b1a2a139affbaa24f2b65767b8b9d3d650b6de64

Qualitative Study of India's Voting System with Special Emphasis on its Distinctive Structure, Usability, Security and Technological Vulnerabilities

Subhadeep Basu

1st September, 2020

Abstract

India made the switch from paper ballots to paperless electronic voting in phases through the late 1990s to early 2000s and has been using it in all general and state elections since 2004 to meet the global standards of modernization in the electoral process (ref. Applying International Election Standards, National Democratic Institute). Their answer to electronic voting was the indigenously created Electronic Voting Machines (EVM). These machines had to meet a plethora of prerequisites and constraints within which it had to operate in terms of usability, accessibility, portability in addition to the salient requirements of the electoral process. While India’s EVM is revered for its simplicity and functionality in certain aspects, there are glaring inefficiencies which have been highlighted in this paper. The electoral machinery has also garnered widespread criticism and flak from researchers and academicians from eminent institutions across the globe (ref. Resolution on Electronic Voting, Prof. David L. Dill). In addition, this paper also does a comparative study with Direct Recording Electronic (DRE) voting systems around the world, engineering loopholes and simulation of possible security attacks on its hardware and software. With general inputs on the entire electoral process, this study gives the reader a holistic overview of the shortcomings in the system and the possible improvements that can be made to improve it.


1. Introduction

“…that government of the people, by the people, for the people, shall not perish from the earth.” –these words from US President Abraham Lincoln’s immortalized Gettysburg Address has gone down in history as one of the steadfast pillars of democracy. India is the world’s largest democracy. In the 2019 General Elections, there were around 910.5 million registered voters and with a voter turnout of 67.4%, i.e., around 613.65 million votes registered. The entire electoral machinery is tested extensively and is made to function under multiple constraints based on its structural capabilities and other socio-economic differences of the population. The Election Commission of India (ECI) is the apex authority for conducting and administering elections in India which functions autonomously. The ECI throughout the years has made multiple claims about the versatility of the EVMs solely on the basis of its design and its simplicity though there is much ambiguity about its exact specifications. Its dodgy stance towards independent security reviews and its policy of ‘Security by Obscurity’ discredits their confidence on their machines and further add to the criticism from the machine’s users and the global community. In this study, we take a systematic approach to the process. First, we evaluate the machine’s roots; compare it with other DRE systems used in different countries, give a detailed account of the design and its evolution over the years. Second, we highlight the constraints which it has to function within and how it fares in general. Moreover, we show how easily these machines can be manipulated by software and hardware attacks by describing hypothetical offensive simulations. As a consequence, we discuss how the sanctity of the elections can be compromised by reviewing the process with its minimalist procedural safeguards. We also examine whether this system meets the basic necessities of a free and fair election. Lastly, we analyse all the criticism it has been subjected to from different researchers and the users. We also suggest solutions to make the systems more secure, user-friendly, and accessible and add transparency to the voting process.

 

This study establishes that the Indian voting system is not infallible and is prone to tampering and manipulations which endangers the democratic structure of the country by compromising on majoritarian voter’s intent and its reflection on the government and its policies.


2. Electronic Voting Machine (EVM) – The ‘Make in India’ DRE Voting System

 

2.1 Introduction to the EVMs

The simplest way of describing the EVMs of India is a Latin phrase sui generis which means ‘of its own kind’. These machines are the standardized tools for conducting electronic voting in the country. They are developed by the Election Commission of India in collaboration with two state-owned companies – the Electronics Corporation of India (ECIL) and Bharat Electronics Limited (BEL). The first prototype was developed in 1980s and was used on a test basis in a by-election in Kerala in1982. After multiple deliberations and court proceedings, the final model was developed in 1989. After multiple small-scale trials, it was first used on a wide-scale in the Assembly Elections of Goa in 1999. It was finally adopted for usage in the 2004 Lok Sabha elections and has been the backbone of the electoral process since. Over the years, the machine has been manufactured with minor tweaks and improvements in each generation.

 

These machines are acclaimed for their simplicity, usability and making technology accessible to the masses. Although they provide basic security and a lot of procedural safeguards are involved in the process, it is inadequate when it comes to modern malware and malicious attacks (ref. 17th ACM Conference on Computer and Communications Security (CCS ’10), Chicago, IL, October 2010).These machines have gained such widespread popularity and acclamation that these machines have been exported countries like Nepal, Bhutan, Namibia and Kenya and have been extensively used in conducting elections in those countries.

