Imprimir Republish


Osvaldo Catsumi Imamura: A secure device

The engineer who created the layered security framework for Brazil’s electronic voting machine explains why the system is trustworthy

Catsumi at the Brazilian Aerospace Museum, in São José dos Campos, with one of the first models of electronic voting machines designed for the TSE

Léo Ramos Chaves / Revista Pesquisa FAPESP

One year before every election, a group of preregistered computer experts meet at the headquarters of the Superior Electoral Court (TSE) in Brasília with the objective of trying to hack Brazil’s electronic voting machine. This is known as the Public Security Test (TPS), an event held since 2009, during which independent computing specialists, or computer scientists linked to research institutions, conduct their plans of attack against the voting equipment. In 2021, 29 incursions were attempted by 26 “investigators,” the name given to those trying to circumvent the electoral system. Five of the investigators discovered some type of vulnerability, which was then corrected by the TSE technical staff. The attacks were recently repeated in a second round, in early May 2022, this time without any success.

One of the creators of the electronic voting machine, electronics engineer Osvaldo Catsumi Imamura, still monitors the TPS during each election cycle. Imamura is a graduate of the Aeronautical Technology Institute (ITA) and a researcher at the Department of Aerospace Science and Technology (DCTA), a research center linked to the ITA which is located in São José dos Campos, São Paulo. Imamura has been on the team that designed and developed the architecture of the electronic voting machine (EVM) since its inception in 1995 and was the engineer responsible for ensuring the equipment’s security. As of today, there has never been any proof of a system violation, nor that any election was tampered with, which was a relatively common occurrence when voting was done with paper ballots. Catsumi, 66, left the TSE technical team in 2005, continuing on as a consultant and occasional staff member, and retired from the DCTA last year. In the interview below, he related to Pesquisa FAPESP why Brazil’s electronic voting machine remains secure 26 years after its creation.

You participated in both stages of the TPS for this year’s election. What was tested there and what were the results?
The tests came about as the result of several requests, both from within and outside the TSE, to expand the verification of the electronic voting machine. We always discuss how these assessments may be done in such a way as to make the system as transparent as possible. In 2009, the idea of doing a public test came up, something that was already happening in other places, abroad. This would ensure that people who wanted to reach a conclusion regarding a particular scenario related to the EVM could carry out the test themselves, in order to confirm or redress their own observations. That was how the tests began.

What has changed since then?
In general, the EVM evaluation has barely changed at all, in terms of scope. The investigators involved may request access to any part of the system, such as the machine’s hardware and software. They only need to present a proposal for what they want to evaluate. From the beginning, various adjustments have been made to the process, arriving at the current version in which the tests are carried out in two stages. The first is normally done at the end of the year prior to the elections, on the date closest to the final sealing of the codes. This gives investigators time to analyze the system that will be used in the elections of the following year. A few months after the first test, investigators can verify the modifications the TSE has made.

Are the investigators researchers in the field?
In part, yes, but there have also been people from society participating, who understand computing and want to personally assess how the voting machine works. There are academic entities that sign up so that professors can provide their computing students an opportunity to exercise what they’ve learned. There was even a student from the computer program at the Federal University of Mato Grosso do Sul who suggested doing his TCC [undergraduate final project] on election security. The student convinced the teacher to participate with him.

Can everything be tested during the TPS?
That’s right. At the November 2021 TPS we observed that several attacks aimed to expose the encryption, the handling of the vote recording, and the vote totaling. We ended up grouping the investigators so that they could collaborate with each other, since there were teams that were examining the same aspect of the electoral system.

What differentiates the first test phase, conducted in the year before the election, from the second, performed during the actual year of the election?
In the first phase, each investigator performs the verifications they want to in the system and, when they finish, we, from the evaluation committee, confirm whether they managed to progress with their intended plan, if they attacked a certain aspect of the system and if they were able to make inroads they shouldn’t have been able to. In such cases, even if they haven’t reached their end goal, the attempt is evaluated as a first-phase success. We make a report to the TSE, and its technical team has three to four months to explain how the infiltration happened and give suggestions on how to correct or improve it. In the second stage of testing, we verify if the internal work of the technical team has achieved the desired objectives. So, we call the investigators back so they can analyze if the machine still has vulnerabilities. Even if nothing has happened and none of the investigators have managed to penetrate any area of the system, the TSE carries out a general review of all processes. Since new technologies are always emerging, it may be that something that was attempted this year will have an impact later on. These precautions provide parameters for evaluating future changes in the electoral system.

