Now let's take a closer look at the electronic voting system used by world's largest democracy. India is an incredibly [laugh] fascinating place. It's, probably my favorite country in the whole world to travel to. Every time I go to India I, I learn so much about their culture, and, by reflection, so much about my own culture too. In 2010 I got to go to India for a very special purpose, though. I got to take part in what became the first independent security evaluation of the country's DRE voting system. I was joined in this study by Rop Gonggrijp, the, the Dutch hacker and activist who was the man responsible for having the Nedap machines banned in the Netherlands. Rop and I got to have a, a fantastic adventure, and a deeply interesting research project as well. So, these are India's voting machines. In India they're called EVMs or, for Electronic Voting Machines. The machines are manufactured by a pair of companies that are owned by the Indian government. And they were introduced gradually over through the 1990's and then finally adopted nationwide early in the 2000's. The Indian voting machines are most interesting to me because they are just so different from the machines that are used in the US and Europe. While the machines in the US and Europe are very complex devices, the Indian machines could, could barely be simpler. The machines that we use in the US, for instance, have a design and internal structure and organization that's very similar to a full blown PC. But the Indian machines are what, what we'd call an embedded system, a, a much simpler version of a computer. Whereas there's been an incredible amount of research by now, study after study showing security problems in machines used by the U.S. And Europe, Countries like India have been almost entirely ignored by the research community. And yet the systems are so different, simple versus complex design, that it turned out they had a lot to teach us. And in the research I'm about to tell you about, we found that the machines used in India are also vulnerable. But in different ways. So let me tell you a little bit more about how the machines work but, but before I, I do I want you to think about some of the engineering constraints, design constraints that the machines had to be built to work under. How is voting in India different from voting in the US and Europe and what sorts of things would engineers have to take in to account while designing these machines? So I am going to give you a chance to think about that before we come back. India's EVMs had to face some really difficult challenges that are, are quite different from the situation in the U.S. And Europe. One challenge is cost. So the voting machines used in the US, the DREs typically cost several thousand dollars apiece, but India needed to deploy 1.4 million of these machines in order to, to have enough to count all those votes. There's no way that they could they could handle the, the cost of, of deploying expensive US style machines. And so the machines used in India were engineered at much lower cost. The typical cost of one of these machines was less than $200. Another constraint was availability of power. So a lot of India is still off the grid, or has very unreliable power. So these machines had to be engineered to work entirely off of internal batteries for the whole electoral process. Another constraint is the environmental conditions in which these machines are used, transported and stored. They had to function correctly from the, the snows of the Himalayas, to, to tropical jungle in the South. They had to be transported sometimes thousands of miles over unimproved bumpy roads. They had to deal with, with road dust, they had to deal with fungus and mold and the documents for the design even mention attacks by vermin in the warehouses as being a concern. They were stored in the, they're stored under generally not climate controlled conditions in, in warehouses that go through this whole extreme of clime. They also had to be portable, because they had to be brought to polling places all over the country, including places that, that were isolated from the road network. I'm told that they would ferry EVM's up the river on a boat to bring them to villages in the jungle that weren't reachable by roads. And these are amazing, amazing constraints to have to work under. One of the more interesting constraints though is literacy. The, the literacy rate in India right now is, is about 66%. So a third of the citizens wouldn't be able to read the names on the ballot. Complicating things further, there are hundreds of different languages in use. And not all voters are going to be able to read the script in which the names are printed, if you have just one set of names and scripts on the ballot. So the answer to, to that problem was very interesting. What the engineers decided to do was they included the party symbol next to each candidate on the ballot and you can see here a mockup of what a ballot might look like. The candidates would advertise on their posters where the image of that symbol. So the voters would have just to recognize it in the voting booth in order to make the right choice. Another constraint is the technical literacy of, of the voters and, and you have to imagine some voters in India are living in places that don't have power. They don't own electronic devices. The most sophisticated piece of computerized equipment that they ever interact with is the voting machine brought in for the nationwide elections. So the engineers who developed this EVM design used an incredibly simple user interface. The voter walks into the voting booth, presses the blue button next to the candidate they want to for and that's it. It's one button press. The machine beeps and lights up the arrow to let you know you voted and you move on. Amazingly, amazingly simple.