The ECI is so confident about their indigenous machine that they have associated the adjectives ‘infallible’, ‘tamperproof’ and ‘perfect’ with it. Nobody can discredit its achievements in making the application of such a complex procedure in such a minimalist design which is truly an engineering marvel in its own essence. But in trying to meet these criteria, it has cut costs in terms of securing maximum security for this procedure. 

 

The EVMs use an embedded system and is composed of two units-the Control Unit and the Ballot Unit. Voter Verifiable Paper Audit Trail (VVPAT) machines were introduced recently to make the process more transparent. The other technical and structural aspects are discussed in detail in the following sections of this study.

 

The EVMs simplify the basic construction of DRE machines which makes it hand-crafted for the Indian masses and thus, upholds accessibility, availability and enfranchisement. In catering to such a large population, these machines need to be produced in large numbers. The minimalist design brings down the manufacturing costs.

 

2.2 Comparative Study with DREs in Other Countries

Direct Recording Electronic (DRE) voting machines have been widely used in many countries across the world because it made the entire electoral process more versatile and much less burdensome. Earlier processes like the paper ballot, Lever Voting Machines, Optical Scan Voting Machines, etc. involved other tertiary processes like printing out and distributing adequate and user-friendly ballots which support multiple languages and also, be accessible to the physically challenged, followed by the safe and secure transport and storage of those ballots. All these processes were tasking from a administrative point of view. The DRE machines seemed to solve all these administrative and logistical issues and digitized the entire process and found natural acceptance from the global community. These machines marked the introduction of computers into the voting process and made significant changes to the status quo. The Netherlands used the NEDAP DREs and so did Germany for a brief period of time. Diebold made multiple DRE machines like The Accuvote TS which were used in extensively in the US and other countries like Brazil. All these paperless DREs had their fair share of issues which shall be discussed later on.

 

The Indian EVMs are paperless DRE voting machines by nature but they are a much simpler application of the basic functionality of DREs. The basic differences of DRE machines from US/Europe and India’s EVM are as follows:

  • The DREs used in US /Europe are complex machines. They have multiple functionalities and come in with higher forms of technology like touch-screen displays, multiple buttons, etc. Multiple functionalities add more features to the machine but affect its accessibility which is uncompromising when it comes to the Indian EVMs. The Indian EVMs are simple machines and when come with very minimal functionalities and reduces the probability of things going wrong.

 

  • The DREs used in US/Europe have a PC (Personal Computer)-like design while the Indian EVMs have an embedded system.

 

2.3 The Design and Structure of the EVMs

The EVMs in India were designed primarily on the basis of a paperless DRE. These machines are manufactured by the Electronics Corporation of India (ECIL) and Bharat Electronics Limited (BEL). The machines have two main components – the Ballot Unit and the Control Unit. The EVM is internally powered by batteries in the Control Unit.

The Ballot Unit is the component that the voters have access to. It’s the simplest implementation of electronic voting and is truly an engineering masterclass. It consists of 16 candidate buttons and has flexibility in terms of the number of candidates. For less than 16 candidates, a single ballot unit is used with the extra buttons masked with plastic tabs while for more than 16 candidates; we can link up ballot units in a chain so as to allow up to 64 candidates. Each button is associated with a candidate and the symbol associated with them or the party they belong to, making the process of casting votes extremely easy. The Ballot units are connected to the Control Unit with the help of a cable.

The Control Unit is the component that the election authorities and volunteers have access to. It is the unit that holds the most significance in the machine as it stores the software for running the entire process and the memory for storing the votes. This unit is responsible for counting the votes and displaying the result on its 7-segment panel LED display board. It has controls to set the candidates, allow voters to cast only one vote, start and stop the process and tally the results. 

 

This simple machine was used extensively before it started to be criticized for its issues with transparency, system integrity, design flaws and other such vulnerabilities just like other paperless DREs worldwide. This led to the addition of a Voter Verifiable Paper/Physical Audit Trail (VVPAT) unit in the third generation of these machines according to the instructions of the Supreme Court of India. They were implemented in the 2014 Lok Sabha election in a few constituencies on a trial basis. However, in the 2019 Lok Sabha elections, VVPAT systems were introduced in all assembly and constituencies and 2% of EVMs had their results tallied and verified before the declaration of results.

 

Internally, the EVM consists of the Control Unit Main Board, divided into the main Logic Board and the daughter board for the display unit, and it also, houses the memory and the software in the EPROM chips and the Microcontroller, the Control Unit Display Board, the Ballot Unit Board and the Ballot Board Communication Channels.

