Electronic voting in Brazil

Electronic voting was first introduced to Brazil in 1996, with the first tests carried out in the state of Santa Catarina. The primary design goal of the voting machine is extreme simplicity, the model being a public phone booth. The voting machines perform three steps – voter identification, secure voting and tallying - in a single process, aiming to eliminate fraud based on forged or falsified public documents. Political parties have access to the voting machine's programs before the election for auditing.

, Brazil is the only country in the world to conduct its elections entirely through electronic voting.

Development


The first Brazilian voting machines were developed in 1996 by a Brazilian partnership of three companies Omnitech (previously known as TDA), Microbase and Unisys do Brasil attending the Superior Electoral Court (TSE) RFP for the Brazilian Elections in 1996. This machine was a modified IBM PC 80386 compatible clone, known as UE96. In 1998, Diebold-Procomp, Microbase and Samurai (formerly known as Omnitech) partnered to produce UE98. In 2000, Microbase and Diebold-Procomp developed the UE2000 together. In 2000, Brazil completed the first completely automated election.

The original operating system was VirtuOS, similar to DOS and includes multitasking support, was developed by Microbase. It was used in the 1996, 1998 and 2000 elections. In 2002, Unisys was unable to renew their partnership with Microbase, and were unable to reuse the VirtuOS based code. Microsoft stepped in, and provided licenses for the Windows CE operating system free of charge. In 2008, under initiative from the TSE Electronic voting team migrated to a Linux (dubbed UEnux) OS to reduce costs and take full control of development cycle. It was incorrectly reported by the press that the UEnux project was carried out by Diebold/Procomp.

Concerns
There still remain some questions about the security of the electronic voting system, but no case of election fraud has been uncovered:


 * 1) Critics argue that the voting machines do not produce receipt for the voter. The application program which verifies the internal integrity of the system is itself vulnerable to modification, but it is possible to print paper receipts that allow anyone to compare how many voters attended and how many votes were entered in the ballot box, called "boletim de urna" and "zerésima", allowing audit. An inspection by the City of Sto. Estevão, Bahia described the system of seals and closure of the machine as simple, and allowed easy access to the internal memory slot. However, it is not possible to insert votes into the internal memory without electronic ballot box, data terminal of the election workers and voters, as well as their fingerprints.
 * 2) It is possible to violate the secrecy of the vote, obtaining the list of the Voter registry IDs and the order of the votes. So by simple comparison one could determine which ID voted for which candidate, but data voters are not public and the order of the votes is not recorded.
 * 3) Election workers could vote in place of absent voters without their permission. However, voting sections are composed of multiple workers drawn at random from the population as a means of preventing this type of fraud. Recently, voter biometric identification has been required.

Process
On the eve of an election, the election authorities in each State select a number of voting machines by lot (all available voting machines take part in that lot, identified by their serial number), and those machines so selected, instead of being used in actual polling stations, are retained in the seat of the State's Regional Electoral Court for a "parallel voting", conducted for audit purposes in the presence of representatives designated by the political parties. The audit vote takes place on the same date as the election. This parallel voting is a mock election but the votes entered in the voting machine are not secret, instead they are witnessed by all party representatives present at the audit process. The whole audit is filmed, and the representatives of the political parties present for the audit direct publicly that a random quantity of votes are to be inserted in the machine for each candidate. A tally is kept of the instructions received from each party representative. Each party representative orders a number of votes to be inserted at the machine, but he only reveals that number, and the recipients, during the audit. So, the numbers are not previously known, because the only way they could be known by others is if there were a collusion between rival parties. At the end of the process, then, when all the parties have directed that certain number of votes then chosen are to be registered for each candidate in the audit vote, the votes ordered to be inserted by each party representative for each candidate are added up, and the total number of votes of the mock election is known, as well as the total number of votes of each candidate. Once the mock votes end and the profile of the vote is known, the electronic counting of the votes contained in the voting machines used during the audit takes place. The result indicated by the voting machines software has to correspond to the previously known result. As the machines were selected at random by lot, if the result given by the software corresponds to the previously known result resulting from the sum of the parties's public instructions (which has happened in all elections so far), the system is deemed by the election authorities as reliable for receiving, properly registering and accurately tallying the votes. Given that the machines are chosen at random, the reliability of the chosen ones is deemed to represent the reliability of the others. If the audit failed to produce a positive result (the matching of the votes counted to the sum of the instructions), then the whole election in the State in question would be void.

Benefits
Supporters of the electronic vote claim that unless the fraud were intentionally designed into the machines, it would be impossible to carry an extensive fraud in such a small amount of time. The Brazilian Superior Electoral Court (TSE) regularly promotes an event called Public Safety Test (PST). Any citizen over the age of 18 can register to attend. During the event, the participants attend lectures about the election procedure and its security measures. They have access to unsealed voting machines and their source code. In case of success, TSE implements corrections to the system and participants are invited to come back before the following election to try repeating their attacks. As of 2022, all vulnerabilities found have been corrected. The source code to the voting software is closed to the general public, but periodically open for inspection to some entities, universities and to all political parties. However, some experts advocate that votes should be printed for inspection and recounting.

Biometrics
A new biometrics-based voting machine, with an additional apparatus that does the voter's fingerprint recognition before allowing the ballot to be cast, started being used in 2012. TSE is gradually gathering the fingerprints of all registered voters to spread the process, that was used by 22 million voters in the 2014 general election. For the 2020 Brazilian municipal elections, biometric use was suspended due to the COVID-19 pandemic, in order to avoid touch points for voters and reduce lines.