Hacking plan reported to the CPI would not prove possible flaws in the ballot boxes; understand

RENATA GALF
SÃO PAULO, SP (FOLHAPRESS)

Even if put into practice, the alleged plan reported to the CPI on January 8 by programmer Walter Delgatti Neto, known as a Vaza Jato hacker, would not be able to prove that the electronic ballot boxes and the electoral process are fragile.

Specialists in computer engineering consulted by the report explain that, if implemented, the plan would at most have an effect on convincing a lay public.

Bolsonaro was recently convicted by the TSE (Superior Electoral Court) of lies and attacks on the electoral system, thus becoming ineligible for the next eight years.

Understand what was reported to the CPI and why this would not be evidence of the fragility of the electoral process.

What would the plan be?

According to Delgatti, the campaign of former president Jair Bolsonaro (PL) planned to make an electronic ballot box work with a false and adulterated source code to divert votes. The hoax would occur for display during the celebrations of September 7, 2022, less than 1 month before the election.

The idea would be as follows, as he stated: “They take an urn, borrowed from the OAB [Ordem dos Advogados do Brasil]I believe, so that I could put an application of mine there and show the population that it is possible to press one vote and leave another”.

“They wanted me to make my own source code, not the official one from the TSE, and in that source code I inserted these lines that they call malicious code, because its purpose is to deceive, to cast doubt on the election,” he said. .

Does the OAB have ballot boxes?

After Delgatti’s speech, the OAB released a note in which it states that it does not have electronic ballot boxes and that it did not have any election from the entity in 2022.

“In 2022, there was no election in the OAB system, and no electronic voting machine was used by the Order, which also did not request the loan of urns from the electoral courts”, says an excerpt from the note.

What is source code?

In the ballot box, the keyboard and display, all the parts that the voter can see and touch, constitute the hardware. What allows the ballot box to function and register votes are the applications inside it, also called software. They are programmed with instructions and commands in a specific language, a layer that is not seen by people, the so-called source code.

Could the plan prove some kind of fragility?

Experts heard by the report explain that the plan, even if put into practice, would prove nothing.

Even if Delgatti had access to a ballot box and managed to run a program that diverted votes, this would not be a demonstration that it could be reproduced in the real context of the election.

To rig the election, he would have to succeed in tampering with the ballot box code in the TSE and get none of the entities involved in monitoring the process to notice.

“Basically what he said was that he can program a computer”, says Eduardo Lopes Cominetti, who holds a master’s degree in computer engineering and is a cryptography and information security researcher at USP’s Computer Architecture and Networks Laboratory.

The laboratory has an agreement with the TSE, signed in 2021, which allows them to analyze the source code and carry out security tests on the ballot box.

“The complicated part of the source code in the electoral process is the following: for what he said to work, you would have to make this modification and this modification would have to go unnoticed by everyone who is auditing the system”, says Cominetti.

Lucas Lago, master of computer engineering and member of the Aaron Swartz Institute of Cyberactivism, also believes that the alleged plan would be innocuous in proving anything.

“From a technical point of view, it would be of no use”, he says. “Anyone with a computer, who knows how to program, can do the same thing he mentioned he would do,” he says.

“It would be quite simple to think that this would prove anything”, says Lago. “From a theatrical effect point of view, maybe it had some effect, yes. I understand that most people do not have this view that this would be just charlatanry.”

Can the urn’s source code be inspected?

Yes. In addition to being submitted to the so-called TPS (Public Security Test), in which the ballot box’s programming undergoes analysis by hackers enrolled in this TSE project, the code is available for auditing by inspection entities at the TSE. In this list are, for example, OAB, Federal Police and political parties.

Additionally, in the last election, the code was sent to partner universities for inspection.

In these analyses, it is possible to verify that the programming of the ballot box does what it is intended to do: register the votes, guaranteeing the secrecy of those who voted.

What happens after that?

The source code used in the election also undergoes a public ceremony, in which it is digitally signed, compiled and sealed. At the ceremony, entities check the source code to make sure it is the same as previously audited.

Codes are recorded on non-rewritable media and physically signed by those present. After that, they are sealed and stored in the TSE’s safe room.