Shirley: On October 7th a new authentication system will be used in the electoral process, which will check the voter´s ID through his fingerprints and will be integrated into the voting machine.
What some people are asking is whether this system preserves the secrecy of voting. This will be our topic today at Soluciones.
This year, the Integrated Authentication System (SAI) was incorporated into the Venezuelan voting system.
This system verifies the voter´s ID, preventing identity theft and voting fraud at the polling stations.
The process is simple: the voter goes to the polling station, presents his ID card and has his fingerprint read by the SAI. Once his identity is verified, the polling station president unlocks the voting machine for the voter.
When the voter makes his choice, the machine prints a voucher which is immediately cast inside the ballot box. Finally, to end the voting process, the voter must sign the polling station log and dye his pinkie with indelible ink.
Shirley: Today we´ll debunk all the myths surrounding the secrecy of voting, and for that we´ve invited today part of the technical team that has audited the automated voting system since 2005.
Next to me is Mario Torres, member of the electoral commission of Comando Venezuela; he´s an electronics engineer and a professor at Universidad Simon Bolivar.
We also have Miguel Cañas, an electrical engineer and a telecommunications specialist, and also a member of the electoral commission of Comando Venezuela.
Since the year 2005, you know how this system and the electronic platform work.
Let´s start with our first question, which has to do with a myth: this new system has the particular characteristic of integrating authentication, i.e. fingerprint capture, into the voting machine using the fingerprint registry for each specific polling station.
How does the system avoid correlating the order of arrival of voters, their fingerprint, their ID card and the votes cast?
Mario: Good morning, Shirley. The new voting system is essentially the same old voting system, with the same voting machines, to which this new biometric authentication device is being incorporated, called SAI by the CNE.
This device just adds the function of having the voter place his fingerprint on a reader before casting his vote. The first point that needs to be stressed is that the voting machine is completely isolated;
in other words, when the voter gets to the polling station his fingerprint will be checked against a database in the device´s memory, and the device only has the fingerprints of the voters assigned to that particular station.
The device is not connected to any system; no online verification is taking place. The fingerprint capturing process precedes the actual voting, so the information is completely separate.
Capturing and voting are done in such a way that the information from each process is isolated from the other.
This has been tested several times. We have audited this automated voting system since 2005. We have checked the voting code line by line, same with the machines´ source code.
We have been very thorough; we´ve checked the production system. And we have verified that the sequence in which the votes are written in the machine is always disrupted.
It is our commitment during the next audits to guarantee that this will be the case, as it always has been, and the only record kept is that of the fingerprints.
Shirley: Let´s have a technical explanation. I want you to give people an explanation so they really trust that there is no correlation between
the voter´s identity (their personal data and ID numbers), the order of arrival at the station and their votes. How, technically speaking, is that sequence broken?
Miguel: The voter´s identity, namely his ID number and fingerprint, is stored in one section of the memory.
The voting information, which is only the choice made by the voter, is in a different section of the memory.
We have verified that there is not a "third place" where this data is stored. We´ve also verified that the voting data is randomly shuffled so that the sequence of voting is lost.
This has been verified and proven, and the code has been checked line by line; it works and has worked in all previous voting events.
This random shuffle will also occur for the voters´ information, so that the data from both processes (independently randomized) is impossible to correlate.
The data will be completely isolated and shuffled. As I´ve said, the shuffling works very well with the voting data, and the same method will be applied to the voters´ personal information; we´ll verify this during the audit.
Shirley: The recorded votes are compiled into a registry that´s printed after the voting is closed, but the voting information still remains in the machine.
Will the voters´ personal info also be stored together with the voting information, or will they be stored separately?
Mario: No, they will be stored completely separated.
There is a guarantee that the personal information and the votes will be kept completely separate, and that the sequence in which the votes were saved in the machine´s memory will be broken and shuffled.
The section in the memory where the votes are stored holds no information about the voters, and the section that stores personal info has no register of the choices made; the sequence in which the votes were cast is also broken.
This data shuffling has been tested several times. Given this, there is no possible way of knowing which person voted for which candidate. There is no way.
Shirley: The votes are encrypted. This has been made public knowledge.
Now, people who question the CNE wonder if the voting data can be read by the CNE. Is that possible?
Mario: No, the answer is no. Let me explain it briefly: when a voter casts his vote, this information is encrypted and stored in the machine´s memory.
The encryption key is made up of little bits provided by all the auditors who participate in the software audit; the code is not generated by the CNE.
