Saturday, 8 August 2009

The EVM controversy: old allegations revisited

























by Ajai Shukla
Business Standard, 7th Aug 09

Today, the BJP and the Shiv Sena appeared before the Election Commission to allege that Electronic Voting Machines (EVMs), which are now used for all Indian elections, can be manipulated to favour a candidate. But old-timers from Bharat Electronics Limited (BEL), who perfected the EVMs in the late 1980s, say that all the current allegations have been raised before, and comprehensively disproved.

Colonel HS Shankar, former Director (R&D) at BEL says that EVMs came under fire soon after BEL demonstrated them to Prime Minister Rajiv Gandhi in mid-1989. Shankar, who attended that meeting, recalls that an impressed Rajiv Gandhi suggested the use of EVMs in 150 constituencies during the 1989 general elections.

The first challenge came swiftly. On 15th October 1989, at a dramatic press conference in New Delhi, Janata Dal chief, Vishwanath Pratap Singh and George Fernandes produced a “computer consultant” to prove that EVMs could easily be rigged. Before a crowd of journalists, the consultant keyed in “3 + 3” into a computer, pressed “Enter” and showed the answer to the crowd. It was 9.

In the charged atmosphere of 1989, the Election Commission scrapped the plan to use EVMs that year. But when VP Singh became PM, BEL launched a campaign to prove the reliability of electronic voting. Eventually, the government created an experts committee to examine whether EVMs could be “fiddled”.

Professor S Sampath of the Defence R&D Organisation headed the committee, which included Dr PV Indiresan of IIT Delhi, and Dr C Rao Kasarabada, Director Electronic Research and Development Center, Trivandrum. Dr Indiresan gathered four of his brightest research students and gave them five days to subvert the EVM’s source code. Their only restriction: there should be no external damage to the EVM.

Colonel Shankar says that BEL gave Dr Indiresan’s team all the EVM circuit diagrams and design drawings; only the encryption-coded software was withheld. “After five days of struggling, they admitted that the EVM was tamper-proof.”

At the core of the EVM is a microcontroller chip, built by Hitachi of Japan, called an OTP-ROM (one-time programmable read-only memory). Onto this, the Indian EVM contractors --- BEL and Electronics Corporation of India (ECIL) --- “burn” the algorithm that makes it record votes. The microprocessor’s “non-volatile” memory ensures that, once the algorithm is written, it can never be overwritten or subverted, not even by the manufacturer.

The algorithm makes the EVM function as a vote counter. Each candidate is assigned a numbered button, according to the alphabetic order of the candidates’ names. Each time a voter presses, say, Button No 1, the software adds one vote to the account of Candidate No 1. And since, in each constituency, each political party’s candidate will have different serial numbers (determined by the candidate’s name) there is no possibility of installing a country-wide code that favours one party.

After failing to subvert the software, the Sampath Committee staged a mock election to try and subvert the procedure. Failing to do so, it strongly endorsed the EVM. Chief Election Commissioner, RVS Peri Sastry, discussed the test results with all the political party heads, including BJP President LK Advani, all of whom agreed to the use of EVMs in general elections.

“The reason why all parties accepted the EVM was simple”, explains Colonel Shankar, “We copied the simplicity and transparency of the earlier system, while doing away with its drawbacks.”

Besides the tedious counting of votes, the major drawback in the old system of paper voting was booth capturing. Party goons would take over voting booths and, in a couple of hours, stamp thousands of paper ballots in each booth and slip them into the boxes. EVMs mitigate the effects of booth capturing, since a delay circuit ensures only two votes can be recorded per minute. Even if a booth is captured for an hour, a maximum of 120 votes can be polled.

"Eventually, EVMs were used for the first time in general elections in 45 seats in 1999. Polling in the 2004 general elections was entirely on EVMs. This year, again, 671 million voters got the opportunity to vote on EVMs."

24 comments:

AK said...

There's a fatal flaw in all of the EVM testing till date. And that is the assumption that an attack on the EVM is possible only after candidates are programmed into the machine in preparation for voting.

