Still more e-voting related rants

Some weeks ago, I contacted Rosa Martínez, a tech journalist, with some questions regarding what I regarded as a trick interview with an e-voting salesman. Well, not only did she offer to let me publish an answer to that interview, but she also offered to let me write another article for a second site she also works with.

So, I accepted. Being quite time-deprived, although I managed to send her the first answer quickly, by April 22, I only sent the second article yesterday night.

Anyway, the links. The texts are published in Spanish:

Brazilian electronic booths hacked in a real election — Surprised, anyone?

Doing my regular news scan, I stumbled across this: Hacker reveals in Rio how he rigged an election (in Portuguese; you can try the Google-translated version).

Why am I reposting this? Because, even after the reported studies by Diego Aranha and the information disclosure exploited by Sergio Freitas, Brazil is still portrayed as the biggest example of how electronic voting can be 100% secure and tamper-proof. Well, in this case, Rangel (his full name has not yet been disclosed), a 19-year-old hacker, not only demonstrated how elections could be rigged, but admitted to doing so together with a small group, and even pointed at who benefited from this.

Rangel's attack was done during the transmission phase — After ~50% of the electoral results had been sent over the Oi network. And yes, the provider will most likely close the hole that was pointed at, but this basically shows (again!) that no system can be 100% tamper-proof, and that the more electronic devices are trusted for fundamental democratic processes, the more we as a society will be open to such attacks. The security-minded among us will not doubt even for a second that, as this attack was crafted, new attacks will continue to be developed. And while up to some years ago the attack surface was considerably smaller (i.e. booths didn't have a communications phase, just stored the votes, and communication was done by personal means), earlier booths have been breached as well. And so will future booths be breached.

So, the news of this attack is indeed very relevant for the field. The presentation I am quoting was held around two weeks ago — And December will surely dilute attention from this topic. Anyway, I will look for further details on the mechanism that was used, as well as on the process that follows in the TSE (Supreme Electoral Tribunal). I hope we have news to talk about soon!

Update on my e-voting-related work — @e_voto

For the last couple of years, one of the topics I have tackled, with several columns and a couple of articles published, several presentations at conferences and many comments wherever I can, is raising awareness of why security experts around the world oppose electronic voting.

Slightly over a year ago, I started gathering all the published news (in Spanish, with some notes in English if I feel they are relevant enough) that came to my greedy hands and archiving them, categorized as well as I could, into what I came to call an Electronic voting observatory. I don't feed it with the frequency I'd like, but overall I do feel there is an interesting amount of information in there.

About a month and a half ago, via Twitterfeed, I set up a Twitter account where my bot echoes everything I get in that regard.

So, while you can follow the observatory via RSS (as probably most readers of my blog will do), I know there are many Twitter users among you — @e_voto might be interesting to you if you speak Spanish and are interested in the topic.

I try not to be partisan on the information I copy there; of course I am subjective (I try not to refer to news which don't provide new insight or data points, or to obvious repeats), but I am doing this effort to follow the development as it unfolds, not to push my viewpoints.

Great online course available: «Securing Digital Democracy», by J. Alex Halderman

I was pointed at a great online course — If you are into e-voting analysis (or, more broadly, into democratic processes' history, evolution and future), I strongly suggest you take a look at «Securing Digital Democracy». Just the name of the teacher should be enough to make it interesting: University of Michigan professor J. Alex Halderman, the guy who has analyzed/hacked several electronic booths, and one of the clearest, smartest voices to explain what we should require of a voting system and how electronic booths are the worst fit for any purpose.

The course is delivered through Coursera; I have found Coursera to be an effective, usable, unobtrusive platform — So much so that I even signed up for another course. I am not so happy with online courses requiring such long waits between lessons, but after all, it tries to mimic what we see in "regular" (i.e. classroom) teaching settings. And, after all, we autodidacts are still a minority.

The course in question started ten days ago, but you can still perfectly join. Each week has two lessons, each worth approximately 40 minutes of video, and they are "graded" through a quiz. Let's see how this evolves.

Electronic voting in Panama: Slower, more expensive, more uncertainty... Goodbye!

Panama just underwent a nasty e-voting exercise: Electronic-mediated elections were held for the committee of the PRD party. It sounds simple - Even trivial! There were only 4100 authorized voters, it was geographically trivial (all set inside a stadium)... But it went up in smoke. I won't reiterate all that happened, I'll rather direct you to our project's (the e-voting observatorium) page: News regarding Panama (for those coming from the future, search starting at 2012-08-27 — and yes, it's all in Spanish, but there are free-as-in-beer translation services).

Many e-vote proponents/sellers/pushers were very eagerly waiting for this election to brag about one more success... So much that they could not just ignore it, and started rationalizing it away. Anyway, while feeding the observatorium, I came across this opinion-article in the Voto Digital website, which makes quite a bit of pro-e-voting noise. I replied to it, and I think my analysis is worth sharing also with you:

So, let's run some simple numbers, rounding them: The PRD vote in Panama was done for a universe of 4100 voters.

