Hacking "Electronic Voting Machines"
The other day I gave a talk at the Boston Bar Camp 2010 about the work we are doing at TrustTheVote. Over the year or so I've been involved I've collected some good stories and surprising anecdotes about how elections work and don't work in the US.
After the talk a fellow came over to me and said, how about adopting the way voting is done in India? He was from India and we had a long talk as he described a pretty simple, low tech 'vote machine' and process for casting and counting votes.
After all India is the most populous democracy and, he said, the vote there goes smoothly and people trust the process. Why not here in the US? I am not an expert on Indian voting or democracy so I accepted his information at face value and stored it away for some future cocktail party.
And this morning I got this in my email: "India's EVMs are Vulnerable to Fraud", a detailed article plus pretty convincing video showing how 'easily' hacked India's Electronic Voting Machines are:
"In the video above, we demonstrate two kinds of attacks against a real Indian EVM. One attack involves replacing a small part of the machine with a look-alike component that can be silently instructed to steal a percentage of the votes in favour of a chosen candidate. These instructions can be sent wirelessly from a mobile phone. Another attack uses a pocket-sized device to change the votes stored in the EVM between the election and the public counting session, which in India can be weeks later.These attacks are neither complicated nor difficult to perform, but they would be hard to detect or defend against. The best way to prevent them is to count votes using paper ballots that voters can see." (from India's EVMs are Vulnerable to Fraud)
This raises a few interesting points I would like to make:
- Since I said I don't know anything about India's voting system, and I don't really know these researchers, and the paper is on a site I never heard of, who even knows if this article and content is credible at all? For all I know it's some elaborate psychological manipulation for who knows what purpose.
- As I discussed in my "Security by Obscurity" rant the other day, is this kind of revelation a good idea? Let's just grant that the video and paper are legitimate and it shows a real Indian EVM being hacked in a workable way, is it a good idea to publish it in this kind of detail. Will it give ideas to the large number of people who have the motive and ability to execute it? Or is revealing it useful because it will eventually lead to an improvement in the security?
- Finally, and no surprise to people who read this blog, but isn't it amazing how an apparently simple thing like voting is subject to so many wheels within wheels of complexity. And the stakes are so high, whether it involves the Indian democracy or our own here in the USA.