September 2, 2010
A version of this appeared on rediff.com in two parts on Sep 1 and Sep 2, 2001.
The real issue with Electronic Voting Machines
Rajeev Srinivasan on how EVM problems are much bigger than technology or politics
I have been doubtful about electronic voting machines for quite some time based on what one might call a healthy engineering skepticism. To put it bluntly, I don’t trust computers. This comes from, at a point in the past, working with operating system innards and security. Since operating systems are the software that we implicitly trust to run most mission-critical systems, I have noticed that we are basically just one or two bugs away from disaster.
Even though there are rules of thumb and safety factors in software development just as there are in other engineering disciplines, software is still an art, not a science. And even the more mature engineering areas, much closer to science, like civil engineering, are still not perfect – the occasional bridge does collapse, albeit rarely.
Therefore the touching faith we repose in computers – and this is especially true in India – is misplaced. It would be a really bad idea to not have a backup mechanism that is not computer-based, especially when we are talking about embedded systems, the relatively primitive machines that run all sorts of devices such as refrigerators, microwaves, ATMs, etc. This, of course, was the rationale behind the famous Y2K panic, as people worried about whether planes would fall out of the sky as the result of an obscure software practice – years were coded in two digits, not four (ie. 48, not 1948).
Looked at from first principles, then, Electronic Voting Machines are inherently not the most reliable systems available. Nevertheless, they have undisputable advantages: for one, it is not possible to do physical ‘booth-capturing’. Besides, votes are converted into digital impulses that can be manipulated easily, so that all sorts of things can be done with them – counting can be lightning-fast; and statistical data collection, analysis, data mining, and so on can all be done with great facility.
Unfortunately, that strength is also, ironically, the Achilles heel of EVMs. Since there is no physical audit trail of the vote, once you have cast your vote, you cannot verify that your choice of candidate has been honored. It is a relatively minor task for a software-savvy criminal to fix an election, with nobody being the wiser.
I made a primitive demonstration of this sort of activity when I ran an Internet poll on my blog about who India’s best prime minister was. 300 people voted, and there was a clear winner, and some others got very few votes. But I found that if I took the real results, and applied a simple algorithm to it: that is, such as diverting 1/3rd of each person’s votes to a third candidate, I could at will have anybody ‘win’, even someone who got just 1 vote. And the pattern of votes ‘gained’ did not look particularly suspicious.
Furthermore, in an eerie reminder of the way real electronic voting works, even after the poll ‘closed’ with 292 votes, it still accepted 8 more votes. I have no idea how or why it did that, and since I do not have the source code, there is no way I could figure it out, either. That is another important problem – unless third parties are able to verify beyond reasonable doubt that the system is trustworthy, in effect the system is completely untrustworthy.
There is one major aspect – the human factor. Related to it is a process issue – what are the checks and balances to ensure that human error or malfeasance will not have catastrophic effects? In many critical systems, we have evolved elaborate fail-safe mechanisms that ensure it takes the co-operation of several individuals believed to be highly reliable. There are ways of vetting people to ensure that deserve the highest level of trust – this is the theory behind security clearances for access to sensitive information, and so we have people with TOP SECRET clearances whom we trust with extremely confidential information and the ability to perform critical acts.
We have seen in innumerable Hollywood films (for instance “The Hunt for Red October”) how the order to launch American nuclear missiles from a submarine has to be authorized independently by two very competent people, who each carry one of the keys needed. If they do not agree, the missile is not launched. Even in a more mundane setting, the safe deposit box in India, typically a bank manager and the customer each has to insert their keys simultaneously for the locker to open.
Thus, technical systems, human factors, and process issues need to work in perfect synchronicity for a complex system to work in ways that are provably correct.
Now let us move from the abstract to the concrete. How do electronic voting machines do on some basic measures of correctness of technology, human factors and processes? The track record, alas, is not that great. In 2009, I did a survey of the literature: EVMs had been found severely wanting in case after case, and several counties had ceased to use them. I am sure there is more information since about a year ago, but here is an excerpt from my essay which was published in “New Perspectives Monthly”:
- United States (data from www.electionfraud2004.org and others as indicated):
o In April 2004, California banned 14,000 EVMs because the manufacturer (Diebold Election Systems) had installed uncertified software that had never been tested, and then lied to state officials about the machines. The machines were decertified and criminal prosecution initiated against the manufacturer.
