Kermit in the Brazilian elections

By Fernando Cabral, CEO, PADRAO iX Sistemas Abertos, Brasilia, [27 April 1995]

KERMIT SOFTWARE PLAYED A CRUCIAL ROLE in Brazil's general election of October 3, 1994, almost certainly the world's largest and most complex election ever. At stake in this country of 180 million were the presidency, all of the 28 state governorships, two-thirds (or 56) of the Federal Senate seats, and almost 600 Federal and 1000 State Representatives.

To cope with this task, the Tribunal Superior Eleitoral (Superior Electoral Court), or TSE, a specialized court of law dedicated to supervising all elections in the country, decided to take on the challenge of automating the process as much as possible, and to do it with a single stroke.

Introducing automation into a nationwide election in a huge country like Brazil, the same size as the continental USA, was fraught with hazards and obstacles. First, long-established regional oligarchies of conservative landowners would resist automation as a threat to their previous control over elections; second, the state data processing bureaus, which usually operate in the black only during election years, would be open to automation only if the bureaus could provide--and profit from--the automation instead of the TSE; and finally, the TSE staff's own lack of experience and know-how could threaten the success of the project.


While China, the USA, Russia, and India have electorates comparable to Brazil's, none of them ever had to cope with an election involving such large numbers, either because their elections are conducted differently or because their legislative and executive elections on both the state and federal level do not coincide as they did in Brazil in 1994.

VOTING IS MANDATORY in Brazil for everyone aged 18 to 65. 96 million voters, starting at age 16, elect their government officials directly, not through an electoral college as in the USA. The widely-anticipated election involved 27 states, the Federal District, 300,000 ballot boxes, eight presidential candidates, 231 Federal Senate candidates, 3164 candidates for seats in the Federal House of Representatives, 7977 candidates for one of the 600 seats in 27 states plus the federal district, and 134 candidates for 28 governorships. Altogether we are talking of 501,456,916 votes in the first round alone. And all of them, checked and double-checked, were transferred with Kermit software.

The chairman judge in charge of the TSE, Minister Sepulveda Pertence, and the court's director-general, Alysson Mitraud, did not take these numbers lightly. Despite the risks of failure and the uncertainty of gaining widespread support for their decision, the two officials decided to proceed with the automation. The single most important factor to the venture's success was close and effective partnerships with software and hardware vendors.

Among the software providers were Kermit developer Frank da Cruz of Columbia University, and his collaborator, Joe Doupnik of Utah State University, who both worked with the TSE to make everything run as smoothly as possible.

Old-Style Elections

The Brazilian electorate has evolved since the country's first election in the mid-19th century. At that time, only the richest could vote. The richest men, that is -- women could not vote. Eventually the standard for eligible voters was universalized. This meant that every man could vote, as long as he could read and write and was older than 21.

Not until the early 1930s did a modified constitution give women the right to vote. Unfortunately, a dictatorship quickly took control of Brazil and no elections were held until after World War II. So in fact, women voted for the first time in 1945. However, only in 1988 did the right to vote become truly universal. Gender, property, literacy, and other excluding criteria were eliminated and the minimum voting age was lowered to sixteen.

Brazilian elections prior to 1994 were susceptible to many different kinds of manipulation and fraud. Most have become parts of Brazilian folklore and have revealing names like the tip-of-the-pen vote, where the result desired by the local landowner was simply recorded on the document listing the tabulation of each ballot box. There was also the lunchbox vote where the local plantation coronel [In Brazil, originally a title of honor which could be awarded by -- or bought from -- the federal government. Eventually the title took a derogatory meaning when used to identify landowners, industry barons, and other rich and powerful people who used their money and influence to force common people and lesser politicians to do what they wanted. When referring to elections, the term always means the rich, influential, and conservative persons who use their power and money to allure or coerce poor voters.] would fill out the ballots before delivering them to the awaiting voters in a closed, or lunch, box. Not even the voters knew who they were voting for. The term corral vote means that the landowner kept his workers in his own corral, like cattle, and told them who to vote for. Like cattle, they obeyed. Not to be forgotten is the phantom vote, when the dead arose to cast their ballots. Of course, these ghosts existed in name only -- on their voter ID cards, their polling site signatures, and on their tombstones.

The 1989 Election

In October of 1960, a military coup and subsequent military dictatorships postponed Brazil's democracy and elections for 30 years. In 1989, Brazil held its first presidential election after three decades of oppression. This was the first election after the adoption of a new constitution in 1988, the first to have a second runoff election for close races, the first to have television coverage, the first to have candidates use computers to handle huge amounts of information, and the first to broadcast live debates. And it was also the first time the electoral courts would try their hands at automation.

Cautiously, the TSE opted not to dive directly into automation. Instead, they contracted state-owned data processing bureaus to do the data entry of each state's votes. Then in Brasilia, SERPRO, the federal data processing bureau, was contracted and regally paid to tabulate this data. It was a timid but important first step into the realm of automation, and there was no turning back.

New times, new ways to commit fraud. The computer introduced new potential and real ways to manipulate election results, such as a variation on the tip-of-the-pen scheme: simply alter the numbers during the transcription of the official ballot box results from paper to computer. The easiest way to do this without attracting too much attention is to turn blank or invalidated ballots into valid ballots.

The 1994 Election

For the 1994 election, the TSE was ready to fully accept any challenge posed by total automation -- it wanted to take computer automation as far as possible. This included automating the voter and candidate registry and verification, data transfer among regional election courts supervising the elections and tabulating stations, public access to voting regulations, and dissemination of the results. The only phase not automated was the tabulation of individual ballot boxes--not surprisingly, the only phase to suffer fraud in the 1994 election, primarily in Rio.

The elements of election automation include hardware, operating system, networking software, database software, transmission lines, security software, terminal emulation and file transfer software. For each of these elements, the Electoral Court found a working partner. Hewlett Packard Company (and its Brazilian distributor Mito), for example, supplied servers, operating system, and networking software. Trusted Information Systems (TIS) and PADRAO iX supplied security software and consulting services. And Columbia University furnished Kermit for terminal emulation and file transfers.

The Electoral Network

The electoral computer network was composed of 33 HP RISC servers whose size varies from state to state according to population. Each machine runs HP-UX and includes both TCP/IP and X.25 networking. TCP/IP would suffice save that the only public network available in Brazil, RENPAC, is X.25-based. In fact, it is only the bare bones of a network, providing no services, not even transport. So having TCP/IP and being able to make it run on top of X.25 was a distinct advantage. The available X.25 infrastructure permitted TSE to build a virtual network connecting all the regional courts within just a few weeks, embodying functionality that TCP/IP users were familiar with.

The RISC servers installed at each regional electoral court ran HP-UX, Oracle database software (supplied by Oracle's Brazilian distributor, UNIMIX), Gauntlet security software from TIS, and Columbia University's C-Kermit communications software. Each machine was responsible for tallying all state ballots, including those for state and federal representatives and senators, and for transferring the results of the presidential race from each tabulating station to the Superior Electoral Court in Brasilia; at the same time, it offered any interested party, particularly the press, all information concerning the election, especially the numbers coming out of the ballot boxes.

Meanwhile 3,800 Digital Equipment Corporation DECpc personal computers with modems, special data entry software, and Columbia University's MS-DOS Kermit software were installed at 2,000 data entry and transmission sites in all parts of Brazil, some of them so remote that they could only be reached by boat or small plane.

Thus Kermit software linked together the two worlds: the world outside the network and the world inside it. In more than one sense Kermit was the bridge connecting the external, unprotected world to the internal, Gauntlet-protected world.

Election Day

On Election Day, the one and only day all Brazilians are equal -- they each have one vote -- the polls are open from 8am to 5pm. Because of the numerous races involved, the voting was conducted in two parts; the state and federal races each had a separate ballot. First the voter shows personal and voter identification and receives a white ballot. Then behind a screen, the voter chooses one presidential candidate and two federal senators, and then drops the folded ballot into the ballot box in view of the recipient committee, which includes common citizens as well as representatives of the political parties. Then the voter receives a second ballot for state races, this time yellow, and marks it behind a paper screen suspended over a counter, folds it, and deposits it in the ballot box in front of the committee. When the polls close, the ballot boxes are sealed and sent to the tabulating stations, along with an official report stating the number of people voting at that site.

The next morning, dozens of tabulating teams, under the close scrutiny of the political parties' representatives, break open the ballot boxes one by one and check the reported numbers of voters against the ballot count for the box. If there are discrepancies, or if there is any indication of tampering, the ballot box is declared invalid. If everything checks out, the tabulation proceeds.

The white and yellow ballots are separated into two piles. First the votes for the presidency and the federal senate are counted; then the votes for governor and federal and state representatives. This is a time-consuming process since each name or number has to be checked against a long list of valid numbers, names, nicknames, etc. After all the ballots are counted, an official statement is issued and signed by the committee, the parties' representatives, and the judge in charge of the regional electoral court.

Then this official statement is transcribed to the PC. This is the point where most of the fraud occurred; blank and invalidated ballots were transferred to a chosen candidate. Cross-checking can't prevent this type of fraud; only an attentive monitor can spot it. After the transcription, a computer report is printed and checked against the original statement. If the numbers are equal, the file can be transferred.

Enter Kermit

Once the file transfer is authorized, the file is encrypted and compressed. Then Kermit assumes control, making decisions about how to connect to the remote server at the TRE (Regional Electoral Court): dial-up, TCP/IP, or an X.25 connection with or without a PAD (Packet Assembler/Disassembler).

Once the connection is established, the TIS software, Gauntlet, sends a challenge to the calling machine. Using her Digital Pathways' SecureNet Keys (token generator), the user types in her PIN and then the challenge. The generator produces a number that is sent as an answer to the server. If all is OK, the Gauntlet firewall opens and the file is transferred.

Once at the regional machine, the federal (white) votes are dispatched for tabulation at the TSE, while the state (yellow) votes are tabulated locally. Small numbers flow in, big numbers flow out. The results of each ballot box are added to the total as they arrive. An exact copy of each individual box's result is kept so if any fraud eventually turns up in any ballot box, its votes can be deducted easily from the total.
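
The bookkeeping described above, as an added example that is not code from the TSE system or the original article: each box's result is stored exactly as received, so a box later found fraudulent can be deducted from the running total. The class name, box ids and counts are constructed assumptions; the second sample box also shows that a transcription which moves blank and invalid ballots to a candidate still passes the voter-count cross-check.

```python
from collections import Counter


class BoxTally:
    """Running totals plus an exact copy of every ballot box's result."""

    def __init__(self):
        self.totals = Counter()
        self.boxes = {}        # box_id -> counts exactly as received
        self.revoked = set()   # ids of boxes deducted after the fact

    def add_box(self, box_id, counts, voters_reported):
        # A re-sent file must never be counted twice.
        if box_id in self.boxes or box_id in self.revoked:
            raise ValueError(f"box {box_id} already recorded")
        if any(n < 0 for n in counts.values()):
            raise ValueError(f"box {box_id}: negative count")
        # Cross-check against the polling site's report of voters.
        if sum(counts.values()) != voters_reported:
            raise ValueError(f"box {box_id}: ballots != voters reported")
        self.boxes[box_id] = Counter(counts)
        self.totals.update(counts)

    def revoke_box(self, box_id):
        """Deduct an invalidated box using its stored copy."""
        counts = self.boxes.pop(box_id)
        self.totals.subtract(counts)
        self.revoked.add(box_id)
        return dict(counts)


def demo():
    tally = BoxTally()
    # Constructed sample data: an honest transcription of one box.
    tally.add_box("BOX-0001",
                  {"A": 120, "B": 90, "blank": 30, "invalid": 10}, 250)
    # Constructed tampered transcription: blank and invalid ballots were
    # moved to candidate A. The sum is unchanged, so the cross-check passes.
    tally.add_box("BOX-0002",
                  {"A": 160, "B": 90, "blank": 0, "invalid": 0}, 250)
    before = dict(tally.totals)
    # A monitor later flags the box; its exact copy is deducted.
    tally.revoke_box("BOX-0002")
    return before, dict(tally.totals)


if __name__ == "__main__":
    before, after = demo()
    print("before deduction:", before)
    print("after deduction: ", after)
```
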

Newspapers, TV and radio stations, poll takers, and other interested parties could access partial results using a number of methods. Here again, TIS's Gauntlet ensured that only cleared information flows out and no tampering is possible. And Kermit was there too, ensuring that the information that flowed in piece by piece can now flow out in aggregate.

Kermit's update feature allowed any user with read privileges to dial in and download the latest numbers without tying up valuable telephone lines unnecessarily if no updates had occurred since last time. Kermit's flexible scripting language eliminated the end-user contact with the file transfer mechanism: after automatically dialing, Kermit would check whether the remote file was newer than the local one, and transfer it only if it was. In any case the local application would proceed. This way no file was ever transferred twice, and no user had to control anything: Kermit took care of all this automatically.

Using Kermit's powerful scripting language, the results of each ballot box, as well as the aggregated results, were easily transferred from end to end--all complexities were hidden under Kermit's well-thought-out user interface.

Why Kermit Was Chosen

Kermit was chosen to connect the PCs at the tabulating stations to the regional courts because:

1. Columbia University's Kermit software and protocol are robust enough to work dependably even when using the poorest telephone lines--and in Brazil THERE ARE poor-quality telephone lines!

2. Kermit software was available for both MS-DOS and HP-UX.

3. Kermit's powerful scripting language could be used to automate most of the logon/transfer/logoff process. This was an important concern since 11,000 people would be using PCs, modems, and communication software for the first time in their lives. It was not realistic to expect them to understand and learn how to transfer files.

4. Kermit can also use TCP/IP, allowing its use in different communication environments with the same interface (and TSE would not be forced to teach FTP to some people and Kermit to others).

5. According to different local conditions, the line used could be dial-up, leased, or X.25 PAD. When an X.25 PAD comes into play, NO PROTOCOL BUT KERMIT does the job.

6. The Kermit team could be counted on to help out if the need arose. And it did. TSE needed screens with messages in Portuguese so any Brazilian operator could understand them. Joe Doupnik and Frank da Cruz inserted a Portuguese translation and delivered it within a day. Then, when the new Digital Equipment Corporation PCs arrived, they behaved strangely when the COMx ports were manipulated; Digital rushed a sample PC to Joe, who quickly updated MS-DOS Kermit for these new machines. The updated Kermit software was transferred to Brazil using Kermit itself via long-distance phone call. Too good to be true. Without this instant response, all the election automation could have been compromised.

People may wonder why the TSE didn't try other protocols like ZMODEM, YMODEM and akin beasts. Simple to answer in a nutshell (the long answer has been provided above): Kermit can be used with 7- or 8-bit lines, with leased, dial-up or PAD lines; the scripting language can be used to automate even the most complex operation; it operates smoothly in MS-DOS, MS-Windows, and HP-UX environments; and it delivers superb, unbeatable performance in all kinds of connections and line conditions. Finally, if anything bad happened, prompt and expert help was just a phone call or an e-mail away.

The Results

The election was marred by widespread fraud in Rio de Janeiro. But the automation helped detect it, allowed its extent to be assessed, and prompted measures to avoid it in round two. The time saved by the network was more than 75% in most states, the big exception being Rio, where bandits blocked entry of votes into the system (where they could not be altered) until after the ballots were forged.

But despite minor disturbances and a few major troubles, the election was considered a huge success. President-Elect Fernando Henrique Cardoso is recognized as a prudent person, an intellectual who has written dozens of books and taught sociology in the USA, England, France, and Chile. As the Economy Minister he reduced inflation from 48% per month to about 3% in less than five months. Since his election as President, inflation has dropped to under one percent per month, and the Real has gained value against the US dollar, which not even the wildest dreamer could have predicted a year ago. 85% of Brazilians are optimistic about the future and the economy is growing by leaps and bounds.

The Future

Today Brazilians seem to be ready and eager to have the next election in 1996 completely automated. The TSE conducted extensive studies not only of computer technology, but also of the Brazilian public's reactions to these new technologies to identify the right tools to provide a fully automated election within two years. In this upcoming election, when almost 5,000 mayors and 50,000 city representatives will be elected, 100 million Brazilians will touch a screen, not mark a piece of paper. There will be no transcription, therefore there will be no fraud. Unless we come to know some new kind of cyberfraud...