Research and other random shit

Disclaimer: I am a security graduate student, but I have no experience in the security of EVMs. All material presented here is based on data obtained from the Internet. I have made my best attempts to ensure the authenticity of the data by going back to it’s primary sources, but if there are any discrepancies, leave me a note.

tl;dr – What is the state of EVMs in India?

• The security procedures and deployment practices of EVMs in India have not been subject to public scrutiny.
• Closed audits of the EVMs were conducted but were staffed by researchers with no background in EVM security.
• The executive committee of researchers were also made to produce a judgment on the safety of the machines based only on literature produced by the manufacturers of the EVMs (notice the conflict of interest).
• A security audit of the source code running on the EVM micro-controllers has never been conducted (or at least ones whose results were made public).
• In spite of reports having been published that demonstrate vulnerabilities in the EVM, the attacks have not been addressed.
• Various reports that have demonstrated attacks show that even rudimentary cryptography is not used to ensure that the votes cannot be tampered with between the time of the election poll date and the date of final counting.
• The sliver lining to this discussion is that the election commission has since added the functionality to conduct voter verified paper audit to the latest generation of the EVMs.

Electronic voting machines (EVMs) are devices that replace paper ballots used in elections. India’s love story with this technology began in the 1999 Lok Sabha (Parliamentary) elections and has used it in ever election since. EVMs come in two major varieties: the first of which involves the voter marking the choice in a paper ballot and using the EVM to “count” the vote, and the second type removes the need for the paper ballot entirely. India has been using the latter variety of EVMs in it’s elections. In more detail, the vote is registered on the device and remains within the device until it is totaled at a central location.

EVMs are a god send to the election commission (“the magic box” as ex-chief election commissioner Quraishi put it at a recent talk at Berkeley). Not requiring paper ballots makes transport easier and significantly reduces costs, allow instant counting of votes, reduce “errored” ballots since only a single choice can be made, etc. Wikipedia does a fabulous job at describing the benefits of EVMs.

In April 2010, a group of researchers including Hari Prasad, Rop Gonggrijp, and J. Alex Halderman released a website and an associated technical report that demonstrated security vulnerabilities in the EVMs used in India. The website describes the attacks as (In the mean time, one of the primary authors of the report; Hari Prasad was persecuted for being in possession of an EVM which is illegal and later acquitted. This was clearly a bad move by the election commission as it brought even more publicity to the matter as well as a mass following to free Hari Prasad):

One attack involves replacing a small part of the machine with a look-alike component that can be silently instructed to steal a percentage of the votes in favor of a chosen candidate. These instructions can be sent wirelessly from a mobile phone. Another attack uses a pocket-sized device to change the votes stored in the EVM between the election and the public counting session, which in India can be weeks later.

These attacks are neither complicated nor difficult to perform, but they would be hard to detect or defend against. The best way to prevent them is to count votes using paper ballots that voters can see.

This was not the first time the election commission was made aware of the security issues in the EVMs. Omesh Saigal, an IAS officer had demonstrated vulnerabilities in the EVM software. This raised serious questions about the 2009 election results. Note that the election commission in India has always claimed that the EVMs are absolutely “tamper-proof” although the Delhi High Court has judged that these devices require additional work to be hardened. An excerpt from the report reads (emphasis mine):

There may be security issues as well. Though, there is no evidence that such things (election fraud) have happened so far and it is not even suggested by Dr. Swamy, the Election Commission had itself started the exercise of experimenting this and to improve the system to make it foolproof. For certain reasons that is abandoned midway.

The Indian EVMs were security reviewed twice before the 2009 elections. Both reviews recommended a few changes to the EVMs but “unanimously certified that the system is tamperproof in the intended environment”. Hari Prasad’s report further notes that none the members of the executive committee that reviewed the EVMs had any prior security experience – C. Rao Kasarbada, P.V. Indiresan, and S. Sampath in the first review and A.K. Agarwala, D.T. Shahani, and P.V. Indiresan in the second. To add to the handicap of limited experience in the subject matter, they were also not provided with the source code to the EVM but instead were forced to judge the security preparedness of the system based on presentations and demos by the manufacturer of the EVM. To this date, the Indian EVMs continue to remain a black box whose code base has not been audited neither by an executive committee nor publicly.

After the furore created by Hari Prasad’s report, the election commission appointed another executive committee once again chaired by Prof P.V. Indiresan. This time it was decided that the EVMs should follow a voter-verified paper audit trail that prints out a paper with the symbol of the political party that the voter register his/her vote for. The voter can thus verify that the vote was in fact counted towards the right candidate and voids attacks such as the “dishonest display attack” described in the paper.

