Illegal and Insecure eVoting Carried Out in Argentina

Illegal and Insecure eVoting Carried Out in Argentina

On Sunday, 5 July 2015, was the first time an e-voting system was used in Buenos Aires, Argentina. The legality of this system is highly contested and the entire e-voting is denounced by Pirate Party Argentina. Since the 2/3 approval vote  by their legislature never happened, the e-voting carried out on July 5th should have been declared illegal.

Some background

On 9 December 2013, after the elections and in the last session of the year, the legislature of Buenos Aires approved the law ‘4894’, setting up open primaries and a voting system known as “Boleta Unica” (single voting ballot). The voting system allows the use of digital technologies, but requires that if electronic votes were to be used, the decision should be approved by the legislature with at least two thirds of its members.

In November 2014, the law was implemented by a decree, describing an electronic voting system with touchscreen and some features by the company (MSA), who were the ones that won the contract. The next step should have been the 2/3 approval vote in the legislature. However, since it was difficult to get the required votes they ignored the law and with the help of the winning company they chose to call their system “Boleta Unica Electronica” (Electric Single Voting Ballot) claiming that it wasn’t digital voting. It should be noted that the company sold the same system in other districts calling it digital voting.

eVoting Paula Müller 5 JUL 2015 Buenos Aires

5 July 2015 – People waiting for eVoting in Buenos Aires, by Paula Müller

The problems

Besides the sloppy and illegal implementation of these elections, many people (among them activists, engineers and lawyers) openly opposed this electronic voting system. They stated it was difficult to use by non-digital natives, impossible to audit by the citizenship (source code was not distributed), too expensive and that the system didn’t protect vote secrecy sufficiently. They believed the new system had no real benefit over the “Boleta Unica”.

Shortly after the news that this system was to be used in elections spread, its source code was leaked. From the source code it was discovered that the voting machines were a common PC, running Linux (Ubuntu) with a Python program from a DVD that was provided by the company (actually, any DVD that was inserted in the reader). This is directly contrary to MSA’s declarations about the system. MSA had repeatedly affirmed that the machines were more like printers than computers, that the machines didn’t have any memory or storage capabilities, as well as several other affirmations that were proven false by several independent individuals looking at the source code.

A secure voting system?

Bugs in the voting machines began to be discovered and MSA’s servers were also hacked. The whole list of technicians, together with their three letter and three number secret pins, were leaked. The certificates for the transmission of the results were publicly accessible to everyone knowing the URL (the servers were accessible via HTTP and no kind of encryption or protection was used), this information was also leaked.

Finally Joaquin Sorianello, feeling the company should know about this, called MSA and told them about their security issues, the company unplugged their servers and silently went offline. This made Joaquin call the media to inform them about all the security problems of the voting system.

Later on, security researchers also found what was called #multivoto. This new bug would allow votes to be counted several times, simply by manipulating the unencrypted RFID ballot with help of a smartphone with NFC (Near Field Communication) capabilities.

The Saturday before the election, the house of Joaquin Sorianello was raided by the police. They seized his computers and now Joaquin is facing charges. On Sunday, people of Buenos Aires had to vote with this illegal and insecure system.

On July 5th the expensive, illegal and insecure election was held. However there will be ballotage on 19 July to finally decide between the two candidates with most votes.

This article was written by PPAR and Lorena Müller

Featured image: CC BY-SA  Pirate Times from work by Nicolas Raymond  and a public domain image