o In the 2004 Presidential elections, in Gahanna, Ohio, where only 638 votes were cast, Bush received 4,258 votes to Kerry’s 260
o A study by UC Berkeley’s Quantitative Methods Research Team reported that irregularities associated with EVMs may have awarded 130,000 – 260,000 votes to Bush in Florida in 2004
o There have at least the following bills in the US legislature, all of which were the result of perceived problems with EVMs. (It is not known if any of them has passed; HR = House of Representatives, the lower house, and S = Senate, the upper house):
§ HR 550: Voter Confidence and Increased Accessibility Act of 2005
§ HR 774 and S 330: Voting Integrity and Verification Act of 2005
§ HR 939 and S 450: Count Every Vote Act of 2005
§ HR 533 and S 17: Voting Opportunity and Technology Enhancement Rights Act of 2005
§ HR 278: Know your Vote Counts Act of 2005
§ HR 5036: Emergency Assistance for Secure Elections Act of 2008
o In 2006, a team of Princeton University computer scientists studied Diebold Election Systems EVMs, and concluded that it was insecure and could be “installed with vote-stealing software in under a minute”, and that the machines could transmit viruses from one to another during normal pre- and post-election activity. Diebold, now Premier Election Systems, is the largest US manufacturer of EVMs
o In 2006, computer scientists from Stanford University, the University of Iowa and IBM suggested that Diebold had “included a ‘back door’ in its software, allowing anyone to change or modify the software… A malicious individual with access to the voting machine could rig the software without being detected”
- Germany (2009)
o The Federal Constitutional Court of Germany declared EVMs unconstitutional
- The Netherlands (2006)
o The ministry of the interior withdrew the licenses of 1187 voting machines because it was proven that one could eavesdrop on voting from up to 40 meters away. The suit was brought by a Dutch citizen’s group named “We Do Not Trust Voting Machines. This group demonstrated that in five minutes they could hack into the machines with neither voters nor election officials being aware of it.
- Finland (2009)
o The Supreme Court declared invalid the results of a pilot electronic vote in three municipalities.
- United Kingdom (2007)
o The Open Rights Group declared it could not express confidence in the results for the areas that it observed. Their report cites “problems with the procurement, planning, management and implementation of the systems concerned.”
- Ireland (2006)
o Ireland embarked on an ambitious e-voting scheme, but abandoned it due to public pressure
- Brazil (2006)
o There were serious discrepancies in the Diebold systems predominantly used in Brazil’s 2006 elections
Based on precedents elsewhere, it is hard to believe that Indian EVMs, alone, through some extraordinary luck or brilliant planning – do I detect shades of some ‘Indian exceptionalism’ from people who otherwise are rather unimpressed with India and Indians? – are immune to these problems.
In particular, the German criticism is telling. The German courts have struck EVMs down because they discovered that current EVMs do not allow a voter to be certain that his choice has been registered. This is a constitutional issue, because the will of the voter is considered sacrosanct in democracies. If there is reasonable doubt that the voter’s choice may not be reflected in the results emitted by the EVM, it violates the constitution. This is as true of India as it is of Germany. The wise thing would be to ban the use of EVMs until they can be proven to be constitutional, and the onus should be on the EVM manufacturers – which is precisely what the German Supreme Court did.
It is in this context that we need to see the recent arrest of an Indian EVM researcher, Hari Prasad, on August 21st. In the Indian case, things are slightly worse. Instead of challenging the EVM manufacturer to demonstrate that the machines are, in fact, trustworthy, the constitutional authority, the Election Commission of India (ECI), has acted as the spokesman of the EVM manufacturers. The ECI has claimed on several occasions that EVMs are “foolproof”, “perfect” and so on, as though this were self-evident.
Hari and fellow-researchers put together a proof-of-concept, wherein they demonstrated a hack on some other hardware. The EC, correctly, pointed that this was not on one of the Indian EVMs, and therefore not quite applicable. But when the researchers, reasonably, requested that the EC provide them with an actual EVM, it appears the EC refused, or insisted that they tamper with the EVM without actually touching them, a feat of magic which, alas, software developers are unable to pull off.
The EC has also emphasized over and over again how secure their systems and processes are, how the machines are sealed in high-security currency-quality paper, sealed with wax and kept under lock and key in warehouses all over the country in the custody of reliable officials.
Which is quite interesting, considering that the researchers got an EVM from one of the EC’s warehouses, and were able to hack it and demonstrate several ways of tampering with it, including the use of radio-aware chips that would enable a Bluetooth-based cellphone outside a booth to manipulate the machines. The vaunted process of the EC was, however, not even aware of the missing machine for several months! If was only by looking at the serial number on a videotape of the hacked machine that the EC identified which warehouse that EVM came from. This puts in doubt the physical security of the devices.