As the article states, all testing done till date discounts the fact that the software that is burned into the EVM can be compromised before it is burnt in. If such compromised software assigns votes to the top 2 or 3 candidates on the ballot in equal measure, then results for a constituency can be skewed by using these compromised machines in strongholds of one party or the other. The only knowledge required for this attack is to know which lot of EVMs has been compromised - and such knowledge can be derived from the external appearance, model number of other identifying characteristics found on the exterior of the EVM.

The only way to prevent this attack is to have high security in the manufacturing process with periodic verification of code as it is burnt into the EVMs. For that matter, any tools and people that are used for this verification may themselves be compromised and hence will need high security procedures as well.

AK said...

I believe the renewed controversy over the EVMs is to an extent caused by the breakdown of trust in the political establishment. Due to the vulnerability of the EVMs in the manufacturing process posted above, it is necessary to have confidence in fair play by various arms of the government such as the Election Commission and the manufacturers BEL and ECIL. While things have been different in the past, such trust and confidence is in short supply these days as seen with the controvery over the appointment of the CEC.

Broadsword said...

AK, you've not read the entire article, or not understood it correctly.

The article mentions that, in each constituency, the serial numbers of the candidates are determined by their individual names, in alphabetical order. The serial numbers are not determined by the names, the size or the success of their parties.

That means that each party has a different EVM serial number in each constituency. The EVMs, however, are manufactured and distributed in bulk. So do let me know how, say, you, sitting in the factory and not knowing which EVM is going to which constituency... nor knowing what each party's serial number is going to be in that constituency... can compromise the EVM?

A huge amount of thought has gone into the electronic voting procedure and it is entirely fool-proof.

If you, or anyone else, can think up a way of subverting this process, do post it.

Arjit said...

Ajay,

I think we are even having this controversy because of the way the current CEC was appointed to his post with all his controversial background and the way an earlier CEC has been appointed as a minister in the upa cabinet.

Earlier the Election commission was beyond reproach but not anymore.so you will not get anywhere if you keep on harping about the technical details of the machines. the machines are ofcourse immune to outside manipulation like booth capturing etc... but what if its an inside job? what if hypothetically speaking the CEC himself who has the keys to the machines, figuratively speaking, manipulates the process to payback the poltical favours or in expectation of future appointments to cushy posts like governor or minister?

J said...

@Arjit: Again. After knowing the way the machines function, how exactly would the CEC be able to tamper with it in the hypothetical situation you mentioned.

I am sure that if the machines have been put in use in all constituencies, there's a good reason for such level of confidence.

If not the politicians/ bureaucrats, then have a little faith in that IIT team atleast.

AK said...
This comment has been removed by the author.
AK said...

So do let me know how, say, you, sitting in the factory and not knowing which EVM is going to which constituency... nor knowing what each party's serial number is going to be in that constituency... can compromise the EVM?

The people in the factory do not need to have any knowledge of how EVMs are going to be assigned to polling booths.

The attack I posted would work as below -

1. Assume that the OTPROM is programmed with unfair code. This can be done if either the programming and verification tools or the people involved in the manufacturing are compromised in any way. Depending on how this is done, this can be compromised using just 1-2 people. If it is the programming and verification tools that are compromised, then no one at the manufacturer would even realise that they are producing EVMs with unfair code.

2. All that the unfair EVMs do is to split all votes polled at the EVM to n candidates on the ballot either in equal proportion or some approximation of an equal proportion.

3. Assume that these unfair EVMs can be identified using external appearance or markings. It is essential that polling staff be able to discriminate unfair EVMs from fair EVMs for this attack to succeed.

4. Now, the polling staff that assigns EVMs to booths can assign the unfair EVMs to strongholds of the candidate who is to be disadvantaged.

5. When the voting takes places, the candidate targetted under this scheme will lose as she will be unable to gain the advantage she usually gains from her strongholds.

