Are electronic voting machines tamper-proof(article in The Hindu by Dr. Subramanian Swamy, June 17, 2009)
Dr. Subramanian Swamy article on EVM’s in ‘The Hindu’ on June 17, 2009
(Full article is also given below).
|No, argues the author, because each step in the life cycle of a voting machine involves different people gaining access to the machines, often installing new software. But there are many ways of preventing EVM fraud.|
Is there a possibility of rigging electoral outcomes in a general election to the Lok Sabha? This question has arisen not only because of the unexpected number of seats won or lost by some parties in the recent contest. It is accentuated by the recent spate of articles published in reputed computer engineering journals and in the popular international press, which raise doubts about the integrity of Electronic Voting Machines (EVMs).
For example, the respected International Electrical & Electronics Engineering Journal (IEEE, May 2009, p.23) has published an article by two eminent professors of computer science, titled “Trustworthy Voting.” They conclude that although electronic voting machines do offer a myriad of benefits, these cannot be reaped unless nine suggested safeguards are put in place for protecting the integrity of the outcome. None of these nine safeguards, however, is in place in Indian EVMs. Hence, electronic voting machines in India today do not meet the standard of national integrity or safeguard the sanctity of our democracy.
Newsweek (issue of June 1, 2009) has published an interesting article by Evgeny Morozov, who points out that when Ireland embarked on an ambitious e-voting scheme in 2006, such as touch-screen voting machines, the innovation was widely welcomed. Three years and 51 million euros later, the government scrapped the entire initiative. What doomed the effort was a lack of people’s trust in the machines. Voters just didn’t like that the machines would record their votes as mere electronic blips, with no tangible record.
Mr. Morozov points out that, as most PC-users know, computers can be hacked. While we are not unwilling to accept this security risk in banking, shopping, and e-mailing (since the fraud is at the micro-level and of individual consequence, which in most cases is rectifiable), the ballot box is sacred. It needs to be perfectly safeguarded because of the monumental consequence of a rigged or faulty vote recording. It is of macro-significance, in the nature of an e-coup d’etat. At least that’s what voters across Europe seem to have said loud and clear.
Thus, a backlash against e-voting is brewing across the European continent. After nearly two years of deliberation, Germany’s Supreme Court ruled last March that e-voting was unconstitutional because the average citizen could not be expected to understand the exact steps involved in the recording and tallying of votes. Ulrich Wiesner, a software consultant who holds a Ph.D. in physics and who filed the initial lawsuit, said in an interview with the German magazine Der Spiegel that the Dutch Nedap machines used in Germany were even less secure than mobile phones!
In fact, the Dutch public-interest group ‘Wij Vertrouwen Stemcomputers Niet’ (‘We Do Not Trust Voting Machines’) produced a video showing how quickly the Nedap machines could be hacked without voters or election officials being aware (it took just five minutes). After the clip was broadcast on Dutch national television in October 2006, the Netherlands banned all electronic voting machines from use in elections.
Numerous electronic voting inconsistencies in developing countries, where governments are often all too eager to manipulate votes, have only fuelled the controversy. After Hugo Chavez won the 2004 election in Venezuela, it came out that the government owned 28 per cent of Bizta, the company that manufactured the voting machines. On the eve of the 2009 elections in India, I raised the issue at a press conference in Chennai, pointing out that a political party just before the elections had recruited those who had been convicted in the U.S. for hacking bank accounts on the Internet and credit cards.
In the U.S. too, there is a significant controversy on Elms. In fact, the Secretary of State of California has set up a full-fledged inquiry into EVMs, after staying all further use.
Why are the EVMs so vulnerable? Each step in the life cycle of a voting machine — from the time it is developed and installed to when the votes are recorded and the data transferred to a central repository for tallying — involves different people gaining access to the machines, often installing new software. It wouldn’t be hard for, say, an election official to paint a parallel programme under another password on one or many voting machines that would, before voters arrived at the poll stations, ensure a pre-determined outcome.
The Election Commission of India has known of these dangers since 2000. Dr M. S. Gill, the then CEC, had arranged at my initiative for Professor Sanjay Sarma, the father of RFID software fame at the Massachusetts Institute of Technology (MIT), and his wife Dr Gitanjali Swamy of Harvard, to demonstrate how unsafeguarded the chips in EVMs were. Some changes in procedure were made subsequently by the EC. But the fundamental flaws, which made them compliant to hacking, remained.
In 2004, the Supreme Court’s First Bench, comprising Chief Justice V. N. Khare and Justices Babu and Kapadia, directed the Election Commission to consider the technical flaws in EVMs put forward by Satinath Choudhary, a U.S.-based software engineer, in a PIL. But the EC has failed to consider his representation.
