Can EVM vulnerabilities be used to game the Indian election?
The electoral process is undoubtedly one of the most important exercises of a democratic nation, and the rite of casting a vote is one of the most significant parts of this process. Around the world, stakeholders have repeatedly put into question the integrity and reliability of electronic voting solutions. In India, too, use and adoption of the electronic voting machine (“EVM”) has been a matter of contention since initial adoption decades ago. Across the world, those in opposition to electronic voting cite technological malleability of both existing and proposed solutions — which are proven in some cases and hypothesized in others — as a case for either returning to the paper ballot, or further advancing to the use of more sophisticated technologies.
As India concludes the last phase of the 2019 general elections, political commentators, election analysts and spectators alike seem to have already begun broadcasting their speculation on the vote shares of each party, in what can only be called a very enthused attempt to foretell the impending fate of the country. While allegations of voting machine tampering, by political parties and citizens alike, have been a feature of almost every modern Indian election, several political parties have started preempting potential losses, and are hinting at the likelihood of a rigged election.
As citizens of the country await the outcome of the 2019 general elections — and with it the outcome of what the next five years will bring — this article attempts to take a look at the malleability of the Indian voting infrastructure, especially with regard to vulnerabilities in the electronic voting machine, and whether it would be possible to abuse them in such a way that the overall result of the elections is manipulated.
In 2010, Indian technologist Hari Prasad and his colleagues Alex Halderman and Rop Gonggrijp demonstrated two methods of attacking an authentic Indian electronic voting machine. The team published an extensive paper documenting their discoveries, shortly after which Prasad was apprehended from his Hyderabad residence under suspicion of having voluntarily received an EVM that was presumed to be stolen. At any rate, the flaws that had been documented by the team made it clear that the machine itself was vulnerable to certain attacks, namely, an attack on the display unit of the machine — which could be used to present a dishonest result favouring a particular candidate — and another which could be used for altering recorded votes and undermining the secrecy of the ballot.
Prasad and others also theorized that these attacks could be carried out at the supply chain level, which would then mean that each machine wouldn’t have to be tampered with separately in order to produce favourable results. At the time, when the report was published in 2010, the Election Commission was extremely apprehensive about even the slightest mention of possible security issues prevailing in Indian voting machines, which, as it turns out, is a practice the commission continues to date.
The Election Commission has since then — albeit several years later, and due to direction by the Supreme Court — introduced the voter verifiable paper audit trail (“VVPAT”) to the Indian voting ecosystem as a mechanism intended to verify votes and provide increased transparency and accountability. However, the procedures and guidelines dictating the use of VVPAT machines themselves have been a topic of concern for several political parties. Stakeholders are worried that the current cross-verification of votes on the EVM control unit and corresponding VVPAT is not enough. In response to a joint petition filed in the Supreme Court by a coalition of 21 political parties, the highest court of the country refused to order an increase in the total number of votes that would have to be cross-verified against votes recorded using the VVPAT system.
Can EVM vulnerabilities be used to game the Indian election?
At first glance, it may seem like an easy deduction to make: that if the machines used for casting votes are themselves technologically vulnerable, then naturally, the entire electoral process must be vulnerable too, by extension. However, when considering the overall impact of technical vulnerabilities in the EVM, one must also consider the ecosystem which surrounds the overarching electoral process. Procedural safeguards and guidelines laid out by the Election Commission of India, if enforced correctly, would play a significant part in ensuring that the electoral process and surrounding ecosystem are both tolerant to and accommodative of flaws.
For instance, as part of the “First Level Check” procedure, engineers from BEL or ECIL are supposed to carry out a series of tests which confirm that all internal components of the control and ballot units which make up the EVM are original, have not been tampered with, and effectively are in order; this is then certified by said engineers through a form known as ‘Annexure 5’. At this point, any voting machines which are found to have malfunctioned or are otherwise deemed a cause for concern are flagged and put aside for further review and action. Voting machines are also subjected to a two-step randomization process, which makes working out which constituency any given machine would end up in a particularly daunting task. Other measures which have been put in place are detailed extensively in the handbooks published by the Election Commission of India. With the number of checks and balances in place, the Indian voting infrastructure should ideally be immune to large-scale manipulation.
Again, it must be reiterated that only if these measures are enforced correctly would it be possible to ensure to a satisfactory degree that technological vulnerabilities in the machines themselves do not result in an election that has been gamed. Regardless, a belief in the immutability of the electoral infrastructure and the layers of protection that come with it still does not provide enough reason to continue the use of technology that was proven almost a decade ago to not be satisfactorily secure. Further, the Election Commission could also leverage the expertise of computer security experts to fix both pre-existing and undiscovered security vulnerabilities by providing them with unfettered access to voting machines.
At any rate, the 2019 general elections also brought with them reports of mass voter deletions, which could potentially be weaponized to suppress votes at scale by using prior knowledge of the political inclination of a given set of electors. It should also be noted that both in current as well as previous elections, there have been dozens of reported cases of seemingly unplanned malfunctions and glitches affecting the operations of EVMs. Other issues which relate to election fraud — including booth hijacking or the practice of trading cash for votes — are still prevalent, too, and should not be excluded from the center stage when the overall integrity of the electoral process is being discussed. Following the conclusion of the last phase of voting, the 2019 general elections have also witnessed reports of what has been described as ‘suspicious movements’ of voting machines. It has been surmised that malicious entities and political parties have been attempting to either tamper with or altogether replace voting machines that have been used for carrying out the elections. In the midst of this electoral uncertainty, citizens have also called for increased scrutiny and release of data relating to the GPS tracking of voting machines in hopes of ensuring that no foul play has occurred with the EVMs in use.
To answer the questions raised in this article: is it possible to tamper with an isolated electronic voting machine? Certainly — and apart from tampering with an original machine, one could also create an ‘evil twin’ replica of the EVM, one that is almost identical in nature, as a means to achieve their ends. Another question that was raised was: is it possible to carry this out in practice during an election? Given a large enough pool of resources, it may be possible, even if only to a minor extent. Irregularities in the transportation and storage of EVMs may even hint at the possibility of such an event having taken place. However, unless every single individual (or at least a sizeable number of them) along the electoral chain of command has been, by way of an elaborate, planned scheme, replaced with bribable, subservient pawns, it would be highly unlikely that such an event could occur at a scale large enough to alter the overall result culminating from the electoral process. Even so, it should still be noted that an attack targeting voting machines in swing constituencies or swing polling stations may very well have the potential to impact overall results — and attacks such as those may be harder to detect purely due to their ‘needle in a haystack’ scale.
In any case, despite the scrutiny and enforcement practiced by the Election Commission throughout the election cycle, a thorough and bipartisan post-facto audit and analysis of all recorded complaints, violations and irregularities, both proven and alleged, is of utmost necessity and importance to assure both political parties and the public, to a satisfactory degree, that the electoral process has not been subverted by those who seek to come to power.
Karan Saini is a security researcher and policy officer with the Centre for Internet and Society, India. The views expressed in this article are solely those of the author.