 

3. Security Review – The Hits and Misses, Attack Simulations

 

3.1 Challenges tackled by the EVM

The Electronic Voting Machines of India tackled a lot of the constraints that they had to work within. The simple design added to the usability, portability and accessibility of the voting process. 

 

Cost Effective Being the world’s largest democracy, the EVMs had to be mass produced to reach out to the public and make exercising their voting rights more accessible. DRE voting machines in other parts of the world are extremely expensive and have high maintenance costs. The simple design and the limited functionalities make the process more cost-efficient and cheap to maintain.

Portability and Power The EVMs have to be accessible to people in different parts of the country. India has an array of different climatic conditions and these machines have to be functional in the deserts of Rajasthan, to the Himalayas in the North, the rainfall of Cherrapunji, the forests of Jharkhand to the coastal areas. From the metropolitan cities to the remotest of villages, they also to have function in a wide variety of socio-geographic locations. Moreover, they cannot spend extensively on the storage of these machines in climate-controlled warehouses which would pile up the cost. These machines are able to withstand such climatic diversity and also function with their own internal power.

Usability and Accessibility According to the Census of 2011, Indian has a literacy rate of 74.04%, 82.14% for males and 65.46% for females. In 2012, the Reserve bank of India estimated that around 21.92% percent of the population was Below Poverty Line. A large portion of the population also lives in rural areas devoid of modern technological amenities. Considering these circumstances and the different socio-economic strata the entire population is divided into, the machine had the challenge to be simple and accessible to people who did not have the technical know-how to operate complex machines or read and understand a difficult set of instructions. Thus, the simple design with minimal operations, user-friendly interface with recognizable election symbols makes the electoral more accessible to the masses. 

Public Vote Counting The entire counting process is carried out in front of a viewing gallery and the results are displayed on the screen for everyone to see. Thus, it alleviates any ambiguity regarding tampering with the results after the counting process. Though any changes to software can still go undetected, there is still a lot of clarity regarding any insider corruption post the generation of results. 

Protection against Tampering These machines are at high risk when it comes to tampering and malicious attacks and the ECI has applied multiple protective mechanisms to tackle with such scenarios. Such safeguards involve the protective casing of the VVPAT to prevent the printing process from being hindered, using tamper-evident seals, one-time readable software uploads and mock elections. There are also some procedural safeguards such as voter authentication with government-issued identity proofs, the voter registration database and application of indelible ink to discourage multiple voting. Time restrictions on the number of votes with respect to time also acts as a deterrent to the phenomenon of booth capture, where goons or politically motivated aggressors take control of the polling station and try to stuff the ballot and effectively alter the outcome of the elections.

Though these provide protection to some extent, they are short-sighted, ineffective and can easily be by-passed. In doing so, the attempts at tampering can go undetected in most cases and thus, endangering the integrity of the elections and the depiction of voter’s intent.

3.2 Analysis of Security Vulnerability and Attack Simulations

Electronic voting, in general, has been criticized for being prone to nefarious attacks. The EVMs seemed to have tackled those challenges by their simple software and embedded design. However, in adhering to the constraints of usability, simplicity, accessibility and cost-efficiency, the machine has cut costs not only in monetary terms but in terms of the security of the process. The machine’s integrity and in turn, that of the election can be easily compromised by simple or complex engineering hacks. This paper has analysed proper methods in which the vulnerability of these machines can be exposed and how the safeguards at place are ineffective and can be easily by-passed.

Secret Commercial Off-The-Shelf Software The Election Commission of India does not own the source code of the software that is used in their EVMs and has no access to it. This form of secret, unapproved and uncertified software endangers the integrity of the elections as the heuristics of the process remain unknown to the public and the authorities. Moreover, the one-time uploading approach taken for the software means that it cannot be verified whether the actual source code is being used and thus, adds on to the cost of manufacturing new machines in case of any suspicion. 

Weak Procedural Safeguards The election authorities use several procedural safeguards to make it a fairer process. They use extremely weak Tamper Evident Seals such as melted wax for documents and strings on the machine which can be easily tampered with and easily manipulated by insiders. Moreover, the entire authentication process runs the risk of disenfranchisement and can dissuade people from voting making availability an issue. 

Ghost and Absentee Voting Another procedural safeguard of authentication with the Voter’s Registration Database (VRD) is inherently flawed. The VRD is not updated frequently and even when it is, there are many loopholes in it. Thus, there have been several instances of votes being cast with the credentials of individuals of died, who aren’t able to vote or with the old credentials of the same individual. This highlights the risk of multiple voting and insider corruption in the process.

