Brazil had a referendum this weekend regarding prohibition of firearms. The topic of the referendum and how people reacted to it itself merits a discussion, but it was also an opportunity to learn more about electronic voting in Brazil, which is what I will talk about.
Unlike the US, where electronic voting became common in the last election, after the fiasco with the Florida butterfly ballot in 2000, Brazil started experimenting with electronic voting in 1996 and went all electronic in 2002. Also unlike the US, where states or even precincts went shopping for voting machines independently, in Brazil the federal government put out a contract and ended up hiring several companies to do it (Unisys, Diebold and other have participated in different years). They ended up with a system that seems to be both robust and incredibly cheap: $450 per box. (As I understand, in US voting machines cost several thousands of dollars each.)
They achieved this partly by skipping on a touch screen, and just using a numeric touch pad. (See picture) The machine has an LED and thirteen buttons: numbers 0-9, “blank” (“branco”), “correct” (“corrige”), and “confirm” (“confirma”). Each candidate has a number, as does every option on the referendum in this case. Those numbers are assigned ahead of time and are used in ads. In this case, everybody knew that “No” vote is “1” and “Yes” vote is “2”. So, when you use the machine it asks you a question and you enter the code. It then shows a confirmation message and you either chose “confirm” or “correct” to change it. Once you press confirm you move on to another question. (Today they only had one question, so you would be done.)
I do admire the simplicity of the design. The nice thing about it is modularity: the problem of selecting the candidates is left out of the system, which gives the voter more option into how they can proceed. E.g., a voter who wants to see all the options, can pick up a booklet that lists all the candidates with their numbers. On the other hand, a voter who already made up their mind is likely to arrive already knowing the codes for their candidates and can get done with voting quickly. (If they remember the code incorrectly they will see that when the machine shows the name of the wrong candidate. They can then get the booklet to lookup the correct number.) The problem of blind users is similarly solved: since the interface for actual voting is really simple, it could be made accessible in a trivial way: the keypad has braille on it, and you can hear names of the candidates read to you before confirming the vote. The task of letting the blind users know which candidates correspond to which numbers can then be handled by a variety of methods, though I imagine that most blind users learn the numbers from TV ads.
Now a question of security. An earlier version of the system printed out the results of each vote on a piece of paper which dropped into a box. The voter couldn’t really see what was being printed, so it wasn’t exactly voter-verified paper trail (VVPT) because the “voter-veried” part was missing. This year, the printers were removed altogether, so there is no paper trail of any sort. I am a strong believer that VVPT is the only way to make electronic elections secure, so no, Brazilian machines are not secure. However, that said, the voting procedures used here seem to be far better then anything I've heard of in US. While they definitely leave the possibility the results being falsified by clever coders, they seem to try hard to avoid any other kinds of violations. More specifically:
Each machine arrives to a voting site sealed. At 8 a.m. the machine prints out the results showing 0 votes recorded. This record is signed by witnesses and saved. From this point on the room continuously has observers, until 5 p.m. when voting ends. At that point anyone who stands in line still gets to vote using a special password and as I understand their IDs are recorded. When voting ends the machine prints out another paper with results in several copies, which are all signed. One is posted in the window of the polling place, another one is sent to the central office. The diskette is removed from the machine (the seal is broken), signed, and also sent to the central office.
The machine comes with a list of names and registration numbers of all voters in the precinct. If your number is not in the system, you don’t get to vote. (I am told by an election judge that this happens very rarely.) Once you “confirm,” you can’t re-vote.
The election committee also writes up a report which lists anything unusual that happened during the day (e.g. “a disruptive voter was removed by police,” “a voter argued with a committee member about use of a cell phone,” etc.)
All that serves to make it nearly impossible for local elections officials to modify the results. They can’t do anything to the machine before the vote since they need to make sure they get a clean print out at 8 a.m. They can’t vote for other people or for extra people since they would need to voter registration numbers for that. If they did discover the numbers (they see them when people vote, so they might remember them from last year), they would end up using someone else’s number, which would be discovered when the person shows up to vote. Finally, they immediately publish the final printout, so that while the counting is done automatically by the central office you can in theory do a recount using precinct data (each precinct seems to have around 500 people).
In addition to that, the code for the machine has supposedly been posted online. (I haven’t been able to find it.) Also, the underlying Windows and .Net code was shown to heads of parties under MS’s “Shared Code” license. Again, that’s clearly not enough, but it’s better than what’s happening in US.
This discussion would not be complete without considering the differences between Brazilian and US electoral systems. It’s getting late, though, so it will have to wait a few days.