It took 10 hours (instead of the planned 4), so 410 people were processed every hour. There were 40 voting (electronic) booths, so each processed 10 people per hour. This means each person spent 6 minutes at the booth.

A manual vote in this fashion is highly parallelizable: Each of the voters can be given ballots in advance, or many of them can be allowed in to be given the ballots in situ (depending on the electoral scheme employed). The contention time is the time it takes each voter to get near the booth and deposit his ballot (either folded or in an envelope) - And it will very rarely be more than a couple of seconds.

So, given that with electronic booths parallelism cannot grow (there is a fixed number of machines) and the queues grew wildly, traditional voting would surely have fit in the expected four hours (an expectation that was, also, based on their past experiences).

As for counting, which is the slowest part of manual voting, it is also highly parallelizable: If each of the 40 booths has slightly over 100 ballots, the party personnel can easily count them in under 30 minutes. Capture and aggregation for the 40 partial results would take an extra 10 minutes, even being generous.

Manual voting would have saved them around five hours, without demanding additional resources (and being thus much more economical than having to buy 40 specific-purpose computers). And as an additional advantage, the physical and tangible vote proofs would remain, in case they were ever again needed.

Turning failure into apparent success, and carrying on: e-voting in Jalisco

I will sound monothematic, but I have been devoting quite a bit of work to this topic lately: Trying to stop the advance of e-voting in Mexico, Latin America and the world.

Why try to stop it? Isn't technology supposed to help us, to get trustworthy processes? Yes, it's supposed to... but it just cannot achieve it, no matter how hard one tries — I won't get into explanations in this blog post, but there is plenty of information. Feel free to ask me for further details.

Anyway — Yesterday (Sunday, 2012-06-17) was the fifth simulated voting that will lead to the first wide-scale deployment of electronic voting booths in my country: About 10% of the population of the state of Jalisco (that means, ~500,000 people) will cast their votes on July 1st electronically.

This particular case illustrates how simulated votings can be used to forge a lie: Pounce Consulting, the company that won the e-voting project for IEPC (Jalisco's voting authority), delivered their booths over 40 days late, just before the deadline for the project to be canceled. Oh, and by the way, it's the same company that just failed to deliver on time for another planned local authority (10% of the booths in the Federal District, where I live, where fortunately 100% of the votes will be cast on traditional, auditable and cheap paper).

After this delay, five voting simulations were programmed, to get the local population acquainted with them. The first ones just failed to get the population's interest and had close to 40% failure rates (mainly regarding transmission). Several other "minor details" were reported, including mechanical details that allowed subsequent voters to see the vote of who had just left.

Anyway, to make a long story short: The fifth and last simulation was held yesterday. Officially, it was finally successful (about time). As these booths include the "facilities" to communicate the results via the cellular network, but the populations where they are to be deployed do not yet have cellular coverage, 10% of the booths will have to be carried back to the Districtal Header (that can be a ~10hr trip) to be counted. Also, in all places, traditional paper stationery and paraphernalia will be printed just in case it is needed (and when will they know? When half of the votes are cast and lost?)

Anyway... e-voting is still in its first stage in Mexico. Right now, I'm sure, no attempts to rig the election will be made (centrally). But every effort will be made (as it has been made) to dismiss the obviously big and nontrivial ways it has failed and will fail, and any problems will be labeled as "minor". And probably by 2018 we will be facing deployments in many more states (even nationwide).

But propaganda fails to see the obvious: E-voting is more expensive, more complicated, leads to more possible failure states. E-voting should not be deployed in large-scale (i.e. more than a couple of hundred voters) elections. Electronic voting is insecure, violates secrecy, allows for fraud. No matter how many locks are put into it.

e-voting: Bad when it's near, worse when it's far.

Note: All of the information linked to from this post is in Spanish and related to Mexico… Part of it will be translatable via automated means, some will not. Sorry, that's what I have, and it's too much text to invest the effort to hand-translate.

I have been following the development of the different e-vote modalities in Mexico for several years already, although I have only managed to do so methodically in the last half year or so. If you are interested in my line of reasoning as to why I completely oppose e-voting, you can look at the short article I published in 2010 or the slightly longer and more updated version published in our book in 2011.

