|« Back to article||Print this article|
J Alex Halderman, leading electronic voting security expert tells rediff.com's Vicky Nanjappa what the problems with India's voting machines are and how to fix them
The arrest and the subsequent release on bail of e-voting researcher Hari Prasad has opened a Pandora box regarding India's Electronic Voting Machines. India's Election Commission, the researchers said, was reluctant to come forward and debate the issue, prompting them to dermonstrate how the machines could be tampered with.
Halderman, assistant professor of electrical engineering and computer science,at the University of Michigan, who has worked along with Hari Prasad in exposing the flaws in this machine, says they are extremely vulnerable.
Could you explain to us how an EVM can be tampered with?
Far from being 'tamper proof', EVMs are vulnerable to most of the same security problems as the paper ballot boxes they replaced, including an electronic form of booth capturing. Furthermore, unlike the old paper ballot boxes, EVMs can be tampered with long before elections take place to cause fraudulent results months or years later.
The methods of tampering we uncovered fall into three categories. The first category is that dishonest insiders or other criminals can manipulate the EVM to change the votes stored inside. This could happen during polling or in the time between polling and counting. One way to do this involves attaching an electronic device to the memory chips inside the machine, which holds the digital record of each vote. This device could then rewrite the vote data to favour a given candidate. We created such a device to demonstrate how easy this manipulation could be: a criminal could just open the EVM and clip the tiny device to the memory chips in a moment.
Memory manipulator devices could also be used for booth capturing, because they bypass the EVM's ability to control how quickly votes are cast. Not only is the device we demonstrated discreet and simple to use, but also cheap enough for a criminal to hand out to a squad of goons.
Can EVMs be rigged a long time in advance or is it done just before the elections?
That brings us to the other two categories of tampering that we found. The second category of tampering is that criminals could replace parts of the EVMs (or even whole machines) with look-alikes that behave dishonestly. This would allow criminals to tamper with machines while they are in storage and rig them to cheat in future elections. Many parts of the system could be replaced, but our study focussed on the LED display -- a small circuit inside the machine that is used during counting to indicate how many votes each candidate received. As a demonstration, we built a dishonest display that looks just like the real one but contains a hidden chip that substitutes fraudulent vote totals. Look-alike displays can be installed with only brief physical access to the machines. The usual pre-election mock polls wouldn't catch this cheating, because the display only cheats after hundreds of votes are cast.
Such attacks might seem high tech, but they're straightforward for anyone with an electronics background. One of my students built our first dishonest display in less than five days. India has no shortage of skilled electrical engineers who would need even less time.
The third category, and perhaps most worrying, has to do with the software, which controls almost all aspects of the EVM's functioning. EC expert committee chairman P V Indiresan has said that only 3 to 4 junior officials at the EVM manufacturers know what is in the software code, and that even he and the EC have never seen it. If some of these officials are dishonest, they could add a 'back door' to the code that would steal votes upon receiving a secret combination of key presses or other signal. The back door would then be built into every EVM that is manufactured.
Dishonest officials would face a low risk of being caught, because the EVM design makes it extremely hard for anyone, even the EC, to read or inspect the software once the machines are assembled. Perhaps these officials are honest, but voters have no choice except to trust them. If some of these junior officials at the EVM manufacturers are dishonest, they can compromise the entire national election system.
Some of the tampering methods our study describes require physical access to the machines, but insiders regularly have such access when the machines are in storage and during routine maintenance. Others might be able to get access in places where machines are stored with lax security. There is well-documented precedent for these kinds of attacks in a similar security-critical technology: casino gambling machines. Despite sophisticated security controls and intensive government oversight, there have been many cases in the US where gambling machines have been electronically rigged, most often by dishonest insiders at the companies that manufactured and serviced them.
Do you have any material to show that the machines used in Indian elections were rigged?
Our study does not even attempt to establish that any past election was stolen. Nobody can reasonably claim, based solely on the results we have published, that an election result now settled should be overturned. Proving actual fraud would require more evidence and a different kind of investigation.
Hari Prasad asked Rop Gonggrijp and me to participate in the study because we are established researchers in the electronic voting security field. Rop lives in the Netherlands, and he discovered serious security problems in EVMs used there. This led his country to switch back to paper ballots.
I co-authored the first academic security analysis of a deployed electronic voting machine. Since then I have co-authored security reviews that found flaws in many other kinds of EVMs, including a state-wide voting system review commissioned by the California government.
Rop and me agreed to help study the Indian EVMs out of scientific curiosity, and because we believe voting security is of fundamental importance to all democracies. The EVMs have an unusual design, but the EC has never permitted Indian researchers or anybody else to complete a rigorous, independent security evaluation.
In cases around the world, every time a manufacturer or government maintained that an EVM was fully secure without allowing independent scientific review, there turned out to be serious undisclosed weaknesses.
Do you see a political conspiracy in the Hari Prasad case?
What happened to Hari Prasad is extremely troubling. The arresting officers told him they were acting under 'pressure from the top', and the circumstances strongly suggest that this was more than a routine investigation.
The case against Hari Prasad is all the more troubling because it distracts from the primary problem: India's electronic voting machines have fundamental security flaws, and do not provide the transparency necessary for voters to have confidence in elections.
To fix these problems, the Election Commission will need help from India's technical community. Arresting and interrogating a key member of that community is enormously counterproductive.
Could you tell us a solution to this problem?
The Election Commission should stop pretending that the EVMs are perfect and start working to create a voting system that provides the transparency voters need in order to have confidence.
Many democracies have adopted and then abandoned electronic voting as science's understanding of the risks progressed. Others have adopted systems that provide transparency and redundant security by combining paper ballots with electronic scanners.
I hope the EC will work closely with India's academic and technical communities -- people like Hari Prasad -- to evaluate the strengths and risks of a range of options and find the best voting system for India.