In any case, the fact that a gentleman named Telgi was allegedly able to copy high-security stamp paper to the tune of tens of thousands of crores, the fact that high-quality counterfeit Indian currency printed in Pakistan has been intercepted in containerloads, and the fact that an entire shipment of currency inks is ‘missing’, it is hard to feel comforted that paper-based measures would be entirely foolproof.
Computer scientists, especially those in the area of security, are not convinced, either. I listened carefully to the podcast of a session at the recent USENIX conference recently wherein two representatives of the ECI, Professor P V Indiresan, and Dr Alok Shukla, a deputy EC, squared off against GVLN Rao, an election forecaster, and Dr Alex Halderman, a computer science professor at the University of Michigan. The EC folks were bested in the discussions, which were attended by well-known security researchers.
I was disappointed to hear from Messrs Indiresan and Shukla that the foolproof measures that the EC is so proud of boil down to some kind of ‘security by obscurity’ – that is, a complex process that is expected to be harder to break into – and faith in a small number of software types at firms that the EC did not identify, and which may not even be Indian, and thus beyond the ken of Indian law.
There is a remarkable case study available on the Internet, about “Gunfire at Sea”, a chronicle of how the US Navy bureaucracy stonewalled and pooh-poohed a very interesting suggestion for improving the accuracy of naval guns, some time in the 19th century. I’m afraid that the EC’s reaction seemed much like the US Navy’s: bluster, misplaced confidence in their abilities, and a tendency to shoot the messenger.
Instead of lauding Hari Prasad as a well-intentioned white-hat researcher whose suggestions for improvement should have been welcomed with open arms by the EC, the latter seeks to demonize him, terrorize him, and book him so that they could worm from him the identity of the person who had passed on the EVM to him for research. This is counter-productive.
Thus, on several counts, including constitutionality, the reaction to whistleblowers, and the large-scale implications on the country’s democracy, this is a fascinating case, and the EC should redeem itself by working with these researchers. The next set of people who break into the EVMs may not be quite so well-intentioned. (In passing, there is the interesting parallel story that the American responsible for the recent WikiLeaks publication of 92,000 confidential documents has been accused of rape in Sweden, and then the charges were dropped; he claimed he had been warned the Pentagon was ‘after him’. Clearly, whistleblowers have to watch out these days.)
Very distressingly, there is another other pillar of society that did not distinguish itself in this whole EVM fracas. It is the media. So far as I can tell, the entire English-language media has chosen to bury this story: no anchor or editor is excited about it, although a few stray op-eds have been written. It has certainly received less attention than the hoo-haa over some Sri Lankan cricketer doing something unsportsmanlike. This is a serious dereliction of the media’s presumed duty as the watchdog of society. If an election is fixed, it is in essence a bloodless constitutional coup, and the media should be on the trail of this story like bloodhounds. The fact that the media is not doing so implies something serious about its integrity and ethics.
Thus, two of the independent institutions in India that should impose checks and balances on the executive have abdicated their responsibility. This is a cause for extreme concern; this is a sign of a State whose machinery is breaking down. And that is the crux of the matter in l’affaire EVM.
Usenix Panel Discussion on EVMs in India (audio podcast) https://www.dropbox.com/s/k0b2vib2mc1k6sy/indian-evm-panel-evtwote.mp3
Letter from Usenix Panel to the ECI, 12th August 2010, http://www.useRajeevnix.org/events/evtwote10/final-letter-eci.pdf
P V Indiresan, “Too much loose talk on EVMs”, The Hindu Business Line, 23rd August 2010, http://www.thehindubusinessline.com/2010/08/23/stories/2010082350480800.htm
Devangshu Datta, “EVMs are tamper-proof, eh?”, Business Standard, 28th August 2010,
Sandeep B, “Democracy Imperiled”, The Pioneer, 26th August 2010, http://www.dailypioneer.com/278669/Democracy-imperilled.html
Video from IndiaEVM.org on several ways EVMs can be tampered with http://www.youtube.com/watch?v=ZlCOj1dElDY
The researchers’ website indiaEVM.org
Rajeev Srinivasan, “Can Electronic Voting Machines subvert elections?”, September 2009, “Eternal India: A New Perspectives Monthly”, http://rajeev.posterous.com/can-electronic-voting-machines-subvert-electi
Elting E Morison, “Gunfire at Sea: A case study of innovation”, MIT, 1966, http://www.cs.gmu.edu/cne/pjd/TT/Sims/Sims.pdf
2600 words, 28th August 2010