The 2000 US Presidential Election became a farce when a large number of paper ballots in Florida were spoilt by improper punching. Indians smirked at the shenanigans because the world’s largest democracy had by then moved on from dead-tree balloting to electronic voting.
Electronic voting machines (EVMs) are quicker and more convenient. According to the Election Commission of India (EC), they are also tamper-proof. Undoubtedly they make traditional rigging methods difficult by cutting down the efficacy of booth-capturing and ballot-stuffing.
They also speed up mind-boggling logistics. In the 2009 elections, the EC appointed over 5 million personnel to service 670 million voters. About 13.78 lakh EVMs were deployed in five phases. EVMs not only reduce voting time, they miraculously speed up counting, with few challenges or recounts.
However, while technology can eliminate some abuses, it always brings new dangers. Can EVMs be electronically-captured? The EC claims EVMs can’t be tampered with undetectably, going so far as to make an open challenge to security experts (in 2009).
The machines are manufactured in facilities that are easy to access. They use antiquated, 1980s’ technology. A key chip has embedded software that cannot be verified once installed, even by the manufacturers. Millions of people (including polling agents and party workers) have physical access to EVMs, including access in-between elections, when they are stored in warehouses.
India possesses an ample supply of tech-savvy people capable of hacks. For years, various political parties have insisted EVM hacks are possible. Those protestations have been dismissed as disingenuous since any political party that did develop an EVM-hack would probably quietly implement it, rather than scream about theoretical possibilities. Nevertheless, the basic point — that EVM-hacks are possible — must be taken seriously.
In April 2010, three researchers (Hari Prasad, J Alex Halderman and Rop Gonggrijp) released a paper, Security Analysis of India’s Electronic Voting Machines, that proved EVMs can be hacked. In a video, they showed that cheap off-the-shelf hardware could be used to tamper with EVMs.
One demo replaced EVM displays with maliciously programmed lookalike chips. Another demo used bluetooth cellphones to extract and alter stored EVM data from physically sealed machines.
The trio is a white hat with solid credentials. Professor Halderman, of Michigan University, wrote the first demonstration computer virus targeting voting machines. Gonggrijp owns a Dutch ISP and was responsible for the Netherlands banning EVMs, after he demonstrated various EVM-hacks. Prasad is the managing director of Hyderabad-based Netindia, an IT and networking R&D outfit, which is consulting with two NGOs attempting to validate India’s electoral processes.
There was some history to the paper. In 2009, when the EC issued its public challenge, it refused to allow researchers physical access to EVMs. The logic seemed, you cannot hack a computer if you don’t know how it works and can’t get hold of it. This is unrealistic — far too many people have access anyhow. Prasad and Co did get hold of an EVM, which they claim was supplied by an EC insider. With over 14 lakh EVMs floating around, it’s not too tough to gain physical access.
The EC has not, thus far, responded publicly to the specific highlighted flaws. Instead, the establishment seems bent on shooting the messenger. There have been allegations that this is all a plot to discredit the EVM technology, thugs crippling Indian plans to export EVMs. If so, it was successful. Anybody who’s seen the video (available on several sites, including Youtube) will prefer physical ballots.
Prasad has been arrested (four months after the paper was published) and charged with stealing an EVM. He is being interrogated and has, so far, refused to reveal his source. The arrest is ludicrous. Prasad and his collaborators deserve a medal, not interrogation. Their research merely cast doubts on electoral processes. The response casts doubts on India’s democratic credentials.