Now let's take a closer look at the electronic voting system used by world's

largest democracy. India is an incredibly [laugh] fascinating

place. It's, probably my favorite country in the

whole world to travel to. Every time I go to India I, I learn so

much about their culture, and, by reflection, so much about my own culture

too. In 2010 I got to go to India for a very

special purpose, though. I got to take part in what became

the first independent security evaluation of the country's DRE voting system.

I was joined in this study by Rop Gonggrijp, the, the Dutch hacker and

activist who was the man responsible for having the Nedap machines banned in the

Netherlands. Rop and I got to have a, a fantastic

adventure, and a deeply interesting research project as well.

So, these are India's voting machines. In India they're called EVMs or, for

Electronic Voting Machines. The machines are manufactured by a pair of

companies that are owned by the Indian government.

And they were introduced gradually over through the 1990's and then finally

adopted nationwide early in the 2000's. The Indian voting machines are most

interesting to me because they are just so different from the machines that are used

in the US and Europe. While the machines in the US and Europe

are very complex devices, the Indian machines could, could barely be simpler.

The machines that we use in the US, for instance, have a design and internal

structure and organization that's very similar to a full blown PC.

But the Indian machines are what, what we'd call an embedded system, a, a much

simpler version of a computer. Whereas there's been an incredible amount

of research by now, study after study showing security problems in machines used

by the U.S. And Europe, Countries like India have been

almost entirely ignored by the research community.

And yet the systems are so different, simple versus complex design, that it

turned out they had a lot to teach us. And in the research I'm about to tell you

about, we found that the machines used in India are also vulnerable.

But in different ways. So let me tell you a little bit more about

how the machines work but, but before I, I do I want you to think about some of the

engineering constraints, design constraints that the machines had to be

built to work under. How is voting in India different from

voting in the US and Europe and what sorts of things would engineers have to take in

to account while designing these machines? So I am going to give you a chance to

think about that before we come back. India's EVMs had to face some really

difficult challenges that are, are quite different from the situation in the U.S.

And Europe. One challenge is cost.

So the voting machines used in the US, the DREs typically cost several thousand

dollars apiece, but India needed to deploy 1.4 million of these machines in order to,

to have enough to count all those votes. There's no way that they could they could

handle the, the cost of, of deploying expensive US style machines.

And so the machines used in India were engineered at much lower cost.

The typical cost of one of these machines was less than $200.

Another constraint was availability of power.

So a lot of India is still off the grid, or has very unreliable power.

So these machines had to be engineered to work entirely off of internal batteries

for the whole electoral process. Another constraint is the environmental

conditions in which these machines are used, transported and stored.

They had to function correctly from the, the snows of the Himalayas, to, to

tropical jungle in the South. They had to be transported sometimes

thousands of miles over unimproved bumpy roads.

They had to deal with, with road dust, they had to deal with fungus and mold and

the documents for the design even mention attacks by vermin in the warehouses as

being a concern. They were stored in the, they're stored

under generally not climate controlled conditions in, in warehouses that go

through this whole extreme of clime. They also had to be portable, because they

had to be brought to polling places all over the country, including places that,

that were isolated from the road network. I'm told that they would ferry

EVM's up the river on a boat to bring them to villages in the jungle that weren't

reachable by roads. And these are amazing, amazing constraints

to have to work under. One of the more interesting constraints

though is literacy. The, the literacy rate in India right now

is, is about 66%. So a third of the citizens wouldn't be

able to read the names on the ballot. Complicating things further, there are

hundreds of different languages in use. And not all voters are going to be able to

read the script in which the names are printed, if you have just one set of names

and scripts on the ballot. So the answer to, to that problem was very

interesting. What the engineers decided to do was they

included the party symbol next to each candidate on the ballot and you can see

here a mockup of what a ballot might look like.

The candidates would advertise on their posters where the image of that symbol.

So the voters would have just to recognize it in the voting booth in order to make

the right choice. Another constraint is the technical

literacy of, of the voters and, and you have to imagine some voters in India are

living in places that don't have power. They don't own electronic devices.

The most sophisticated piece of computerized equipment that they ever

interact with is the voting machine brought in for the nationwide elections.

So the engineers who developed this EVM design used an incredibly simple user

interface. The voter walks into the voting booth,

presses the blue button next to the candidate they want to for and that's it.

It's one button press. The machine beeps and lights up the arrow

to let you know you voted and you move on. Amazingly, amazingly simple.

One final kind of problem that India has to deal with or, or had to historically

that, that isn't so common in the US and Europe is, is something called booth

capture. And this was a common problem in India

when they voted on paper ballots before the introduction of the EVMs.

What would happen was in, in a polling place a, a, a, a bunch of goons working

for a particular candidate would show up and they'd tell everyone at the polls to,

to just go home buddy, go home. With the implicit threat that you're going

to get hurt if you don't. Then they proceed to, to stuff the ballot

box with, with votes for the candidate they were working for.

