EVMs unsafe and VVPATS need more robust safeguards

Voter Verifiable Paper Audit Trail (VVPAT) is useless unless a statistically significant number of VVPATS are manually counted after the election to ascertain that they functioned properly, say two American computer scientists who believe that the only safe election technology is the ‘paper ballot’. In other words, the Election Commission’s provision of testing VVPATs at just ONE polling booth in each constituency is not good enough to inspire confidence.

National Herald on Sunday asked two pioneers engaged in advocacy for election integrity in the United States, Barbara Simons and Mark Halvorson to comment on the controversy over Electronic Voting Machines in India. While Simons, a computer scientist who worked for IBM, was one of the founders of the non-profit Verified Voting (verifiedvoting.org), Halvorson continues to be on its board of advisors. He was also the founder and former director of Citizens for Election Integrity, Minnesota (US) and helped organize the first national Audit Summit in the United States in 2007.

Election Commission of India is of the firm opinion that Electronic Voting Machines cannot be tampered. How would you react?

We disagree. EVMs are computers, and all computers can be tampered with. They really should be called “voting computers” to avoid any misunderstanding.

To address concerns, ECI has introduced a paper trail which is called Voter Verifiable Paper Audit Trail (VVPAT) in which a voter having pressed the EVM can look at a slip and verify that his vote has gone to his chosen party or candidate. Is this safeguard sufficient?

VVPATs can increase the security of voting, but only if the following two conditions hold: 1) VVPATs must be universal, namely every EVM must have a VVPAT, and 2) routine Risk Limiting Audits and manual post-election audits are conducted on those VVPATs before the results are certified. The reason for condition 1) is that if the attacker knows which EVMs have VVPATs and which do not, the attacker will focus on those machines without VVPATs. Condition 2) is critical, because the VVPATs provide essentially no security unless they are used to check the machines. A Risk Limiting Audit is a manual audit that examines a statistically significant number of VVPATs to check that the machines are recording and counting the votes correctly.

Reports have surfaced from different states in India over the last few years that during demonstrations, whichever button of the EVM was pressed, the vote seemed to go to the ruling party. Could this be due to malfunctioning, poor maintenance or factors such as heat or poor storage?

Such behaviour could be due to any of the above conditions, or due to software bugs in the voting computers (EVNs), or vote-rigging software in the voting computer.

One of the reasons why ECI refuses to accept that EVMs can be hacked or tampered is its claim that it had often challenged people to hack the EVMs but nobody has been able to do it. The critics claim that the ECI did not allow them to choose EVMs at random and the time allowed was too short. Which argument will you buy?

The claim is incorrect. These machines have been hacked by white hat hackers. See https://indiaevm.org/

With India using EVMs for more than a decade and a half, ECI believes that sufficient safeguards have been put in place including checking of the machines at three different levels on different days, CCTV cameras and allowing representatives of political parties inside the polling booth. Could there still be cause for concern?

None of these safeguards addresses the underlying threats to the software in the machines. A term that is sometimes used for such types of security displays is “security theatre”.

Saurav Bharadwaj, a member of a political party and a former software engineer demonstrated in Delhi Assembly how an EVM could be hacked. Any one masquerading as a voter, he claimed, could change the mother board in 90 seconds. Was it an idle boast or is it possible?

Technically speaking, Mr. Bharadwaj’s point is correct. If the EC has procedures in place to prevent opening of the EVM once the election has begun, the procedures might prevent undetected access to the motherboard, but such an exchange is possible earlier in the process for anyone with access.

“There is no machine in the world that can’t be rigged. The next election is in Gujarat...give us the EVMs for just three hours...and I challenge that you (BJP) will not win even a single seat,” is what Bharadwaj had said in Delhi Assembly. Would you endorse his sentiment?

We believe that Mr. Bharadwaj could succeed. The best way to confirm or disprove his claim is for the ECI to provide him the opportunity to prove his claim in a mock election.

At what stage can the EVM be tampered? During manufacturing, transport, storage, at the booth or even after it is sealed after polling?

The software or hardware in the EVM is vulnerable to tampering during manufacturing, transport, storage and at the booth. Depending on the security of how it is sealed after polling, it most likely is vulnerable then too.

Can an Electronic Voting Machine be hacked by remote from a distance?

There is the risk of a supply chain attack that could insert back doors, and physical hardware attacks that exploit the low-cost nature of the EVMs to introduce low-cost malicious hardware. See Security Analysis of India’s Electronic Voting Machine . That paper demonstrates that the hardware could be tampered with in a way that adds a low-power radio and would allow subsequent elections to be tampered with from a smartphone.

ECI holds that since no two EVMs are connected to either the Internet or to each other and since thousands, even millions of EVMs are involved in an Indian election, it is practically impossible to tamper with them. Is this comforting enough?

While the EVMs are not connected to the internet, they are stored in large rooms between elections, with possibly a thousand machines in a single location. It is easy to imagine how an attacker could gain access to a large number of machines and physically manipulate them without being detected. Supply chain attacks, similarly, could add backdoors to large numbers of machines, and these attacks would be exceedingly difficult to detect, given the secrecy surrounding the design and testing procedures that the ECI applies.

Is it possible to programme the machine in such a way that it works perfectly well till a given time and then record votes for only a single party?

Yes, because all computers have clocks. Election rigging software can be told when the election will occur, and the software can track that date on its internal clock. The software can tell the computer in the voting machine to behave correctly until the election. During the election the software can instruct the voting machine to change votes, and then after the election it can revert to correct behaviour. It is not difficult to write such software.