E-voting and paper-based voting - UNAM teaches us how to achieve the worst of all worlds

As my Institute's sysadmin, I was appointed as the person responsible for my Institute's certificate handling for today's voting session for the University Council (Consejo Universitario).

UNAM, Mexico's largest University, is moving towards an e-voting platform. I talked about this with our (sole) candidate for the Council, and she told me this has been used a couple of times already - And, as expected, it has led to having to repeat voting sessions, due in part to e-voting's inherent shortcomings: It is impossible to act on any kind of challenge (impugnation). The only thing we have is an electronic vote trail, no way to recount or to make sure that all votes got in. Besides, we had a perfectly unnatural and inadequate identification system, which means voters' identities cannot be trusted in any way.

Besides, we still have all the traditional University bureaucratic paper flow, which completely obscures any positive points this e-voting system might have had.

Before going any further, if you are interested: There is a so-called security audit certificate for this system. In Spanish, yes. Take a look at it if you understand the language and want a good laugh.

I will not make a detailed review of (what I could gather about) the setup. But to make things short: I had to go to the central administrative offices to get a CD-ROM with the monitoring station's SSL certificate. This certificate is tied to an IP address, so only one computer was able to be set up as a monitoring station. So far, so good.

But, what is the monitoring station's real role? You will probably laugh. The voting session (at my Institute - each dependency can specify its own opening and closing times) ran from 10:00 until 18:00. We were instructed to place this computer at a public location, from where:

  • Shortly before 10:00, we had to check that the booth's status was set to closed and that zero votes had been received.
  • During the voting period, the computer would continuously display the number of received votes, refreshing the page twice a minute.[1]
  • During the day, anybody could go to the computer and check the total number of votes received. Its main function is, I think, to show that no votes are subtracted precisely when a person is staring at it.
  • Shortly before 18:00, we had to check that the booth's status was still set to open, and wait until 18:00 to witness that the booth was now closed.
  • Get the needed data from the system and hand it over to the proper bodies. I'll get back to this point later on.

So, what is strange here? That there is a tremendous apparatus providing supposed security to... information that is completely worthless. Just protecting a number that is, for all practical purposes, public. Oh, and the opening and closing of the booth - Of course, the system could have flaws during the process, or inject spurious votes along the way, or flip-flop the votes cast whichever way. But, did I mention votes? So far I have not mentioned how people are supposed to vote.

Together with our last paycheck, we got a piece of paper with all of the needed information: A randomly generated, 10-character password with mixed case and symbols, and the link to a web page.[2] This paper was folded, yes, but it was in no way secured - So, whoever wanted to have all of our passwords could just go through the bunch of papers and get them.

Now, in contrast to the strong perception of physical security surrounding the oh-so-important monitoring stations, how can a person vote? Oh, sure, just fire up your favorite browser and go to https://www.jornadaelectoral.unam.mx/, produce your student number if you are a student or your full RFC,[3] select via checkboxes,[4] click on "submit", and voilà, you have voted. From any location, from any machine.

Yes, the University's population is largely itinerant, many people will be voting from abroad and all. It is good to give them a voice. But... At what price? Let's see... The security audit mentions the system is free from any malicious routine that can automatically alter the results and it has the minimum needed validations against spurious data injections from the most common Web browsers. However, if I am interested in modifying the results... I could put a trojan in a Faculty's laboratories, which modifies the votes sent by their users (students vote as well). Yes, I'd have to know how the system works, but let's accept that security through obscurity does not work, and that this is a well-known system (as it has been used for over 3 years and is at version 3.5). PHP-based, for further points. Oh, and (if I recall correctly) a voter does not even get feedback as to which formula he voted for, so there is no way of knowing if the computer really sent the information I requested. And given the low security for the password handling, I would not bet on it being worth much. Besides, this system was partly established to allow people to vote from abroad - as long as they picked up their March 10 paycheck. That excludes anybody who has spent over three weeks away!

Many other things can be said. Last detail: e-voting's main selling point is that the results are known instantaneously, and (if no paper trail exists) no tedious re-counting is ever done, right?

Meet University bureaucracy. Technology changes, but processes don't. The Local Electoral Surveillance Commission has the responsibility to enter the system once again after the vote has finished, and ask the server for the preliminary results. This consists of a tarball with the tally sheet (from the voters, who voted and who didn't), the total votes for each formula, and... one more file I don't remember. They also have to generate the signed legal documents where they testify to the received information. And then, ahem, they have to burn those files[5] onto a CD-ROM, print them, and physically take them to the central administrative offices. Yes, take something from the server and get it to the server. For us it is not terrible (1.5 km can be readily done), but this same procedure must be done by people in other cities where there are University campuses holding elections. How nice!

Anyway... Worst of both worlds. The inefficiencies of a paper-based election, together with the unaccountability of an e-voting election, sprinkled with a fake sense of security here and there.

Bah.

  1. Except that it didn't. I guess they didn't stress-test the server, so every couple of minutes it returned a connection error. Of course, the page would no longer self-update. And after noticing that, I (and nobody else but me) had to go and give the password and certificate for the system to continue to operate.
  2. Which is http://www.dgae-siae.unam.mx/ - The Schooling Administration General Direction (DGAE), a University body which has no relation with electoral issues. DGAE made available a poster detailing how to vote... But, again, let's ignore that fact for now.
  3. A nationwide ID number, largely derived from name and birth date data - Both numbers are often widely known, they cannot be considered private in any way.
  4. Oh, for goodness sake... The "ballot" has 1..n options, and each has a checkbox, not a radio button. That means you can select multiple options, which is of course invalid. Why? Because the electoral rules indicate that selecting more than one option in a ballot makes the ballot invalid, and thus, a way for making it invalid must be provided. Isn't logic beautiful?!
  5. Want some more insight on what needs to be done? Take a look at the instructions. Don't forget to pay attention to the lexicon used - We are still asked to count the votes, an impossible feat given the vote is 100% system-based - Quote: "Los miembros de la CLVE realizarán, con base en el reporte del sistema, el cómputo de los votos depositados en la urna a favor de cada una de las fórmulas, declarando nulos los votos que procedan." (In English: "The members of the CLVE will carry out, based on the system's report, the count of the votes deposited in the ballot box in favor of each of the formulas, declaring null those votes that so warrant.")