Is there a possibility that the voting machines could be tampered with?
Theoretically, yes. Processes and technologies are always time-dependent. The technologies used to protect the EVM and its peripherals undergo rigorous analysis in the screening process so that every component of the electoral system is ready up to a year before the elections. Today, attackers may not have the time to achieve their goals, such as vote tampering. There is a lot of discussion in the press about possible incursions. And we are always debating this in academia. Some researchers are more purist, more theoretical, and raise arguments that, in theory, in mathematical models, it is possible to demonstrate that the codes could be circumvented. But it’s the source of the affirmation that the EVM is tamper-proof. They’re not wrong. The big question is how one would put this theory into practice. So far, there’s no real evidence it could be done.

In theory, one could circumvent the codes in the voting machine. The question is one of putting theory into practice. So far, there is no evidence that it has ever been achieved

One of the criticisms of the TSE is that voters need to blindly trust the electoral system. That’s because it’s based on the concept of security through obscurity, something that—according to critics—isn’t consistent with a democratic society.
Security through obscurity means not making some information evident. It’s like saying: you’re safe because you kept it secret. Most of the world’s cryptographic security product codes are guarded to prevent system intrusion. The code used in the EVMs is neither open nor public, but it is verifiable. Only a very select public, of experts, are capable of conducting this verification. It’s true that there is a point of obscurity in the code, which is the key. It isn’t—nor does it need to be—public, in the same way that we wouldn’t give the password to our bank account to anyone. When we make this decision, it’s because we believe that obscurity protects us. This criticism against electronic voting machines doesn’t hold up. During the TPS, some attacks were attempts to try to find the digital key and infiltrate the system. Nobody managed to get all the keys they needed.

To enter the EVM system, it would be necessary to break through its various layers of security. It’s been said that this may not be true because it would be enough to penetrate one of them to be inside the system. Is that a real concern?
All security is layered. There is no unique safeguard that’s exclusive to the Electoral Court, because the voting machines have to be placed both in regular schools and in distant locations that are difficult to access. Today, 80% of the EVMs are transported by ordinary people. There are no convoys of military police or the Armed Forces escorting them. There are levels, or layers, of security that needed to be created while keeping in mind that these circumstances and conditions exist, until the EVM goes into the polling station certification phase on Election Day. From the moment it’s certified, the layers that continue in effect are exclusive to the Electoral Court. The previous layers are not. If a thief steals an EVM, it means they have invaded a first layer. Is the election compromised? No. It would only be compromised if an absurd number of voting machines were stolen, making the election unfeasible for lack of devices.

But wouldn’t it be possible to tamper with the EVM during transport, for example, to install a malicious program in order to direct votes to a candidate?
Let’s suppose that someone manages to break through a particular layer and insert a program into some machines. When the equipment is initialized, in addition to the authenticity check, the malicious program will encounter other layers of protection. In order to move forward in the process, the EVM would have to work without the necessary validations when the key is activated. The voting machine is a computer, a piece of hardware, and you can change the operating system. But it wouldn’t be possible to proceed with the altered results, nor is it possible to digitally sign the EVM’s vote tally, which is the final result from that machine, so it can be validated by the Electoral Court. And this is just one step. There are several other layers of protection. Some investigators have tried, without success, to attack this point during the TPS—to try to force the EVM to initialize without needing to keep performing these checks—in order to make it possible to execute their malicious code.

How many layers are there in total?
It depends on the stage of the process: turning on the voting machine, starting a poll, or ending a poll. Each of these phases has two to three layers of protection. Adding it all up, there are just over half a dozen layers within the process all told. Sending the vote results is another process, which also has its own layers. The voting machine, from the time it’s prepared until it’s closed and generates the poll results, is not connected to anything. The connection to the network occurs only when the systems for transmitting the results of each polling station connect to the system that does the final tally. In addition to the logical security mechanisms, there are other security components to ensure the physical functioning of the equipment set, making it fault-tolerant and ensuring election integrity.

Isn’t there a risk of a hacker attack during the time when the information is being sent to the TSE? How can you be sure that the results from that voting machine are what actually arrives at the TSE?Because of the security layers that exist both when the EVM is initialized and when the voting machine’s work is finalized. There is a unique key inside each apparatus during these processes. If it’s removed or replaced, the hardware is invalidated. This key digitally signs the result and allows the Electoral Court to verify the information in each machine. If the EVM is replaced due to some physical problem or failure, the TSE uses backup voting machines.