There are many ways to prevent EVM fraud. One way to reduce the risk of fraud is to have machines print a paper record of each vote, which voters could then deposit into a conventional ballot box. While this procedure will ensure that each vote can be verified, using paper ballots defeats the purpose of electronic voting in the first place. Using two machines produced by different manufacturers decreases the risk of a security compromise, but doesn’t eliminate it.
A better way, it is argued in the IEEE article I have cited, is to expose the software behind electronic voting machines to public scrutiny. The root problem of popular electronic machines is that the computer programmes that run them are usually closely held trade secrets (it doesn’t help that the software often runs on the Microsoft Windows operating system, which is not the world’s most secure). Having the software closely examined and tested by experts not affiliated with the company would make it easier to close technical loopholes that hackers can exploit. Experience with web servers has shown that opening software to public scrutiny can uncover potential security breaches.
However, as the Newsweek article points out, the electronic voting machine industry argues that openness will hurt the competitive position of the current market leaders. A report released in April by the Election Technology Council, a U.S. trade association, says that disclosing information on known vulnerabilities might help would-be attackers more than those who would defend against such attacks. Some computer scientists have proposed that computer codes should be disclosed to a limited group of certified experts. Making such disclosure mandatory for all electronic voting machines will be a good first step for preventing vote fraud. It will also be consistent with openness in the electoral process.
Now several High Courts are hearing PILs on the EVMs. This is good news. I believe the time has arrived for the Supreme Court to transfer these cases to itself, and take a long, hard look at these riggable machines that favour a ruling party that can ensure a pliant Election Commission.
Else, elections will soon lose their credibility and the demise of democracy will be near. Hence evidence must now be collected by all political parties to determine the number of constituencies in which they suspect rigging. The number will not exceed 75, in my opinion. We can identify them as follows: any 2009 general election result in which the main losing candidate of a recognised party found that more than 10 per cent of the polling booths showed fewer than five votes per booth should be taken, prima facie, as a constituency in which rigging took place. This is because the main recognised parties usually have more than five party workers per booth, and hence with their families will poll a minimum of 25 votes per booth for their party candidate. If these 25 voters can give affidavits affirming who they voted for, the High Court can treat this as evidence and order a full inquiry.
(The writer is a former Union Law Minister.)
Newsweek article ‘We Do Not Trust Machines’ on EVM’s:
European E-Voting Machines cracked by Dutch Group
The Netherlands return to paper ballots and red pencils
The following section taken from a paper by ‘Open Rights Group’ based in UK:
e-Voting tales of woe from around the world
Electronic voting has been introduced in many countries worldwide, only for
serious doubts to be raised about the security, accuracy, reliability and verifiability
of electronic elections.
Italy has announced its intention to no longer pilot e-voting methods. Making
the announcement, Italian Minister of the Interior Guiulano Amato said that
“We decided to stop the electronic voting machine … It will be the triumph of
our ancestors … Let’s stick to voting and counting physically because [it is]
less easy to falsify.”9
Security researchers in The Netherlands have discovered serious flaws in a
model of e-voting machine widely used by the Dutch government and purchased
by the Irish. The flaws, which included being able to remotely detect
how a vote was cast from the machine’s radio emissions, were confirmed
by the Dutch Intelligence and Security Service. Subsequently a government
review led to the withdrawal from elections of e-voting machines from a competing
The Republic of Ireland has a moratorium on its e-voting machines after an
Independent Commission, created after repeated cross-party criticism,
uncovered serious technical and procedural flaws. One telling finding from
the Commission’s second report was that “the testing of the [e-voting] system
as a whole carried out to date, as well as the investigation, analysis and independent
testing and certification of its individual components, [was] insufficient
to provide a secure basis for the use of the system at elections
in Ireland.”11 According to Freedom of Information releases, Ireland spent
€110.4 million on e-voting between 2002 and May 2004.12
The Canadian province of Quebec has an indefinite moratorium on the use of
its e-voting machines following the investigation of troubled municipal elections.
Delivering his report on e-voting, Quebec’s Chief Electoral Officer said
that e-voting systems “[do] not offer sufficient guarantees of transparency
and security to ensure the integrity of the vote.”13
The United States, which has been a pioneer in using technology for elections,
has a long history of problems with e-voting, some of which raise doubts as
to the legitimacy of results. In 2004, a group of experts issued a report critical
of a planned internet voting system for US soldiers overseas, resulting in the
project being cancelled. They wrote that “the vulnerabilities … cannot be
fixed by design changes or bug fixes to [the system]. These vulnerabilities are
fundamental in the architecture of the internet and of the PC hardware and
software that is ubiquitous today. They cannot all be eliminated for the foreseeable
future without some unforeseen radical breakthrough.”14
In November 2006, America’s influential National Institute of Standards &
Technology stated that electronic voting machines “in practical terms cannot
be made secure.”15 This is a view shared in prominent journals by leading
computer science and elections academics around the world.
