Give Us Full Access to EVMs, Experts Tell Election Commission

Scientists and engineers taking up the Election Commission's EVM challenge have said that, to understand what kind of tampering is possible, it is important to perform actions that insiders or criminals may attempt.

New Delhi: A group of trained engineers and scientists from India and abroad (drawn primarily from IITs and other premier science institutes) have, in response to the Election Commission’s EVM challenge, urged chief election commissioner Nasim Zaidi to allow them an opportunity to participate in the exercise fully and fairly, in order to assess the security strengths and weaknesses of the electronic voting machines (EVMs).

However, the 27-member group has said that for a truly objective and fair assessment of the machines and “to understand what kind of tampering is possible, actions that might be performed by an insider in the process, or a criminal, should be allowed during the challenge.”

In this regard, the group noted that the EC had in 2009 prevented some types of access – when it disallowed physical tampering – and therefore “it should explain why an insider or a criminal would not have that kind of access”.

Incidentally, after allegations of EVM tampering were raised by several parties, including the Aam Aadmi Party, the Congress and Bahujan Samaj Party, the EC had issued a detailed statement on the subject.

In light of similar allegations having been raised in the past, it had written:

“In an extraordinary measure, the Commission invited those who had expressed reservations about the Electronic Voting Machine (EVM) to come and demonstrate the points made in their allegations from 3rd to 8th August 2009. Those invited included political parties, petitioners before various courts and some individuals who had been writing to the Commission on this issue. One hundred EVMs brought from ten states namely, Andhra Pradesh, Delhi, Gujarat, Karnataka, Madhya Pradesh, Maharashtra, Punjab, Rajasthan, Tamil Nadu and Uttar Pradesh, were kept at the Commission’s office in readiness for scrutiny and for any application to establish its alleged fallibility.

The EVMs were offered for such demonstration in the presence of a technical experts group as well as engineers representing the EVM manufacturers, BEL and ECIL. The outcome of this exercise is that none of the persons, who were given the opportunity, could actually demonstrate any tamper ability of the ECI-EVMs. They either failed or chose not to demonstrate.

Some activists then showed on TV channel a ‘machine’ which they claimed can be manipulated. ECI countered allegation that the ‘machine’ was stolen from EVM warehouse in Mumbai, subjected to changes by activists and thus it was no longer the ‘machine’ used by ECI.”

In this backdrop, the group has demanded proper access to the machines to evaluate their security.

Poorvi L. Vora, professor of computer science at the George Washington University and a member of the group, wrote in an article that “the Election Commission should allow experts a reasonable amount of time to examine machines whose entire design has been secret for so many years. The experts should be able to work in a laboratory space of their choosing, with the freedom to fully explore the system and its vulnerabilities, including physical tampering, as any attacker with some access to a single storage locker might have.”

For its part, the group said, “from a technical perspective, such allegations are best addressed by auditing VVPAT records where they exist.” Additionally, it said, “independent of the outcome of the challenge, the EC should check the outcome of each election by creating, maintaining and auditing VVPAT records.”

The group said, “independent of the outcome of the EVM challenge, the EC should enable the creation of VVPAT records, ensure their secure storage separate from the EVMs, and conduct regular VVPAT audits for each election.” The audits, it said, should involve the examination of a randomly-chosen subset of the VVPAT records.

The scientists and engineers also spelt out how they would like the EVM challenge to proceed to enable proper understanding of “EVM security strengths and weaknesses”.

The group has suggested that individuals should be allowed to choose their instruments and to physically tamper with an EVM and they should be provided with design documents and test descriptions and results, as well as information about the security procedures in place, for each generation of EVM currently in use.

It also demanded that the results obtained by each team examining the EVMs should be made public; a longer term test by a team with in-depth expertise in computer security and voting system security should be performed; and finally a team of experts should be tasked with preparing recommendations to address each important security vulnerability discovered during the challenge.

Holding that it was almost impossible to “determine with certainty that EVMs are tamper-proof,” no matter what the qualifications of an individual, the group wrote that since “electronic devices can be designed to detect when they are being tested, and it is practically impossible to test for every possible configuration and scenario,” if the EVM challenge does not detect a problem, it certainly would “not mean that election outcomes are guaranteed to be secure in the future”. In this regard, it said, only “regular VVPAT audits can help address this issue.”

Giving out their “position in EVM security,” the scientists and engineers wrote that “electronic devices cannot be guaranteed to be immune from tampering when there are a large number of insiders with access and non-insiders with malicious intent, attempting to subvert the device’s functioning. These include everyone who may have access to the EVM over the cycle of design, manufacture, testing, storage, maintenance, calibration and deployment.”

Their letter also pointed to the uniqueness of the Indian EVM. It said this device is “interesting from a design perspective because it is a single-purpose device, unlike most other voting machines developed elsewhere, and its functionality is achieved through a combination of hardware and firmware. The prescribed process for its use does not require wireless communication and it is not fitted with hardware to enable such communication. Thus, it is not immediately vulnerable to exactly the same attacks that work on other voting machines.”

However, the design by itself, the group said, is not sufficient to protect the EVM from tampering or error. “A general class of vulnerabilities is common to both the western machines and the EVM. These vulnerabilities arise because of the difficulty of determining exactly what a given electronic machine will do in every scenario, and because those with physical access can change and probe aspects of the hardware or software (for example, they can fit the machine with a wireless receiver, swap out a ROM, or determine the key used to provide cryptographic security).”

The group said there is no clarity on how secure these EVMs are because while “the EC has announced several times that it believes that the EVM is tamper-proof because of certain design aspects, there has been no release of any detailed information about these design features.”

In light of all these aspects, the group said, the EVM challenge, beginning on May 1, 2017, should be treated as a means through which voters in the world’s largest democracy may understand the security strengths and weaknesses of their voting technology. “It would be a waste of time and energy if the EVM Challenge is executed as a superficial exercise without full access and transparency,” the letter said, adding that a “genuinely open and substantial” exercise would enhance the trustworthiness of the elections and the vibrant nature of Indian democracy.