0:00
Now let's take a closer look at the electronic voting system used by world's
largest democracy. India is an incredibly [laugh] fascinating
place. It's, probably my favorite country in the
whole world to travel to. Every time I go to India I, I learn so
much about their culture, and, by reflection, so much about my own culture
too. In 2010 I got to go to India for a very
special purpose, though. I got to take part in what became
the first independent security evaluation of the country's DRE voting system.
I was joined in this study by Rop Gonggrijp, the, the Dutch hacker and
activist who was the man responsible for having the Nedap machines banned in the
Netherlands. Rop and I got to have a, a fantastic
adventure, and a deeply interesting research project as well.
So, these are India's voting machines. In India they're called EVMs or, for
Electronic Voting Machines. The machines are manufactured by a pair of
companies that are owned by the Indian government.
And they were introduced gradually over through the 1990's and then finally
adopted nationwide early in the 2000's. The Indian voting machines are most
interesting to me because they are just so different from the machines that are used
in the US and Europe. While the machines in the US and Europe
are very complex devices, the Indian machines could, could barely be simpler.
The machines that we use in the US, for instance, have a design and internal
structure and organization that's very similar to a full blown PC.
But the Indian machines are what, what we'd call an embedded system, a, a much
simpler version of a computer. Whereas there's been an incredible amount
of research by now, study after study showing security problems in machines used
by the U.S. And Europe, Countries like India have been
almost entirely ignored by the research community.
And yet the systems are so different, simple versus complex design, that it
turned out they had a lot to teach us. And in the research I'm about to tell you
about, we found that the machines used in India are also vulnerable.
But in different ways. So let me tell you a little bit more about
how the machines work but, but before I, I do I want you to think about some of the
engineering constraints, design constraints that the machines had to be
built to work under. How is voting in India different from
voting in the US and Europe and what sorts of things would engineers have to take in
to account while designing these machines? So I am going to give you a chance to
think about that before we come back. India's EVMs had to face some really
difficult challenges that are, are quite different from the situation in the U.S.
And Europe. One challenge is cost.
So the voting machines used in the US, the DREs typically cost several thousand
dollars apiece, but India needed to deploy 1.4 million of these machines in order to,
to have enough to count all those votes. There's no way that they could they could
handle the, the cost of, of deploying expensive US style machines.
And so the machines used in India were engineered at much lower cost.
The typical cost of one of these machines was less than $200.
Another constraint was availability of power.
So a lot of India is still off the grid, or has very unreliable power.
So these machines had to be engineered to work entirely off of internal batteries
for the whole electoral process. Another constraint is the environmental
conditions in which these machines are used, transported and stored.
They had to function correctly from the, the snows of the Himalayas, to, to
tropical jungle in the South. They had to be transported sometimes
thousands of miles over unimproved bumpy roads.
They had to deal with, with road dust, they had to deal with fungus and mold and
the documents for the design even mention attacks by vermin in the warehouses as
being a concern. They were stored in the, they're stored
under generally not climate controlled conditions in, in warehouses that go
through this whole extreme of clime. They also had to be portable, because they
had to be brought to polling places all over the country, including places that,
that were isolated from the road network. I'm told that they would ferry
EVM's up the river on a boat to bring them to villages in the jungle that weren't
reachable by roads. And these are amazing, amazing constraints
to have to work under. One of the more interesting constraints
though is literacy. The, the literacy rate in India right now
is, is about 66%. So a third of the citizens wouldn't be
able to read the names on the ballot. Complicating things further, there are
hundreds of different languages in use. And not all voters are going to be able to
read the script in which the names are printed, if you have just one set of names
and scripts on the ballot. So the answer to, to that problem was very
interesting. What the engineers decided to do was they
included the party symbol next to each candidate on the ballot and you can see
here a mockup of what a ballot might look like.
The candidates would advertise on their posters where the image of that symbol.
So the voters would have just to recognize it in the voting booth in order to make
the right choice. Another constraint is the technical
literacy of, of the voters and, and you have to imagine some voters in India are
living in places that don't have power. They don't own electronic devices.
The most sophisticated piece of computerized equipment that they ever
interact with is the voting machine brought in for the nationwide elections.
So the engineers who developed this EVM design used an incredibly simple user
interface. The voter walks into the voting booth,
presses the blue button next to the candidate they want to for and that's it.
It's one button press. The machine beeps and lights up the arrow
to let you know you voted and you move on. Amazingly, amazingly simple.
7:14
One final kind of problem that India has to deal with or, or had to historically
that, that isn't so common in the US and Europe is, is something called booth
capture. And this was a common problem in India
when they voted on paper ballots before the introduction of the EVMs.
What would happen was in, in a polling place a, a, a, a bunch of goons working
for a particular candidate would show up and they'd tell everyone at the polls to,
to just go home buddy, go home. With the implicit threat that you're going
to get hurt if you don't. Then they proceed to, to stuff the ballot
box with, with votes for the candidate they were working for.
