
“The EVM and its critics”

The latest issue of Pragati carries an article on the Electronic Voting Machine (EVM) by yours truly titled “The EVM and its critics”.

The EC would do well to institute a properly designed process to allow scientific scrutiny of its instruments, systems and processes, not merely in reaction to the current events, but as a general policy. That would do much more to bolster the legitimacy of India’s electoral system than the current defensive approach.


eVoting expert arrested on charge of stealing the EVM he studied

According to a blog post by G.V.L. Narasimha Rao, “a leading election analyst and a political commentator”, Hari K. Prasad, one of the authors of the paper that describes hardware-based attacks on Indian Electronic Voting Machines (EVMs), has been arrested by Maharashtra police for the “theft of EVM” that was used in the study.

Today, at wee hours Maharashtra police landed up at the residence of Hari Prasad in Hyderabad, a technologist and Technical coordinator of VeTA to arrest him. The arrest was made on the flimsy charge of ‘theft of EVM’ used for vulnerability demonstration by Hari Prasad and a team of security researchers that included Alex Halderman, professor of computer science, University of Michigan and Rop Gonggrijp, a security researcher from Netherlands along with a team of their colleagues.

Earlier, police came to Hyderabad in the first week of August and recorded a statement on the EVM they had used for exposing the vulnerability of EVMs. They summoned him to Mumbai for further questioning. Hari Prasad could not go as he was busy with his professional work. Then, the sudden arrest happened this morning.

While it is not right to speculate without further information on the matter, if it is true, this is a very disturbing development. There are three possible motives behind the alleged arrest.

  1. Mr. Prasad did not answer the summons and hence the police have taken him in for further questioning.
  2. Mr. Prasad is being pressured to reveal the source that provided him with the EVM for the study and he refused to do so. The police are using scare tactics to flush out the information.
  3. Mr. Prasad is being harassed (at least indirectly by the Election Commission) for the study he helped conduct that revealed flaws in the Indian EVM.

Of the three, while the third is the most sensational, it seems to be the least likely, since the cat is out of the bag and actions like an arrest will only provide more publicity to the work, not that there is any lack of it. According to Mr. Rao – “13 political parties had written to the ECI in April expressing concerns about the reliability of EVMs and urging the ECI to organize an All-party meeting.”

The following days will reveal the full story, but for now suffice it to say that the news is disturbing and looks like an attack on independent critical analysis of the Indian e-voting system.

[Update (22nd August, 08:15)]: More info on the arrest from Alex Halderman, one of the co-authors of the paper along with Hari Prasad.


Security of Indian Electronic Voting Machines

The security and integrity of electronic voting machines (EVMs) have been a point of debate for a long time. Various studies of EVMs used in elections within the USA have shown time and time again that they are susceptible to both software-based and hardware-based attacks. However, EVMs used in Indian elections have not been subjected to similarly rigorous scrutiny, even though they have been used nationwide since 2004. Neither have the details of the inner workings of the EVM been made public. Security and privacy have been cited as the main reasons for this (pdf).

The Commission has not allowed reverse-engineering of the ECI-EVMs, inter-alia, for the reasons that manufacturers of ECI-EVMs, BEL & ECIL, have a patent on the machines and have objected to any attempt at reverse-engineering.

(…)

The Commission is concerned that commercial interests could use the route of reverse engineering which may compromise the security and sanctity of the entire election system. It is, therefore, not possible for the Commission to permit reverse-engineering of ECI-EVMs.

The two expert panels that have been tasked by the EC to verify the security of the EVM have had to do the job relying on presentation materials given to them by the vendors. In fact, experts for the EC have equated any questioning of the security of the EVMs with an attack on the commission’s own impartiality and integrity [1] and have been quoted as drawing a parallel between proving the security of the EVM and “asking Sita to prove her virginity [sic.] by having Agni Pariksha”!

All that until now. A team of researchers, led by Hari K. Prasad, Dr. J. Alex Halderman and Rop Gonggrijp, have written a paper in which they describe two hardware-based attacks they have been able to perform on an actual EVM given to them by an unnamed source. To quote from the site’s Q&A section:

First, we show how dishonest election insiders or other criminals could alter election results by replacing parts of the machines with malicious look-alike parts. Such attacks could be accomplished without the involvement of any local poll officials. Second, we show how attackers could use portable hardware devices to change the vote records stored in the machines. This attack could be carried out by local election officials without being detected by the national authorities or the EVM manufacturers.

The fact that these attacks were not even the result of extracting and analysing the software from the chip (read the paper to know why) should alarm people.

This raises serious questions about the integrity of elections held in India. While it is unlikely that such attacks have already been conducted, they are possible, and now that this has been shown, there is a likelihood of them being attempted by parties aiming to subvert the election process. Neither the unhealthy attitude of the EC-associated experts, who equate questions raised about the security of the EVM with an attack on their impartiality and integrity, nor that of the EC, which has not insisted on the release of the software powering the machine, at least under a Non Disclosure Agreement, to competent security experts, helps. Any company that does not open up the code and the inner workings to such an expert group should not be allowed to provide machines for voting. Security through obscurity has been shown to not work – again and again and again.

A rigorous analysis of the security of both the hardware and the software used by the machines that empower adult suffrage in the world’s largest democracy is an absolute necessity.

[1] Page 98 of Democracy at Risk! (Book on Indian EVMs published by Citizens for Verifiability, Transparency & Accountability in Elections), New Delhi, 2010, by G. V. L. N. Rao.
