Ten Questions Worth Asking About EVM Tampering

There are as many flaws with the technology as there are with the processes used to secure the EVMs, the laws that create the sanctions and, as always, with the people involved.

On May 9, Saurabh Bhardwaj, an MLA of the Aam Aadmi Party, stood up in the Delhi Assembly and attempted to demonstrate how an electronic voting machine, such as one used by the Election Commission (EC) of India, could be tampered with to produce vote-counts incommensurate with how the electorate may have cast its votes. The demonstration was broadcast live on Facebook.

The commission has been using electronic voting machines (EVMs) since 2000. Each EVM has a lifespan of 15 years from the time of manufacture. The Indian government purchases them from two manufacturers, the Electronics Corporation of India, Ltd. (ECIL) and Bharat Electronics, Ltd. (BEL). The former is a PSU under the Department of Atomic Energy and the latter, under the Ministry of Defence. The components of each EVM are sourced from companies in Japan and the US; the EC has claimed that this is done without compromising the EVMs in any way.

Nonetheless, Bhardwaj’s demonstration has raised some questions worth asking. These aren’t questions that haven’t been answered as much as questions whose answers, if available, should be kept in mind.

1. The EC doesn’t provide its EVMs for testing, so what is the provenance of the machine used by the AAP MLA? More importantly, what weaknesses did it possess before the live demonstration in the Delhi Assembly began? How did these pre-existing weaknesses contribute to what the MLA was demonstrating?

2. Since at least 2006, when the EC last conducted a supposedly independent review of its EVMs, the commission has asserted that its machines are “tamper-proof”. But as has been pointed out, none of the people who conducted that review were computer security experts – while the machines’ manufacturers (ECIL and BEL) were also involved in the checks. Why then is the EC so guarded about the EVMs, continuing to refuse independent checks? What’s there to lose?

3. A vulnerability analysis of a ‘genuine’ EVM (obtained by computer security scholars through an anonymous source; see 1) in 2010 revealed that there were no cryptographic mechanisms encoded into the central processing unit (CPU) of the machine. Such mechanisms are simple to incorporate, yet their non-inclusion means that the CPU can be replaced with a doppelgänger before being integrated with the machine and the EC would be none the wiser. Why was such a glaring loophole left unattended? Also of relevance: this analysis had been conducted with help from Bharatiya Janata Party spokesperson G.V.L. Narasimhan.

4. The EVMs themselves use simple algorithms to dispense their functions. However, each EVM colloquially constitutes the ballot unit. The ballot unit is used to receive the votes. A second unit, called the control unit, is used by EC officials to count the votes. The two devices are connected by a cable over which encrypted data-transfer happens. So, despite its simplicity, an EVM has three distinct components that can be manipulated. To reduce the system’s susceptibility to attacks, why aren’t all functions handled within a single unit that would be easier to guard? Also, what are the security features of the control unit? Moreover, as the 2010 analysts wrote in their paper:

When designs are overly simple, they may make it impossible to apply certain defences, such as cryptographic integrity and confidentiality protections. Very simple and cheap hardware designs allow for easier reverse engineering and simple, inexpensive hardware tampering.

5. During every election overseen by the EC, a ‘first-level check’ happens before the actual polling begins, according to a presentation (PPT) prepared in January 2014. This happens in the presence of representatives of the relevant political parties, and is performed by BEL/ECIL engineers. The catch is that only 5% of all machines are randomly selected to have at least 1,000 mock-votes polled on them, with sequential printouts of every vote polled made available. On all other machines, at least 50 mock-votes should be polled, and sequential printouts are not required to be shown. Additionally, it is the political representatives who make the selections. How are these choices controlled by the EC to ensure that no possibly faulty machine escapes testing?

6. Are the EVMs subjected to integrity tests after polling ends and before counting begins?

7. As the performers of the 2010 analysis have pointed out, most attacks on EVMs would require officials on the inside to be complicit in them. But the EC has also refused to submit to demands that the body be more transparent in its efforts to secure the EVMs. What makes the issue worse is this: the law has made no explicit room for benign agents, such as scholars and white-hat hackers, to tamper with EVMs even in an effort to improve the security of the trusted computing bases. Why not edit this clause and make it easier to proactively invite hackers to do their worst, just like many corporates do from time to time?

8. The EVMs used in local body polls are not purchased or handled by the EC but by the state-level ECs. According to Zaidi, the Municipal Corporation of Delhi (MCD) is one such body. Why then is the AAP blaming the EC for faulty EVMs used in the MCD polls? Also, does this mean the security measures the EC claims to have implemented for machines overseen by its officials will not carry over to the machines overseen by the state-level ECs? (Note: The incumbent Delhi state election commissioner is S.K. Srivastava. Delhi CM Arvind Kejriwal had written to the Ministry of Home Affairs in 2013 to have Srivastava appointed the capital’s chief secretary.)

9. On March 26, 2017, the EC stated that it was going to examine a new model of EVM, designated M3, in April. And should it be satisfied, the EC would place orders for over a million units, at a cost of Rs 1,940 crore, for use in the 2019 Lok Sabha elections. Nasim Zaidi, the body’s chief, has said that an M3 would stop working if it was able to detect any inconsistencies in its internal composition (e.g., “If an EVM is stolen and even if a small bolt is removed, the software will stop working”). However, whether the M3 will also have the cryptographic security missing in the CPUs of the previous iterations is unknown. According to another source, the EC has already placed an order for 1.6 million EVMs equipped with voter-verified paper-audit trails (VVPATs) and 0.4 million EVMs for the 2019 Lok Sabha polls. No independent record of these machines’ reliability is available.

10. Kejriwal, Bahujan Samaj Party chief Mayawati, members of the Congress and the Samajwadi Party have all alleged that EVMs have been tampered with in various areas. It is possible that the EC is absolutely sure about the integrity of its EVMs – but wouldn’t that provide all the more reason to submit their machines to an independent, expert check to quell dissatisfaction among the politicians? Hopefully the open challenge the EC has announced for May will be it. Although… Will the EC allow participants to physically probe the machine? They didn’t in 2009. This should become clearer on May 12.
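
The loophole raised in question 3, shown as an added example (not code from this article, the 2010 analysis or any EVM): a keyed challenge-response check that a substitute processor without the secret cannot pass. The key-derivation scheme, class and function names and the serial number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def provision_key(master_key: bytes, serial: str) -> bytes:
    """Derive a per-device key so one extracted chip key does not expose others."""
    return hmac.new(master_key, serial.encode(), hashlib.sha256).digest()

class Chip:
    """Hypothetical processor holding a secret key written at manufacture."""
    def __init__(self, serial: str, key: bytes):
        self.serial = serial
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

class ReplayChip:
    """Hypothetical substitute that can only repeat an answer recorded earlier."""
    def __init__(self, serial: str, recorded: bytes):
        self.serial = serial
        self._recorded = recorded

    def respond(self, nonce: bytes) -> bytes:
        return self._recorded

def verify(master_key: bytes, chip) -> bool:
    """Challenge the chip with a fresh nonce and check its keyed answer."""
    nonce = secrets.token_bytes(16)  # never reused, so old answers are worthless
    key = provision_key(master_key, chip.serial)
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, chip.respond(nonce))

def run_checks() -> dict:
    master = secrets.token_bytes(32)  # constructed sample secret
    serial = "UNIT-0001"              # constructed serial number
    genuine = Chip(serial, provision_key(master, serial))
    lookalike = Chip(serial, secrets.token_bytes(32))  # same label, no real key
    replay = ReplayChip(serial, genuine.respond(secrets.token_bytes(16)))
    chips = [("genuine", genuine), ("lookalike", lookalike), ("replay", replay)]
    return {name: verify(master, chip) for name, chip in chips}

if __name__ == "__main__":
    print(run_checks())
```

The check only helps if the key cannot be read out of a genuine chip and the party running the verification is itself trusted.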

Evidently, there are as many flaws with the technology as there are with the processes the EC claims to use to secure the EVMs, the laws that create the sanctions for this security and, as always, with the people involved. Ensuring that pan-India elections happen smoothly, without complaints of widespread voter-fraud, is no mean feat and the EC has had a track record of having been meticulous. But has it been meticulous enough given what is at stake? Many hold that the Supreme Court’s two-time-insistence, most recently in January 2017, that elections be conducted with EVMs alongside VVPATs is the way to go. As of last week, the EC had enough money to implement VVPATs in 52,000 devices and awaited Rs 3,400 crore for the remaining ~948,000.

At the end of it all, there is a chance that some will find even VVPATs to not be good enough, betraying a possibility that the ongoing crisis is one of faith and confidence. Then again, while it may be of faith ultimately, a commonly agreed upon technical standard is necessary. This has not yet been achieved.
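
For the sampling concern in question 5, an added example (not part of the original article or of any EC procedure): the chance that a uniformly random draw misses every faulty machine, and a draw computed from a publicly fixed seed so that any observer can recompute which machines were due the 1,000-vote test. The function names, the seed and the machine IDs are assumptions, and the calculation assumes a uniform draw rather than a choice made by party representatives.

```python
import hashlib
from fractions import Fraction
from math import ceil, comb

def miss_probability(total: int, sampled: int, faulty: int) -> Fraction:
    """Chance that a uniform sample of `sampled` machines out of `total`
    contains none of the `faulty` ones (hypergeometric, zero hits)."""
    if not (0 <= sampled <= total and 0 <= faulty <= total):
        raise ValueError("sampled and faulty must lie between 0 and total")
    return Fraction(comb(total - faulty, sampled), comb(total, sampled))

def select_for_full_test(machine_ids, public_seed: str, share=Fraction(5, 100)):
    """Rank machines by SHA-256(seed|id) and take the top `share` of them.
    The seed is assumed to be fixed in public after the machine list is frozen."""
    ids = sorted(set(machine_ids))
    count = ceil(len(ids) * share)
    def rank(mid):
        return hashlib.sha256(f"{public_seed}|{mid}".encode()).hexdigest()
    return sorted(ids, key=rank)[:count]

if __name__ == "__main__":
    ids = [f"EVM-{n:04d}" for n in range(1000)]       # constructed machine IDs
    print(select_for_full_test(ids, "constructed-public-seed")[:3])
    print(float(miss_probability(1000, 50, 10)))      # 10 faulty units among 1,000
```

With 1,000 machines of which 10 are faulty, a 5% uniform draw misses all ten about 60% of the time.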