In the DEG, 211 thousand more people voted in the presidential elections than there were voters. What does this mean?
Introduction to the course of business
During the March presidential elections, I was an official observer of the federal electronic voting with access to the observation node. Together with my colleagues, we discovered that the number of votes in the official protocols was 211 thousand more than the number of voters uploaded to the DEG system. That is, in online voting, in some regions, the turnout exceeds 100 percent. How did this happen?
Who am I?
To understand what will be discussed further and what an observer of electronic voting does in the current reality, it is necessary to briefly explain the observation process. It is important not to confuse the federal DEG and the Moscow one, they have different architecture, so my criticism concerns only the federal system. If we omit the difficulties of obtaining official documents, then the observer is given access to two things – the portal and the observation node.
Observation Portal — is a website on the Internet where Rostelecom uploads data on the voting process, both in the form of a ready-made visualization and in the form of initial data on the operation of the DEG system (they are also dumps). It is not possible to check whether this data is directly related to the ongoing voting; it is assumed that the organizers are simply trusted. In addition, there were precedentswhen signed data dumps were replaced retroactively. There was even a court case on this topic, but you yourself understand what decision the Russian court made.
Observation Node — you are provided with a separate machine, where, roughly speaking, the blockchain operation log is transmitted unilaterally in online mode. The observer can follow the course of the elections or even download all transactions from the beginning of the system for subsequent analysis. It is not known for certain whether this data is related to direct voting, but, apparently, real information is sent there, since it is almost impossible to reliably fake it. In theory, the data from the portal and from the node should be the same.
I was working with a node at the time, downloading data from it for subsequent analysis to find anomalies. Since DEG had a major failure during its work on the presidential elections, all my attention was focused on it. And only a few months after the elections, Viktor Tolstoguzov attracted my attention to the fact that the data on the number of voters differs in the dumps of the work of electronic voting and in official documents. I dug deeper and was very surprised by what I found.
Let's get down to business!
It turned out that in the downloads from both the node and the portal there are 211 thousand more votes than voters, which makes the turnout in some regions higher than 100 percent. And an obvious question immediately arises: is this a ballot stuffing? After the investigation it turned out, as the classic said, that this is something better than a ballot stuffing – it is a ballot stuffing pattern.
Comparison table of the official number of voters from the protocol and in dumps for observation:
Region | Voters in the dump | Voters in the protocol | Difference |
Altai region | 238299 | 276808 | 38509 |
Kamchatka Krai | 5125 | 44042 | 38917 |
Kaliningrad region | 7684 | 67794 | 60110 |
Novosibirsk region | 188922 | 245767 | 56845 |
Tomsk region | 73048 | 90049 | 17001 |
Sum | 513078 | 724460 | 211382 |
The number of votes in the protocol and in the dumps is approximately the same, only the voters are different. For example, in Kamchatka there are only 5125 voters in the dump, which is 8.8 times less than stated in the final protocol. But if you look at the votes in the dumps, there are the same 40 thousand as in the official data. It seems that they did not add votes from above, but rather removed voters. But how is this possible?
It is highly likely that this was a banal technical error, and not an attempt at fraud. This is indicated by the relatively small volumes and local distribution of “disappeared” citizens by region. According to my inside information from the DEG developers, this was a failure to load the voter list into the blockchain; the program did not work correctly and simply did not upload part of the database. Should we believe this version? In fact, the answer to this question is not so important, we will not be able to reliably verify this, the most important and interesting thing here is something else.
The errors of the system often say much more about it than its documentation or statements by the developers. What does the fact that there may be more votes in the DEG than voters show us? This means that they exist separately from each other in the blockchain without any strong connections, since obviously a vote cannot come from nowhere without a voter. And this is already a very strong argument in favor of the fact that the real architecture of the DEG is not tied to a blockchain open to observers, which opens up space for hypotheses about interference in elections.
If there is no connection between the voter and his ballot, then theoretically it is possible to add votes or “dead souls” to the system, and it will be practically impossible for observers to catch this.
I built a diagram of the business processes of the federal DEG taking into account the revealed facts of the architecture in order to understand where the vulnerability might be.
To understand how to implement a real injection, I built a diagram of the DEG business processes, using my many years of experience interacting with it and external consultations with knowledgeable people. I deliberately did not resort to official documentation, because it can say anything, and it is unclear how it correlates with reality. Moreover, this is GOST 34, which, according to rumors, is not even fully written after many years of using the system. Therefore, reverse engineering is our everything.
It turned out that the blockchain works as if on the side: voters are loaded into it before voting and, in fact, it is not touched anymore, and all the work is done with the database inside Rostelecom. Voters can be added or removed from it, and an external observer will not be able to see this.
It is also important to note that the unique identifier (GUID) of the voter in the blockchain for the issued and returned ballot is generated from different places: in one case from the passport, in the other – from the SNILS. And this makes it impossible for the observer to compare the voter's identifiers and understand whether the voter voted with the same ballot that he received.
Taking into account all these circumstances, there is a wide scope for hidden interference by organizers in the elections.
Instructions for throwing in
I consulted with several DEG analysts and developers of similar systems and came up with the following scheme of potential vote stuffing, based on the above-described facts. Informally, I was confirmed that such a manipulation scheme is theoretically possible.
Important! I am not claiming that such a leak occurred; I am only saying that it is technically possible.
Real voters are loaded into the blockchain and the Rostelecom database, voting begins, people vote, but suddenly the turnout is insufficient for the management. To solve this problem, additional voters are loaded into Rostelecom's internal database, who vote for the right person. In order to completely hide the evidence and avoid confusion in the numbers, the same number of real voters who did not vote can be additionally deleted. It is impossible for observers to understand that the votes are not coming from the people who were originally on the lists. As a result, it turns out that the turnout is at the required level, and in the voter lists available for observation, the non-conflicting number of voters and votes is less than 100 percent. Everyone is happy.
To make it clearer, I will give an example:
Let's imagine that we have elections with 10 real voters. This number is uploaded to the blockchain and to the Rostelecom database. Voting begins, but out of these 10, only 5 vote, i.e. the turnout is 50 percent. These 5 votes are visible to observers in the blockchain. To correct the results, someone adds 5 more voters to the RTK database, and they also vote, i.e. the turnout is already 100 percent. From the blockchain side, it is impossible to detect interference due to the lack of connection between the vote and the voter, i.e. we do not understand whether the vote came from a voter who was on the lists initially or not. The required turnout is achieved, but in fact there are 15 voters in total, not 10. In order to leave no traces at all, you can remove the same number of non-voters from the list of voters before adding “dead souls”.
Well, here are the conclusions:
The main conclusion is banal and has been repeated many times: the system is not transparent for observation, and all power over it is in the hands of one person, who can manipulate the voting process as they wish. And in the current conditions, it is unlikely that anything will change. Whether there are falsifications or not is not so important. If in theory they can be carried out, then the system is flawed.
To eliminate the possibility of this type of stuffing, it is necessary, at a minimum, to conduct all work with voters through the blockchain, and not through your internal database, which is not available for observation. And, of course, to generate voter identifiers (GUID) from one place, so that it can be understood that the same voter who received the ballot, voted with the same ballot. But these are all half measures.
To even begin to talk about the honesty of the DEG, we need, at a minimum, an open code and a guarantee that it is used during voting. But so far, neither the Moscow DEG nor the federal one have this.
Thank you for your attention!
