Saturday, December 16, 2017

Processing an Acta: Rules and Procedures

Amidst allegations of voting fraud, the Honduran Tribunal Supremo Electoral does itself no favors with its incapacity to explain what it does. For many outside observers, it may be worth reiterating that the TSE does not directly count ballots; even when voting irregularities are charged, they mainly return to and re-examine the summaries of votes at each polling place, or MER.

Even those of us who have been following contested TSE procedures through the last three electoral cycles can get confused about how the TSE processes these vote tally sheets (acta in Spanish). Some confusion about how the political parties obtain actas has been evident in blog posts and other coverage. Although what follows is dense, it is an attempt to make this more transparent.

There are published rules governing how actas are supposed to be generated and transmitted to the TSE. The rules are contained in a document issued by the Tribunal Supremo Electoral on November 21 and published in La Gaceta of November 24, 2017, just two days before the election. They are titled "Reglamento del Sistema Integrado de Escrutinio y Divulgacion Electoral (SIEDE)" and describe both the hardware and software environment for the processing of vote tally sheets for the three elections held on November 26, 2017.

Here's how it was supposed to work:

First, there is a physical space in a voting center where there are two different kinds of "digitization kits". This is the ATX, the "area of transmission (área de transmisión)".

It contains a tablet kit, consisting of a tablet, a multifunction printer/scanner, and a GSM (cell phone) modem. It also contains the Operador de Mesa Receptora (OMR) kit, consisting of a tablet, multifunction printer/scanner, and 2 GSM modems, one for TIGO and one for CLARO, the two major cell phone providers in Honduras. 

Each OMR kit serves up to five MER (polling places). The modems are supposed to be connected to a Virtual Private Network (VPN) over the cell phone provider's data network, terminating in the TSE's computer center.

Each OMR kit is operated by a custodian who is designated and credentialed by the TSE.

On the day of the election, the TSE is supposed to reset its database, and all counts, to zero at 6 am and generate and sign a document that this occurred.

At 7am, the digitization kits are set up in the voting centers.  At that time the security envelope containing the login information for that specific kit is opened, and the operator logs in over the VPN to the TSE system to receive encryption keys, security certificates, digital signatures for each MER that that operator will support, and only for those MER. 

The operator then generates an "hoja de prueba" that is supposed to show that there are no images of actas stored on the tablet, prints it, signs it, then scans it and sends it to the TSE. This process is supposed to shut down the OMR kit, so that it cannot be used until after the voting center closes at 4 pm.

At 4 PM, when the voting center closes, the software controls the transmission of the voting tally sheets. Voting tally sheets (actas) are generated at each MER for each of the three levels of election, in this order: Presidential, Congressional, and then Municipal. Actas are signed by the representatives of each political party present at the MER.

Then the President of the MER, along with any members who want to join in, takes the vote tally sheets physically to the ATX area inside the voting center.

Once the acta is at the ATX, it is the responsibility of the ATX custodian to wake up the equipment, log in using the TSE-supplied credentials, and verify the ATX information (department, municipality, voting center, identification number of the ATX, number of the MER).

We can assume that all of this information is contained in the JSON information transmitted to the TSE.  We can also guess that this error-prone manual process is responsible for the actas in the TSE system today that have images of the tally sheet for a particular MER, but are filed within the system as if they are the tally for a different MER. This is acknowledging that there is the potential for operator error, which the system is supposed to have safeguards to prevent.  Once the information is entered into the tablet, the custodian is supposed to make sure the whole system is working (the procedure to do this is not specified).

Then the OMR custodian scans the actas in the ATX that serves the particular group of MERs.

The software works off a QR code on the acta and verifies it is for a MER assigned to this ATX and OMR kit. Once scanned, the system displays the scan on the tablet for the custodian to verify the quality of the scan, that the information is legible, and that it is correctly scanned with no missing or obscured information. If it is OK, they click a button on the screen to transmit it. If it's not OK, they click another button on the screen to rescan the acta.

Transmission occurs between the ATX and a receiving server in the TSE computing center, where it is then replicated to the servers of each of the political parties.

The political parties are responsible for installing a fiber optic network between their server and the TSE network. Each acta replicated is encrypted with a digital signature that guarantees its authenticity, as transmitted by the ATX.  The political parties and the TSE verify the digital signature of the acta to validate it.

There is a second check on poll tallies provided for the political parties. Back at the OMR, once an acta is transmitted up to the TSE, the custodian prints enough copies of the acta to give to each party's representative on the MER and stamps on the back of each one a rubber stamp that says it conforms to the original and is signed by the secretary of the MER. This process is repeated for each of the OMR kit's MER for the actas for the Presidential, Congressional, and Municipal elections.

Obviously, if there isn't a party representative at a specific MER, this copy won't be received by the party. In general, when the parties cite their actas, they mean the ones transmitted by the TSE, but they may also have the paper copies.

Once transmission concludes for all actas, the custodian prints a receipt for his/her service as custodian and transmits the log files to the TSE.

Now here's one place where what happens introduces the fear of manipulation: all the actas scanned at the ATX centers are supposed to be scanned a second time in Tegucigalpa when the physical package of electoral materials (maletas in Spanish) arrives. The OAS report noted that some of these arrived without security, already open. Pictures of a truck backing up to a hotel in Tegucigalpa that appeared to show such packages raised the concern about some actas possibly being scanned outside the INFOP facilities. In both situations, there is concern that a substitute acta could have been inserted in place of the one scanned on election day at the ATX center.

The published rules make clear that at INFOP, as the documentation physically arrives, the actas are taken out and scanned a second time, and that those scans go into the TSE computers and are replicated to the party servers.

The scans produced in Tegucigalpa replace original scans transmitted from ATX centers. These scans are clearly done using different procedures with a different way of getting into the system. INFOP does not use the ATX software. There are no documented security protocols to provide for the authenticity of the INFOP scans in the rules as printed by the government.

We presume that the scanner and software in the INFOP center is different than that used in the ATX centers. The images from scanning at the INFOP center (1) lack the time and date stamp at the top, and (2) don't clearly show the security tape applied to the acta to prevent alteration.

It is notable that the otherwise very specific rules from the TSE do a bunch of hand waving rather than documenting the scanning protocol at the INFOP warehouse. It is only by reading between the lines that we can infer that these scans replace the ATX transmitted scans in the TSE system.  A proper software/procedural audit would have questioned why there were no protocols described for this process, but the TSE didn't ask its audit firm, Audisis, for a pre-election audit.

What the published rules make clear is that each political party can receive both a physical certified copy of each acta from its representative on the MER, and a digitally transmitted, encrypted acta image from the ATX, replicated from the TSE receiving server. 

Each party also receives a scan of the acta made in the INFOP warehouse as each election package physically arrives back at the TSE warehouse and is opened and scanned. 

At no point does the TSE compare each of the scanned images with the paper original and the votes recorded in its computers to validate the results of the election. That simple procedure would detect some kinds of fraud that are suspected or rumored.
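
The comparison described above, sketched as an added example (it is not code from the TSE, its rules, or this post). It assumes the vote counts have been transcribed from each scan and that each image's QR code has been decoded to a MER number; the field names and sample records are constructed for illustration.

```python
from collections import defaultdict

def reconcile(scans, recorded):
    """scans: dicts with filed_mer, qr_mer, level, source ('ATX' or 'INFOP'), votes.
    recorded: {(mer, level): votes} as stored in the tally database.
    Returns a sorted list of (mer, level, finding) tuples."""
    findings = set()
    by_acta = defaultdict(dict)
    for s in scans:
        key = (s["filed_mer"], s["level"])
        # The QR code on the sheet names the MER; it must match where the image is filed.
        if s["qr_mer"] != s["filed_mer"]:
            findings.add((*key, f"{s['source']} image belongs to MER {s['qr_mer']}"))
            continue  # never compare votes taken from a misfiled sheet
        by_acta[key][s["source"]] = s["votes"]
    for key in set(by_acta) | set(recorded):
        atx, infop = by_acta[key].get("ATX"), by_acta[key].get("INFOP")
        if atx is None:
            findings.add((*key, "no election-day ATX scan to compare against"))
        if atx is not None and infop is not None and atx != infop:
            findings.add((*key, "INFOP rescan differs from ATX scan"))
        for source, votes in by_acta[key].items():
            if key in recorded and votes != recorded[key]:
                findings.add((*key, f"database tally differs from {source} scan"))
        if key not in recorded:
            findings.add((*key, "scan present but no tally recorded"))
    return sorted(findings)

P = "presidential"
SCANS = [  # constructed sample records, not real election data
    {"filed_mer": 101, "qr_mer": 101, "level": P, "source": "ATX", "votes": {"A": 120, "B": 95}},
    {"filed_mer": 101, "qr_mer": 101, "level": P, "source": "INFOP", "votes": {"A": 120, "B": 95}},
    {"filed_mer": 102, "qr_mer": 102, "level": P, "source": "ATX", "votes": {"A": 80, "B": 110}},
    {"filed_mer": 102, "qr_mer": 102, "level": P, "source": "INFOP", "votes": {"A": 110, "B": 80}},
    {"filed_mer": 103, "qr_mer": 107, "level": P, "source": "ATX", "votes": {"A": 60, "B": 61}},
]
RECORDED = {  # constructed database tallies
    (101, P): {"A": 120, "B": 95},
    (102, P): {"A": 110, "B": 80},
    (103, P): {"A": 60, "B": 61},
}

if __name__ == "__main__":
    for mer, level, finding in reconcile(SCANS, RECORDED):
        print(mer, level, finding)
```

The party's certified paper copy could be added as a third source and compared the same way.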
