Buenos Aires is currently in the middle of electing its mayor and city council. With a first round that took place on July 5th, and a second round due on July 19th, the election is the first time Argentina's capital city has used an electronic voting system called Vot.ar, created by local company Magic Software Argentina (MSA).
Like many e-voting systems before it, the security and accountability of MSA's Vot.ar has long been questioned by local computer technicians, lawyers, human rights defenders and Internet users. But instead of addressing the flaws or postponing Vot.ar's deployment, the Buenos Aires authorities have chosen instead to silence and intimidate critics of the system's unfixed problems. A local judge demanded ISPs block web pages, and ordered a raid on the home of one technologist, Joaquín Sorianello, who disclosed to MSA a key insecurity in their deployed infrastructure. Even as the election continues with its troubled technology, online information on the problems is legally censored from online readers, and Sorianello's property remains in limbo.
Vot.ar's system relies on a paper ballot with an embedded RFID chip. Each voter places one of these ballots into a polling machine and makes a choice on a touch screen. The selection is printed onto the ballot by the machine, and (in theory) also stored on the accompanying RFID chip. The voter drops this completed “e-ballot” into an ordinary ballot box. Totals are tallied from the collected RFID ballots using the same MSA computer, and transmitted from the polling place to a central server, with the e-ballot being kept for auditing and recounts.
Sorianello reached out in late June to MSA to report that the private SSL certificates used in the secure transmission of data between the polling centers and the central servers were publicly accessible. An attacker with access to these certificates could monitor or manipulate the results being sent to the authorities. Another group of independent researchers discovered that with a normal, NFC-ready smartphone, multiple votes for the same candidate could be added to the e-ballot’s embedded RFID chip, invisibly distorting the electronic count.
The authorities’ response was not to investigate and fix these problems, but to cover up the evidence and punish the whistleblowers. On July 3rd, two days before the election, the computer crimes division of Buenos Aires’ Metropolitan Police, under the orders of Judge María Luisa Escrich, raided Sorianelllo's home. The officers took his computers, e-book reader, and other devices. Sorianello was not present for the raid, but in a telephone conversation with a local newspaper, he pointed out that "if I wanted to do something harmful or hack, I wouldn’t have told the company".
Meanwhile, on the same day, the same judge, in an apparent attempt to limit the spread of the leaks, ordered Argentinian Internet service providers (ISPs) to "immediately block" access to five URLs on justpaste.it, one of the sites where information on the Vot.ar system was being collected. News of the censorship order became public only after the first round of the election was completed.
Vía Libre Foundation, a local NGO that promotes the use of free software, the right to privacy and the protection of digital rights in Argentina, has long warned about the risks of adopting an insecure and unaudited e-voting system in the country. Enrique Chaparro, its head, told EFF:
The (Vot.ar) System is engineered around the storage of ballot data in RFID chips. That technology has been proven insecure in many occasions and led Israel to abandon a similar system in 2009. The procurement process was biased and unusually fast by any standards (15 days for bidding and 4 days for evaluation).
Beatriz Busaniche, another member of Vía Libre added:
The whole implementation of e-voting was imposed through an Executive Decree from the Government of the City of Buenos Aires, while the law clearly states that for the use of electronic voting, an special majority in the Legislature is needed (4894 Act. Anex II art. 25). Vot.ar's source code was never made available for public scrutiny and there were no independent audits, based on the premise that MSA cannot show its code because of security concerns.
On the day of Buenos Aires' first election round, voters used the flawed Vot.ar system with little public knowledge of its problems and the attempted silencing of its critics. According to the local press, 500 of the machines failed to send their results to the central server, leading to 184,317 missing votes that were only finally included after a physical recount (Buenos Aires has an electorate of 2.5 million voters).
EFF has been closely involved in e-voting deployments where researchers have been targeted or criticized by the authorities for highlighting vulnerabilities. In India, a country with the largest elections in the world, computer security researcher Hari Prasad and his colleagues Alex Halderman and Rop Gonggrijp exposed serious flaws in the design of local electronic voting machines that allowed results to be manipulated and could potentially compromise the secrecy of the vote in 2010. For his work, Prasad was charged for the alleged theft of an e-voting machine, and was detained in Mumbai for a week before being released on bail. EFF awarded Hari Prasad our 2010 Pioneer Award for doing his job in the face of legal harassment, and exposing flaws in a system that could undermine the democratic functioning of his country.
This year, professor Halderman and Vanessa Teague of the University of Melbourne discovered a cryptographic flaw in a New South Wales' e-voting system that may have left as many as 66,000 votes vulnerable to surveillance and tampering in that states' most recent election. An official from New South Wales' Electoral Commission attempted to discredit Halderman and Teague's work as a part of biased campaign against all e-voting, but finally conceded the risk and modified their systems to address their concerns.
The Vot.ar system as it is currently operated lacks basic requirements on transparency, security and accountability. As with India and Australia, public critics like Sorianello and others remain the Argentinian authorities' best defence against these flaws: and yet, administrators and judges have chosen to defend their own flawed technology instead of supporting the public review process.
MSA, the city of Buenos Aires, and Judge Escrich should correct their own errors. They should back down from a fruitless and disruptive investigation, and treat their countries' technologists not with raids and Internet censorship, but with the respect for the work they have done to protect democracy and the future of electronic voting. They have many problems to solve in the days before the next electoral round, and have neither the spare time nor the credibility to legally disrupt volunteers trying to help them fix their own city's e-voting mess.