e-voting: Bad when it's near, worse when it's far.

Note: All of the information linked to from this post is in Spanish and related to Mexico… Part of it will be translatable via automated means, some will not. Sorry, that's what I have, and it's too much text to invest the effort to hand-translate

I have been following the development of the different e-vote modalities in Mexico for several years already, although I have only managed to do so methodically in the last half year or so. If you are interested in my line of reasoning as to why I completely oppose e-voting, you can look at the short article I published in 2010 or the slightly longer and more updated version published in our book in 2011.

Currently, in Mexico there are two different venues of e-vote that are being pushed: Bad and worse. The bad one will be carried out for about 10% of the population of the state of Jalisco and somewhat less for the state of Coahuila (Distrito Federal was also to be in this list, but the contract was cancelled due to the provider company delivering booths with too many problems and unable to deliver in the due time). The worse one is, fortunately, likely to have the least impact. Why? Because it regards votes cast by Distrito Federal residents (the capital entity, where part of Mexico City is located) living abroad. And it will have less impact because of the amount of the population registered for it: We are about 9 million residents in DF, and in the last election (first time IIRC there was the right to vote from abroad) there were only about 10,000 people registered for casting a (enveloped and sent by post) vote. Even if this year we the campaign for this was better (and I'm not yet sure about it), the number of voters will not be enough to make a dent on the results.

I'm not going into details as to why it is bad in this post — I requested information from the DF Electoral Institute (IEDF) with academic interest, to try to find more information about it, and I want to share my results with you — and, of course, to request for your input on how to continue with this. On May 3rd, I sent the following request (this I am translating to English :) You can look at the receipt for the request for the original redaction) to the official contact address, oficinadeinformacionpublica@iedf.org.mx:

• What company was hired to develop the system that will be used to receive the votes from Distrito Federal citizens residing abroad that have decided to use the Electronic Voting over Internet procedure ("Vota chilango")?
• What is the technical information for said system? That is, which technological basis was it developed on? Which operating base (hardware) will it be deployed on?
• How many revisions or security audits has the developed system ben exposed to? Which are the entities in charge of doing them? What has been their evaluation?

Of course, I wasn't very optimistic when receiving this information. Still, I have to share my results: My information request was largely denied:

(…)
III. The divulgation of this information harms the interest it protects
Given that, were it to be divulged it would affect the informatic security of the refered system. Anyway, we have to point out that said systems have enough measures and security provisions, so that the citizen can emit his vote in a universal, free, secret and direct way.
IV. The damage that can be produced by making this information public is larger than the public interest to know it
This is so because making this information public puts at risk the correct development of the Internet-based voting, because were the technical, purpose-specific information be made public, it could be misused to carry out informatic attacks.
It is also important to mention that a confidentiality agreement was signed with the company that developed said systems.
(…)
VI. The time for the information to be reserved
It will be seven years starting at the present resolution, this information will be made public when the reserve period is over or when the target is reached, except for the confidemtial information that it could contain. (…)

In case some other person is interested in following this information, the other two points were answered, and I'll try to get some relevant information from it:

• The company that provided the Internet-based voting solution was SCYTL SECURE INTERNET VOTING, S.A.
• The only entity in charge of conducting a security revision/audit is Telefónica Ingeniería de Seguridad de México S.A. de C.V.. The audit is still in process, and thus it is not yet possible to give any results from it.

So, I don't have any real conclusions yet. I'm just reporting how work is unfolding.

Tomorrow evening (Wednesday May 23) I'll give a talk on the "e-voting in Mexico 2012" subject in Congreso Internacional de Software Libre in Zacatecas, Mexico. I'll talk on the situation on this and the other topics I have been able to work on.