Onus on EC to ensure EVM credibility: EVMs too need a physical record
Why do people want Electronic Voting Machines (EVMs)? People see computerisation as the solution to all our problems. It is the modern way to do things, the hi-tech way to do things. Many people are quite surprised when it turns out that computer scientists and security experts are among those most critical of EVMs.
When you take apart the problem you start asking: what are computers doing? What risks do they introduce?
It turns out that the benefits computers bring you are relatively small compared to the risks involved — primarily the risk of hacking, sabotage and system failure. In the US we had this very difficult election in 2000 between George Bush and Al Gore for President of the US. It ended up being delayed by more than a month because of the problems with certain ballots in Florida. The problem was that some areas of Florida were using this ancient, obsolete, voting technology based on punch cards from an old-fashioned computer. So we spent billions of dollars on new voting equipment. The new voting equipment was largely touch screen computers that are still very inferior to the EVMs India uses. They do not work all the time and are easy to hack into, don’t preserve a permanent record of the vote that couldn’t be hacked, and do not have a permanent physical record. This is a huge weakness because anyone who can tamper with electronics can tamper with computer software and can completely change the vote.
Since 2000, most of the US has reverted to machines that have some kind of paper record; either the voter is voting directly on the piece of paper which gets scanned by a computer to do a quick initial count, or computers that print a voter trail like the new EVMs designed in India. And today about 80 per cent of the country has that paper record. But the US is one of the more complicated cases because we are so big and diverse a country, though not as big or as diverse as India.
Many other countries, especially in Europe, have always voted on pieces of paper. Volunteers are involved in counting the ballot and it’s all just a very orderly direct process to go from the voters’ intent to the election results. In a smaller country with simpler ballots like most of Europe, it could work well. In the US, too, as you have experienced in India, once a system is introduced it is hard to change quickly everywhere. I think there is something fundamental about this. It makes a lot of sense that if you need a computer science degree, or you need specialised education, or you need to bring in experts to do inspections in order to have assurance that your vote is counted, then that is anti-democratic. There is something fundamental about understanding why our leaders have been elected, and what the process has been, and about that being transparent enough without the help of outside experts like me and Hari. The world has a complex diverse voting system but a strong trend amongst developed countries is to move back towards paper, and where many of them never gave up paper, it is motivated largely by the transparency idea and cybersecurity. Because what we found in computer sciences study after study after study is that electronic machines were susceptible to tampering and hacking.
EVMs do not get rid of all of those problems with elections — they just sweep them under the rug. Hari and I demonstrated in our study 10 years ago that with EVMs you can make a very simple electronic booth-capturing device, just clip it to the machine and it will do the booth-capture for you. It is more efficient than stuffing the booth ballots as you just need one techie to make these devices.
So any electronic record that a computer maintains can be changed by that computer; that’s just how computers work and in order to have a record that is not hackable, it has to ultimately be something physical which is outside the reach of the computer. That is why for very important kinds of documents and records we create an offline back-up we store somewhere.
The best thing we can do with modern technology is to have a parallel record; a paper record and an electronic record, and we can evaluate them to make sure they agree. Once we do that, an attacker, a criminal, who wants to change the results, needs to change the paper record and hack into the computers and so change both sets of records. That’s going to be harder than changing either the paper records or electronic records by themselves. That’s the best we can do. Most of the US already has this parallel record and gradually states have fallen into line. It is where India is able to get now that you are introducing the paper trail in so many parts of country. The important thing is to make sure that the paper trail is implemented everywhere. Because among other things the attacker knows where there is a paper trail and where there is not, and can just attack where there isn’t a paper trail.
If you have to declare election results, there should be a primary announcement. What we suggest is that the present voter verifiable paper trail is not completely secure; it cannot challenge the vote. The moment you press a button, in seconds it drops the ballot. We suggest a two-step mechanism where the user can first vote, then validate, and then drop into box. The ballot gets scanned by a computer and it gets dropped into a ballot box. So you end up with this computer scan, this electronic record, as well as the ballot box papers. Later you can go back to make sure the computer records and the paper ballots match. It is called optical scan voting and it is the most widely used system in the US.
(Dr Alderman is professor of Computer Science at the University of Michigan College of Engineering.)
(Hari Prasad is technology adviser to the Government of Andhra Pradesh. He was once briefly jailed for demonstrating security flaws in EVMs)