Are electronic voting machines tamper-proof?

Allegations of vote-rigging are misplaced

IS ANY device, electronic or not, tamper-proof? The answer, of course, is, no, it is not. Given enough technical, logistical, and human resources, one can tamper any device. This is as true of a laptop, as it is of a “black box” flight recorder, or the Indian electronic voting machine (EVM). Whether one should worry about a device being tamper-proof depends not on the theoretical feasibility of tampering, but on the practical realities of pulling it off without detection—and the gains to be had by such tampering.

The results of the 2009 parliamentary elections in India seem to have surprised everyone, including the victorious UPA coalition. The NDA’s shock of losing has also been huge, and a hunt for reasons for the defeat is on.

It is basic human nature to externalise blame for a loss, at least in a short-term, knee-jerk fashion. Students blame out-of-syllabus questions for their failure in a test, and not their own lack of preparation. Cricket teams blame incompetent or partisan umpires for a defeat, and not their own sloppy performance. Civil servants blame “the system” for poor delivery of civic services, and not their own incompetence. With some exceptions, most BJP politicians, and BJP supporters, are doing the same in their post-election analysis of reasons for the defeat.

One of the reasons being pushed—mercifully  only by a fringe of serious commentators—is that the EVMs were “hacked” by the ruling coalition, and the results were manipulated.

Subramanian Swamy (June 17, The Hindu) and Rajeev Srinivasan (May 17, have tried to make the integrity of Indian EVMs an issue. While Mr Srinivasan’s article bordered on paranoid schizophrenia (“I do not trust computers”—a direct quote, and a reasonable summary of his fears) and can be dismissed as mere rumour-mongering, Mr Swamy’s critique is baffling, to say the least.

He cites an article (“Trustworthy Voting: From Machine to System”, Computer, 42:5, pp 23-29, May 2009) that described a nine-step process to ensure free and fair elections. These steps are:

Step 1: Generate & distribute precinct master keys

Step 2: Create voter registration records

Step 3: Mail proof of registration to voters

Step 4: Prepare voting machines

Step 5: Assemble key pairs at precincts

Step 6: Check in voters

Step 7: Have voters cast their votes

Step 8: Tabulate votes

Step 9: Publish results

One would be forgiven for assuming that Mr Swamy has not read the article he cited, because he writes “None of these nine safeguards, however, is in place in Indian EVMs.” However, the Election Commission of India does indeed create voter registration records, allow voters to check registration, prepare voting machines, check-in voters at the polling booth, has them cast their votes, tabulate votes, and publish results. Steps 1 and 5, which pertain to technical operation of EVMs, are not applicable to Indian EVMs, but are meant for much more sophisticated EVMs used in the west, specifically, in the United States. The same effect is achieved in the Indian electoral system in a much less software-intensive way. Mr Srinivasan, who distrusts computers, should in fact like the paper and people based system used in India.

Most Indian EVMs have been reused since their first widespread use in 1999,  when a BJP-led coalition won the general elections, without any evidence of tampering having surfaced. Given the manpower-heavy nature of Indian elections (local police personnel, central paramilitary personnel, official observers from outside the state, micro-observers, independent videographers and photographers, media personnel, and hundreds of voters at every booth) and the low capacity of individual EVMs (a maximum  of 3840 votes can be recorded in one machine and a polling station typically has only 1500 registered voters), it will take an army of highly-motivated, centrally mobilised but constituency co-ordinated, election-riggers to influence the outcome at even one constituency.

Deploying such an army would  reduce to zero the chances of keeping everything completely secret. Let us not forget that state secrets, known to a select few who undergo regular scrutiny by intelligence agencies, leak with alarming regularity in India. If any ruling coalition had the capability to pull such a thing off, it would also be able to deliver good governance of the kind that would render such election-rigging unnecessary.

Some important security features of the Indian electoral system, and EVMs, are:

1. Labels of the names of contestants/parties are attached at constituency level. This rules out systemic fraud at the manufacturing stage. Even if a political party can somehow ensure that EVMs will assign disproportionate votes to, say, the number 5 slot, it has no way of ensuring that its candidates will be assigned the number 5 slot in constituencies.

2. Agents of political parties are present at every stage of handling EVMs. This rules out systemic fraud at the constituency level. Sample voting is carried out to show the agents that EVMs are counting the votes correctly, and the agents verify that EVMs are empty of votes before polling begins. Electoral rolls are not linked to EVMs, and the agents verify that the number of votes cast is equal to the number of votes counted by every EVM.

3. EVMs are designed to record a maximum of 5 votes per minute. This virtually eliminates the kind of booth-capturing prevalent in the days of paper ballots. Even if some goons manage to take control of a booth, they can do no better than casting 5 votes per minute. At this rate, they’ll get about 300 votes in an hour. That is more than enough time for security reinforcements to arrive from elsewhere, who can be alerted immediately in our mobile phone era. In fact, an alert polling official can simply terminate the polling process by flicking a switch as soon as he senses a booth-capturing attempt in progress. Thereafter, no amount of muscle power can reopen polling at that booth.

There is only one valid point made by the critics of the Indian EVMs: the embedded software used in them is not available for public scrutiny. However, this only leaves open the possibility of malfunctioning EVMs, not ones that can be tampered systemically. It is not something that should keep people awake at night, agonising about the election having been stolen. A simple right to information (RTI) application, or a public interest litigation (PIL) petition, ought to address this shortcoming easily.

