Even Tom Scott's video about electronic voting shows in Brazil with a warning saying that "electronic voting is safe" (the same type of warning that shows up for conspiracy theories).
We had no problems with those machines since 1996. My take is that he does that to mobilize his support base.
One curious thing is that the centralized voting counting is done with an Oracle system. Some politicians questioned the contracts value, and why AWS or Google cloud weren't considered - authorities argued that only Oracle supported Oracle's cloud : )
13 elections in one of the largest countries in the world and not a single issue has surfaced. Probability says issues have happened but the fact that none have surfaced suggests they're negligible.
It's also nice to note that there have been already security audits on the current system, TPS (The public security test for TSE the Superior Electoral Court) happens every year addressing the security of e-voting in Brazil, for example, on TPS 2017, people managed to find arbitrary code execution in the Urna Eletronica (That's how we call the e-voting system here)
Each party has delegates present during vote counting, in state and city level. That only became an issue recently. That said, I do believe that the system would be better if physical counting could be performed as well, to increase public trust and to avoid the same situation in 82 fraud against Brizola.
You have the total of votes per machine. In looking at these locations local candidates have a good notion on how well their party is going to perform. Things that call their attention are the "bumps" like the one by the end of last US election. When that happens, they can signal the voting machine to be isolated and call in an electoral judge.
Sounds easy to evade. Once a machine has recorded 10+ votes since the last time it outputted a count, it could start giving a small probabilistic advantage to a preferred candidate, at the expense of other candidates. There would be no bumps, and the results would never differ by more than, say, relative 20% from the real count. E.g. if preferred candidate got 10% on one voting machine, it would give him 12%, taking the other 2% from all other candidates.
No bumps or disproportionate popularity in traditionally unpopular regions to raise suspicion.
You're suggesting large scale compromise of millions of voting machines. These machines are heavily guarded and secure. They are audited by members of parties and the civil society. I'm not saying such a thing is impossible but it more or less is.
Or the compromise (or cooperation) of a few of the software supply chain components used to program the chipset of the voting machines. Or the development machines used to write and upload the voting software. Or the foundry used to cast the chips. You think if e.g. China devoted ~5 years of their best hacking group's time to this, they couldn't do it? Because that's a very low price to pay to sway the election of a country such as Brazil.
> They are audited by members of parties and the civil society.
Audited how? Do they plug in a USB, download the software, and verify that it matches the (hopefully open-source, ideally formally verified) code it's supposed to be running?
Let's say it matches - how can they trust that the code the USB port emitted, is what is actually running?
they seize random voting machines from polling sessions and input a known amount of votes for each candidate and match them with the ending totals. (just one kind of audit they do)
VW was able to detect when an emissions test was being done, so there may be ways to detect this as well. E.g. by the unusually fast rate at which votes are being cast, or if this "seizure" involves moving the machine, reconnecting power to it, or any other kind of abnormal interaction.
Why make things so complicated when manual counting works perfectly well??
With auditing being so difficult, you're not even saving any labor.
Clearly you have no idea what you're talking about.
Manual counting does not work well. I cannot stress this enough.
Manual counting in the past has meant much work, rework, terror, confusion and rampant fraud and miscounting. Brazil is a gigantic country with over 150 million electors spread across an area larger than western Europe and with a population much more diverse than that.
The labour and the complexity involved in producing the machines and auditing is nothing compared to what manual counting was.
Can you be more specific? I know that population or geographic size alone has no effect on counting complexity - the number of people counting is proportional to the number of votes to be counted. Communicating the vote totals from electoral districts can be done through the same medium as the voting machines would use, and producing final sums takes only O(log n) parallel steps.
So where does the terror, confusion, and rampant fraud come from, and what is it about Brazil that causes them, when so many other countries manage to avoid them?
> the number of people counting is proportional to the number of votes to be counted
Each new person is a new liability. Complexity and likelihood of mistakes do grow with number of votes.
People tick ambiguous boxes for executive functions (somehwere between 2 candidates). How do you count that?
People write numbers or names of legislative candidates. Sometimes it's illegible. Sometimes more than one candidate share the same first name or surname and the voter only wrote one. How do you count that?
The people counting the votes are members of the civil society. They're working for free in horrible conditions (hot and humid, hard chairs, pressure to finish and go back home). They're tired. They're hungry. They're thirsty. They've been many hours speaking only with a bunch of other people whom they've only met in the day and some of them are fervorously against their ideology. They make mistakes. A lot of times they miscount on purpose.
In certain regions, the "colonel" (like a local caudillo, usually a big farmer with a lot of properties and the entire town dependent on him) will not let people leave the counting place until his candidate has an acceptable count.
People leave boxes blank. The person counting ticks their favourite candidate and scores a new vote.
Fiscals from parties question decisions about all the above. Sometimes there's need to recount. The problems above compound.
Criteria for counting ambiguous votes may change during the course of the counting. Do you recount everything? Do you just pretend it's ok to change criteria depending on what results you have this far?
It also makes everything messier and take much longer. There's a reason we move away from paper-based ledgers. Those reasons also apply here but at much larger scale.
This is just a glimpse of the problems. They're much larger and deeper than I could convey in a forum post.
Of all the problems you listed, only the "colonel" is ~unique to Brazil. Every single one of the others is something a country of any size has also faced, and solved, without introducing black boxes into the system.
Well, since I took the time to answer your previous question with many examples of issues and you seem to think they have been solved, why don't you go through my list and explain how you would solve each of them, or how you have seen them solved?
That would be helpful, and would be the polite thing to do. Simply saying they have isn't.
Also please note the last paragraph on my post. It's an important one.
Also remember, the black box is heavily audited and signed off by all interested parties. There's plenty of space for improvement, but it's not only good enough but it's also much better than what I observe everywhere else and our own past.
I believe they also have a button to spit out current vote count for each candidate, obviously still possible for the code to detect when that button is being used a lot to check if it's counting properly.
It's tricky because votes are meant to be secret (and voters aren't allowed to have proof of who they voted for, so they can't be coerced into revealing it), while at the same time you want the system to be secure.
Security audits and supervisors from all parties in all steps for starters.
The voting machine prints a total for that machine at the same time that the votes are transferred to the central counting, this process is public, the supervisor from each party get a copy of the total, and one copy is publicly affixed at the voting place, so parallel aggregating from the partial counts is possible (and has been done by sampling).
Internal counting on the voting machine is somewhat validated by picking random voting machines out of the voting places and conducting a parallel voting, publicly broadcasted, on which known amount of votes for each candidate are input and the result from the machine is compared to the expected. Only thing missing that I can think of is actually doing this parallel voting on the same time and place the voting was expected to take place.
