Illegal and Insecure eVoting Carried Out in Argentina
Sunday, 5 July 2015, was the first time an e-voting system was used in Buenos Aires, Argentina. The legality of this system is highly contested and the entire e-voting process is denounced by Pirate Party Argentina. Since the 2/3 approval vote by the legislature never happened, the e-voting carried out on July 5th should have been declared illegal.
On 9 December 2013, after the elections and in the last session of the year, the legislature of Buenos Aires approved law 4894, setting up open primaries and a voting system known as “Boleta Unica” (single voting ballot). The voting system allows the use of digital technologies, but requires that, if electronic voting is to be used, the decision be approved by at least two thirds of the legislature's members.
In November 2014, the law was implemented by a decree describing an electronic voting system with touchscreens and some features from MSA, the company that won the contract. The next step should have been the 2/3 approval vote in the legislature. However, since it was difficult to get the required votes, they ignored the law and, with the help of the winning company, chose to call their system “Boleta Unica Electronica” (Electronic Single Voting Ballot), claiming that it wasn’t digital voting. It should be noted that the company sold the same system in other districts, calling it digital voting.
Besides the sloppy and illegal implementation of these elections, many people (among them activists, engineers and lawyers) openly opposed this electronic voting system. They stated that it was difficult for non-digital natives to use, impossible for citizens to audit (the source code was not distributed), too expensive, and that it didn’t protect vote secrecy sufficiently. They believed the new system had no real benefit over the “Boleta Unica”.
Shortly after the news spread that this system was to be used in elections, its source code was leaked. The source code revealed that each voting machine was an ordinary PC running Linux (Ubuntu) with a Python program loaded from a DVD provided by the company (in fact, from any DVD inserted in the reader). This directly contradicts MSA’s declarations about the system. MSA had repeatedly affirmed that the machines were more like printers than computers and that they didn’t have any memory or storage capabilities, and had made several other claims that were proven false by independent individuals looking at the source code.
A secure voting system?
Bugs in the voting machines began to be discovered, and MSA’s servers were also hacked. The whole list of technicians, together with their three-letter, three-number secret PINs, was leaked. The certificates for the transmission of the results were publicly accessible to anyone who knew the URL (the servers were accessible via HTTP and no kind of encryption or protection was used). This information was also leaked.
Finally, Joaquin Sorianello, feeling the company should know about this, called MSA and told them about their security issues. The company unplugged their servers and silently went offline. This made Joaquin call the media to inform them about all the security problems of the voting system.
Later on, security researchers also found what was called #multivoto. This new bug would allow votes to be counted several times, simply by manipulating the unencrypted RFID ballot with the help of a smartphone with NFC (Near Field Communication) capabilities.
The Saturday before the election, the house of Joaquin Sorianello was raided by the police. They seized his computers and now Joaquin is facing charges. to vote with this illegal and insecure system.
This article was written by PPAR and Lorena Müller
Featured image: CC BY-SA Pirate Times from work by Nicolas Raymond and a public domain image