Then there is also the matter of the totalizer while is a new device used for counting votes from many EVMs at once. This device may be compromised as well, but there are few details available about it to build a plausible attack.

AK said...

Who the fuck is this fake guy AK who has my initials and is posting all bull crap. Abey saale himmat hai to apna khud ka naam bana, mera kyun chori kar raha hai. Ajai tell me the IP of this idiot so that I can trace him.

Anonymous said...

"Assume that these unfair EVMs can be identified using external appearance or markings. It is essential that polling staff be able to discriminate unfair EVMs from fair EVMs for this attack to succeed."

AK, all machines have the same codes / programme that is to be burned in by the CPU manufacturer. It's not like there are different codes for different machines. So to ask manufacturer to customize the burning process (i.e. 2 types of processes) would require a far greater influence over the manufacturer than 1 or 2 people. And that's why it's done independantly in Japan.

Anonymous said...

"Assume that these unfair EVMs can be identified using external appearance or markings. It is essential that polling staff be able to discriminate unfair EVMs from fair EVMs for this attack to succeed."

AK, all machines have the same codes / programme that is to be burned in by the CPU manufacturer. It's not like there are different codes for different machines. So to ask manufacturer to customize the burning process (i.e. 2 types of processes) would require a far greater influence over the manufacturer than 1 or 2 people. And that's why it's done independantly in Japan.

ak said...

Ajai, there are 2 assholes using my name. I am the actual AK but now these impersonators are trying to fool u and everyone. Please remove their comments, especially the chor on top -- 09 August 2009 14:54

AK said...

AJAI, I am the real AK. Please remember what happened to Prasun Sengupta some months ago. Same story. Please believe me.

-AK

AK said...

AJAI, I am the real AK. Please remember what happened to Prasun Sengupta some months ago. Same story. Please believe me.

-AK

SmarterOne said...

This whole controversy over EVMs by LK Advani & BJP simply implies that they have already conceded defeat for the next General Elections in 2014. When they won election after election EVMs were fair & tamper-proof but suddenly when they started loosing elections after elections EVMs are to be blamed. These BJP people will never admit their shortcomings but will always blame others for their defeat. This time it is the poor EVM. It is all done to take the focus away from the infighting & low morale in the BJP cadres & somehow tell the people that UPA won not because of popular choice but coz of fiddling with EVMs.
@ AK (top one)
To give one party a favor with the EVMs one need to have 544 different types of codes in a General election & that too when he exactly knows what the serial nos. are going to be (so it shud all hv 544 types of identifications too). EVMs are randomly distributed sealed in their packagings (these packagings too need to be tampered/coded with as to identify which machine is inside).
Once they arrive at the local electoral office they are checked thoroughly for ne defects or malfunction. Once satisfied the electoral office then fixs the label stating the candidates in that constituency.
The problem with polititians is not that an EVM can be compromised but it is that it can't be and therefore leaves no room for them to manipulate.
And the alternate voting process that Mr. Advani is suddenly favoring is more prone to manipulation.

AK said...

All machines have the same codes / programme that is to be burned in by the CPU manufacturer. So to ask manufacturer to customize the burning process (i.e. 2 types of processes) would require a far greater influence over the manufacturer than 1 or 2 people. And that's why it's done independantly in Japan.

I was assuming governmental level influence since the Indian manufacturers are PSUs. I mentioned that 1 or 2 people would suffice for this because that establishes how feasible it would be to put a lid on any such mischief. If the programming is done in Japan, then it's even more interesting because the CPUs may have been compromised without the Indian employees even knowing about it.

To give one party a favor with the EVMs one need to have 544 different types of codes in a General election & that too when he exactly knows what the serial nos. are going to be (so it shud all hv 544 types of identifications too).

No. All you need is two types of logic in the EVM. And it should be possible to identify what EVMs have the bad logic.

EVMs are randomly distributed sealed in their packagings (these packagings too need to be tampered/coded with as to identify which machine is inside).

