Prof. Vora is part of a team of 31 highly qualified scientists and engineers that recently raised a range of issues related to EVM security. She speaks to The Hindu about EVMs and their vulnerabilities.

Electronic Voting Machine (EVM) cannot be perfectly secure. However, it is possible to hold transparent elections by making the design public, getting expert opinion on its vulnerabilities, addressing them through a public process and using VVPAT, with the correct protocol, for each EVM in every election with public audits, says the George Washington University Professor (Computer Science) Poorvi L. Vora.

Prof. Vora is part of a team of 31 highly qualified scientists and engineers that recently — through an open letter to Chief Election Commissioner Nasim Zaidi — raised a range of issues related to EVM security.

What are the ways in which all or most of the stand-alone EVMs used in India can be tampered with, given the present SoP for machine handling and pre-poll testing, as laid down by the Election Commission?

Generally speaking, in any computer software or hardware, there is the possibility of the individual modules being changed without detection, or being erroneous. Additionally, we are never certain that we can check for all possible problems in software or hardware and detect, through testing, if something is wrong. So it is not that the EVM is badly designed and hence it is vulnerable. In fact, there are several aspects of its design that are unique and interesting to researchers. (See my response to your later question for detail). It is just that all computerised voting technology has problems of this kind.

Specifically, for the EVM, the computer chips in the hardware can be replaced with others at any time in the entire life cycle of the EVM, as it goes through many stages. These chips can be designed to do something other than report the correct vote count. For example, they could be altered to:

* Exchange the highest number of votes with another, so that the winner always loses OR

* Respond to a signal emitted by a cell phone, which indicates what is the number of the candidate who should win, then manipulate all other votes to avoid detection as far as possible; do nothing if there is no signal, and hence avoid detection in tests and mock polls

* Respond to a particular code entered into the EVM: first button, then seventh button, then eight, etc.; this could come from real voters who are waiting in line, allowing EVMs to behave perfectly when tested, and to misbehave once they receive the signal to do so. This signal can also include the number of the candidate who should win

There are likely other steps too.

The EC seals EVMs at a certain stage in the pre-election process after which it becomes considerably harder to tamper with them, because the papers tapes used to seal the EVMs are signed by observers from different parties. Additionally, at another stage in the pre-election process, the EVMs are stored in a locked storage room and parties can put their own seals on the locks. Thus any changes in EVM hardware would have to be made before this sealing and locked storage.

EVMs are tested through mock polls before they are sealed and stored in this manner. However, the tests, as I mentioned earlier, may not detect the problems, and, in fact, a competent adversary manipulating the EVM before this can avoid recognition. For example, only 5% of the EVMs are put through a test of a thousand votes in the mock poll; there is no requirement that I have seen about how many votes should be cast for the other 95%. Suppose it is 200 votes. If, say, 25% of EVMs are manipulated to begin miscounting after 200 votes, only 5% of these, about 1.25%, will be detected as having problems, but the other 24% or so will not be detected.

Additionally, the sealing of EVMs happens before the candidate list is decided, so an attacker would not know which button corresponds to the candidate they want to ensure wins the election. But there are ways the attacker can overcome this problem.

There are two particular attacks described by researchers (S. Wolchok [the University of Michigan] et al, and Amaldev) that I am aware of that are plausible.

* Wolchok et al describe and demonstrate how the circuit board used to display the vote totals can be changed so that the new circuitry will display a desirable total, and how the dishonest new board can include a receiver for signals sent by, for example, a phone, re: what is the order of the candidates.

* Amaldev describes how the circuitry need not be changed in the EVM, but circuitry can be attached to the cable used to connect the EVM's ballot unit (which the voter uses to vote on) to its control unit (which allows a voter to cast a vote, and displays the totals at the end). This new cable can be the one used on election day. Amaldev described the attack in response to the EC asking for descriptions of attacks on EVMs, but there is no demonstration of this attack.

The EC has variously indicated that it uses cryptography to avoid the above attacks. While they have not yet made the design public, cryptography requires a secret key, and this could be probed by the attacker. Additionally, data can be changed before it is encrypted or after decryption once the adversary knows where it is being encrypted and decrypted. Though the designs are not public, physical possession of a single EVM can enable an attacker to learn a lot about how it operates, and what the secret keys are.

The EC also describes randomisation: which EVM is allocated to which particular booth is determined by randomisation software. Randomisation software generally uses a starting value, known as a seed, to generated lots of "pseudo-random" numbers. I do not know if the EC uses a process where the seed is publicly-verifiable to be random and is generated right before the randomisation process, and whether the algorithm is public so anyone can verify the resulting list of pseudo-random numbers; this is the secure way to do it, but I have not see such a description. If it is not done in this manner, anyone who knows the seed will know the list of these numbers.

Additionally, the software can be manipulated to not use the randomisation approach at all, and to just output an entire list of pre-determined numbers.

I think the main flaws in the reasoning of the EC are:

(a) The EVM is hardware and firmware-based and so nothing in the research literature on voting technology applies to EVMs.

This is false, because the general points:

Modules can be changed without detection. Testing cannot guarantee detection of all problems.

These are true for all computerised equipment, whether hardware or software.

(b) The sealing of EVMs before the announcement of candidate lists is sufficient to protect against attempts to manipulate it because the adversary would not know which button corresponded to which candidate.