Doubts over the veracity of election results in the United States — including
the 2000 Presidential count in Florida, the 2004 Presidential count in Ohio
and the 2006 mid-term elections —have all revolved around failings or manipulations
of e-voting systems. By January 2007 one Congressional seat was
still in limbo due to 18,000 questionable votes cast with an e-voting system16.
The flimsy e-voting certification process in the US has also been called into
question after one of the key testing labs was secretly suspended in 200617.
These international experiences have shown that when electronic and software
technologies are introduced into the election process, significant and
worrying problems arise.
e-Voting is a black box system
Voting technology is what is known as a ‘black box’: voters, candidates and
even officials cannot see the inner the workings of the machines. Only a small
group of technology experts has any hope of understanding how the election
is being conducted and counted. Because the votes are invisible, made up
of ones and zeroes, it is extremely difficult even for experts to be certain that
what vendors claim is happening really is happening.
Manipulating bits in a computer is much easier than copying paper ballots,
so there is potential for undetectable vote manipulation on a scale never seen
before: a hacker could hide a tiny piece of code in the voting software that
could invisibly, but significantly, modify an election’s results. But putting aside
undetectable hackers, vote stealing and other manipulations, we must also
remember that these systems are built by ordinary, fallible people.
Like all computers, e-voting systems go wrong and usually do so on election
day because this is the only time they are used. And the problems that come
to light are not trivial. There have been cases where selecting one candidate
stored a vote for another, or where the system failed completely, depriving
people of their right to vote. Problems are often not discovered until the election
is over, when it is impossible to say how the votes should have been cast.
Because the votes are stored as bits, there is nothing for election officials to
study when problems occur, as there is with paper ballots. There is nothing
to audit except some memory cards, which cannot shed any light upon what
happened but can only provide a final tally. There is no way for the voter, candidates
or officials to know whether the voter’s intent was accurately stored
and then correctly counted by the e-voting system. Everything happens
inside the black box.
With a paper ballot the voter can see their mark and has immediate feedback.
That mark is stored, unchangeable, in the ballot box until it is time to be
counted. If a recount is required, that ballot can be examined a second time.
It would be trivial for an e-voting system to report that it has stored a vote for
Ms X when in fact Mr Y gains one vote in the memory card. Under these circumstances,
a recount is no help, as the computer adds the same numbers
up again and will arrive at the same result each time. With paper, new people
can be called in to count and judges can debate each ballot paper, but with
e-voting the election is nothing but the numbers on the screen.
These fears are not just theoretical. Activists in the United States worked with
a Finnish computer security expert and a respected election official in Florida
to show how manipulation of a memory card before an election started
would allow results counted by an optical vote scanner to be altered without
trace. The successful manipulation is shown as the conclusion of Hacking
Democracy, a film documenting the many problems with e-voting based
elections in the United States18.
References (more in the article link given in the beginning)
9 See: http://www.jasonkitcat.com/?be_id=320
10 See: http://www.wijvertrouwenstemcomputersniet.nl/English
11 Source: http://www.cev.ie/htm/press/press040706.htm
12 Source: http://fiasco.ie/evoting/resources/CostofElectronicvotingAsOfMay.pdf
13 Source: http://www.electionsquebec.qc.ca/en/nouvelleDetail.asp?id=2153&typeN=2
14 Source: http://servesecurityreport.org/paper.pdf
15 Source: http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf
16 House Seat Hangs by a Byte, Kim Zetter, Wired News (11 Jan 2007)
17 Source: http://www.nytimes.com/2007/01/04/washington/04voting.html
18 Hacking Democracy, http://www.hbo.com/docs/programs/hackingdemocracy/
Wednesday 14th April 2010
By CARLOS H. CONDEThe New York Times
MANILA — It might have been an innocent enough error: the ultraviolet ink in the bar code on millions of ballots for the May elections was not dense enough to be detected by the computers programmed to authenticate them. But when officials reported their discovery last month, conspiracy theories and predictions of vote fraud ran rampant, especially after the Commission on Elections said it would deactivate this security feature and supplement the computers with manually operated ultraviolet ink readers, the kind used to check for counterfeit bank notes.
“The UV ink reader is one the most important security features of the P.C.O.S. machines as it ensures the authenticity of the ballots,” said Liza Maza, a senatorial candidate, referring to the Precinct Count Optical Scan, the computer at the heart of the automated elections. The commission’s decision to turn off the UV authentication feature, Ms. Maza said, “triples the chances for election fraud to occur in May.”
On May 10, for the first time, Filipinos will choose their local and national leaders through a totally automated election system. The intent is to usher in a new era of politics free of ballot tampering.
“The computerization of elections gives Filipinos an opportunity to make a break from the fraud-ridden elections of the past,” said Benito O. Lim, a political scientist at Ateneo de Manila University.