What is most saddening about the discussions  surrounding this non-issue is that so many educated Indians still seem to have an inferiority complex about Indian capabilities. The derivative nature of the debate is clear when Mr Swamy and Mr Srinivasan, both highly educated people who have seen the world, compare Indian EVMs to American ones and conclude—without bothering to note the differences between them—that since the American EVMs are flawed, the Indian ones must also be so.

Those who insist on scaring the Indian electorate with EVM-tampering articles must be held to account, and asked to present credible supporting evidence for their views. Else, we are set to see a repeat of similar stories from fringe supporters of Congress Party when BJP wins an election somewhere, as it eventually must.

3 Replies to “Are electronic voting machines tamper-proof?”

  1. Pingback: Twitted by Acorn
  2. lulu

    EVM can be tampered by Uma Ballav Rath

    Plan – 1: Tampering of Control unit Chip / Source Code
    Control-units keep track of votes by recognising them only by their serial number on the list of candidates on the poll-units on which people vote. So any tampering of the control-unit chip has to be done only after the serial number of various candidates in the list of candidates appearing on poll-units have been assigned.
    Normally returning officers declare the serial number assignments after the last day of withdrawal of nominations, which happens about two weeks before polling. ROM chips with mischievous codes can be readied within hours after the candidates’ serial numbers are known. During the two weeks before polling, the malicious ROM chips, or the motherboard, or possibly the whole control-unit, whatever appears easier, may be caused to replace the original ones

    Plan – 2: How the EVMs could have been manipulated through Insertion of Trojan:

    It would not be extraordinarily difficult to install a programme with a Trojan Horse in it. To outward appearances and to ordinary testing, the programme would appear normal. However, when it is fed a sequence of keystrokes by the agent of the party committing the fraud, the Trojan Horse wakes up, and then, regardless of what buttons the voter actually presses, it can assign a certain (non-suspicious-looking) percentage (not 90% but, say 45%) to the preferred party. The Trojan Horse can even be programmed to quietly delete itself when the voting is over. Nobody would know any better, as there is no paper trail.

    Plan – 3: How the EVMs Could have been manipulated through remote control:
    To discuss this possible scenario, We need to assume that the wireless transmitter/emitter had been embedded in right at the manufacturing of the Chip itself. (Note: THe chip manufacturing happens at a different place, well before EVM production). There is a unique ID assigned to each EVM, and each of the EVM could be contacted separately, using this unique ID.
    Can such a wireless component be detected or traced?
    · The wireless componenet in a chip, cannot be detected, unless, it transmits or emits signals. The Chip might have been programmed to transmit data only upon receiving certain command through specific frequency. In this case, the receiver component might be in listen mode, waiting for a particular command, known only to a core expert group. So, in a normal circumstance, this wireless component will be in hidden mode.
    Can the architecture of the CHIP be verified?
    · To my knowledge, a chip’s internal circuitry cannot be verified after it is manufactured. In our case, the expert committee had verified only the approved architecture for use in production. However, it doesnt gaurantee, that all the Chips manufactured there are as per the original design.
    · The current architecture might have been obtained by the hackers, and additional wireless component introduced, and this new modified architecture might be produced at some different place and then used during the assembly of EVMs.
    · The size, apperance, and even the Unique ID of the Chip would be emulated as it is, and thus it is extremely difficult to verify, if the current Chip components used is indeed the original one. The EVMs are all despatched to the respective constituencies, and the high level “Rigging / hacking team”, will ensure that the EVM’s with wireless component is delievered to the appropriate constituency.Now, the election would be conducted regularly, and the EVMs are stored in a highly secured location in each constituency.Now, the core hacking team comes in to picture. We know that there are two days b/w last phase of voting and counting. In that time interval, the following is possible.
    · Using specially designed device, the core hacking team, can connect to each of the EVM’s through satellite connection, and obtain the voting data in to its computer. This is possible, since each EVM has a unique ID, and using that ID, they can connect to each and every EVM accurately.
    · All the data would be downloaded to a computer, according to EVM’s.
    · Now, in the selected constituencies, the votes are adjusted in each EVM’s used there, to increase the tally of the ruling party. Suppose, if there are 1500 boths in a constituency, and each booth having 1000 voters, with an average voting of 750 votes. If we could adjust, atleast 50 votes in each booth, it comes around 45,000 votes in all the 1500 booths. And this 50 votes need not be taken from any single party. For example, in a particular constituency, 20 votes from ADMK, 10 votes from DMDK, 5 votes from 4 other small parties/candidates, will total 50 votes. And these small adjustments are extremely difficult to detect and prove.
    · After the adjustments, these data could be uploaded to the corresponding EVMs automatically through an appropriate devices.
    · To give a familiar view of this process, its possible, to download all the data in an excel sheet along with EVM ID, adjust the values, and then upload these data back to the EVM, from this excel sheet itself. This is very much possible. Through automation, any number of EVMs could be manipulated in a short time.

  3. Jiggs

    Dear Vidur,

    While I agree with you in total, however, please do not discount this allegation by the people (and not the BJP) completely.

    I have personally spoken to certain people from TN, who claimed that the LIGHT lit to the wrong party inspite of them pressing the button for the other party.

    This when reported to the presiding officer was waved off. Apparently, Jaya TV showed a protest by about 200 voters and the subsequent clash with the workers from the ruling party.

    These results are too smooth to believe. There is something which is not good of these results.

Comments are closed.