Karisma–MOE Colombian electoral software audit protocol (2018–ongoing)

In February 2018 Fundación Karisma and the Misión de Observación Electoral (MOE) publicly committed to a joint protocol for independent civil-society audit of the counting-and-consolidation software (software de escrutinio y consolidación) used in Colombian elections. The protocol — published as an MOE civil-society document in April 2018 and authored by Karisma's K+LAB digital-security laboratory — was Colombia's first dedicated civil-society protocol for technical audit of state-deployed electoral algorithmic systems, and the campaign that has carried it since has produced three formal rounds of technical observation, in the 2018 congressional and presidential elections, the 2022 presidential first round, and the 2023 regional elections. Within the corpus's frame, the campaign is the first Colombian civil-society algorithmic-accountability vehicle to be tracked and the principal Latin American electoral-software auditing case complementing the Brazilian and Mexican algorithmic-accountability anchors that the wider Al Sur consortium field carries.

Origins: the Consejo de Estado MIRA ruling and the commissioning of Karisma by MOE

The campaign's proximate triggering event was the 8–9 February 2018 ruling of the Consejo de Estado annulling the election of three 2014–2018 senators and awarding those seats to the Movimiento Independiente de Renovación Absoluta (MIRA) movement — Alexandra Moreno Piraquive, Manuel Antonio Virgúez Piraquive, and Carlos Alberto Baena. Forensic experts attached to the Fiscalía found evidence of sabotage in 3,630 records across 1,412 voting tables, but were unable to determine the full extent or precise mechanism because the RNEC's contractor had, by mandate of the procurement contract, deleted the original electoral-data files three months after the 2014 elections. The ruling — which had been preceded by similar Consejo de Estado annulments of the 2002–2006 and 2006–2010 Senate elections, each delivered three to five years after the contested vote — supplied the campaign's substantive demonstration that the Colombian electoral counting-and-consolidation software supply chain was producing a recurring pattern of post-hoc judicial annulments rather than ex-ante operational accountability.

MOE — Colombia's principal civil-society electoral-observation organisation, led by Director Alejandra Barrios Cabrera — had already, before the ruling, commissioned Karisma to develop the audit protocol. When Karisma's team — coordinated through K+LAB and led under the executive direction of Carolina Botero — began the technical work, they found, in the campaign's own framing, "poco o nada" — little or nothing — on the public record about how the Colombian escrutinio system worked, and were obliged to draw the substantive content of the protocol from international electoral-technology standards rather than from a domestic body of audit precedent. The combination of the Consejo de Estado ruling and Karisma's own findings on the supply-chain opacity articulated the campaign's working position: the escrutinio software is vulnerable, has not been designed to be controllable or auditable, and no independent audit of the scrutiny system has ever been conducted.

The protocol: international standards, audit tests, and costed scenarios

The April 2018 protocol is structured in four substantive sections. First, it recapitulates the recommendations of international electoral-technology bodies on the use of information and communications technologies in election administration — the Council of Europe, the OAS, the Organization for Security and Co-operation in Europe (OSCE/ODIHR), and the United Nations Development Programme's framework on hybrid electoral-administration systems. Second, it analyses international comparator cases — Germany's 2009 constitutional prohibition on electronic voting followed by the Chaos Computer Club's 2017 findings on the German scrutiny software, the Netherlands' retreat from electronic voting and subsequent civil-society findings on its escrutinio software, Mexico's 2006 preliminary-results software with documented inconsistencies between manual count and software output, and Argentina's 2017 sole-proponent contract with a multinational the campaign characterises as enveloped in serious scandals — extracting from each the standards of transparency, source-code availability, and independent-audit access that the Colombian case was failing to match. Third, it proposes a battery of audit tests — including reproducibility of the consolidation process, behaviour under adversarial input, isolation of contractor-modified code paths, and continuity of digital-evidence preservation across the post-election destruction window — calibrated to the Colombian escrutinio operational context. Fourth, it costs out alternative audit scenarios — at depths and scopes that political parties and observation organisations of differing technical capacity could plausibly execute — so that the protocol's adoption could be calibrated to the resources of the adopting party.

The protocol's stipulated mínimos necesarios for an audit-capable engagement — the documentation and training the contractor must hand over, the manuals of use and development the contractor has produced, independent certifications of the system, the RNEC's own internal-audit reports, the source code, and a test environment running the software — are themselves the campaign's articulation of the access regime the Colombian electoral-technology supply chain was failing to provide. Where the protocol functions in subsequent rounds is as the document against which the actual access conditions of each election cycle are measured, with the gap between the protocol's stipulations and the realised access becoming the campaign's recurring empirical finding.