What do you think of the claim that the voting machines could be audited using the printed vote?
Let me give you an example. The Brumadinho dam, which failed, had been audited. Nevertheless, the design flaw was not verified in the audit. The audit is an important tool for verifying that execution is in compliance with operational planning, based on technical and administrative records and documents. Auditing is not synonymous with, nor a guarantee of, security. All of the logic systems used in the elections pass through a regime of digital signatures to ensure that what has been sealed is exactly what will be used, and they allow for an audit before and after the elections. However, the audit is not enough to attest to the security of the systems involved. The only way to verify the correctness of a logical system is through testing and technical analysis of the codes. The TPS was designed to meet this demand.

And the printed vote?
It represents a kind of pseudo-confidence. The voter could receive a slip of paper, but what would be the guarantee that the information printed on that paper had been tabulated? The fraud when we had the paper vote never happened in the hand of the voter—when they inserted it in the ballot box—it took place during the counting, when the ballot box was opened and the printed votes were placed on the table. For that very reason, one of the focuses of the electronic voting machine project was to improve this step in the process. The Electoral Court seeks to ensure that the ballot cast at the EVM is the same as what is tallied.

Does the electronic vote override, then, the printed one?
There is a type of measurement called Mean Time Between Failures, MTBF, which roughly indicates when a product should begin to show problems. The MTBF of electronic components, such as the electronic voting machine, is above 100,000 hours; for a printer, which is a mechanical device, it’s between 10,000 and 20,000 hours. There is no way to cross-validate using elements that have different failure probabilities. In other words, it’s not possible to validate what the voting machine printed with what was recorded electronically, unless this MTBF difference is equalized. When designing the electronic voting machine in 1995, one of the ministers of the TSE told our team: “You need to present technical guarantees so that, in the case of a dispute the court can make a well-founded judgment.” For now, what counts is the electronic vote because it is possible to prove technically that the occurrence of inconsistencies in the electronics is much lower than in the mechanical system.

Osvaldo Catsumi ImamuraElectronic voting machines manufactured by the company Procomp, in 2004, during the final test phaseOsvaldo Catsumi Imamura

How did you become part of the group that created the electronic voting machine?
At the end of 1994 and the beginning of the following year, Minister Carlos Veloso, then president of the TSE, advised that something had to be done that was better than manually counting paper ballots. The Electoral Court opened a bid tender to hire the first technicians in the area of information technology [IT]. At the same time, an invitation was sent to the executive branch, which had engineers and technicians in the institutions of the Ministries of Science and Technology, Education, Industry and Commerce, Communication, and the military. One of the invitations was to the former Ministry of Aeronautics. The DCTA [Department of Aerospace Science and Technology], which is the Air Force research center in São José dos Campos, was consulted. The invitation even went to the IEAV [Institute for Advanced Studies], where I worked. And so, I was appointed to join the technical team as a representative of the Ministry of Aeronautics.

You were part of a group that stayed at the TSE for several years. Who else was a part of that?
The team was initially made up of 14 people. After three months of work, when the architecture of the EVM was complete and the public bid process concluded, most of the members returned to their institutions, except for me and three others who came from INPE—Paulo Seiji Nakaya, Antônio Ezio Marcondes Salgado, and Mauro Hissao Hashioka. I took over managing hardware and software development at TSE; Nakaya led the logistics area; Salgado was responsible for the communication and manufacturing production networks; and Hashioka assumed general management. Giuseppe Dutra Janino, who was among the technicians who had passed the qualification exam, was one of the people from the TSE that we trained to continue the process, assuming the position Secretary of IT for the court in 2005.

So, it was your job to ensure the system’s security?
At the beginning the team would generate requirements for the entire system, which included security. As I had already worked on other processes of this kind and knew specialists in academia from this area, I became responsible for the security of the system from 1998 to 2005. I suggested that the Brazilian Intelligence Agency [ABIN] be involved, since they have an institution, the Research and Development Center for Communications Security [CEPESC], dedicated to maintaining government cryptographic modules. We made an arrangement for them to develop modules exclusive to the TSE.

How do you see Brazil today in comparison with other EVM systems, internationally?
There are various models around the world, some more sophisticated, others less so. Some countries do the entire process electronically—and no longer on paper—like we do here, while others even use the internet as part of their electoral system. That’s the case in Estonia, which has made every voting process virtual that they possibly could, not only elections, but also government administrative functions. They have been voting over the internet for over ten years, but they have also already suffered a strong hacker attack. In the world of cybernetic systems, the weakest link today is the network connection, in other words, the internet.