E-Voting Raises New Questions in Brazil



The Associated Press

Friday, September 29, 2006; 1:47 PM


SAO PAULO, Brazil -- Elections in Brazil used to be a monumental challenge, with millions of paper ballots to count by hand, many of them delivered by canoe and horseback from remote Amazon villages. Fraud was widespread, and it often took a week or more to determine the winners.


Latin America's largest country eliminated many of these hassles by switching to electronic voting a decade ago, long before the United States and other countries started abandoning paper ballots. When 125 million Brazilians vote on Sunday, they will punch computer keyboards, part of a system Brazil credits for building faith in its democracy.


"The voting machine is so secure that I would say the only way to tamper with it is to smash it with a hammer," Athayde Fontoura, general director of Brazil's Supreme Electoral Tribunal, said in an interview.


But some computer programmers who have closely examined Brazil's system say such confidence is misguided. Echoing a debate in the United States over the reliability of electronic voting, they say the tribunal needs to do more to ensure Brazil's citizens aren't disenfranchised.


Some Brazilians are lobbying the tribunal to switch from Windows CE to an open-source operating system for the voting machines, since Microsoft Corp., citing trade secrecy, won't allow independent audits to make sure malicious programmers haven't inserted commands to "flip" votes from one candidate to another.


Paper records that citizens can see as they vote to confirm that their choices were properly recorded are a must as well, said Amilcar Brunazo, a computer and data safety engineer who founded the Safe Vote Forum to press for more transparency. Brunazo also is the Democratic Labor Party's permanent "technical representative" at the tribunal.


"I agree the electronic ballot box makes it more difficult to defraud the election process," Brunazo said. "But the system is still not transparent enough and the best way to address this is by allowing an independent inspection of the operating system used in the machines."


Fontoura confirmed that Brazil is considering a move away from Microsoft's proprietary code _ "We are studying the possibility of using an open-source program like Linux in future elections. This would make the entire process much more transparent and far less expensive," he said.


But the tribunal tried and rejected a voter-verifiable paper record.


Paper receipts that appeared behind glass _ so voters could confirm their choices but not walk off with the evidence _ were tried on 23,300 machines in 2002, with plans to install them nationwide two years later. But the machines' maker was resolutely opposed to this system, and the tribunal decided to rely instead on "ballot box bulletins."


These bulletins _ printouts of each machine's overall votes, made after the polls close _ serve as a backup record of the tallies transmitted electronically over a secure network. But they can't show whether a programming flaw or malicious hack deleted or changed votes inside the machine before the printout was made, computer scientists say.


Brazil's machines are made by Diebold Procomp, the Brazilian subsidiary of Diebold Inc., of North Canton, Ohio, which also makes many of the voting machines now used in U.S. elections. And Diebold has said that voters should trust its equipment, more than any paper record, to deliver fraud-free elections.


"The more you introduce paper into a voting system the more you introduce the possibility of fraud," said Michael Jacobsen, a Diebold spokesman. "Electronic voting is the most accurate and secure voting that is out there."


Such blanket statements disturb critics of electronic voting. Just because there are vulnerabilities and risks doesn't mean that anyone has ever exploited them, but without a voter-verifiable paper record, they say, there's no way to be sure that a vote count is fraud-free or bogus.


"The problem is not that elections have been rigged necessarily _ it's that you can't say for sure that they weren't, because rigging is possible on these systems," said Dr. Avi Rubin, who directs the Information Security Institute at Johns Hopkins University in Baltimore. "Given the choice of picking a system where wholesale rigging is easy, versus one where it's impossible, why has Brazil gone with the system where it's easy?"


Brazil did build in some safeguards during its transition to electronic voting _ protections that still don't exist in the U.S.


While the code behind Microsoft's operating system remains secret, independent auditors must approve of the overlying voting software before it is inserted into the nation's 430,000 machines. The software remains open to inspections for three months before election day. And hours before the polls open, randomly chosen voting machines are tested "to verify that the software inside does what it is supposed to do," Fontoura said.


Each step of the count also is monitored onsite by representatives of the political parties, the Brazilian Bar Association and the federal prosecutor's office, Fontoura said. And the entire election process is overseen by the tribunal _ an independent, nonpartisan agency legally empowered to combat fraud as it happens and overturn elections if necessary.


That's far different from the U.S., where private voting software companies refuse to allow independent audits, elections are managed by partisan politicians with inherent conflicts of interest, federal courts are reluctant to intervene in state-run elections and the federal agencies involved have little power to investigate, let alone resolve disputes.


In Brazil, as in the U.S., the leading critics of electronic voting tend to be people familiar with the risks inherent in computing. They say that accurate paper records and independent software audits are essential precisely because no computer system _ or elections official _ can be trusted to be completely reliable.


"The main flaws are not in the software, hardware or in the data transmission systems, but in the human links that control the connections between the three _ connections held together by the myth of infallibility and incorruptibility of those who run the system," said Antonio Dourado de Rezende, a computer science professor at the University of Brasilia.




AP Technology Writer Rachel Konrad in San Francisco contributed to this report.

2006 The Associated Press