One final kind of problem that India has to deal with or, or had to historically that, that isn't so common in the US and Europe is, is something called booth capture. And this was a common problem in India when they voted on paper ballots before the introduction of the EVMs. What would happen was in, in a polling place a, a, a, a bunch of goons working for a particular candidate would show up and they'd tell everyone at the polls to, to just go home buddy, go home. With the implicit threat that you're going to get hurt if you don't. Then they proceed to, to stuff the ballot box with, with votes for the candidate they were working for. Maybe the police would arrive eventually, but the, the security situation was such that wasn't likely to happen soon. So the EVM's were designed to guard against that threat, too. They rate limit the number of votes you, you can, you can cast in a period of time. I think it's, it's, they'll accept, I, I think it's one vote every ten seconds. So even if you take over the polling place, the theory goes, it'll still take you a very long time to significantly change the outcome of the election. So let me show you a bit more about the, the design and operation of these machines. They really are an incredible work of engineering, to make something that would work and work reliably, anyway, within those constraints. So the voting machines consists of two parts, there is ballot unit you just saw on the left and another piece called the control unit on the right. The ballot unit is in the voting booth with the voter. The control unit is attached by a cable a few feet away, on a table where the election officials sit. Now the control unit is the part that actually stores all the votes and it's amazing some of the design features here. First, it's really, really simple. There is no memory card, there is no printer. Those features in US style machines have been eliminated. Instead there is a series of switches, and the switches are guarded by those plastic doors you see there. And the doors are amazing, this is a physical manifestation of the different phases in the election procedures. So each door can be individually sealed and guard the set of features that are necessary at each stage. So, before an election the poll workers will clear the machine by pressing the white button. Then they'll seal the doors that's going to prepare the machine for the rest of the election cycle. After that, every time a voter walks up, they press the big blue ballot button, this allows the ballot unit to cast one vote. At the end of the election, after everyone's voted, they'll unseal one of the doors and press the black close button. The prevents the machine from accepting any more votes. After that, there's a delay. Maybe a couple of weeks will go by between the time that votes are, are cast and when they're finally counted. Now, this is because voting in India takes place in phases across the country, so the machines have to be carefully guarded for this whole period. When it's time finally to count them, they'll bring machines from all over the district together in a room. And they'll, they'll go through the counting process in front of an audience of, of, of observers and members of the public. For each machine, when it's time to count the votes, they'll open another door and press the yellow result button. Then they'll hold the machine up for the whole audience to see, and on its display screen, it will light up these digits to output the number of votes cast for each candidate. So it will first show the total number of votes, then the number of candidates, then for each candidates... Candidate one, two, three and so forth, the number of votes they have received. And everyone in the room can see and write this down and add them up on their own. So it's an amazing design, this is really about as simple as you could make a voting machine, and that it works reliably under the Indian constraints, is the a testament to the quality of the engineers. But there is a separate question which is whether these machines are actually secure and trustworthy. And the answer to that is not so, so positive. So election officials however, without, before any independent parties had been allowed to analyze these machines, made a series of extremely strong security claims about them. Officials said that the EVM's were infallible, that they were perfect. That they were tamper-proof. That there was no need for technical improvement. Now after the lectures you've seen so far, you, you probably understand that there's, there's not going to be a secure system that satisfies any of these claims. These are just not the, the sort of claims that any knowledgeable person would make about technology. But the Indian election officials did even after many people in India started to have some doubts about whether the machines were really perfect and infallible, particularly after one parliamentary election, where some surprising results shocked a lot of people. Finally after enough prodding from, from activists in, in India the Election Commission of India, ECI, the nation's highest election authority which is a separate constitutional branch of government, agreed to allow members of the public to come in to their offices and demonstrate on an actual machine how they, they allege an election could be stolen. So they, they actually held a kind of public trial. This man was one of the people who participated in the first one of these trials. The man on the right, Harry Prasad. Harry is a self-educated engineer and businessman from Hyderabad who has through an amazing sequence of events, now become one of the country's leading experts on electronic voting. But Harry at the time, took the ECI up on its public challenge and went into their offices to, to demonstrate how he thought it might be possible to cheat. Now he'd never seen the inside of one of these machines before. So the first thing he and, and his, his colleagues, the engineers from his company, did was they opened the machine, and started taking pictures and writing down notes. The election officials standing nearby started to hear them remarking oh my this is going to be much easier than we thought. We don't have, we don't need all week we will be done today and so forth. At this point the election officials started to get worried and they immediately shut down the trial and kicked everyone out of the building and said they were going to have to think about the ground rules a little bit more. Sometime later they came back and announced that there were new rules that were going to be in place. Anyone who had, who wanted to demonstrate the possibility of fraud would have to demonstrate quote unquote normal tampering. Normal tampering was defined as tampering without opening up the machine. So I'm not sure how anyone is going to figure out how to defeat the security of a system like this without being able to know at least how it works, and you can imagine countless possibilities for insider attacks where there'd be no such obstacle to opening the machine and, and, and performing reverse engineering. But that was the ground rule set by the ECI, and so there was no realistic demonstration possible. Things changed however in the beginning of 2010 when Harry was approached by an anonymous source who offered to give him a real Indian EVM to study. And this source, I understand, was someone who had access to a machine legally, but had deep concerns of conscience about the security of the machines, essentially a whistle-blower. Harry accepted this offer and he and his engineers were based in Hyderabad, reached out to me and Rop Gonggrijp. We joined them in India and proceeded to study the machine.

India's EVMs

Securing Digital Democracy

Meet the Instructors