
How secure are the EVMs?

May 15, 2014 09:44 IST

Whatever happens with this election, there is going to have to be a serious rethink of how the Election Commission, and elections, are run in India. There can't even be the whiff of impropriety. In a country that believes in democracy, EVM rigging isn't stealing an election, it's stealing the soul of a nation, says Cleo Paskal.

According to exit polls, Narendra Modi is likely to be declared the next prime minister of India. The only thing that might stand in his way is the electronic voting machine.

The problems with EVM security have been widely known since the large-scale irregularities in Florida during the 2000 US elections.

Many countries have moved to get rid of them. In 2006 Dutch TV aired a documentary showing how easy it was to hack the EVMs that were about to be used in their general election. The machines were subsequently withdrawn and the Netherlands went back to paper ballots.

Germany has declared EVMs unconstitutional.

And, after spending close to $75 million on its EVMs, Ireland found them to be so insecure they literally scrapped them.

In 2009, Steve Stigall, a CIA cybersecurity expert, told the US Election Assistance Commission there were concerns over electronic vote-rigging in Venezuela, Macedonia and Ukraine. According to the McClatchy report on his testimony: '(Stigall) said that elections also could be manipulated when votes were cast, when ballots were moved or transmitted to central collection points, when official results were tabulated and when the totals were posted on the Internet.'

Concerns about the Indian EVMs were raised during the 2009 election in part as a result of an astounding discovery on the Election Commission of India Web site. Dr Anupam Saraph, at the time chief information officer for the city of Pune, and Professor M D Nalapat, vice-chair of the Manipal Advanced Research Group, discovered files on the ECI Web site that seemed to show election results days before votes were actually cast and counted.

India's 2009 elections were held in five phases, running from April 16 to May 13. Counting was not supposed to begin until all the phases were complete. Before the voting started, Saraph and Nalapat decided to track the elections and create a wiki for constituencies and candidates, with data sourced from Excel files on the ECI Web site.

The ECI spreadsheet contained what you would expect: Candidate's name, gender, address, party, etc. But, starting May 6, the spreadsheets changed and something unexpected was added.

From May 6 onwards, the candidate's name was 'coded', based on their position on the EVM, and the number of 'votes polled' was added, even though voting had yet to take place in many constituencies and, even where voting had taken place, votes were yet to be counted. Even more confounding, the 'votes polled' numbers were adjusted in subsequent spreadsheets before the results were announced.

The team immediately alerted the National Informatics Centre and the ECI that it looked like their Web site was posting results before voting had been completed. The NIC responded within an hour confirming the observation and itself alerting the ECI. There was no response from the ECI.

On May 16, the election results were declared. On that day the spreadsheets on the ECI Web site contained the candidate's name, gender, address, party, etc just like on April 16, but with no votes polled data at all -- making pre- and post-election comparison with the peculiar 'votes polled' numbers impossible.

Subsequently, a team of IT specialists, including J Alex Halderman from the University of Michigan, Electronic Frontier Foundation Pioneer Award winner Hari K Prasad, and Dutch Internet pioneer Rop Gonggrijp, used an actual Indian EVM to demonstrate two ways they could be hacked.

As Florida voters (and watchers of Scandal) know, often elections come down to just a few precincts in a few constituencies. Those wishing to swing an election need only manipulate a few well-chosen machines. Less than that if the goal is just to ensure specific people gain or maintain their seats.

Worried about the safety of their democracy, groups of concerned citizens got involved. Former Union minister Dr Subramanian Swamy took up the mantle and went to the Supreme Court of India, winning a ruling that the Indian EVMs would at least have to provide a paper trail.

However, only eight of 543 constituencies in this election have a Vote Verifier Paper Audit Trail system. And there have already been reports of serious EVM malfunction, with two machines reportedly transferring all votes cast to the Congress. This is apart from the separate issue of inaccurate voter lists, which saw lakhs of voters being disenfranchised, resulting in an apology from the Election Commission, but no revote.

Whatever happens with this election, there is going to have to be a serious rethink of how the ECI, and elections, are run in India. There can't even be the whiff of impropriety.

In a country that believes in democracy, EVM rigging isn't stealing an election, it's stealing the soul of a nation.

According to CIA cybersecurity expert Steve Stigall: 'Wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to... make bad things happen.'

India's democracy is one of the wonders of the world. As in all democracies, the solemn act of vote casting is the one moment when everyone is equal, everyone is valued, everyone is part of the nation and everyone's voice gets heard.

If that voice is stifled or stolen, if that safety valve is closed, if that compact between the individual and the State is ruptured, then that delicate relationship is broken and the individual owes nothing to the State.

And that, as the man says, can make bad things happen.

Image: IT experts (from left) J Alex Halderman, Hari K Prasad, and Rop Gonggrijp holding the EVM that they hacked into in 2010 to show that the machines were not tamper-proof. Photograph: Indiaevm.org.

Cleo Paskal