Much would depend on how they are randomly distributed. If the random assignment of EVMs to booths is centralised, then the person(s) doing the assignment would have to be compromised such that they send the unfair EVMs to the strongholds of the candidate to be disadvantaged.

Once they arrive at the local electoral office they are checked thoroughly for ne defects or malfunction.

This won't prevent the attack I posted. Presumably, this testing would involve polling just a few votes. And the unfair logic could be written to kick in only after a set number of votes, say 50, have been polled.

Anonymous said...

Hey Ajay

Can you post an article regarding out beloved Netas.Like how much they eat while in power and how much spoil the country?

sat said...

So, Mr Advani says that EVM's are not beyond tampering.

Mr Advani also went to Pakistan and said Mr Jinnah was a secular person. Do we believe that too?

This gentleman and the likes of him do not have any principles. They will say whatever suits them whenever it suits them.

Instead of accepting the people's verdict, go ahead and blame non-issues for your loss. Shame on you Mr Advani.

Anonymous said...

So, Mr Advani says that EVM's are not beyond tampering.

Hello, Congressmen are saying the same thing. It is unavoidable that the Opposition will have to rake up this issue since the Government will not like to admit it if something happened on it's watch.

http://www.dnaindia.com/india/report_congress-blames-bjd-of-evm-tampering-in-orissa_1265953

Anonymous said...

If not the politicians/ bureaucrats, then have a little faith in that IIT team atleast.

Right. Here is what the IIT team recommended (in 2006) for detection of Trojan activation sequences -

all key-presses are to be time-date-logged in the memory (as per advise of the committee), and a "repeat pattern" in all CU's at various booths can be easily visible, on post-election analysis.

So has this post-election analysis been completed? What is the result of this analysis?

sudeep said...

How can the integrity of the algorithm programmed in the ROM be ensured?

If the algorithm can be subverted, it can be designed to do things like, press certain keys in a sequence to assign a majority of the votes to the candidate assigned number X on the EVM.

Only the people incharge of the EVM programming, and people doing the subversion need to be aware of this - perhaps ~30-40 people in all can subvert an entire election with no trace of what went wrong.

From you article

>> only the encryption-coded software was withheld.

Ok, so is there a challenge-response verification mechanism inside the EVM to ensure that any modified sw would not run? (There may be, but then again, these are really simple pieces of hw)

>> At the core of the EVM is a microcontroller chip, built by Hitachi of Japan, called an OTP-ROM

Whats the big deal? Your washing machine probably has one. ROMs are usually not surface mounted on the PCBs, but in sockets. They are programmed (the algorithm "burn" part) on a different board and set in the PCB later. Is it possible for some EVMs to have their ROMs replaced - as simple as popping out one ROM and popping in another?

There is nothing in your article that proves/disproves anything, just some big names proclaiming that EVMs cant be tampered with.

sudeep said...

To be clear, I am not commenting on the politics of the last election, that is a separate issue, only on whether EVMs can be subverted or not.

My opinion is that it can be done in relatively straight forward ways if the manufacturer of the EVMs is suspect.

Anonymous said...

How does one buy EVMs from the government? I want to get hold of a few and check out a some theories.

Anonymous said...

All that needs to happen for a system to be tampered with is a trap door left open. Use the trap door - win the election. Since the Indian system does not use a paper backup (both paper and electronic copies of the vote are maintained) - it is so much easier for the above to be untraceable. Since the source code is not open and verifiable - no way to prove a modification to the code. The system used in US are tested multiple times, by multiple independent groups to ensure that they can't be compromised. I don't see any such mechanism in place for the Indian elections. Having recently been to a talk on this topic, it is amazing how easy it is to find ways to hack/engineer these systems.

Anonymous said...

All these arguments ignore one fact. You can replace the OTP ROM with another one bought from Hitachi.
Simple. Just because OTP ROM is one time programmable does not mean you cannot solder out one ROM with another. These are simple chips with small memory footprint. So small that they do not have too many pins. solder a chip out and neatly solder another chip