Rajeev Srinivasan on how EVM problems are much bigger than technology or politics. The first of a two-part series.
I have been doubtful about electronic voting machines for quite some time, based on what one might call a healthy engineering scepticism. To put it bluntly, I don't trust computers. This comes from, at a point in the past, working with operating system innards and security. Since operating systems are the software that we implicitly trust to run most mission-critical systems, I have noticed that we are basically just one or two bugs away from disaster.
Even though there are rules of thumb and safety factors in software development just as there are in other engineering disciplines, software is still an art, not a science. And even the more mature engineering areas, much closer to science, like civil engineering, are still not perfect -- the occasional bridge does collapse, albeit rarely.
Therefore, the touching faith we repose in computers -- and this is especially true in India -- is misplaced. It would be a really bad idea to not have a backup mechanism that is not computer-based, especially when we are talking about embedded systems, the relatively primitive machines that run all sorts of devices such as refrigerators, microwaves, ATMs, etc. This, of course, was the rationale behind the famous Y2K panic, as people worried about whether planes would fall out of the sky as the result of an obscure software practice -- years were coded in two digits, not four (48, not 1948).
Looked at from first principles, then, Electronic Voting Machines are inherently not the most reliable systems available. Nevertheless, they have indisputable advantages: for one, it is not possible to do physical 'booth-capturing'. Besides, votes are converted into digital impulses that can be manipulated easily, so that all sorts of things can be done with them -- counting can be lightning-fast; and statistical data collection, analysis, data mining, and so on can all be done with great facility.
Unfortunately, that strength is also, ironically, the Achilles heel of the EVMs. Since there is no physical audit trail of the vote, once you have cast your vote, you cannot verify that your choice of candidate has been honoured. It is a relatively minor task for a software-savvy criminal to fix an election, with nobody being the wiser.
I made a primitive demonstration of this sort of activity when I ran an Internet poll on my blog about who India's best prime minister was. 300 people voted, and there was a clear winner, and some others got very few votes. But I found that if I took the real results, and applied a simple algorithm to it: that is, such as diverting 1/3rd of each person's votes to a third candidate, I could at will have anybody 'win', even someone who got just one vote. And the pattern of votes 'gained' did not look particularly suspicious.
Furthermore, in an eerie reminder of the way real electronic voting works, even after the poll 'closed' with 292 votes, it still accepted eight more votes. I have no idea how or why it did that, and since I do not have the source code, there is no way I could figure it out, either. That is another important problem -- unless third parties are able to verify beyond reasonable doubt that the system is trustworthy, in effect the system is completely untrustworthy.
There is one major aspect -- the human factor. Related to it is a process issue -- what are the checks and balances to ensure that human error or malfeasance will not have catastrophic effects? In many critical systems, we have evolved elaborate fail-safe mechanisms that ensure it takes the co-operation of several individuals believed to be highly reliable. There are ways of vetting people to ensure that they deserve the highest level of trust -- this is the theory behind security clearances for access to sensitive information, and so we have people with top secret clearances whom we trust with extremely confidential information and the ability to perform critical acts.
We have seen in innumerable Hollywood films (for instance The Hunt for Red October) how the order to launch American nuclear missiles from a submarine has to be authorised independently by two very competent people, who each carry one of the keys needed. If they do not agree, the missile is not launched. Even in a more mundane setting, the safe deposit box in India, typically a bank manager and the customer each has to insert their keys simultaneously for the locker to open.
Thus, technical systems, human factors, and process issues need to work in perfect synchronicity for a complex system to work in ways that are provably correct.
Now let us move from the abstract to the concrete. How do electronic voting machines work on some basic measures of correctness of technology, human factors and processes? The track record, alas, is not that great. In 2009, I did a survey of the literature: EVMs had been found severely wanting in case after case, and several counties have ceased to use them. I am sure there is more information since about a year ago, but here is an excerpt from my essay which was published in New Perspectives Monthly:
United States (data from www.electionfraud2004.org and others as indicated):
- In April 2004, California banned 14,000 EVMs because the manufacturer (Diebold Election Systems) had installed uncertified software that had never been tested, and then lied to state officials about the machines. The machines were decertified and criminal prosecution initiated against the manufacturer.
- In the 2004 presidential elections, in Gahanna, Ohio, where only 638 votes were cast, George Bush received 4,258 votes to John Kerry's 260
- A study by UC Berkeley's Quantitative Methods Research Team reported that irregularities associated with EVMs may have awarded 130,000-260,000 votes to Bush in Florida in 2004
- There have been at least the following bills in the US legislature, all of which were the result of perceived problems with EVMs. (It is not known if any of them has passed; HR = House of Representatives, the lower house, and S = Senate, the upper house):
- HR 550: Voter Confidence and Increased Accessibility Act of 2005
- HR 774 and S 330: Voting Integrity and Verification Act of 2005
- HR 939 and S 450: Count Every Vote Act of 2005
- HR 533 and S 17: Voting Opportunity and Technology Enhancement Rights Act of 2005
- HR 278: Know your Vote Counts Act of 2005
- HR 5036: Emergency Assistance for Secure Elections Act of 2008
- In 2006, a team of Princeton University computer scientists studied Diebold Election Systems EVMs, and concluded that it was insecure and could be "installed with vote-stealing software in under a minute", and that the machines could transmit viruses from one to another during normal pre- and post-election activity. Diebold, now Premier Election Systems, is the largest US manufacturer of EVMs
- In 2006, computer scientists from Stanford University, the University of Iowa and IBM suggested that Diebold had "included a 'back door' in its software, allowing anyone to change or modify the software A malicious individual with access to the voting machine could rig the software without being detected".
- The Federal Constitutional Court of Germany declared EVMs unconstitutional.
The Netherlands (2006)
- The ministry of the interior withdrew the licenses of 1187 voting machines because it was proven that one could eavesdrop on voting from up to 40 metres away. The suit was brought by a Dutch citizen's group named 'We Do Not Trust Voting Machines'. This group demonstrated that in five minutes they could hack into the machines with neither voters nor election officials being aware of it.
- The Supreme Court declared invalid the results of a pilot electronic vote in three municipalities.
United Kingdom (2007)
- The Open Rights Group declared it could not express confidence in the results for the areas that it observed. Their report cites "problems with the procurement, planning, management and implementation of the systems concerned."
- Ireland embarked on an ambitious e-voting scheme, but abandoned it due to public pressure
- There were serious discrepancies in the Diebold systems predominantly used in Brazil's 2006 elections.