 

Issues with the VVPAT: The VVPAT was introduced as a defensive mechanism to the problems associated with paperless DRE machines and the questions it raises in terms of integrity and transparency of the system. Firstly, the system is not end-to-end verifiable, thus putting ballot secrecy at risk. Although it’s supposed to act as a check to DRE voting, it relies on the same proprietary software to produce the trail. Thus, any form of tampering with the software can go undetected as the VVPAT machines might receive instructions from the malicious software to do their bidding. 

Secondly, the entire basis for VVPAT machines is based on voter verification. However, it is not a compulsion for them to do so and therefore, the entire process becomes counter-productive. Thirdly, VVPAT is not designed to cater to disabled citizens making the process of verification not accessible to all. Fourthly, any malicious software could make the machine print while it is not being observed which may lead to a form of ballot stuffing.  Lastly, the VVPAT machines use cash-register style printers which are economical but not particularly reliable or permanent. These records fade away with exposure to sunlight. Thus, it makes the necessity of a paper record redundant and unachieved.

Mock Elections This safeguard which is deemed to be extremely important by the ECI is made completely pointless in case of software tampering. The ECI conducts a mock poll pre-election to test the machines before it is used in the real elections. This form of testing is suitable for detecting any form of non-malicious technical errors, very primitive form of discrepancies or procedural errors. However, any form of parallel testing, logic and accuracy testing, field testing or simulations cannot detect such issues with the machine based on the attacks that have been described in this paper. A machine running on fraudulent software can detect the difference between a real and a proxy election based on some checks like the number of votes cast, time taken to cast votes or could simply use a secret knock code to enable the cheating process.

 

Manufacture-time Insider Attacks There are different phases in the entire manufacturing process where any form of insider attack can turn out to be a wholesale attack. The software can be replaced by similar malicious software and with the ECI having no access to the source code, it can easily go undetected. The simple design of the machine means its individual components and the machine in its entirety like the CPU, the mother board or the entire machine.

Display Board Tampering The display board on the control unit is the sole output device that is concerned with the declaration of results. Replacing the original display unit with a fraudulent one having its own microcontroller just makes tampering in the elections even simpler. There are no changes to the entire process but simply, during the declaration of results, the microcontroller rearranges the votes of the candidates and thus, declares faulty results. This tampering can also be done in the manufacturing process or in the storage process.

Radio Communication with Bluetooth Chip Researchers have demonstrated how a simple malicious hardware like a clip-on device can endanger the entire process. The clip-on device when attached to the EPROM of the Control Unit can be controlled with the help of an application and any radio-transmitting device to alter the entire process and the functionality of the process with great versatility according to the whims and fancies of the attacker. This shows how predominantly software dependent the Indian EVMs are. 

The ECI follows an approach of ‘Security by Obscurity’ in order to safeguard the EVMs and the electoral process. The principle is postulated on the basis that keeping something secret on the assumption that doing otherwise would be a security problem. However, this practice is widely discredited and looked down upon in software development as it thinks that when something has to be kept secret to maintain its security just shows that on being leaked, it shall be the most vulnerable to different forms of attacks. Something that is considered to be robustly secure is based on the pretext that it is available to the attacker. The EVMs are exported to other countries. The ECI is extremely dodgy about independent security reviews of their machines but fail to realize that these machines could easily be evaluated by the countries they are being exported to and state-sponsored meddling in elections is not some folklore and distant imagination in this era. 

4. Conclusion- Criticism and Possible Improvements

4.1 Criticism of the EVMs

Multiple researchers and experts on voting procedures and cyber security have done extensive research on the Indian EVMs. 

Bev Harris, founder of BlackBoxVoting.org, highlights the imperfect nature of humans. She talks about how it is fundamentally incorrect to assume that people will not tamper with the elections. In fact, she talks about the insiders who are responsible for the security of the elections can also hinder the process. 

Rob Gonggrijp, computer expert from Netherlands, known for his research with the Nedap DRE and getting it banned in the Netherlands, ridicules the claims made by the ECI about the EVM. In fact, he goes on to claim that the Indian EVMs are “shockingly insecure”.

Prof. David L. Dill, Stanford University has authored the much-revered “Resolution on Electronic Voting” where he talks about how the application of computers to voting processes comes with its share of programming errors, hardware malfunctions and tampering. He has also stated that the Indian EVMs are also subjected to all the issues faced by paperless DREs. 

Kathleen Wynne, citizens’ right activist from the USA, has made comparisons   and draws a parallel between the Election Commission of India and the Election Assistance Commission in the USA. She believes that both these associations are feeding the public with misinformation and that they are being denied of their basic rights in some way.

