Over the weekend, the Indian
establishment demonstrated how bizarre the mix of political
insecurity, intolerance to criticism, and sheer stupidity could be.
Mumbai police arrested Hari K. Prasad, chief of Indian research and
development firm Netindia.
The reason: Prasad is a member of a team of security researchers,
including American computer scientist J. Alex Halderman, who have
been working to show that India’s electronic voting machines (EVMs),
like those in the US and elsewhere, are flawed, and can be hacked,
altering election results.
In 2009, the Election Commission of India (ECI) publicly challenged
Prasad to show that India’s voting machines could be compromised.
But incredibly, they did not give him access to a machine. Prasad’s
team managed to acquire an EVM from a source earlier this year, and
soon proceeded to expose security flaws.
Prasad was arrested August 21 for refusing to disclose the identity
of the source from whom the EVM was secured for the tests. Halderman
wrote in his blog that early Saturday morning, at 5:30 hrs, 10
police officers arrived at Prasad’s home in Hyderabad. They
questioned him until 8 a.m., then placed him under arrest and drove
him to Mumbai, over 14 hours away by road.
Hari K. Prasad, J. Alex Halderman and Rop Gonggrijp have been
working on an “independent scientific study of the security of
India’s EVMs”. On the project’s website at indiaevm.org, the team
reports that the ECI has spoken of India’s EVMs as “infallible and
Yet, similar machines used around the world have been shown to
suffer from serious security problems. India’s EVMs had never been
subjected to credible independent research, says the site. An
attacker with brief access to EVMs can tamper with votes and
potentially change election outcomes.
This could be done two ways. One, by replacing parts of the machines
with look-alike parts without the involvement of any local poll
official. Two, by using portable hardware devices to change the vote
records stored in the machines. The latter may involve local
election officials, but still be undetected by national authorities
or the EVM manufacturers.
In one experiment the team added a Bluetooth module, to be able to
swing the EVM’s votes wirelessly. The EVMs are “sealed by stickers,
string, and red wax”, which are hardly any barrier to an attacker.
The team also says that the EC-appointed expert committee, which
certified the EVMs as secure, comprised people with no apparent EVM
security credentials, who did a superficial study based on
presentations and site visits. Prasad’s team worked with a real
machine and demonstrated working attacks.
The team notes that real criminals would probably have less
difficulty in accessing one or more of India’s 1.4 million EVMs than
this research team did. And the real criminals would not be working
to inform the public about the security problems.
There are two ways to handle the scientific critic, or the messenger
of bad news.
In July, at the world’s premier security conference Defcon, security
researcher Chris Paget demonstrated how easy it was, using $1,500 of
equipment, to intercept GSM mobile phone calls. The US government
and FCC could have arrested him. They did not. The demo has been
taken as a wake-up call for telecom security.
On the other hand, in China, a critic who demonstrates that a
government system is flawed will get an early morning visit from the
police, and will likely disappear without a trace.
Are we getting dangerously close to the China model?
There is enough evidence from global research now that there are
serious concerns about EVM security. The Netherlands, once fully
onto EVMs, has switched back fully to paper ballots, and other
nations are contemplating following suit.
It is past time for India to open up EVM security to serious
scientific scrutiny, on an urgent basis. In the process, the ECI
should apologise to Hari K. Prasad and his team, and appoint them as
consultants in beefing up security for electronic voting.
If it does not do this, I have to suspect the ulterior motives of
the Election Commission of India, which has been working so hard to
suppress information about security flaws in its EVMs, rather than
find out how to fix them.
(Prasanto K. Roy is chief editor at CyberMedia, and can be found on
twitter.com/prasanto)