Maybe the police would arrive eventually, but the, the security situation was such

that wasn't likely to happen soon. So the EVM's were designed to guard

against that threat, too. They rate limit the number of votes you,

you can, you can cast in a period of time. I think it's, it's, they'll accept, I, I

think it's one vote every ten seconds. So even if you take over the polling

place, the theory goes, it'll still take you a very long time to significantly

change the outcome of the election. So let me show you a bit more about the,

the design and operation of these machines.

They really are an incredible work of engineering, to make something that would

work and work reliably, anyway, within those constraints.

So the voting machines consists of two parts, there is ballot unit you just saw

on the left and another piece called the control unit on the right.

The ballot unit is in the voting booth with the voter.

The control unit is attached by a cable a few feet away, on a table where the

election officials sit. Now the control unit is the part that

actually stores all the votes and it's amazing some of the design features here.

First, it's really, really simple. There is no memory card, there is no

printer. Those features in US style machines have

been eliminated. Instead there is a series of switches, and

the switches are guarded by those plastic doors you see there.

And the doors are amazing, this is a physical manifestation of the different

phases in the election procedures. So each door can be individually sealed

and guard the set of features that are necessary at each stage.

So, before an election the poll workers will clear the machine by pressing the

white button. Then they'll seal the doors that's going

to prepare the machine for the rest of the election cycle.

After that, every time a voter walks up, they press the big blue ballot button,

this allows the ballot unit to cast one vote.

At the end of the election, after everyone's voted, they'll unseal one of

the doors and press the black close button.

The prevents the machine from accepting any more votes.

After that, there's a delay. Maybe a couple of weeks will go by between

the time that votes are, are cast and when they're finally counted.

Now, this is because voting in India takes place in phases across the country, so the

machines have to be carefully guarded for this whole period.

When it's time finally to count them, they'll bring machines from all over the

district together in a room. And they'll, they'll go through the

counting process in front of an audience of, of, of observers and members of the

public. For each machine, when it's time to count

the votes, they'll open another door and press the yellow result button.

Then they'll hold the machine up for the whole audience to see, and on its display

screen, it will light up these digits to output the number of votes cast for each

candidate. So it will first show the total number of

votes, then the number of candidates, then for each candidates...

Candidate one, two, three and so forth, the number of votes they have received.

And everyone in the room can see and write this down and add them up on their own.

So it's an amazing design, this is really about as simple as you could make a voting

machine, and that it works reliably under the Indian constraints, is the a testament

to the quality of the engineers. But there is a separate question which is

whether these machines are actually secure and trustworthy.

And the answer to that is not so, so positive.

So election officials however, without, before any independent parties had been

allowed to analyze these machines, made a series of extremely strong security claims

about them. Officials said that the EVM's were

infallible, that they were perfect. That they were tamper-proof.

That there was no need for technical improvement.

Now after the lectures you've seen so far, you, you probably understand that there's,

there's not going to be a secure system that satisfies any of these claims.

These are just not the, the sort of claims that any knowledgeable person would make

about technology. But the Indian election officials did even

after many people in India started to have some doubts about whether the machines

were really perfect and infallible, particularly after one parliamentary

election, where some surprising results shocked a lot of people.

Finally after enough prodding from, from activists in, in India the Election

Commission of India, ECI, the nation's highest election authority which is a

separate constitutional branch of government, agreed to allow members of the

public to come in to their offices and demonstrate on an actual machine how they,

they allege an election could be stolen. So they, they actually held a kind of

public trial. This man was one of the people who

participated in the first one of these trials.

The man on the right, Harry Prasad. Harry is a self-educated engineer and

businessman from Hyderabad who has through an amazing sequence of events, now become

one of the country's leading experts on electronic voting.

But Harry at the time, took the ECI up on its public challenge and went into their

offices to, to demonstrate how he thought it might be possible to cheat.

Now he'd never seen the inside of one of these machines before.

So the first thing he and, and his, his colleagues, the engineers from his

company, did was they opened the machine, and started taking pictures and writing

down notes. The election officials standing nearby

started to hear them remarking oh my this is going to be much easier than we

thought. We don't have, we don't need all week we

will be done today and so forth. At this point the election officials

started to get worried and they immediately shut down the trial and kicked

everyone out of the building and said they were going to have to think about the

ground rules a little bit more. Sometime later they came back and

announced that there were new rules that were going to be in place.

Anyone who had, who wanted to demonstrate the possibility of fraud would have to

demonstrate quote unquote normal tampering.

Normal tampering was defined as tampering without opening up the machine.

So I'm not sure how anyone is going to figure out how to defeat the security of a

system like this without being able to know at least how it works, and you can

imagine countless possibilities for insider attacks where there'd be no such

obstacle to opening the machine and, and, and performing reverse engineering.

But that was the ground rule set by the ECI, and so there was no realistic

demonstration possible. Things changed however in the beginning of

2010 when Harry was approached by an anonymous source who offered to give him a

real Indian EVM to study. And this source, I understand, was someone who

had access to a machine legally, but had deep concerns of conscience about the

security of the machines, essentially a whistle-blower.

Harry accepted this offer and he and his engineers were based in Hyderabad, reached

out to me and Rop Gonggrijp. We joined them in India and proceeded to

study the machine.

India's EVMs

Securing Digital Democracy

Conoce a los instructores