Jury still out on error-proof and error-prone EVMs

After the election fiasco in 2000, the US passed the ‘Help America Vote’ Act, which encouraged the use of electronic voting machines (EVMs). Several companies, mainly Diebold Election Systems, Election Systems & Software, Hart InterCivic, Sequoia Voting Systems, Advanced Voting Solutions, and Unilect, manufactured EVMs which were used in local and state elections in the US.

Prominent technologists, mainly Peter Neumann of Stanford Research Institute, David Dill of Stanford University, Avi Rubin of Johns Hopkins University, Rebecca Mercuri of Harvard University’s Kennedy School of Government, and Erik Nilsson of the Computer Professionals for Social Responsibility, launched public campaigns questioning the reliability of EVMs manufactured by these companies. They proved that all these EVMs had serious flaws and could be used to rig elections without being detected.

In an election in Dallas, EVMs made by Election Systems & Software failed to count 44,000 votes. In a local election in Iowa, EVMs made by Election Systems & Software produced a count of 4 million votes in a polling booth of 300 people. In Indiana, an EVM recorded more than 1,44,000 votes for an electorate of 19,000.

Diebold’s EVMs turned out to be a major scandal with allegations of bribery. Diebold sold its EVMs to state and local governments even though it knew that there was no security on its tabulation software to prevent someone from changing votes and erasing any trace of the activity in the audit log. Anyone with access to the tabulation programme during an election – Diebold’s employees, election staff or even hackers – could change votes and alter the log to erase all evidence.

Even without deliberate tampering, embedded software and real-time control software can behave very weirdly when they encounter situations that their programmers had not envisaged might occur.

Any experienced engineer would tell you that electronic equipment containing firmware or embedded software frequently behaves one way during a short trial, and totally differently in actual field conditions.

• For instance, I can write a software module which would pass all trials but manipulate the results of actual voting. I could programme the EVM to accurately record votes for three hours. I could instruct it to then assign 70% of all subsequent votes cast to whichever candidate was leading at the end of the first three hours, irrespective of whichever buttons the later voters actually push. Since trials and demonstrations would reasonably be expected to last less than three hours, my EVM would successfully pass all such tests. I could then have my favoured candidate get all his supporters to cast their votes first thing in the morning, so that he would be the leader after three hours of polling. This was alleged to have been done in a local election in the US but could not be proved since the audit trails had also been erased.
• Or I could programme the EVM so that at the end of five hours of polling, it would transfer 60% of the votes of the 10 lowest candidates to my favoured candidate.
• Or I could programme it so that it would, say, transfer every fourth vote for the Congress to the BJP.
• Or I could manipulate the backend databases during the counting process, as was done in the Diebold cases where it was proved that any election could be rigged, totally without detection, by tampering with the back-end databases after the votes were cast.
• Moreover, the EVMs could be broken into remotely after the election but before the counting. All electronic circuits are subject to electromagnetic interference. Even when the EVMs are kept physically sealed in a strong room, an expert who knows the resonant frequencies of the circuits could remotely send signals to the EVMs from several kilometres away. It is highly unlikely that polling officials would continuously transport and store each and every EVM in electromagnetically shielded Faraday cages.
• It is also not known what vibrations and physical shocks the EVMs can withstand. After the voting, when the EVMs are being transported over bumpy rural roads, the electromechanical components (especially registers and switches), relays, and physical connectors could be reset due to the jerks.

The Election Commission should pay heed to the warnings issued by the dozens of distinguished technologists who formed the Verified Voting Foundation in the US, which had this to say:

“Computerised voting equipment is inherently subject to programming error, equipment malfunction, and malicious tampering. All computer systems are subject to subtle errors. Moreover, computer systems can be deliberately corrupted at any stage of their design, manufacture, and use. The methods used to do this can be extremely difficult to foresee and detect…

Unfortunately, there is insufficient awareness that these machines pose an unacceptable risk that errors or deliberate election-rigging will go undetected, since they do not provide a way for the voters to verify independently that the machine correctly records and counts the votes they have cast. Moreover, if problems are detected after an election, there is no way to determine the correct outcome of the election short of a revote…

It is therefore crucial that voting equipment provide a voter-verifiable audit trail, by which we mean a permanent record of each vote that can be checked for accuracy by the voter before the vote is submitted, and is difficult or impossible to alter after it has been checked…

Without a voter-verifiable audit trail, it is not practical to provide reasonable assurance of the integrity of these voting systems by any combination of design review, inspection, testing, logical analysis, or control of the system development process. For example, a programmer working for the machine vendor could modify the machine software to mis-record a few votes for party A as votes for party B, and this change could be triggered only during the actual election, not during testing…

Most importantly, there is no reliable way to detect errors in recording votes or deliberate election rigging with these machines. Hence, the results of any election conducted using these machines are open to question…

At this time, the only tried-and-true technology for providing a voter-verified audit trail is a paper ballot, where the votes recorded can be easily read and checked.”

(end of quote from VerifiedVoting.org)

Based on the three criteria of:

(a) Lack of a verifiable paper/ manual audit trail

(b) BEL and ECIL not having provided the algorithms, source codes, embedded firmware, integrated circuit schematics, board designs and electronic component specifications, to neutral experts for independent assessments

(c) Meagre evidence in actual field conditions, as opposed to short demonstrations in laboratory conditions

it cannot be unequivocally asserted that the EVMs made by BEL and ECIL are accurate and reliable.

Thousands of hours of testing need to be done, under actual field conditions, before their reliability can be proven beyond reasonable doubt.

The Institute of Electrical and Electronics Engineers is currently formulating standards that EVMs should satisfy. The Open Voting Consortium, an international group of researchers, has spent over four years developing open-source voting systems. They intend to give away their technology for free.

The switch from manual voting to EVMs might turn out to be exchanging the known flaws of booth capturing, ballot stuffing, multiple voting, etc for as yet unknown vulnerabilities.

The EVMs manufactured by the public sector, Bharat Electronics Limited and Electronics Corporation of India Limited, could contain the following flaws, which would be practically undetectable without extensive testing by experts:

• Faulty logic, incorrect algorithms, and erroneous data flows.
• Errors in circuit design.
• Mistakes in the software code, especially in the embedded software.
• Mistakes, or malicious backdoors, in databases.
• Malicious trapdoors in the code to enable rigging.

Requests to the Election Commission, BEL and ECIL to provide the entire circuit schematics, source codes, and test vectors for scrutiny by neutral experts merely elicited the following laconic response: “The EVM is designed to be totally tamper proof. Each EVM comes with a sophisticated programme in assembly language: a software fully sealed against outside influence. And the programme is itself fused on to a customised microprocessor chip at the manufacturer’s end. This ensures that the programme is rendered tamper proof and inaccessible.”

A subsequent request brought the terse reply that even the Japanese manufacturer of the circuits would not be able to tamper with the voting or find out who voted for whom.