Maybe the police would arrive eventually, but the, the security situation was such
that wasn't likely to happen soon. So the EVM's were designed to guard
against that threat, too. They rate limit the number of votes you,
you can, you can cast in a period of time. I think it's, it's, they'll accept, I, I
think it's one vote every ten seconds. So even if you take over the polling
place, the theory goes, it'll still take you a very long time to significantly
change the outcome of the election. So let me show you a bit more about the,
the design and operation of these machines.
They really are an incredible work of engineering, to make something that would
work and work reliably, anyway, within those constraints.
So the voting machines consists of two parts, there is ballot unit you just saw
on the left and another piece called the control unit on the right.
The ballot unit is in the voting booth with the voter.
The control unit is attached by a cable a few feet away, on a table where the
election officials sit. Now the control unit is the part that
actually stores all the votes and it's amazing some of the design features here.
First, it's really, really simple. There is no memory card, there is no
printer. Those features in US style machines have
been eliminated. Instead there is a series of switches, and
the switches are guarded by those plastic doors you see there.
And the doors are amazing, this is a physical manifestation of the different
phases in the election procedures. So each door can be individually sealed
and guard the set of features that are necessary at each stage.
So, before an election the poll workers will clear the machine by pressing the
white button. Then they'll seal the doors that's going
to prepare the machine for the rest of the election cycle.
After that, every time a voter walks up, they press the big blue ballot button,
this allows the ballot unit to cast one vote.
At the end of the election, after everyone's voted, they'll unseal one of
the doors and press the black close button.
The prevents the machine from accepting any more votes.
After that, there's a delay. Maybe a couple of weeks will go by between
the time that votes are, are cast and when they're finally counted.
Now, this is because voting in India takes place in phases across the country, so the
machines have to be carefully guarded for this whole period.
When it's time finally to count them, they'll bring machines from all over the
district together in a room. And they'll, they'll go through the
counting process in front of an audience of, of, of observers and members of the
public. For each machine, when it's time to count
the votes, they'll open another door and press the yellow result button.
Then they'll hold the machine up for the whole audience to see, and on its display
screen, it will light up these digits to output the number of votes cast for each
candidate. So it will first show the total number of
votes, then the number of candidates, then for each candidates...
Candidate one, two, three and so forth, the number of votes they have received.
And everyone in the room can see and write this down and add them up on their own.
So it's an amazing design, this is really about as simple as you could make a voting
machine, and that it works reliably under the Indian constraints, is the a testament
to the quality of the engineers. But there is a separate question which is
whether these machines are actually secure and trustworthy.
And the answer to that is not so, so positive.
So election officials however, without, before any independent parties had been
allowed to analyze these machines, made a series of extremely strong security claims
about them. Officials said that the EVM's were
infallible, that they were perfect. That they were tamper-proof.
That there was no need for technical improvement.
Now after the lectures you've seen so far, you, you probably understand that there's,
there's not going to be a secure system that satisfies any of these claims.
These are just not the, the sort of claims that any knowledgeable person would make
about technology. But the Indian election officials did even
after many people in India started to have some doubts about whether the machines
were really perfect and infallible, particularly after one parliamentary
election, where some surprising results shocked a lot of people.
Finally after enough prodding from, from activists in, in India the Election
Commission of India, ECI, the nation's highest election authority which is a
separate constitutional branch of government, agreed to allow members of the
public to come in to their offices and demonstrate on an actual machine how they,
they allege an election could be stolen. So they, they actually held a kind of
public trial. This man was one of the people who
participated in the first one of these trials.
The man on the right, Harry Prasad. Harry is a self-educated engineer and
businessman from Hyderabad who has through an amazing sequence of events, now become
one of the country's leading experts on electronic voting.
But Harry at the time, took the ECI up on its public challenge and went into their
offices to, to demonstrate how he thought it might be possible to cheat.
Now he'd never seen the inside of one of these machines before.
So the first thing he and, and his, his colleagues, the engineers from his
company, did was they opened the machine, and started taking pictures and writing
down notes. The election officials standing nearby
started to hear them remarking oh my this is going to be much easier than we
thought. We don't have, we don't need all week we
will be done today and so forth. At this point the election officials
started to get worried and they immediately shut down the trial and kicked
everyone out of the building and said they were going to have to think about the
ground rules a little bit more. Sometime later they came back and
announced that there were new rules that were going to be in place.
Anyone who had, who wanted to demonstrate the possibility of fraud would have to
demonstrate quote unquote normal tampering.
Normal tampering was defined as tampering without opening up the machine.
So I'm not sure how anyone is going to figure out how to defeat the security of a
system like this without being able to know at least how it works, and you can
imagine countless possibilities for insider attacks where there'd be no such
obstacle to opening the machine and, and, and performing reverse engineering.
But that was the ground rule set by the ECI, and so there was no realistic
demonstration possible. Things changed however in the beginning of
2010 when Harry was approached by an anonymous source who offered to give him a
real Indian EVM to study. And this source, I understand, was someone who
had access to a machine legally, but had deep concerns of conscience about the
security of the machines, essentially a whistle-blower.
Harry accepted this offer and he and his engineers were based in Hyderabad, reached
out to me and Rop Gonggrijp. We joined them in India and proceeded to
study the machine.