But such is the history of tainted elections here that many fear computerization may just provide even greater opportunities for disenfranchising voters.
Philippine elections have often been marked by chaos and violence, and this round is no exception. In November, 57 people were killed when a politician tried to stop a rival from filing candidacy papers. It was the country’s worst case of election bloodletting, but hardly a week goes by without news of a candidate or his supporters being attacked.
Allegations of fraud are common, whether in elections for village chieftains or for the presidency. Among the most notorious cases were the “snap elections” called by Ferdinand Marcos, the authoritarian president, in 1986, when he tried to use what are often referred to here as “guns, gold and goons” against his challenger, Corazon Aquino, and the 2004 election, which returned the current president, Gloria Macapagal Arroyo, to power through what the opposition asserted was widespread tampering with election tally sheets.
“Historically, our problem has always been because elections are done here manually,” said Ramon Casiple, executive director of the Consortium on Electoral Reforms, a nongovernmental group that has been advising the elections commission on the automation project. “I’m not saying automation is a panacea, but at least it could speed up the election process and minimize human intervention.”
In previous elections, paper ballots, on which voters wrote in the names of their preferred candidates and then dropped into boxes, were recorded and tallied manually on the spot. The tally sheets were then carried to town centers and then, in the case of national elections, to the capital, Manila, where they were counted once again. The process took many days, sometimes weeks. At times, tally sheets were padded, ballot boxes stolen at gunpoint and election workers harassed and even killed.
Under the new automated system, voters will receive ballots with the names of parties and candidates already inscribed. They will mark their preferences and feed the ballots into the P.C.O.S. machines. The final results are expected to be announced within two days.
But the road to automation has not been smooth. Questions were raised regarding the ability of the contractor, Smartmatic-TIM, to set up the system. In several tests conducted over the past few months, many of the P.C.O.S. machines malfunctioned and had problems relaying results — via mobile phone networks — to the main data center.
Last week, Smartmatic-TIM defended the automation project, saying that the machines had passed tests and that, while there may be problems, most of the security features are intact. Gene Gregorio, the company’s spokesman, had earlier allayed fears that the machines would be hacked or the transmission of results compromised, pointing out the several security layers in place.
The Center for People Empowerment in Governance, a nongovernmental group that is monitoring the automation process, has listed at least 30 vulnerabilities of the P.C.O.S. machines, among them the fact that the elections commission has not yet made public the source code of the program being used, as required by a 2007 law. This is to provide independent assurance that the source code has not been altered. The commission has said it would hold briefings for computer experts from political parties and independent election monitors.
The nongovernmental group Kontra Daya questions whether enough P.C.O.S. machines and election inspectors are being provided at polling stations to handle the expected 50 million voters. It also cites what it sees as a low level of public awareness, wondering if voters will be able to handle the new system.
“One of our greatest fears is that if these issues are not addressed in time for May 10, then we are headed for a trouble-filled Election Day with many disenfranchised voters,” the group said last month, a few days after participating in field tests of the machines.
The National Democratic Institute, which sent a mission to Manila last month to study preparations for automation, said that the elections commission had not yet released clear guidelines for conducting a random manual audit to check the automated results, which is “central to ensuring the integrity of the vote tabulation.”
“Electronic voting is often employed as a means to ensure the integrity of elections,” the institute, which is based in the United States, said in its report. “However, without proper safeguards, the use of automation can breed suspicion and be misused.”
Political parties said they are worried that the commission seems ill-prepared. The opposition Liberal Party, the party of the presidential front-runner Benigno S. Aquino III, said last month that it was alarmed that the commission had not made public the results of tests of the computers, servers, printers, batteries and power generators that will be used on Election Day.
Last weekend, when overseas Filipinos began casting absentee ballots, two of the P.C.O.S. machines in Hong Kong failed to work for an hour, a problem officials blamed on moisture. César Flores, a Smartmatic official, said Monday that the company anticipates glitches with up to 400 machines and will have 6,000 spare ones around the country on Election Day.
Rene Sarmiento, one of the election commissioners, said in an interview last week that contingency plans are still being worked out and that the commission is within its timetable to complete all these preparations by May 10.
Mr. Sarmiento pleaded for understanding, saying that this is the first fully automated election program in the region. “We’re doing our best to make this acceptable to the public,” he said.
Mr. Sarmiento said automation is necessary to make elections in the Philippines much more orderly and more reflective of the will of the people. “This will be a total breakaway from the past,” he said. “There will be glitches, sure, but we can do this.”
Regardless of the problems automation presents, “at least we are assured that the old ways of cheating and fraud will not be repeated,” said Mr. Lim, the political scientist. “But we have to make sure first that the integrity of the whole process is intact. That is a crucial first step.”