by Mala Jay
To quote a spokesperson of the National Election Defense Coalition in the US, “It is a lie to assert that voting machines or voting systems can’t be hacked by remote attackers because they are ‘not connected to the internet’.
Electronic voting machines (EVMs) can indeed be rigged. Contrary to the Election Commission of India’s stonewalling and denials, new research and experiments by American computer scientists have established that electronic voting systems can be manipulated in a variety of ways.
Some of the new evidence has been published in a New York Times article ‘The Myth of the Hacker-Proof Voting Machine’, which provides startling details backed by technical findings and expert interviews.
The intense research being conducted in America is due to domestic controversies about whether the 2016 presidential election was free and fair. However, the insights into EVM vulnerability are both relevant and timely for India.
Many political analysts are convinced that the outcome of the 2019 Lok Sabha elections would hinge not so much on the mood of the electorate but on whether polling is conducted through EVMs or the old system of paper ballots and manual counting of votes.
Although this might appear to be needlessly suspicious or cynical, the latest US research indicates that blind trust in EVMs might be misplaced.
Opposition parties in India would, therefore, be well advised to redouble their efforts to demand paper balloting in the 2019 elections by confronting the election body with the latest technical research and findings of globally renowned computer scientists and experts.
Whenever allegations of EVM manipulation have been raised, the Election Commission has invariably come out with two standard assertions: one, that the machines used in India are fully secure and tamper-proof; and two, that the EVMs are “stand-alone” devices unconnected to the Internet and hence immune from remote interference.
Both these claims can now be challenged. The third argument that the machines used in Indian elections are manufactured under strict supervision by reputed public sector enterprises can also no longer be accepted at face value for two reasons: a) recent Right to Information data has thrown up troubling questions about the logistics of EVM transport and distribution; and b) the US findings point to potential for serious mischief at the manufacturing stage itself.
Some of the startling findings:
1 – Technology analyst Kim Zetter, who has won four awards for her writing on how e-voting affects democracies, has collated facts and figures to cast series doubts about the reliability of EVMs even when attached to a paper verification unit.
2 – Professor David A Eckhardt of Carnegie Mellon University was asked by election authorities in Pennsylvania to examine complaints of “vote flipping”—meaning that when some voters touched the screen to choose a candidate, the screen showed a different candidate selected. Eckhardt found to his surprise that remote-access software had been installed on the machines, which were supposed to be “air-gapped” — disconnected from the internet and other machines that might be connected to the internet.
3 – Several reports by independent computer scientists pointed to a shocking and categorical conclusion—that despite claims by authorities nearly every make and model of voting machine is vulnerable to hacking. One reason for this is that the systems were not originally designed with robust security in mind. Just as in India, the tendency in America has been for voting machine manufacturers and election officials to stoutly deny that the machines can be remotely hacked. EVMs are tamper-proof, say the election officials. Voting machines are stand-alone devices, EC repeats for the umpteenth time. It is impossible to send outside signals through Wi-Fi or Bluetooth. The frightening reality, as the new findings show, is far more complicated.
4 – The top US manufacturer, ES&S, has admitted that it has sometimes sold its election-management system with remote-access software preinstalled. Even when such software was not preloaded, the company advised election officials to install it so that ES&S technicians could remotely access the systems via modem. Computer experts now say that Installing remote-access software and modems on systems that program voting machines and tally final results is undoubtedly a serious security issue.
5 – But there is an even more fundamental way that many voting machines themselves are being connected to the Internet and put at risk of hacking. The beauty of it is that even election officials at the state or central level are usually unaware the risk exists. After voting is over, booth level election officials transmit the vote count to their state election offices via modems embedded in or connected to their voting machines. The election authorities insist that the modem transmissions are safe because the connections go over phone lines and not the Internet.
But, as security experts point out, many of the modems are cellular, which use radio signals to send calls and data to cell towers and routers belonging to mobile carriers — in India these are Airtel, Vodafone, etc. These routers are technically part of the internet. Even when landline analog modems are used instead of cellular ones, the calls are still likely pass through other routers, because phone companies have replaced much of their analog switching equipment in recent years with digital systems.
Because of this, potential hackers can easily intercept unofficial results as they’re transmitted on election night — or, worse, they can use the modem connections to reach back into election machines at either end and install malware or alter election software and the actual votes cast.
6 – There are other ways too. An expert hacker can subvert the telecom routers themselves to intercept and alter election results as they pass through telecom equipment. Like any other digital device, telecom routers have vulnerabilities, and they have become a prime target. For example, a few years ago, hackers from Britain’s official spy agency targeted routers belonging to the Belgian telecom Belgacom to intercept mobile traffic passing through them.
To quote a spokesperson of the National Election Defense Coalition in the US, “It is a lie to assert that voting machines or voting systems can’t be hacked by remote attackers because they are ‘not connected to the internet’. This isn’t just wrong, it’s damaging. This oft-repeated myth instills a false sense of security in the minds of the public, the parties and the officials. This complacency inhibits urgent action. There is no doubt whatsoever that use of voting machines should be stopped—all voting systems must use paper ballots and all elections must be robustly audited”.
The time has come for all those who want free and fair elections in India to forcefully say the same thing. Whether Opposition parties succeed in forging a joint front or not is not as critically important as coming together and demanding in one voice the reintroduction of paper ballots.
Article first published on Natinoal Herald India.