The only way to reconstruct the encryption key is for each of the participants to provide their section of the code.
The encryption code is known by the machine, but there´s an extremely sophisticated procedure (which we´ve checked thoroughly) through which the code, despite being known by the machine, remains unknown to the CNE.
The CNE has no way to reproduce the encryption key unless every single software auditor provides his section of it.
This is a very delicate procedure carried out with care, and every machine has a unique encryption key.
Each of the 39 thousand machines has its unique encryption key.
Shirley: You´ve explained this before, what guarantees the secrecy of voting is that the time sequence of the procedure is randomized and therefore impossible to reconstruct.
What people wonder is, is it possible at all to reconstruct it?
Mario: No, absolutely not.
Shirley: Why not?
Mario: Because the algorithm used to write information in the memory has a standard random number generator.
We´ve used the exact same generator in our lab, we´ve reproduced the code and run it several times, and we see that the distribution is completely white, random.
There´s no way to reconstruct the voting sequence. I don´t like using the word impossible, but the possibility is practically zero. There´s no way to reproduce the sequence.
Shirley: Let´s go to a break. We´ve talked about the voting process, but there´s other myths regarding the tallying and transmission of the votes.
Want to add something? We´ll do it after the break, we´ll be right back.
VO: The new platform developed by the National Electoral Council, SAI (Integrated Authentication System) employs basically the same security measures as the previous system.
When the voter is cleared, his ID number is stored in a temporary memory that has 5 slots, and the ID number is randomly assigned to one.
This way there is no correlation between the order of ID clearance and the order in which people go into the polling booth.
The same happens with the votes when they´re recorded: they´re encrypted and stored in a temporary memory with a capacity of 5 votes only, which is also randomized so there is no correlation between the voter and his choice.
Neither the votes nor the ID numbers are stored sequentially, so it´s impossible to correlate the voters with their votes.
Additionally, the voter information registry has no information about the votes cast. In the technical audits carried out during previous electoral processes,
it has never been proven that the secrecy of voting has been compromised. Voting has been, and will be, secret and secure.
Votes are encrypted and have no information about the voter.
Shirley: Today we´re debunking all possible myths about the secrecy of voting.
The last question before break had to do with the tallying and transmission process.
This new system records the votes, prints a voting registry at the end of Election Day, and the polling stations close.
The first question is, is the data transmission unidirectional or bidirectional?
The myth is that during this transmission, the results that were printed on the voting registry can be modified. Is that possible?
Mario: Absolutely not, let me explain.
Firstly, the machines are offline while the voting is going on; they´re isolated and have no transmission channels.
Once the president of the polling station decides to end the voting process, which is an irreversible act, he presses the button for closing the session and the machine automatically generates and prints the voting record.
Afterwards, the voting machine technician connects the machine and that´s when the transmission process starts.
When the operator clicks on "transmission", a unidirectional information flow begins. The machine will transmit an encrypted digital version of the voting registry to the tallying center.
The communication process, from a technical standpoint, is in fact bidirectional, but the information flow is unidirectional.
The process is bidirectional because the machine needs to receive a confirmation from the system that the transmission was successful;
the machine needs to inform the operator and the polling station president that the transmission was satisfactory,
but the information flow is totally unidirectional. Voting registries are transmitted from every machine to the national tallying center.
Shirley: The second ´myth´ is that the voting registries are transmitted to Cuba via the new submarine cable.
Is it possible to decipher the transmission, or tamper with it and then retransmit it?
Mario: Well, that is...
Shirley: I´m just here telling you about these ´myths´ people are talking about.
Mario: Each voting register is transmitted with 6 layers of encryption. Going through 6 layers of encryption in real time, while the machines are transmitting,
is practically impossible. But let´s assume they´re sent to Cuba and come back... the information that´s being transmitted is ultimately public!
The voting registries are printed before transmission.
Even if it was possible to modify these registries, and it´s not, it would be pointless since the changes would be noticed; they wouldn´t match the printed versions.
Shirley: Third ´myth´: there´s a ´secret´ tallying center.
What guarantees do the voters have that these registries arrive at a single, national tallying center?
Mario: One of the things we check on the machines´ software is the configuration files.
The transmission configuration is checked thoroughly, and it contains the phone number or code to which the machine will send its information.
The machine is configured to transmit only to the national tallying center.
A "white list" is also used; the machine can only transmit using that line and no other.
Shirley: The fourth ´myth´, which we´ll discuss after the break, is about the people who certify that the votes aren´t modified in the tallying center.
