English Miguel Caas and Mario Torre Smartmatics technology preserve the secrecy of the vote
Shirley: On October 7th a new authentication system will be used in the electoral process, which will check the voterÂ´s ID through his fingerprints and will be integrated to the voting machine. What some people are asking is whether this system preserves the secrecy of voting. This will be our topic today at Soluciones. This year, the Integrated Authentication System (SAI) was incorporated to the Venezuelan voting system. This system verifies the voterÂ´s ID, preventing identity theft and voting fraud at the polling stations. The process is simple: the voter goes to the polling station, presents his ID card and has his fingerprint read by the SAI. Once his identity is verified, the polling station president unlocks the voting machine for the voter. When the voter makes his choice, the machine prints a voucher which is immediately cast inside the ballot box. Finally, to end the voting process, the voter must sign the polling station log and dye his pinkie with indelible ink. Shirley: Today weÂ´ll debunk all the myths surrounding the secrecy of voting, and for that weÂ´ve invited today part of the technical team that audits the automated voting system since 2005. Next to me is Mario Torres, member of the electoral commission of Comando Venezuela; heÂ´s an electronics engineer and a professor at Universidad Simon Bolivar.
We also have Miguel CaÃ±as, an electrical engineer and a telecommunications specialist, and also a member of the electoral commission of Comando Venezuela. Since the year 2005, you know how this system and the electronic platform work. LetÂ´s start with our first question, which has to do with a myth: this new system has the particular characteristic of integrating authentication, i.e. fingerprint capture, to the voting machine using the fingerprint registry for each specific polling station. How does the system avoid correlating the order of arrival of voters, their fingerprint, their ID card and the votes casté Mario: Good morning, Shirley. The new voting system is essentially the same old voting system, with the same voting machines, to which this new biometric authentication device is being incorporated, called SAI by the CNE. This device just adds the function of having the voter placing his fingerprint on a reader before casting his vote. The first point that needs to be stressed is that the voting machine is completely isolated; in other words, when the voter gets to the polling station his fingerprint will be checked against a database in the deviceÂ´s memory, and the device only has the fingerprints of the voters assigned to that particular station. The device is not connected to any system; no online verification is taking place. The fingerprint capturing process precedes the actual voting, so the information is completely separate.
Capturing and voting are done in such a way that the information from each process is isolated from the other. This has been tested several times. We have audited this automated voting system since 2005. We have checked the voting code line by line, same with the machinesÂ´ source code. We have been very thorough; weÂ´ve checked the production system. And we have verified that the sequence in which the votes are written in the machine is always disrupted. It is our commitment during the next audits to guarantee that this will be the case, as it always has been, and the only record kept is that of the fingerprints. Shirley: LetÂ´s have a technical explanation. I want you to give people an explanation so they really trust that there is no correlation between the voterÂ´s identity (their personal data and ID numbers), the order of arrival to the station and their votes. How, technically speaking, is that sequence brokené Miguel: The voterÂ´s identity, namely his ID number and fingerprint, is stored in one section of the memory. The voting information, which is only the choice made by the voter, is in a different section of the memory.
We have verified that there is not a quot;third placequot; where this data is stored. WeÂ´ve also verified that the voting data is randomly shuffled so that the sequence of voting is lost. This has been verified and proven, and the code has been checked line by line; it works and has worked in all previous voting events. This random shuffle will also occur for the votersÂ´ information, so that the data from both processes (independently randomized) is impossible to correlate. The data will be completely isolated and shuffled. As IÂ´ve said, the shuffling works very well with the voting data, and the same method will be applied to the votersÂ´ personal information; weÂ´ll verify this during the audit. Shirley: The recorded votes are compiled into a registry thatÂ´s printed after the voting is closed, but the voting information still remains in the machine. Will the votersÂ´ personal info also be stored together with the voting information, or will they be stored separatelyé Mario: No, they will be stored completely separated. There is a guarantee that the personal information and the votes will be kept completely separate, and that the sequence in which the votes were saved in the machineÂ´s memory will be broken and shuffled.
The section in the memory where the votes are stored holds no information about the voters, and the section that stores personal info has no register of the choices made; the sequence in which the votes were cast is also broken. This data shuffling has been tested several times. Given this, there is no possible way of knowing which person voted for which candidate. There is no way. Shirley: The votes are encrypted. This has been made public knowledge. Now, people who question the CNE wonder if the voting data can be read by the CNE. Is that possibleé Mario: No, the answer is no. Let me explain it briefly: when a voter casts his vote, this information is encrypted and stored into the machineÂ´s memory. The encryption key is made up of little bits provided by all the auditors who participate in the software audit; the code is not generated by the CNE. The only way to reconstruct the encryption key is for each of the participants to provide their section of the code. The encryption code is known by the machine, but thereÂ´s an extremely sophisticated procedure (which weÂ´ve checked thoroughly) through which the code, despite being known by the machine, remains unknown to the CNE.
The CNE has no way to reproduce the encryption key unless every single software auditor provides his section of it. This is a very delicate procedure carried out with care, and every machine has a unique encryption key. Each of the ' thousand machines has its unique encryption key. Shirley: YouÂ´ve explained this before, what guarantees the secrecy of voting is that the time sequence of the procedure is randomized and therefore impossible to reconstruct. What people wonder is, is it possible at all to reconstruct ité Mario: No, absolutely not. Shirley: Why noté Mario: Because the algorithm used to write information in the memory has a standard random number generator.