EVM challenge: Techies appeal to EC for transparency

A group of computer scientists, software engineers, consultants to software companies, security technologists and Professors of Computer Science have written to the Election Commission to ensure complete transparency while conducting the ‘EVM Challenge’.

The group, many of them IITians and associated with Harvard University, George Washington University, MIT, John Hopkins University, etc and software engineers from Bangalore, Mumbai and Pune maintain that the only security lies in mandatory audit of VVPAT (Voter Verifiable Paper Audit Trail) after every election; that it is not enough to create VVPAT and store it separately from the EVMs.

The letter is reproduced below:

EVM security is not political but a technical issue

“We are a group of well-wishers trained in engineering and the sciences. We understand that the EVM challenge has been initiated by the Election Commission as a response to allegations that the recent elections were rigged. From a technical perspective, such allegations are best addressed by auditing VVPAT records, where they exist. “

“The EC could, however, use this challenge as an opportunity to increase electoral process transparency. Additionally, independent of the outcome of the challenge, the EC should check the outcome of each election by creating, maintaining and auditing VVPAT records.”

“The issue of EVM security is not a political one, but a technical one. From a technical perspective, to understand what kind of tampering is possible, actions that might be performed by an insider in the process, or a criminal, should be allowed during the challenge. In the event that the EC prevents some type of access, (it disallowed physical tampering in 2009), it should explain why an insider or a criminal would not have that kind of access.”

Additionally, we believe the following are necessary to fully understand EVM security strengths and weaknesses:

1. Individuals should be allowed to choose their instruments and to physically tamper with an EVM.
2. They should be provided design documents and test descriptions and results, as well as information about the security procedures in place, for each generation of EVM currently in use.
3. The results obtained by each team examining the EVMs should be made public.
4. Longer term testing by a team with in-depth expertise in computer security and voting system security should be performed, and its results be similarly made public, in the manner of the Top-To-Bottom-Review ordered by the Secretary of State of California, USA, in 2007.
5. A team of experts should be tasked with preparing recommendations to address each important security vulnerability discovered during the challenge and the longer-term testing; their report and the decisions of the EC regarding timeline for addressing each issue should be made public. The process should be open, and comments from external experts should be solicited.

“The EC should note that it is virtually impossible, whatever the qualification of the individual examining the EVM, to determine with certainty that EVMs are tamper-proof.”

“Electronic devices can be designed to detect when they are being tested, and it is practically impossible to test for every possible configuration and scenario. Hence, if the EVM challenge does not detect a problem, this does not mean that election outcomes are guaranteed to be secure in the future; regular VVPAT audits can help address this issue.”

EVMs vulnerable at all stages

The letter also goes on to dwell on their own views on EVM security: “As engineers and scientists, we know that an electronic device, such as the EVM, is not transparent to the human voter. As such, the human voter does not know whether his or her vote was recorded or counted correctly. Further, our experience and education indicates to us that machine errors and human error in the processes of design, testing and deployment can result in an incorrect output.”

“Electronic devices cannot be guaranteed to be immune from tampering when there is a large number of insiders with access and non-insiders with mal-intent, attempting to subvert the device’s functioning. These include everyone who may have access to the EVM over the cycle of design, manufacture, testing, storage, maintenance, calibration and deployment.”

“The Indian EVM is interesting from a design perspective because it is a single-purpose device, unlike most other voting machines developed elsewhere, and its functionality is achieved through a combination of hardware and firmware. The prescribed process for its use does not require wireless communication and it is not fitted with hardware to enable such communication.”

Design alone not enough

“Thus, it is not immediately vulnerable to exactly the same attacks that work on other voting machines. However, the design by itself is not sufficient to protect the EVM from tampering or error. A general class of vulnerabilities is common to both the Western machines and the EVM.”

“These vulnerabilities arise because of the difficulty of determining exactly what a given electronic machine will do in every scenario, and because those with physical access can change and probe aspects of the hardware or software (for example, they can fit the machine with a wireless receiver, swap out a ROM, or determine the key used to provide cryptographic security).”