2018: the protocol applied and the K+LAB findings

Karisma's K+LAB applied the protocol in the 2018 elections and published its findings. The substantive conclusion was that the escrutinio software was vulnerable, had not been designed to be controllable or auditable, and that no independent audit of the scrutiny system had ever been conducted; that the RNEC's source-code deposit regime, under which the source code is deposited only with the Fiscalía, structurally excludes the political parties and civil-society observers the protocol contemplates as audit principals; and that the September-2023 finding on DISPROEL contractor non-disclosure agreements had its 2018 precursor in equivalent contractor information-control practices. MOE published a post-election audit-analysis volume in November 2018 recording the protocol's operational application across the 2018 congressional and presidential observation, and Karisma's executive director Carolina Botero argued in Colombian mainstream press the case for independent audit ahead of the 2018 presidential election.

2022: the second round, Karisma's two-system observation, and the institutional-capacity finding

The campaign's second formal observation round was the 2022 Colombian presidential election, in which Karisma applied the protocol to the two scrutiny-software systems the RNEC deployed and published its Segundo informe de observación electoral on the first round. The 2022 round added a substantive line of finding the 2018 protocol had not anchored: K+LAB's lead Pilar Sáenz argued in El Espectador that neither the RNEC nor the Consejo Nacional Electoral has the technical capacity to scrutinise the electoral-technology supply chain it procures, and that the institutional-capacity gap is the underlying structural condition the protocol's access-regime stipulations alone cannot remedy. The framing of the institutional-capacity gap as itself a campaign target — rather than a presumed background condition — distinguished the 2022 round from the 2018 round and shaped the campaign's subsequent direction into the 2023 cycle.

2023: the regional elections and the DISPROEL non-disclosure-agreement barrier

In the 2023 Colombian regional elections Karisma's K+LAB issued press release 01 of the technical-observation cycle documenting a sharpened version of the access problem: civil-society observers were now being required by the RNEC's contractor DISPROEL to sign non-disclosure agreements as a condition of access to the scrutiny software at all. The DISPROEL non-disclosure-agreement requirement is the campaign's clearest documented instance of an access regime that, on its face, would prevent the protocol's mínimos necesarios from being delivered into the public record on which civil-society audit depends. The campaign's 2023 framing — that the access barriers have persisted across three election cycles, that the institutional-capacity gap has compounded them, and that the contractor regime has hardened — is the most recent articulation of the substantive demand the campaign carries.

Coalition shape and the Karisma–MOE collaboration

The campaign's coalition vehicle is a bilateral collaboration between two Colombian civil-society organisations. Fundación Karisma supplies the substantive technical content — through K+LAB, the only dedicated civil-society digital-security and privacy laboratory in Colombia — and the digital-rights, algorithmic-transparency, and citizen-participation methodological frame that runs through Karisma's wider AI-and-public-policy work. MOE supplies the electoral-observation institutional architecture: the standing relationship with Colombian electoral authorities, the methodological frame for technical and political observation of Colombian elections, and the publishing infrastructure through which the protocol and its application-round volumes are routed into the Colombian public sphere. Neither organisation alone could carry the campaign as constituted — Karisma without MOE has neither the standing observation status nor the established credibility in Colombian electoral debate the protocol's wider adoption presupposes, and MOE without Karisma has neither the technical capacity nor the international electoral-technology standards literacy the protocol's substantive content draws on. The bilateral architecture is the campaign's distinctive coalition shape, and is what distinguishes it from the broader multi-organisation civil-society campaigns the corpus has elsewhere recorded.

Place in the make-AI-good movement

The campaign matters to the wider make-AI-good corpus on three connected counts. First, it is the corpus's first Colombian civil-society algorithmic-accountability campaign, and the only currently tracked Latin American campaign that addresses the algorithmic-audit problem at the operational layer of state-deployed software whose outputs are democratically load-bearing — distinct in target from the Coding Rights anti-facial-recognition Brazil campaign (Brazilian sub-national legislative architecture against police biometric surveillance) and from the Derechos Digitales IACHR AI hearing (Inter-American human-rights system on AI-and-human-rights generally). The Colombian electoral-software audit case is the corpus's clearest documented instance of a civil-society campaign treating state-deployed software as a target of independent technical scrutiny in the same register that strategic-litigation organisations elsewhere apply to administrative decisions. Second, the campaign's substantive demand — that the mínimos necesarios of source code, contractor documentation, internal audit reports, system certifications, and test environments be made available to civil-society observers across recurring election cycles — operationalises the corpus's working principle that people outside AI must be engaged in shaping how AI is built and used against a Colombian state algorithmic system whose outputs determine the composition of the Colombian legislature. Third, the campaign's institutional-capacity finding — that the RNEC and Consejo Nacional Electoral lack the technical capacity to scrutinise the supply chain they procure — names a structural condition that is plausibly present across many Latin American state algorithmic-system contexts and that the wider Al Sur field is likely to encounter as it extends its algorithmic-accountability work into national electoral systems, public-administration decision-making, and biometric-identification infrastructure.