This is false because the dishonest circuitry can exchange votes, it can also be signalled to about the order of candidates; also, one can change the cable, for example, and this can be done just before polling.

(c) Any flaw in the hardware can be determined by testing.

While it is great to have all kinds of exhaustive testing, it is not sufficient, because we cannot guarantee we have found all problems, and a machine's circuitry can be designed to actively avoid detection.

(d) The EVM is secure because it is stand-alone and does not connect to the internet or have wireless connectivity.

Much can be done with physical access in all the time that EVMs are sitting around in warehouses in between elections; much could have been done during manufacture and maintenance; dishonest circuitry can include receivers for signalling.

(e) Every time someone mentions an attack, the EC can patch it and declare the EVM tamper-proof

I think the efforts of the EC to patch the EVM and its procedures to detect tests are good, but the goal of having a tamper-proof device is not the correct one. The goal should be one of having a strong device with all flaws patched to the extent possible, and to have a robust audit to check every election outcome.

How different are the EVMs used by the Election Commission from the voting machines in other countries?

The Indian EVMs are different in following main ways:

1. They are hardware and firmware based, meaning that they rely almost directly on circuitry in computer chips to compute the result. All other computerised voting systems that I am aware of rely on computer software as well.

2. They are single-purpose: everything about the EVM was designed specifically for the purpose of the Indian election, for voting on a couple of contests. All other computerised voting systems that I am aware of are considerably more complex.

3. No part of the voting system is intended to be networked, and there is no connectivity circuitry at all.

The Indian EVM's stand-alone nature and its reliance on hardware implies that attempts to attack it would need to manipulate the hardware on the system, which is harder than manipulating software.

On the other hand, Indian EVMs are designed and manufactured by a couple of entities, which means that those are points of weakness in the chain.

Also, the simplicity of the EVM can itself lead to attacks being simple. For example, in the earlier EVMs, one can simply add a "man (circuit) in the middle" who changes votes as they go from the vote counting circuitry to the vote display circuitry. This can be done in an intelligent way to avoid detection in the pre-election tests. The EC has since announced that cryptography can avoid these attacks, but the simplicity and newness of the EVM means that there may be vulnerabilities in there that were not thought about.

Because the design is not public, we cannot say what protection is provided by the cryptography. Additionally, the use of cryptography does not prevent all attacks because the key can be found by probing.

So, because the EVM is new, and so different from everything else out there, it should be analyzed even more, not less; its security is not fully understood.

There is one other point about difference that may not be fully obvious. The Indian election is very, very different from any other election. We have almost half a billion voters (50 crore) and the EC is remarkably successful in getting to voters in remote areas in various types of geographies and with climate challenges. We have the problem of booth capture when we use paper ballots. So design constraints are necessarily different from those of other countries.

We should not be expected to use exactly what other countries use, but, as the world's largest democracy, with access to a significant population of technically-expert manpower, we should be able to ensure transparent and secure elections, whatever we use.

In the letter to the Chief Election Commissioner, your team has said EVM is not transparent to the human voter. Does the use of VVPATs resolve the issue beyond doubt?

When we study the security of any system, we study how it can be manipulated. If one system is harder to manipulate than another, we say it is more secure. The only system that is perfectly secure is one that is not used at all. So the EVM, if it is intended for use, cannot be perfectly secure. Similarly for the EVM + VVPAT.

However, VVPAT, when used in the best possible manner, increases considerably the security of elections compared to EVM-only use. However, the fact that the VVPAT slip has the correct vote does not mean the vote was recorded or counted correctly. VVPAT slips need to be stored securely separate from EVMs; their containers should be sealed in the manner similar to EVM sealing, where candidate representatives sign paper seals; and they should be audited after each election. An audit is a manual public examination of randomly-chosen paper slips to determine that the election outcome is correct, it need not be a full hand count.

Additionally, the correct VVPAT protocol is one where the voter looks at the slip, confirms it is correct, and only then is the slip deposited in the storage box, and the vote recorded by the EVM. If the voter finds the vote on the slip is not correct, they should try again. If this keeps happening, they should report it. If many voters make this complaint, it should be investigated, though it can be hard to detect the problem. Voters should have the opportunity to vote on another EVM. The current VVPAT protocol as I can see on the videos online is one where the slip is cast whether the voter agrees it is correct or not. The voter can then complain, but it is not possible to later know for sure whether the voter is honest or not. Strict punishment for false complaints does not work, because the voter could be telling the truth, and the EVM might know when it is being tested and behave honestly thereafter.

Should the Election Commission revert to the paper ballot system as demanded by several political parties?

I do not think one should take a hasty decision here. Paper ballots are better than VVPAT in some ways: for example, the paper ballot always correctly records the vote, but the VVPAT might not. But, on the other hand, EVMs with VVPAT will make it easier to reach remote areas than is possible with long paper ballots; additionally, EVMs are far more efficient in obtaining the vote counts.

I think it is possible to hold transparent elections by (a) making the design public, getting expert opinion on its vulnerabilities through a regular process, addressing these vulnerabilities also through a public process; and (b) using VVPAT, with the correct protocol described above, for each and every EVM in each and every election with public audits for each and every election.

There are also more advanced techniques that should be explored, including end-to-end-verifiable (E2E-V) EVMs and risk-limiting audits.