You´ve been there, so I want you to talk about how that works, so people can feel safe that their choices won´t be tampered with. We´ll be right back with your questions.
Shirley: Today we´re clearing up all doubts regarding the secrecy of voting.
The last question was whether it was possible to modify the voting registries after they´re sent to the national tallying center.
Who is present in that center? Who guarantees that those votes won´t be tampered with?
Mario: The first thing I´d like to say is that we auditors and representatives of the political parties have always been present at the national tallying center.
Always. You really can´t see the results in the center, what you see is the operation of the system,
and who accesses the system is very carefully monitored, especially who accesses the core of the system: the database where the registries are stored.
The registries arrive from the machines and are stored in this database; when a results bulletin is released,
the CNE not only publishes the results, but also produces a CD with the results of each one of the registries (whose addition makes up the bulletin).
If the database was tampered with and one of the registries modified or altered, the political parties could detect the fraud easily,
since they have witnesses and copies of both the registries at the polling stations and the CD.
Imagine what would happen if the digital copy of the registries didn´t match the printed registries at the polling stations.
Shirley: So, a paper trail and the presence of witnesses at the polling stations are still fundamental.
That´s important to say. Let´s talk about something that worries people.
Since 2005, the national voter registry hasn´t been audited, so people wonder if that could be a source of fraud; for instance,
dead people who vote or people who are registered more than once.
What guarantees can we give people of the trustworthiness of the system, even though the voter registry hasn´t been audited?
Miguel: In fact, the registry hasn´t been audited exhaustively since 2005.
Back then it was audited by a Latin American commission of electoral bodies which concluded that, despite irregularities (some very ancient),
these irregularities were not politically motivated and the registry could be used in an election. In fact, since 2005 elections have been won and lost using the same registry.
The registry has grown with new voters, and several deceased people have been removed from it, though not all of them;
the registry has been checked yearly by the political parties and they´ve agreed that the irregularities present aren´t politically motivated.
This means that the deceased people who are still in the registry technically belong to all political sectors, and other irregularities such as voters sharing the same name aren´t numerous and don´t represent a danger to the process.
Shirley: Regarding the new authentication system, will the fingerprint database be audited?
You said that for a person to vote in his polling station his fingerprint has to match, but if there´s multiple sets of fingerprints there could still be double voting.
Will the fingerprint database be audited?
Mario: Definitely. It´ll be one of the most important audits. We´re preparing a very detailed audit plan to carry it out, which in fact has already been submitted in writing to the CNE.
It includes a list of the activities we´ll perform, out of which 3 are the most important: a uniqueness test, guaranteeing there is only one fingerprint per voter;
a universality test, meaning each voter has at least one fingerprint so he can vote; and finally a quality test,
guaranteeing that the quality of the fingerprints is homogeneous for all voters, so the system will take the same amount of time authenticating two different voters.
Shirley: Let´s read the messages we´re getting from Twitter.
Must all fingerprints be audited to weed out people with several identity cards? You just answered that one.
Miguel Alvas says "good morning, what would happen if I had problems with my fingerprint while trying to vote?"
Well, I think it´s the CNE´s job to clear such doubts, but do you have an answer?
Mario: Yes. In the case that the person doesn´t have a fingerprint on record, the system will let him vote and just record his fingerprint.
Another possibility is someone unable to place his fingerprint on the machine because he has a cast on or something: in that case the president
of the polling station will place his fingerprint and make a note that the voter couldn´t do it himself, enabling the person to vote.
Another case is the system not recognizing the person; if that happens,
the voter must fill out a so-called "regularization" form and then he´ll be allowed to vote.
Shirley: We have little time left. My last question is, if the fingerprint is not what activates the machine, but the people at the polling station, why was this system implemented? Why is this authentication system something positive for this election?
Miguel: The president of the polling station checks the voter´s ID, the voter registers his fingerprint and a blue light turns on,
which lets the president know that person is cleared to vote.
Once the voter is in the booth, the president needs to activate the voting machine.
Shirley: The question is, since in the end it´s the president who activates the machine, could there still be ´extra´ votes, virtual votes?
Miguel: The machine has a mechanism to limit these ´virtual´ votes; they´re limited now. They weren´t before.
Now, if that limit is reached, the machine is blocked.
Shirley: Thank you for coming. There´ll be another show so we can clear all these questions we´ve received via Twitter regarding the secrecy of voting.
For now, from what you have explained, voting is secure, reliable and above all, secret, since the time sequence of the process is randomized when stored and therefore irreproducible. Thanks for watching.