(Originally published as "A importância da recontagem de votos", on the website of the Agência O Estado de São Paulo, November 13th, 2000 http://www.estadao.com.br/tecnologia/coluna/stanton/2000/nov/13/194.htm )
The main news of last week was, without a doubt, the still undefined result of the US presidential election, and the vote recount in the state of Florida. It seems that it will still take some time for the final result of this election to be defined, and this has already been the cause for a number of leader-writers and columnists in the Brazilian press to suggest to our neighbours to the North that they ought to adopt the same electronic voting technology which was used in the Brazilian municipal elections in October this year, an experience without parallel in the world for an election on this scale. Among the journalists that succumbed to this temptation were Teresa Cruvinel of O Globo (from Rio de Janeiro), and Clovis Rossi, Eliane Cantanhede and Luis Nassif of the Folha de São Paulo. According to these commentators, had this Brazilian technology been in use, the election results would have been available in a question of hours, and the world would have been spared the spectacle of the so far unpredictable postponement of the victory rites of either Gore or Bush. Amongst those political commentators who dealt with this matter, only Jânio de Freitas (Folha de São Paulo, November 12th) disapproved of this simple prescription.
Electronic voting technology was first used by the Supreme Electoral Court in the 1996 Brazilian municipal elections, when it was confined only to the larger cities. This use was further extended in 1998 and again in 2000, when it took in the whole country. The single most striking characteristic of the technology is the tallying of the votes cast using a voting machine by the machine itself after voting finishes, with the production of both digital and printed reports of the number of votes given to each candidate. Following this through, the recounting of votes would be unnecessary, since the results would always be the same. Thus, the use of Brazilian electronic voting machines in Florida would doubtless simplify the election there. What then could possibly be the reasons for this technology to have so far not been adopted in other countries? Should one suppose that only Brazilians are capable of such an invention, or is it that something essential has been left out of their solution?
As it happens, the question of the use of electronic means (computers) in election processes has been studied for some time in other countries, so far without having led to their adoption. In the US, after an evaluation process that lasted for 8 years, New York City decided to abandon a project which would have replaced its old mechanical voting machines by newer, electronic ones, because it proved impossible to satisfy adequately the city's requirements, especially in the security field (www.notablesoftware.com/Papers/voteauto.html). A list of security requirements for electronic voting was published as long ago as 1993 by Peter G. Neumann, a scientist at Stanford Research International (www.csl.sri.com/neumann/ncs93.html). His findings give cause for concern, for they point out the extreme difficulty of building a purely electronic system, which is simultaneously reliable and free from adulteration, without compromising the secrecy of the voter's choice. The basic problem lies in the reliability of the software installed in the electronic voting machines, which needs to be bug-free, and also immune to improper modification by ill-intentioned specialists with access privileges. Some years ago, it was thought that software could be validated merely by the inspection of its source code by external auditors, but, in a famous article published in 1984, Ken Thompson, already famous as one of the inventors of the Unix operating system, explained how the security of a software component could be undermined by the installation of a Trojan horse, without any modification of the source code (www.acm.org/classics/sep95).
In Brazil too there are observers and critics of the electronic voting process. The website www.votoseguro.org, maintained by Amilcar Brunazo Filho, is rich in information and opinions concerning the automation of Brazilian elections, and the problems which still remain to be solved. The site also has a pointer to the Fórum do Voto Eletrônica, a discussion group on electronic voting. An interesting essay (in Portuguese) on the introduction of electronic voting in the country, written by Osvaldo Maneschy, a member of this discussion group, may be found in www.jus.com.br/doutrina/urnael14.html.
The criticisms ventilated in this discussion group are an application of the above-mentioned criteria of Neumann, together with practical proposals for satisfying them, and are well expressed in an article by Brunazo himself, which is available (in Portuguese) at www.senado.gov.br/web/senador/requiao/aseguran.htm. This article deals squarely with the problem of confidence in the electoral process: apart from having a secure system, it is also essential to show that it is secure. As Neumann has already shown us that pure electronic voting is intrinsically insecure, it has to be complemented by additional procedures to engender confidence.
Brunazo splits the voting process into four phases: voter identification, the casting of a secret ballot, the tallying of the votes of a single ballot box, and the totalling of votes from different ballot boxes. In traditional (non mechanical) voting, each of these phases is conducted separately, and is subject to external controls: the voter is adequately identified; he next checks that the ballot paper is blank, and cannot identify him, thus guaranteeing the secrecy of his vote; the tallying of votes is done in the presence of observers representing the candidates; and the results of each ballot box are made public, permitting the independent totalling of the votes. In the current model of electronic voting machine used in Brazil, the first three of these four phases have been lumped together in one. The voter's ID number is used as a key to ready the voting machine for this voter's use, potentially threatening the secrecy of the ballot. Then, the voter chooses his candidates, and confirms this choice on the screen. Finally, his vote is added to the others cast in the same voting machine, there being maintained only the total numbers of votes at the end of the session.
The basic problem is the question of the correctness of the voting machine's software, since there is no redundancy in the system which can be used to check this correctness experimentally. For instance, if someone had installed a Trojan horse in the voting machine software, which systematically and wrongly transferred to an opponent the votes cast for a given candidate, there would be no proof that such a fraud had been perpetrated. The voting machine could indicate to a voter that his choice was confirmed, and then register the vote for another candidate. Such behaviour could also result from a software bug. We simply would know nothing about it. What is worst is that the Supreme Electoral Court tells us, "The system is secure. Trust us." Such a position is technically untenable, as it depends on a number of unknown factors, including the good faith of people who are neither judges nor officials of this court. And, unfortunately, there are many reasons from past elections to distrust electoral processes. It is essential to have a transparent system, where processes can be satisfactorily audited by both voters and candidates.
Brunazo's proposal to restore trust in electronic voting involves two changes to the current voting machines. Firstly, voter identification should be carried out in the traditional fashion, by checking the voter's ID with a list of voters. The machine should be readied for voter use, without use of his ID information, and, after the voter has made his choice, the voting machine should print out a ballot paper, with the details of his vote. After checking that the printed ballot really corresponds to his choice, it can be deposited in a traditional ballot box. Should the voter perceive that the printed vote does not coincide with his choice, both printed and electronic votes would be cancelled, and the voting repeated. Note that we will now have two independent records of the votes cast, and, in case of doubts about the tally of electronic votes, the printed votes may be counted, either manually, or by use of an appropriate optical reader. Such a proposal has been included by Senator Roberto Requião in his bill number PLS 194/99, currently under discussion in the Brazilian senate. Senator Requião's bill includes a provision for the manual recounting of 3% of the ballot boxes, chosen at random. The remaining ballot boxes would have a similar function to an aircraft flight recorder, which is used only in the event of an accident. This procedure is expected to reinforce trust that the new voting machines are not being used to undermine democracy.
Returning to the problems in Florida, and especially to Palm Beach county, where mechanical voting machines were used, but seem not to have worked as expected by more than 20.000 voters. There is nothing more damaging for the acceptance of technological innovation than to produce in users a feeling of impotence and loss of control over their lives. This happened in Florida, and perhaps it may still be corrected after auditing what really happened. If the current Brazilian model of electronic voting machine had been in use, there would have been no way even to protest the results. Recounting of votes is not an out-dated nuisance, but a fundamental part of the democratic process,
Michael Stanton (www.ic.uff.br/~michael) is professor of computer networking at the Computing Institute of the Universidade Federal Fluminense, in Niterói, Rio de Janeiro state, Brazil.