These machines need to be tested for any possible security flaws — that is a standard operating procedure which is carried out by the world’s biggest technical conglomerates to make their systems foolproof
An interesting incident regarding Electronic Voting Machines (EVMs) has hit the headlines in recent days. Hari Prasad, managing director of Hyderabad-based Net India Private Limited, was arrested for 'stealing' an EVM.
He 'stole' the machine to demonstrate that the EVM can be tampered with. In fact, he - along with a University of Michigan professor and a Dutch security researcher - has even published a research paper on the vulnerability of the EVM.
In today's world of security, hacking into a system in a lab environment to show its vulnerabilities is an accepted practice. It is called by various names such as ethical hacking, or penetration testing. The only difference in this case is because of the way in which Mr Prasad acquired the machine to test the hacking techniques. Mr Prasad's claim is that he had approached the Election Commission (EC) with a request to allow him access to the machine, but they refused to do so; at the same time
the EC claimed that the EVMs are foolproof and secure. Finding no other way to address an issue which is at the heart of India's democracy, namely free and fair elections, Mr Prasad acquired the machine by other means.
Mr Prasad in my opinion has done a great service to the nation. By showing that the EVMs can be tampered with, he has opened up a dialogue on the vulnerability of the EVMs. The EC on the other hand is blatantly misleading the Indian people saying that these machines are secure. Further, they refused to allow access to these machines to security professionals. If indeed the machines are secure as they claim, why not allow access to security professionals?
In fact, the EC should have hired ethical hackers themselves to find vulnerabilities in their machines.That is the practice followed worldwide by companies whose products can be potentially hacked. The behaviour of the EC reeks of ignorance of current security practices.
That the implications of their behaviour hit at the crux of India's 'free and fair' elections makes that an act against the nation's wellbeing itself.
Our EC has over the years gained a good reputation for conducting the world's largest free and fair elections. But this act nullifies at least some of it. It is high time the EC opens up the machines to public and professional security. There is nothing wrong with having security vulnerabilities provided one has an open mind and they are fixed. Right from Google to Microsoft's products, no popular product in the world has escaped security holes. It is by fixing the security holes that the product keeps becoming more and more secure.
Meanwhile, today's reports indicate that some of the top officials in India have claimed that there is a political conspiracy to discredit India's election process via this hacking attempt. Politicising everything is the nature of India's politicians. It is irrelevant to the discussion whether there is a political angle behind Mr Prasad's act or not. That certainly does not absolve the EC of its lack of attention to security vulnerabilities in the machine. It is also interesting that the EC is not concentrating much on the technical aspects of the vulnerabilities disclosed by Mr Prasad. At least, getting into a deeper technical dialogue on that front and openly showing that the vulnerabilities disclosed by Mr Prasad are not critical would give more credibility to their response.
It is high time this country wakes up to this and fixes the vulnerabilities in EVMs lest politicians take advantage of the vulnerabilities and doctor the elections, assuming they have already not done so in the last elections.
(The author has a B Tech from IIT Bombay, and a PhD from Columbia University, New York. He currently runs a start-up, Teknotrends Software Pvt Ltd that does cutting-edge work in the area of network security).