Election Integrity

Background

Mr  Hari K. Prasad, a voting system security researcher, had conducted a study on Electronic Voting Machines (EVMs) along with collaborators—including Prof. Alex Halderman of the University of Michigan, Ann Arbor and Mr  Rop Gonggrijp of the Netherlands — which found that "an attacker with brief access to EVMs can tamper with votes and potentially change election outcomes".

Mr  Prasad was arrested last Saturday by Mumbai police on charges of breaking into a Customs House godown to steal the EVM that he used for his research. He has consistently maintained that he did not steal the machine and was given it by an election official who was concerned about EVM vulnerabilities and requested anonymity. In the past, VeTA, the NGO Mr  Prasad is affiliated with, has made efforts to obtain, from the Election Commission, access to an EVM for research purposes. These efforts are described in detail here.

Much has been said following the unjustified arrest. Political parties have latched onto it and the debate is in danger of being reduced to a political tamasha. I believe the politics provide a distraction, and would like to bring the focus back to the serious scientifically-substantiated concerns about Indian EVMs. It is important to address these concerns so that India's voting technology meets the highest standards of transparency and verifiability.

Before we proceed, it is appropriate to emphasize that, while votes can be tampered with, there is no scientific evidence or scientific claim of actual vote manipulation in any of the elections held so far. In a recent blog post Prof. Halderman emphasizes this:

"Our study does not even attempt to show that any past election result is invalid. Nobody can reasonably claim, based solely on the results we've presented, that an election now settled should be overturned".

It is, however, the potential for vote tampering that should be addressed in order to ensure secure elections.

Even before presentation, the paper has already received much attention in the voting system security community and was the topic of a panel discussion at the world's most prestigious voting system security conference, EVT/WOTE 2010. The video of the panel is here. The Election Commission's point of view, that the EVMs are secure, was presented by Deputy Election Commissioner Mr  Alok Shukla and Chair, Expert Committee, Prof. Indiresan. Following the panel, some members of the audience of international voting system security experts have written a letter to the Election Commission saying that they have "significant concerns about the security, verifiability, and transparency of India's EVMs". The letter urges the Election Commission to "explore other forms of voting that are suitable to the Indian context and that do provide adequate transparency, verifiability, and security". It ends with: "Our research community has been involved in this process around the world, and you are welcome to draw on our collective experience and expertise as you see fit".

The Computer Security Approach

To understand what Mr  Prasad's work and the EC's response means in the context of voting system research, let us now turn to what is known about the science of computer security and what the general approach in this field is.

First, "security by obscurity" — the idea that hiding information on system design protects the system — has been completely discredited. It is unreasonable to assume that those who wish to manipulate votes will not be able to find out details. Hence, keeping the system design secret only prevents the good guys from studying the system, but does not prevent the bad guys from exploiting it. On the other hand, the scrutiny of a public design by experts from all over the world greatly increases the chances of finding flaws and reduces the risk of someone quietly exploiting an unknown flaw. Sunlight, though harsh, is a great disinfectant.

Second, security studies have a model of the adversary: a model of who might attack the system, and what their capabilities might be. The adversary is a thinking adversary and tests that don't take this into consideration have limited utility. For example, the mock elections conducted by the Election Commission (where a few votes are cast on EVMs just before the election to check the machines) will not detect a dishonest computer program which knows, from the small number of votes cast, that it is being checked. This program will simply provide the correct total at this time.

Third, the adversary can be an insider. This is particularly true when many thousands of individuals have access to Indian EVMs, which are maintained by technically competent private contractors. Your house might have all the best locks in the world, and each door and window might be locked, but if someone inside lets the adversary in, the locks are not much use.

Fourth, adversaries are not likely to risk jail by boasting about a rigged election. So we cannot assume we will find out if an adversary is manipulating the system, and, conversely, that if there is no proof of manipulated elections, the elections were fair. On the contrary, we must actively provide strong security arguments for why there cannot be an adversary quietly rigging the election, and we must actively look for what an adversary might do.

You might say that no system can be completely secure. And you would be right. Which brings us to the next point.

Fifth, a voting system must allow for an election audit. This is because one can never predict and prevent all possible attempts to change vote totals, and because one can never be completely sure that the system evaluated was indeed the one used. It must be possible for voters to audit an election and determine, with high confidence, that this particular election was not rigged. And they must be able to do this for every election.

File Photo: A technician checks EVMs at a warehouse in Ahmedabad

Election auditability is not a trivial problem in voting system design, because the audit should not reveal how individual voters voted. Other democracies enable audits through the use of paper ballots or paper audit trails, and there have also been small elections held with cryptographic voting systems that provide the possibility of independent audits while protecting ballot secrecy. In a sense, the light shines not only on the voting system, before the election, but on the election itself. This is very important with electronic systems. Human election observers cannot see the data inside the electronic voting machine, even if they can examine the same machine before the election, unless an effort is made to provide a digital or paper audit trail. With the current EVM, which does not allow for an audit as a simple matter of process, it is not possible to determine if, for example, the top two vote counts were exchanged.

Thus, the point is to have an ongoing cycle of independent security evaluation followed by improvement of the basic technology, coupled with the ability to audit elections.

What This Means for Indian Elections

The cycle of ongoing improvement is only possible if system designers are prepared to let the systems be examined and assessed for vulnerabilities. Additionally, system designers must be willing to address a flaw when it is detected. Finally, system designers must actively seek to improve their systems through consultation with the entire security community. Indian elections are complex, and one cannot say offhand what the best system might be for India. The Indian election must be described and studied carefully with security experts to determine the appropriate solution.

This sounds like a lot of hard work, you say. And you would be right. But why shouldn't it be? This is the way e-commerce systems that let you pay your bills online are developed and maintained. Is not voting at least as important as paying your bills online? In the world's largest democracy?

It has been almost twenty years since EVMs were first used. Much has been learnt by the security community since then, and it is indeed time to re-examine any assumptions made at the time of their design, to perform a thorough security evaluation and to act on its findings. The Election Commission's current approach of severely limiting access to the EVM and its code may be intended to protect voting system security. But the experience of computer security experts tells us that this is misguided. The EC approach, instead, denies the Indian voter the cycle of constant evaluation and improvement and the ability to audit elections while being guaranteed ballot secrecy.

The Election Commission has, to date, contributed greatly to a fair electoral process. EVMs are delivered in remote areas across a wide variety of geographical terrain and climate. Law enforcement is used well to enhance voter safety. And Indian voters trust that their elections are fair — they show up in large numbers, quite unlike those in most other democracies. It is up to the EC to rise to this occasion as well.

Instead of encouraging researchers to shine a light on our voting systems, we seem more concerned with arresting and ludicrously charging them with a "conspiracy to discredit India's election process".

Poorvi L. Vora is Associate Professor of Computer Science at The George Washington University (GW) in Washington DC, USA. She has a B. Tech (EE) from IIT Bombay (now Mumbai), M.S. (Mathematics) from Cornell University, and M.S. and Phd (ECE) from North Carolina State University. Prof. Vora works on voting system design and was recently involved in a multi-university voting system project where voters were able to independently audit a municipal election without being required to trust voting machines or election officials. In the past, she has worked at Hewlett-Packard Co, and has also been on the faculty of IIT-Bombay (now Mumbai) and IIT-Delhi. Any opinions expressed in this article are the author's alone and may not be attributed to her employers (past or present) or organizations and projects she is, or has been, affiliated with.