Currently, in Mexico there are two different venues of e-vote that are being pushed: Bad and worse. The bad one will be carried out for about 10% of the population of the state of Jalisco and somewhat less for the state of Coahuila (Distrito Federal was also to be in this list, but the contract was cancelled due to the provider company delivering booths with too many problems and unable to deliver in the due time). The worse one is, fortunately, likely to have the least impact. Why? Because it regards votes cast by Distrito Federal residents (the capital entity, where part of Mexico City is located) living abroad. And it will have less impact because of the amount of the population registered for it: We are about 9 million residents in DF, and in the last election (first time IIRC there was the right to vote from abroad) there were only about 10,000 people registered for casting a (enveloped and sent by post) vote. Even if this year the campaign for this was better (and I'm not yet sure about it), the number of voters will not be enough to make a dent on the results.

I'm not going into details as to why it is bad in this post — I requested information from the DF Electoral Institute (IEDF) with academic interest, to try to find more information about it, and I want to share my results with you — and, of course, to request your input on how to continue with this. On May 3rd, I sent the following request (this I am translating to English :) You can look at the receipt for the request for the original wording) to the official contact address, oficinadeinformacionpublica@iedf.org.mx:

  • What company was hired to develop the system that will be used to receive the votes from Distrito Federal citizens residing abroad that have decided to use the Electronic Voting over Internet procedure ("Vota chilango")?
  • What is the technical information for said system? That is, which technological basis was it developed on? Which operating base (hardware) will it be deployed on?
  • How many revisions or security audits has the developed system been exposed to? Which are the entities in charge of doing them? What has been their evaluation?

Of course, I wasn't very optimistic when receiving this information. Still, I have to share my results: My information request was largely denied:

III. The divulgation of this information harms the interest it protects
Given that, were it to be divulged it would affect the informatic security of the referred system. Anyway, we have to point out that said systems have enough measures and security provisions, so that the citizen can emit his vote in a universal, free, secret and direct way.
IV. The damage that can be produced by making this information public is larger than the public interest to know it
This is so because making this information public puts at risk the correct development of the Internet-based voting, because were the technical, purpose-specific information be made public, it could be misused to carry out informatic attacks.
It is also important to mention that a confidentiality agreement was signed with the company that developed said systems.
VI. The time for the information to be reserved
It will be seven years starting at the present resolution, this information will be made public when the reserve period is over or when the target is reached, except for the confidential information that it could contain. (…)

In case some other person is interested in following this information, the other two points were answered, and I'll try to get some relevant information from it:

  • The company that provided the Internet-based voting solution was SCYTL SECURE INTERNET VOTING, S.A.
  • The only entity in charge of conducting a security revision/audit is Telefónica Ingeniería de Seguridad de México S.A. de C.V. The audit is still in process, and thus it is not yet possible to give any results from it.

So, I don't have any real conclusions yet. I'm just reporting how work is unfolding.

Tomorrow evening (Wednesday May 23) I'll give a talk on the "e-voting in Mexico 2012" subject in Congreso Internacional de Software Libre in Zacatecas, Mexico. I'll talk on the situation on this and the other topics I have been able to work on.

e-voting: Something is brewing in Jalisco...

There's something brewing, moving in Jalisco (a state in Mexico's West, where our second largest city, Guadalajara, is located). And it seems we have an opportunity to participate, hopefully to be taken into account for the future.

Ten days ago, I was contacted by phone by the staff of UDG Noticias, for an interview on the Universidad de Guadalajara radio station. The topic? Electronic voting. If you are interested in what I said there, you can get the interview from my webpage.

I held some e-mail contact with the interviewer, and during the past few days, he sent me some links to notes in the La Jornada de Jalisco newspaper, and asked for my opinion on them: On September 23, a fellow UNAM researcher, César Astudillo, claims the experience in three municipalities in Jalisco proves that e-voting is viable in the state, and today (September 26), third generation of an electronic booth is apparently invulnerable.

Of course, I don't agree with the arguments presented (and I'll reproduce the mails I sent to UDG Noticias about it before my second interview just below — They were originally written in Spanish, though). However, what I liked here is that it does feel like a dialogue. Their successive texts seem to answer my questioning.

So, even though I cannot yet claim this is a real dialogue (it would be much better to be able to sit down face to face and have a fluid conversation), it feels very nice to actually be listened to from the other side!

My answer to the first note:

The topic of electronic voting booths keeps giving people something to talk about here in Jalisco... we at Medios UDG have presented different voices, such as that of Dr. Gabriel Corona Armenta, who is in favor of electronic voting, and of Dr. Luis Antonio Sobrado, presiding magistrate of the Supreme Electoral Tribunal of Costa Rica, who told us about the 20 million dollars it costs them to implement the system, which is why they have not managed to do so up to now; we were able to talk all the way to Argentina with Federico Heinz and his outright opposition to electronic voting, and of course there is the interview we did with you.

However, today La Jornada Jalisco publishes the following note


we would like to know your point of view on it,

I look forward to your reply


Well... I know that the IFE did a very interesting and well-made development a couple of years ago, designing from scratch the booths they proposed to use, but they were not deployed beyond pilots (because of costs, as far as I understand). I find it sad and dangerous that the IEPC of Jalisco is proposing, with that precedent, to buy prefabricated technology, trusting what a vendor offers them.