 

Other researchers like Vemuri Hari Prasad have also made valuable contributions in the security analysis of the EVMs. There have been multiple court proceedings regarding the EVMs across the country in different jurisdictions. The positive to such analysis is that it has helped the machines improve with each generation such as the introduction of VVPATs, etc.

4.2 Possible Structural and Procedural Improvements 

Several improvements can be made to the EVMs used in India in terms of its structure and the procedures involved in the electoral process. 

The main prerequisites that it should meet are:

Transparency Voters must be able to observe and understand the process. According to Joe Hall, ‘a fully transparent election system supports accountability as well as public oversight, comprehension and access to the entire process. 

Verifiability Voters must have means to convince themselves that the outcome of the elections is correct without having to blindly trust the technology or the authorities. 

 

Auditability The machine can be manually checked or the results can be tallied after the declaration of results to ensure clarity.

 

Software Independence According to Ron Rivest, American cryptographer known for the RSA Cryptosystem, a voting system is deemed to be software independent if an undetected change or error in its software cannot cause an undetectable change in the outcome of the elections.

The improvements that EVMs and the process can implement are:

Two Person Rule: This should be a minimal security requirement for the security of the machines during its storage and when it’s being transported.

Improved Tamper-evident Seals: According to Robert Johnson, head of the Vulnerability Assessment Team at Argonne National Lab, and Andrew Appel, computer scientist at Princeton University, who have done extensive research on seals, breaking highly advanced seals like Cup seals, Padlock seals, etc. is extremely simple. The strings and molten wax seals of India don’t stand a chance. Thus, they suggest a new Evidence and anti-evidence approach to the seals. 

Post-election auditing: Redundancy combined with different failure modes provides greater security. This involves using Statistical Risk-limiting Audits for the post election auditing process. Machine recount combined with Statistical Risk-limiting audits are considered to be the golden standard among election processes. 

End-to-End Voter Verifiability: This ascertains that an individual’s vote is cast as intended, the individual’s vote is counted as cast and all votes are counted as cast. In doing so, it must also maintain ballot secrecy by incorporating computer cryptography.

Furthermore, the ECI should consider  being more open to Open-Ended Testing and Realistic, Independent Security Reviews and Simulated Adversarial Testing to take an adversarial approach and detect exploitable vulnerabilities. The ECI can make changes for the better if it is open to Recommendations. The ECI can possibly aim for Strengthened Uniform Standards encompassing the election system to address the issues with the process and indulge in public reporting and accountability. Improved Election Administration and Routine Testing and Auditing can also be implemented. The ECI can ideally take a Conservative Approach to New Technology which must only be introduced if there is substantial improvement and an absolute need for it.


 

4.3 Concluding Remarks

This study shows that India’s EVMs are one of the best examples of engineering wherein it has simplified DRE voting machines to a considerably simpler and easy-to-use machine. It is cost-effective, accessible, portable, can withstand extremes of working conditions and bridges socio-economic and regional boundaries. It is considerably secure when it comes to very simple attacks or procedural errors.

But in trying to meet these criteria, it has cut costs in terms of securing maximum security for this procedure which in turn, makes the basis of an election counter-productive because the accessibility and availability will not bear fruit if the integrity of the process is lost.

This study proves that India’s EVMs are insecure and any form of tampering or fraud takes basic electronic skills. The fraud and tampering can go undetected and the safeguards at place aren’t adequate enough. This brings us to the conclusion that the Election Commission of India is blinded by the short-term successes of the EVMs and that facade has made them make unreasonable claims of the machines being ‘infallible’, ‘tamperproof’ and ‘perfect’. There is great potential for the improvement of these machines and we hope that these issues are addressed and not taken a blind eye to with the facade of being perfect.

 

References

[1] International Experts/ indianevm.com

[2] Publications-eci.gov.in

[3] “Resolution on Electronic Voting” by Prof. David L. Dill

[4] Selected Publication of J. Alex Halderman- jhalderm.com

[5] Applying International Election Standards -National Democratic Institute
[6] Srinivasa, K. (2019, September 11). View from India: Cyber security requires resilience. Retrieved September 01,  2020, from https://eandt.theiet.org/content/articles/2019/09/view-from-india-cyber-security-requires-resilience/

About the Author

Screenshot_20200821-194300__01 - Subhade

Subhadeep is a sophomore pursuing a major in Computer Sciences. He likes to describe himself as the human embodiment of the proverb, "Jack of all trades, master of none."