect to any network, the internet or any other computer or mobile;

it was invented not to be able to do it.

It works through the combination of physical components and programs developed by TSE technicians exclusively for the elections.

The only cable that connects to the box is the light cable.

But if there's a power outage, it keeps going: each battery lasts about 10 hours, enough time to run a full day of elections in every corner of Brazil.

Although the urn has practically the same appearance since its creation, each model has new updates in its electronic component and in its programs.

At each election (the interval between the presidential and municipal elections is two years) a reset is made: the 300 technicians of the TSE rewrite the 15 million lines of programming that make up the source code, and this is how they create all the cryptographic elements of the urn.

In total, there are almost a hundred programs that make up a choice from start to finish.

In less than two hours of the end of the elections, it is already known who the winners are

Giuseppe Janino, one of the co-authors of the electronic ballot box in 1996, explains that the main concern of Brazilian justice is to update it with all the new features that technology presents.

“That is why we have a history of almost 26 years without fraud, because there is a continuous and systematic transformation.

Obviously, if it remains stagnant over time without being updated, the ballot box is going to suffer attacks from

that are evolving at every moment”, emphasizes the former Secretary of Technology, who has coordinated the electoral technical team for fifteen years.

Inspection by different institutions (and 'hackers')

One year before each electoral process, 15 Brazilian institutions, including the Federal Police, the Public Prosecutor's Office, the Bar Association and political groups, join the technical team and have access to the source code so that they can review it, ask questions and point out problems.

Federal Police technicians verified the correct operation of the electronic ballot boxes on August 24, 2022 Superior Electoral Court of Brazil

The TSE also carries out a public security examination, when it makes

direct access to the ballot box and all programs available to

Any Brazilian over the age of 18 can register for the event, and upon approval, has the right to create and execute a plan of attack to breach the ballot box for a week.

If any security barrier is overcome, the

returns to the hands of official technicians to fix the bugs and is tested again before the elections.

With the approval of these institutions, the source code is digitally sealed and signed by the authorities.

One copy remains in a chest-room inside the Superior Electoral Court and the others are inserted inside each electronic ballot box.

This card, which now links the commands of the code with the data of the candidates, has an extra security element physically protected.

If anyone tries to tamper with it, it self-destructs.

The ballot boxes are also subjected to an integrity experiment on election day itself.

Since 2002, in all editions, a draw has been made to test the veracity of a hundred ballot boxes: officials simultaneously carry out a vote on paper and in the electronic ballot box, all recorded by video to confirm that the result is equivalent.

This year, the number of tested ballot boxes will rise to 642 to contemplate a questioning of the Armed Forces, which for the first time have raised suspicions about the process.

Of these, 56 will go through the test in the electoral precinct itself, using the fingerprint of voters.

According to the request, this will make the experiment more reliable, although the technicians warn that it can confuse voters.

Digital signatures for all stages

The ballot boxes have electronic signatures at all stages of the process.

Made with encrypted mathematical codes and backed by a digital certificate, this feature guarantees that the information sent has not been altered and that the sender is true.

The urn reads the electronic signatures from its first command, in a verification chain, before executing any action.

And so on with the 30 layers of security.

If one fails, the urn stops operating.

This usually happens in up to 9% of all ballot boxes, which can be immediately replaced by another in a few minutes, without losing the information on the votes.

To verify that there is no vote within your system, before starting the voting, the ballot box automatically prints a receipt, similar to a bank statement, with the names of the candidates.

At term, a new bulletin is printed, listing all the candidates and the number of votes each has received.

One of these copies is posted on the door of the polling place with its QR code, so that citizens can see the results.

It is the ballot box itself that counts your votes and all the information is recorded on three cards, two internal and one removable, with highly complex cryptography.

The removable card is then taken to a registry and connected to a private network of the electoral justice system.

There they are analyzed by artificial intelligence to identify if there are rare patterns, such as candidates without any votes or a single candidate with all the votes.

It is when the central makes the sum of votes from all the ballot boxes and presents them immediately on the internet.

In less than two hours after the end of the elections, it is already known who the winners are.

In the case of places that are difficult to access, such as indigenous villages, the data is sent via satellite to the TSE headquarters and those are the first to arrive.

“It is the contrast of Brazil;

where there are fewer resources is where more is invested in technology”, says Giuseppe Janino.

In 25 years, there was never a proof of disagreement.

The result of the vote is always the sum of the votes of each of the bulletins printed by the ballot boxes.

This content remains intact inside the polls until one hundred days after the elections, a period in which the parties can request the information to carry out an audit.

The ballot box also has a black box that records all the operations carried out, when it is turned on or off, the time and date of each vote and when the result is issued.

New prosecutors in the process

In the face of Bolsonaro's growing attacks on the electoral system, the TSE created a new transparency commission made up of various representatives of civil society, which includes universities and also members of the Armed Forces.

Professor Marcos Simplicio has five urns in his laboratory at the Polytechnic School of the University of São Paulo since January of this year.

The goal of his team is to find loopholes, to break the secrecy and integrity of the vote.

For that, he has full access to the source-code and the complete documentation of the urn.

Simplicio guarantees that he works with "total freedom" to do all the tests he wants and that, throughout the year, his team detected eight points of improvement and attention, although none of them was able to compromise the privacy and integrity of the patients. votes: "I can say categorically that we have not been able to change votes in a non-perceptible way by the TSE."

What they did find were points that could make the system "more transparent."

The professor affirms that such "preventive" suggestions were kidnapped by a political discourse that tries to remove the credibility of this system.

“An improvement in transparency doesn't mean it's insecure,” he replies.

Joaquín Lago Pérez, head of new technologies in the electoral processes unit of Minsait, an Indra company, maintains that digitization is getting closer to democracies, not only for voting with machines, but also in counting the ballots and at other stages.

The expert stresses that the technology to digitize electoral processes is ready and, based on the pilot projects he has carried out in Europe, the population has been open to adapting.

However, for it to be put into practice, legislative changes are needed, which still do not allow it.

It is also a matter of necessity: “Right now there is no clear interest in changing the model because the current one works.

There is, above all, reluctance to open voting online.

The substitution of voting on paper ballots for machines is probably an intermediate step, but many countries do not want to tackle it because it requires a strong investment”.

The expert assures that digital mechanisms could help generate more participation, continue with the green agenda of the countries, reduce logistics costs and guarantee the speed of counting.

Even so, he maintains that completely armored systems do not exist and, in the case of online voting, the main risk would be an attack that tries to put the system out of service.

In the Brazilian scenario, Diego Aranha, a professor in the Department of Computer Science at Aarhus University in Denmark, who has participated in the organization and coordination of IT teams in the security tests of electronic ballot boxes in Brazil, affirms that the vulnerabilities are corrected and mitigated every year.

“Since 2020, the system has become much more robust against external attacks.

Someone who is outside the Court, has no control over the logistics and distribution of the software nor the distribution of the files”, he argues.

And according to the TSE, it would be "impracticable" for an internal agent to be able to carry out an attack that compromises the results due to the complexity of the process.

Aranha says that the scientific community has agreed that reestablishing a model of ballots and with the manual counting of all votes would be a mistake, but suggests that the physical registration of the electronic vote for a sample count – around 1%, depending on the difference between the candidates – is an extra mechanism to demonstrate the security of the machines.

The Chamber of Deputies has rejected the proposal for a printed vote with manual counting.

You can follow