Deputy Minister of e-Government Mihail Stoinov: The State Agency for National Security (SANS) report is full of false statements

Video recording is a mandatory part of the machine authentication procedure. This was stated by Deputy Minister of e-Government Mihail Stoinov.

BGNES Agency publishes the full text of his statement sent to the media:

"As it has already become clear, less than 24 hours before the day of reflection, the machine vote that protects the election result from hundreds of thousands of invalid votes was attacked. The attack also targeted me personally, in my capacity as the person responsible for the coordination and control of the process - my task is to sign the decision to authenticate or deauthenticate the machines. Scandalous false information was used against the Ministry of eGovernment (MEG) and me in particular. Now that I am no longer at risk of being accused of election day interference, I make the following clarifications:

Why am I responsible for authenticating the machines?

The Electoral Code specifies the Ministry of e-Governance as the responsible institution that certifies the voting machines.

I, as Deputy Minister, have been designated by order of Minister Alexander Iolovski to be responsible for the coordination and control of the machine authentication process in the part in which the Ministry of e-Government is responsible. I have appointed the Director of the Network and Information Security Directorate, who is the MEU's most senior civil servant in the field of information security and is also the National Cyber Security Coordinator, to lead the group that certifies the security of the machine vote.

I have the full legal right and, above all, the obligation to lead this process, to participate in all its stages and to sign all documents, including the final act, with which the certification process ends.

I handled all correspondence with the Central Election Commission (CEC) related to this process, participated in workshops with the CEC, and at no time before the active action against the fair vote began did the CEC question the legitimacy of my actions.

I recall that during the parliamentary elections in October 2022 and April 2023, all the activities that I perform were also delegated to deputy ministers of e-government. Without any objections from the CEC. Including when a former Deputy Minister of e-Government signs a decision to authenticate the machines.

Why have I ordered another source code build on October 25th?

I did not order. I have the right, and I wanted to follow from beginning to end an important step in the authentication process - configuring a machine and test voting with it. The source code is not involved in this process, and this process has nothing to do with the trusted source code build. Trust building is by definition a process that is carried out by the CEC. And it happens only once – on October 20, under the leadership of the CEC, on a CEC laptop. MEU and the representatives of 4 parliamentary parties and coalitions were only present and observed. At no time did the MEU have access to the trusted code build. At the October 20 event, the CEC also generated the key for the machines, on their laptop. From that moment on, no one but the CEC can "touch the code" for the elections and change anything in the trusted software. And the task of their expert (Assoc. Zlatogor Minchev from BAS) is to ensure that only the CEC has access to the generated keys.

The end result of the trusted build of the source code on the CEC laptop was captured on multiple cell phone video cameras – by CEC representatives and almost all parties – a fact that apparently caused no concern to the services that attended the event. At this same event, a voting machine was configured, which was not forbidden to be photographed (and no one demanded the videos of the representatives of the CEC and the parties) - the same process, but in a test environment, I also filmed, a few days later. That is, the installation of the source code can be captured freely, but when we perform tests - it can't?

The work of the MEU on the authentication of the machines continues even after the entrusted construction of the source code - because of the very short time frame in which we have to deal with it after receiving the source materials from the CEC (16.10). This is the process I am responsible for. Its purpose is to test the correct operation of the hardware and software end-to-end by simulating the processes to be performed by each sectional election commission on election day.

And in previous elections, the authentication process continues after the trusted code build. Why? Because in order to complete the authentication of the machines, the MEU must receive a number of documents, information, smart cards from the CEC. In all elections, including the current one, these documents arrive late.

On October 25th, I proceeded with the final pre-certification testing – provisioning and configuring a test machine with test software, in person in front of me as the legally authorized person responsible for the process. As I said before, it doesn't matter at all whether the testing ends before or after the trusted code build. If it mattered, DANS and CEC would have reacted and objected in the previous elections as well.

Why is this video recording needed on October 25th and what is it?

Video recording is a mandatory part of the machine authentication procedure. No part of this process is secret.

According to the internal rules of the MEU, the application of photos and video material to the documents certifying that the machines are tested and suitable for voting is mandatory. The recordings I made on October 25th do not contain any parts of source code, other code, private keys, certificates, or any sensitive or secret information. Only test software on a test machine.

In front of the cameras in the hall, I transferred the footage and photos to a password-protected flash drive, which I handed over to the head of the authentication team.

After the flash drive transfer, I deleted all photos and videos from the phone. This can be confirmed by DANS, who have the phone that I voluntarily left with them to assist in establishing the facts.

None of the materials created can be installed on the voting machines, as they are not signed with the CEC key, but with a test key generated in the MEU for testing purposes, on test machines.

Why did the MEU certify the machines so late?

As in all previous elections, the CEC provided the necessary materials to the MEU with a huge delay. Some had to be re-claimed by the CEC because of discovered errors.

We received the CEC flash drive with the resources of the machines only on the evening of October 16, due to which the MEU's time for verification was once again significantly shortened compared to the 20 working days stipulated in the Election Code.

Being held up for questioning at DANS for over 4 hours on the day we were ready to certify the machines further delayed the process - so the machines were certified late in the evening on October 27th. But again before the deadline, which is October 28th, 5:00 p.m.

What is the "DANS report" sent to institutions on October 26, 2023?

The DANS report of October 26th is full of unverified and false statements about my work on the final testing before the machines are certified.

DANS suggests that I exported sensitive information to a flash drive - this is a lie that is even technically impossible. Claims that I saved the source code "to look at and play with" are not only false (easily verified by the video), but also practically impossible - the source code is over 500,000 lines of text that cannot be captured on camera.

All the events described in the DANS report took place in the official machine authentication room at the Ministry of e-Government. The hall is equipped with cameras and an access control system. I have worked only in the presence of the members of the working group and not for a moment in "warehouses and dark rooms", nor in rooms where there are machines intended for voting in the elections. There was no machine that could be used to vote in the MEU. We only have six non-voting test machines.

Contrary to the statements in the DANS report, none of those present in the hall forbade me to take pictures.

Before the DANS report is sent to the institutions, I am not wanted by DANS, even for oral questions. I am not aware that DANS representatives have carried out an on-site inspection at the MEU.

DANS has not reacted in any way to absolutely identical processes and situations conducted during previous elections.

All facts can be checked in the internal documents of the Ministry, in the official certification documents and in the correspondence with the Central Election Commission." /BGNES