Rajeev Srinivasan on how EVM problems are much bigger than technology or politics. Second and final part of the series.
Based on precedents elsewhere, it is hard to believe that Indian Electronic Voting Machines, alone, through some extraordinary luck or brilliant planning -- do I detect shades of some 'Indian exceptionalism' from people who otherwise are rather unimpressed with India and Indians? -- are immune to these problems.
In particular, the German criticism is telling. The German courts have struck EVMs down because they discovered that current EVMs do not allow a voter to be certain that his choice has been registered. This is a constitutional issue, because the will of the voter is considered sacrosanct in democracies.
If there is reasonable doubt that the voter's choice may not be reflected in the results emitted by the EVM, it violates the Constitution. This is as true of India as it is of Germany. The wise thing would be to ban the use of EVMs until they can be proven to be constitutional, and the onus should be on the EVM manufacturers -- which is precisely what the German supreme court did.
It is in this context that we need to see the recent arrest of an Indian EVM researcher, Hari Prasad, on August 21. In the Indian case, things are slightly worse. Instead of challenging the EVM manufacturer to demonstrate that the machines are, in fact, trustworthy, the constitutional authority, the Election Commission of India, has acted as the spokesman of the EVM manufacturers. The ECI has claimed on several occasions that EVMs are 'foolproof', 'perfect' and so on, as though this were self-evident.
Hari and fellow-researchers put together a proof-of-concept, wherein they demonstrated a hack on some other hardware. The EC, correctly, pointed that this was not on one of the Indian EVMs, and therefore not quite applicable. But when the researchers, reasonably, requested that the EC provide them with an actual EVM, it appears the EC refused, or insisted that they tamper with the EVM without actually touching them, a feat of magic which, alas, software developers are unable to pull off.
The EC has also emphasised over and over again how secure their systems and processes are, how the machines are sealed in high-security currency-quality paper, sealed with wax and kept under lock and key in warehouses all over the country in the custody of reliable officials.
Which is quite interesting, considering that the researchers got an EVM from one of the EC's warehouses, and were able to hack it and demonstrate several ways of tampering with it, including the use of radio-aware chips that would enable a Bluetooth-based cellphone outside a booth to manipulate the machines. The vaunted process of the EC was, however, not even aware of the missing machine for several months! If was only by looking at the serial number on a videotape of the hacked machine that the EC identified which warehouse that EVM came from. This puts in doubt the physical security of the devices.
In any case, the fact that a gentleman named Abdul Karim Telgi was allegedly able to copy high-security stamp paper to the tune of tens of thousands of crores, the fact that high-quality counterfeit Indian currency printed in Pakistan has been intercepted in container loads, and the fact that an entire shipment of currency inks is 'missing', it is hard to feel comforted that paper-based measures would be entirely foolproof.
Computer scientists, especially those in the area of security, are not convinced, either. I listened carefully to the podcast of a session at the recent USENIX (Advanced Computing Systems Association) conference recently wherein two representatives of the ECI, Professor P V Indiresan, and Dr Alok Shukla, a deputy EC, squared off against GVLN Rao, an election forecaster, and Dr Alex Halderman, a computer science professor at the University of Michigan. The EC folks were bested in the discussions, which were attended by well-known security researchers.
I was disappointed to hear from Messrs Indiresan and Shukla that the foolproof measures that the EC is so proud of boil down to some kind of 'security by obscurity' -- that is, a complex process that is expected to be harder to break into -- and faith in a small number of software types at firms that the EC did not identify, and which may not even be Indian, and thus beyond the ken of Indian law.
There is a remarkable case study available on the Internet, about 'Gunfire at Sea', a chronicle of how the US Navy bureaucracy stonewalled and pooh-poohed a very interesting suggestion for improving the accuracy of naval guns, some time in the 19th century. I'm afraid that the EC's reaction seemed much like the US Navy's bluster, misplaced confidence in their abilities, and a tendency to shoot the messenger.
Instead of lauding Hari Prasad as a well-intentioned white-hat researcher whose suggestions for improvement should have been welcomed with open arms by the EC, the latter seeks to demonise him, terrorise him, and book him so that they could worm from him the identity of the person who had passed on the EVM to him for research. This is counter-productive.
Thus, on several counts, including constitutionality, the reaction to whistleblowers, and the large-scale implications on the country's democracy, this is a fascinating case, and the EC should redeem itself by working with these researchers. The next set of people who break into the EVMs may not be quite so well-intentioned. (In passing, there is the interesting parallel story that the American responsible for the recent WikiLeaks publication of 92,000 confidential documents has been accused of rape in Sweden, and then the charges were dropped; he claimed he had been warned the Pentagon was 'after him'. Clearly, whistleblowers have to watch out these days.)
Very distressingly, there is another other pillar of society that did not distinguish itself in this whole EVM fracas. It is the media. So far as I can tell, the entire English-language media has chosen to bury this story: no anchor or editor is excited about it, although a few stray op-eds have been written. It has certainly received less attention than the hoo-haa over some Sri Lankan cricketer doing something unsportsmanlike.
This is a serious dereliction of the media's presumed duty as the watchdog of society. If an election is fixed, it is in essence a bloodless constitutional coup, and the media should be on the trail of this story like bloodhounds. The fact that the media is not doing so implies something serious about its integrity and ethics.
Thus, two of the independent institutions in India that should impose checks and balances on the executive have abdicated their responsibility. This is a cause for extreme concern; this is a sign of a State whose machinery is breaking down. And that is the crux of the matter in l'affaire EVM.
Usenix Panel Discussion on EVMs in India (audio podcast)