|New Venezuelan Voting Machine (Photo source: venezuelanalysis.com)|
The Foundation for Democratic Advancement is grateful to Smartmatic for its prompt and thorough answers. Smartmatic responded with the following information:
"1) Specifically, how do your machines maintain the anonymity of the electronic ballots?
Smartmatic's voting technology guarantees vote secrecy at all times. Registered votes are stored randomly in the voting machine’s memory, making it impossible to reconstruct the voting sequence. Prior to storing, votes are also encrypted, so that only certified systems can decrypt, extract and use (that is, totalize) the information stored in each machine. It is technically impossible to reconstruct the sequence.
2) How high is the risk of voters being identified with their cast ballots?
There is absolutely no risk. First of all, the voting machine stores no information whatsoever about the identity of voters. In other words, the record layout of registered votes does not include any personal identification of whoever has voted. Thus, the only way to theoretically link any given vote record with a person would have to rely on information which, in short, isn't there. In order to know the choice(s) made by any given voter, these two conditions involving the time factor should be met:
There should be an exact registry of the order in which every vote was cast in a given voting machine.
Additionally, there should also be an exact registry of the order in which every voter used the machine.
Regarding the first condition, no voting machines used in Venezuela keeps any time or sequence record of the votes whatsoever.
Regarding the second condition, we know that the manual voting logs used in Venezuela do not register the time when the elector voted, hence making them useless to reconstruct a sequence of the voting process. Moreover, fingerprint readers are used to validate and identify the voters when they enter the assigned voting station, but such fingerprint readers don’t keep a time/date registry of the voters, either.
Even if it were possible to somehow have the sequence in which the voters entered the polling station, one would need the voting machine to register the order in which the votes were cast, so both sequences could be matched and the choices cast by each voter determined. To prevent the reconstruction of the sequence, the Smartmatic system used in Venezuela employs techniques that make said reconstruction impossible from both software and physical standpoints.
At the software level, the date/time data related to the creation/modification/access to the votes is handled in a non-sequential way, modifying the attributes of the Master File Table.
At the physical level, every time a file with information about the vote is saved into memory, a “random noise” is generated. That makes it impossible to reconstruct the exact creation order of the files, even with “data recovery” tools. In fact, if one compares the contents of the internal memory vs. the external one, they will have the same votes but their physical sequence will be different. In plain English, it’s not possible to reconstruct the order of registry of the votes using the machine’s operating system or any other external tool.
With these measures in place, it’s not feasible to know the voting sequence registry in the machines. Voters can be sure about the secrecy and the confidentiality of their choices.
How do these risks compare to a paper-ballot system?
A paper-ballot system, at least the one used in Venezuela before automation, did not have the capability to protect voter confidentiality. In Venezuela, votes could be easily traced back to voters, as each paper-ballot had a unique number that could be linked to the voter. Also, prior to counting ballots were stored in cardboard boxes, vulnerable to human manipulation or damage during storage."
The FDA followed up with Smartmatic about the safeguards to protect the integrity of vote totals. Samira from Smartmatic (on October 2, 2012) responded:
"The key used to encrypt and decrypt the information in the voting machine is unique per voting machine. In order to have access to it you require an trusted application, for an application to be trusted it must be compiled with a master key that is generated by the input or partial keys produced by each political party and the CNE. The compilation process uses an special application (whose patent is being introduced by Smartmatic) that is audited by the political parties and the CNE; this application combines the partial keys in a secure manner and produces the trusted application.
The application used to decrypt the information stored within the voting machine is only generated if there is a reported mismatch in the several audits that the system undergoes, including the 53% sample audit that verifies the exactitude of the printed vote receipts against the results reported by the machine –who are both printed in paper with copies for each party and transmitted over secure lines to the national tabulation center. As of now, the audits have been completely accurate so there has been no requests to produce the decryption application.
In short the answer is no, neither the Government, nor the CNE and even less Smartmatic have the capability to decrypt the information stored in the voting machines without the concourse of all political parties."
According to the Smartmatic response, vote total tampering is prevented by the encryption of votes, so that only certified systems can decrypt, extract and use (that is, totalize) the information stored in each machine. In addition, there are 14 different audits on the Venezuelan automated machines and observers of the audits. Further, vote totals recorded in machines are crosschecked with vouchers. This process is subject to observation by political representatives, and tally sheets are signed by electors and witnesses.
From the 2012 FDA Electoral Fairness Report on Venezuela:
Every aspect of the Venezuelan automated ballot system via computers is subject to 14 audits, including software and closing vote totals (Electoral technology in Venezuela, 2012).
After voting, the voting machine issues a voucher to the elector that s/he deposits in a box. The results recorded on the voting machines are crosschecked with the vouchers (Electoral technology in Venezuela, 2012).
Voters who use voting machines have their fingers stained with a dye that sticks to the skin and cannot be removed by any product for a period of time (Electoral technology in Venezuela, 2012).
Venezuelan automated ballot system subject to observation by political representatives (Electoral technology in Venezuela. 2012).
Political representatives are permitted to ink their fingers and test different soluble substances to verify reliability of ink used in elections (Electoral Technology in Venezuela, 2012).
At polling stations, the Electoral Board allows the local presence of electors and electoral witnesses with no limitation other than the local physical capacity and security of the election (Election Law, Article 140).
The tally sheet of election results shall be legible and be signed by the electors and witnesses present (Election Law, Articles 142-143).
Political organizations, groups of electors, candidates or the candidates on their own initiative and indigenous communities and organizations have the right to have witnesses to the electoral bodies’ subordinates (Election Law, Article 157).
Witnesses will not be inhibited in performing their duties by members of the electoral bodies (Election Law, Article 158).
The automated electoral system has an electoral audit and verification audit by citizens. Electoral audit ensures the system is fully functional and reliable. Electors receive voting receipts to confirm that they voted as they intended (Election Law, Articles 159-162).
Smartmatic letter to the FDA
2012 FDA Global Electoral Fairness Report on Venezuela