I find what the title proposes outright naive: «elections in three municipalities prove the viability of electronic voting in the whole state». Let's put it in these terms: Does the fact that a sheet-metal hut with a wooden frame does not fall down show that we can build sheet-metal skyscrapers with wooden frames?

Now, a couple of paragraphs that catch my attention from what this La Jornada note publishes:

the proposal to carry out the election in the whole state with electronic booths, which the Electoral and Citizen Participation Institute (IEPC) wishes to carry out, is viable, since the elections held in three municipalities are sufficient proof to show that the booth is reliable

and some paragraphs further on,

“How many more experiences are needed to know whether it is trustworthy, 20, 30, I don't know (...) But when there is a real, effective and serious diagnosis of when it is technically appropriate, the decision can be made”

As I mention in my article... We cannot confuse absence of evidence with evidence of absence. That is, the fact that there were no irregularities in a small deployment does not mean that there cannot be any. That there are countries which operate 100% with electronic booths does not mean that this is the way to go. There are some (and not few) experiences of electronic booths failing in various ways, and that shows there cannot be trust in the implementations. Even if the equipment were free for us (which is not the case), resources have to be invested in its safekeeping and maintenance. Even if a voter-verified printed trail were generated (which has only been the case in a small fraction of the voting stations), nothing ensures that the results reported by the equipment are always consistent with reality. The potential for misuse they offer is too great.


And to September 26th:

Sorry to bother you again, but today yet another note was published on the topic of the electronic booths in Jalisco, in which it is asserted that the booth is invulnerable.


Could you grant us a few minutes to talk with you by phone, like last time, about the specific case of Jalisco, in reference to these recently published notes? If possible, could I call you today at 2 pm?

I look forward to your reply, thanking you for your help; we greatly appreciate this collaboration you are doing with us



Regarding this note: Again, absence of evidence is not evidence of absence. A small segment of people is allowed to play with a machine. Does that mean it was a complete, exhaustive test? No, only that with casual fiddling they could not find obvious and serious flaws.

A real process that would provide trust would consist of (as they did in Brazil - And they turned out to be vulnerable) calling on the community of computer security experts to run the tests they deem necessary, having a reasonable level of access to the equipment.

Besides, security goes beyond modifying the stored results. A couple of examples that come to mind without thinking too hard:

  • What happens if I stick chewing gum into the magnetic card reader slot?
  • What happens if I hit one of the keys enough to make it a little less sensitive without destroying it completely? (or, while we are at it, if I destroy it)

Denial of service is another type of attack we have to be familiar with. Not only is it possible to modify the outcome of the vote, it is also very easy to prevent the population from exercising its right. What would they do in this case? Well, they could fall back to voting on paper - On sheets from a notepad, probably signed by each of the officials, for example. But if an attacker blocked the reading of the magnetic card, which is needed for the polling station president to mark it as closed, they stripped the users of their vote.

Yes, there are the printed votes (which, frankly, I am very glad to see this booth handles this way). Counting is possible, although a bit more cumbersome than in a traditional vote (because one has to check which ones are marked as invalidated - it is not very clear to me what the scenario is for a voter who voted for one option, had another one printed, and the result was corrected and marked as such)... But it is possible.

However, and to close this answer: If we do a test run, under controlled circumstances, obviously the very many faults that an electronic booth can introduce when the "bad guys" are its programmers will not be noticed. Can we be sure that this Atlas-Chivas-Cruz Azul score has the same degree of reliability as an election of real candidates, one of whom may have paid the developing company to manipulate the election?

And even if the process were perfect, they state here that they are _trying_ to put these booths out to tender (and again, if what this note mentions is true, they are among the best booths available, and they have addressed many of the points raised - Good!)... What for? What will these booths give us, what will society gain? Greater speed? Negligible - Half an hour gained. In exchange for how much money? Greater reliability? It is clear to me that no, given that it is not just four of us cranks who put their system in doubt, but its very proponents point to the generalized doubt.

The sentence with which the note closes seems to me worthy of hanging an epilogue on: "in that perhaps not so distant future corruption also occurs, and it is always due to the human factor". And the human factor is still there. Electronic booths are programmed by people, by fallible people. Whatever side they are on, you will remember the controversy when it became public that the vote aggregation in 2006 was supervised by the company Hildebrando, owned by the brother-in-law of then presidential candidate Felipe Calderón. What prevents us from falling into a similar scenario, but widely distributed? And here we have to refer to the ruling of Germany's Supreme Court: In that country, electronic voting was declared unconstitutional because only a group of specialists could audit it. A box full of papers with clear evidence of how each participant voted can be understood by any citizen. The code that controls electronic booths, only by a small percentage of the population.