I debated with a few friends about the security problems in EVMs and the discussion always boils down to our own definition of what is a reasonable level of security that should be enforced. In the area of systems security, it is an accepted notion that perfect security is impossible, but the job of security researchers is to raise the bar for attacking the system sufficiently high enough that it would no longer make financial sense for the attacker to take on the risk. Lets look at some of the statistics for the Indian election.

• India has the largest electorate in the world totaling to over 750 million eligible voters. They are serviced by recruiting 11 million personnel for the job.
• There are over 1.3 million electronic voting machines (each costing between 200-250 USD) deployed across 800,000 polling stations.
• The cost of conducting each election is close to 200 million USD. This means that the cost of the EVMs consume a huge fraction of the election budget.
• This should be compared against the cost of a systematic election fraud being exposed:
  • That would be a step down from democracy itself since we can no longer claim to have held ‘free and fair elections’. The reason why the election commission was made into a federal body with overarching powers during election time was precisely to conduct its mission of holding free and fair elections.
  • India’s international image would be extremely hit.
  • By having the wrong party in power, the responsibility for their mistakes should be attributed to the fraudulent election. For the sake of argument if say the 2009 elections India was tampered with (I am not saying they were), now would the loss to the exchequer based on all of the scams that were exposed would be attributable to flaws in EVMs.
  • We can try to estimate the value the EC places on each vote. The EC even maintains polling stations with areas that have a single registered voter. If this is in fact the value of a single vote, can we imagine the cost of a systematically manipulated election?

I hope I have managed to convince you of the importance of “free and fair elections” (which is really the pillar of a functioning democracy). Unlike isolated human errors that creep in during the counting phase, a flaw (malicious or not) in the EVM would be a systematic fault that could cause much more wide spread problems. Now the question to answer is whether the EC has taken sufficient steps to ensure the integrity of the EVMs. Let us start by looking at other security audits done around the world and how they treated their reports:

• Bugs in computer programs are everywhere. Bruce Schneier (a very prominent computer security researcher) says this in his 2004 blogpost:
  
  

  In Fairfax County, VA, in 2003, a programming error in the electronic voting machines caused them to mysteriously subtract 100 votes from one particular candidates’ totals.

  In San Bernardino County, CA in 2001, a programming error caused the computer to look for votes in the wrong portion of the ballot in 33 local elections, which meant that no votes registered on those ballots for that election. A recount was done by hand.

  In Volusia County, FL in 2000, an electronic voting machine gave Al Gore a final vote count of negative 16,022 votes.

  The 2003 election in Boone County, IA, had the electronic vote-counting equipment showing that more than 140,000 votes had been cast in the Nov. 4 municipal elections. The county has only 50,000 residents and less than half of them were eligible to vote in this election.

  There are literally hundreds of similar stories.

• Usability problems have restricted the adoption of EVMs including in Ireland and Finland. This is an even larger issue in India with it’s large illiteracy rates, multi-lingual and multi-cultural society. Kudos to the EC for having taken care of this situation very well. The use of the political party symbols in the ballot in addition to the candidate names is one of the amazingly simple but game changing innovations.
• In 2009, Germany’s court system banned electronic voting until the election procedure was made available for public scrutiny. The Dutch had also banned electronic voting a little earlier.
• Australia which also uses EVMs has publicly made available the source code to the machine in order to allow scrutiny.
• The EVMs made by various EVM manufacturers was studied by teams from Princeton and UC Berkeley which exposed many significant flaws in the system. This led to the decertification of three of the tested machines.

In conclusion, EVMs are extremely useful for conducting elections, which is a grand challenge given the diversity and scale of the Indian population (I am a Ph.D. student in computer science, you didn’t expect me to diss technology did you?). However, multiple events have demonstrated many shortcoming of EVMs. The EVMs used in India however does not appear to have been awarded scrutiny at the same level as those afforded by other countries. Transparency and auditability of elections is a key aspect of holding free and fair elections. The current level of auditing performed on the Indian EVMs leaves much to discuss on the table.

A couple of interesting quotes from the India EVM exploit paper:

We have had direct experience with attempted fraud. Hari Prasad, a coauthor of this report, was approached in October 2009 by representatives of a prominent regional party who offered to pay for his technical assistance fixing elections. They were promptly and sternly refused.

In 2009, the Election Commission of India publicly challenged Prasad to demonstrate that India’s EVMs could be tampered with, only to withhold access to the machines at the last minute.