Auditability
The Brazilian electronic ballot box has at least nine audit instruments, listed as follows:
-
Public Safety Test - PST: event always held in the year prior to the ordinary elections, in which the ballot box's hardware and software are opened and put to the test by any Brazilian citizen, so that the security mechanisms employed are exercised. In case of identification of any point of improvement in the systems, the TSE technical team works on the improvements and invites the PST participants to validate the implemented evolutions.
-
Opening of the source code and monitoring of development: the TSE opens the source code of electoral systems for wide auditing by various civil society actors. Auditors can review the entire source code, test the electronic voting machine, and receive clarification from the TSE technical team. This period, which used to be six months, is now twelve months before the ordinary elections.
-
Electoral System Digital Sealing and Signing Ceremony: the electoral systems previously audited, both in the PST and in the opening period, are submitted to a public ceremony, in which the systems have their authorship verified, to then be compiled and signed digitally. Digital summaries of all Ceremony products and inputs are also produced. The source code and compiled software are recorded on non-rewritable media and stored in a vault for reference in case of questions about the authenticity of the software. The digital signatures produced during the Sealing can be validated at different stages of the electoral process from that moment onwards, which helps certify the integrity and authenticity of the software. In addition, the digital summaries generated are also published on the Internet as another instrument to verify the integrity of the software distributed by the TSE.
-
Ceremonies for the generation of media, loading and sealing of the ballot boxes: in public ceremonies, the media used by the ballot boxes is generated, followed by its loading process (installation of the software and copying of voters' and candidates' data) and placement of physical seals. In these ceremonies, it is possible to verify the authenticity of the software used (inside and outside the ballot box) through the validation of digital signatures or digital summaries produced during the Sealing. Also during the ceremony, it is possible to demonstrate the voting in at least one ballot box selected by the present inspection.
-
Verification of authenticity in the polling station: on the eve of the election, there is a drawing to select the ballot boxes that will be audited at the polling station. In this audit, the authenticity of the ballot box software is verified by validating the digital signatures or digital summaries produced during the Sealing. The procedure is carried out before the start of voting and can be accompanied by voters and inspectors present in the electoral section. Even in sections that are not drawn, it is possible for voters and polling stations to certify the software's authenticity by checking the equipment's security LED, which turns on the green light when the hardware validates the software as being official.
-
Integrity test: on the eve of the election, there is a drawing of the ballot boxes which will undergo a voting test under the same conditions as a polling station. The ballot boxes are collected from the polling stations and on the day of the election they are submitted to a monitored voting test: previously known votes registered on paper are deposited in the electronic ballot box, in a procedure recorded on video. At the end, there is a parallel counting of votes, which is compared with the result issued by the ballot box. In this way, the integrity test demonstrates that the ballot box works correctly: that the votes cast in it are correctly counted at the end of the day. This test is public and usually broadcast live by the Regional Courts on their social media.
-
Ballot box bulletin: at the end of voting, the ballot box counts the votes and makes the results of the polling station public. This record is materialized in the ballot box bulletin, which is printed by the equipment and can be copied using the QR Codes contained therein. Based on the ballot box bulletin, it is possible to compare the result published by the ballot box with that published by the TSE and even conduct a parallel counting of votes.
-
Ballot box log: all operations performed by the ballot box software are recorded chronologically. This event log can be audited to verify that the ballot box behaved as expected. The log is kept redundantly in the ballot box, with full and authentic copies replicated on the equipment's internal and external media.
-
Digital Vote Record - DVR: the ballot box keeps a faithful record of the voters' typing. This record is kept in the DVR file, which preserves voting secrecy and guarantees the integrity of votes through encryption and digital signature. It is from the DVR that the zeroth (report issued before the vote to indicate that the ballot box does not have registered votes) and the ballot box bulletin are produced. The DVR can also be audited, in order to verify the correctness of the calculation. The DVR is kept redundantly in the ballot box, with full and authentic copies replicated on the equipment's internal and external media.
In this way, it is evident that Brazilian ballot boxes have several audit instruments, which are capable of certifying that the equipment behaves correctly, operates with authentic and previously audited software, in addition to maintaining correct and auditable records about its operations and votes cast.