Unsafe electronic voting machines: Shooting the messenger (Comment)
By Prasanto K. Roy, IANS
Tuesday, August 24, 2010
Over the weekend, the Indian establishment demonstrated how bizarre the mix of political insecurity, intolerance of criticism, and sheer stupidity could be. Mumbai police arrested Hari K. Prasad, chief of Indian research and development firm Netindia.
The reason: Prasad is a member of a team of security researchers, including American computer scientist J. Alex Halderman, who have been working to show that India’s electronic voting machines (EVMs), like those in the US and elsewhere, are flawed, and can be hacked, altering election results.
In 2009, the Election Commission of India (ECI) publicly challenged Prasad to show that India’s voting machines could be compromised. But incredibly, they did not give him access to a machine. Prasad’s team managed to acquire an EVM from a source earlier this year, and soon proceeded to expose security flaws.
Prasad was arrested August 21 for refusing to disclose the identity of the source from whom the EVM was secured for the tests. Halderman wrote in his blog that early Saturday morning, at 5:30 hrs, 10 police officers arrived at Prasad’s home in Hyderabad. They questioned him until 8 a.m., then placed him under arrest and drove him to Mumbai, over 14 hours away by road.
Hari K. Prasad, J. Alex Halderman and Rop Gonggrijp have been working on an “independent scientific study of the security of India’s EVMs”. On the project’s website at indiaevm.org, the team reports that the ECI has spoken of India’s EVMs as “infallible and perfect”.
Yet, similar machines used around the world have been shown to suffer from serious security problems. India’s EVMs had never been subjected to credible independent research, says the site. An attacker with brief access to EVMs can tamper with votes and potentially change election outcomes.
This could be done two ways. One, by replacing parts of the machines with look-alike parts without the involvement of any local poll official. Two, by using portable hardware devices to change the vote records stored in the machines. The latter may involve local election officials, but still be undetected by national authorities or the EVM manufacturers.
In one experiment the team added a Bluetooth module, to be able to swing the EVM’s votes wirelessly. The EVMs are “sealed by stickers, string, and red wax”, which are hardly any barrier to an attacker.
The team also says that the EC-appointed expert committee, which certified the EVMs as secure, comprised people with no apparent EVM security credentials, who did a superficial study based on presentations and site visits. Prasad’s team worked with a real machine and demonstrated working attacks.
The team notes that real criminals would probably have less difficulty in accessing one or more of India’s 1.4 million EVMs than this research team did. And the real criminals would not be working to inform the public about the security problems.
There are two ways to handle the scientific critic, or the messenger of bad news.
In July, at the world’s premier security conference, Defcon, security researcher Chris Paget demonstrated how easy it was, using $1,500 of equipment, to intercept GSM mobile phone calls. The US government and FCC could have arrested him. They did not. The demo has been taken as a wake-up call for telecom security.
On the other hand, in China, a critic who demonstrates that a government system is flawed will get an early morning visit from the police, and will likely disappear without a trace.
Are we getting dangerously close to the China model?
There is enough evidence from global research now that there are serious concerns about EVM security. The Netherlands, once fully on EVMs, has switched back fully to paper ballots, and other nations are contemplating following suit.
It is past time for India to open up EVM security to serious scientific scrutiny, on an urgent basis. In the process, the ECI should apologise to Hari K. Prasad and his team, and appoint them as consultants in beefing up security for electronic voting.
If it does not do this, I have to suspect the ulterior motives of the Election Commission of India, which has been working so hard to suppress information about security flaws in its EVMs, rather than find out how to fix them.
(24.8.2010-Prasanto K. Roy is chief editor at CyberMedia, and can be found on twitter.com/prasanto or www.pkr.in)