Shameless plug: the city of San Francisco is trying to build an Open Source Voting System (officially!). Even the paper ballot scanners/tabulators in the US are running proprietary, hackable software.
If you live in the Bay Area and are interested in securing elections, now is a great time to get involved. There's a public meeting next week (sfgov.org/electionscommission).
I'm also happy to get coffee and catch anyone up on where the effort stands – email in profile.
EDIT: I should have clarified that the new system will remain a 100% paper ballot system. The software involved is to organize, print, tabulate, and tally ballots. There's a strong community that opposes inherently risky approaches involving things like digital storage and the internet (again, reach out if you're interested in joining!).
Having open source voting systems is a great thing, but electronic voting is inherehently flawed and is a terrible idea. There's no way to prove the checksum of your software is real unless you have root access to the voting machine and are assuming the OS is not compromised.
Decentralized electronic machines that print paper ballots for you (which you can physically verify), and submitting to a tabulator seem to be the safest option. But your paper ballot can be compromised in transit by a worker. I have also heard talks about using a blockchain-esque system for voting and verifying it online with a hash code.
The problem with that video is that it assumes that that the internet is involved at some stage. In India, that isn't the case.
EVMs are not internet enabled, neither are they "programmed" by sticking a USB in them. They come in huge sealed boxes to the centres, and are carried back the same away. The data never leaves these machines. If my knowledge is correct, the data can only be accessed by a high ranking election official called the RO.
Paper ballots were the norm in India for over 40 years before EVMs were introduced. Election fraud has been non-existent since then.
As Tom Scott points out in the video you're just moving the problem. They may not be connected to the Internet, but surely someone has programmed them. Who? And how do you know noone has changed the software? If they've been programmed at one point they can be programmed again.
I think it's disingenuous to ask for the proof of non-existence of something so obvious that if it existed, it would have caused a huge uproar.
There has been no proof of election fraud in Indian elections since EVMs were introduced, apart from the usual whining of the leaders who expectedly lost.
Well, there is currently a huge uproar in India about exactly this so I'm not sure if it's all that disingenuous.
Moreover, even a cursory search of electoral frauds in India throws up a huge gamut of complaints, ranging from 'ghost voters' to missing ballot boxes (and EVMs). Parking aside an another unsubstantiated claim that leaders who lost are just 'whining', I will still contest the claim that 'there have been no electoral frauds' since EVMs were introduced, as your original comment implied.
Considering that the media is always howling about how the results have been tampered with.. Election fraud in India with evms is like hiding a tree in a forest, no-one would know for sure with all the allegations flying around.
Thanks! Edited to clarify that it's still a paper ballot system. But you're certainly correct that there are many shades of gray here, with varying degrees of hypothetical and real danger of compromise.
It's important to have skilled engineers play a part in the design of the system to help identify and avoid these problems.
The city is putting together an Advisory Committee as we speak for this very purpose. I'd encourage anyone interested to apply.
> electronic voting is inherently flawed and is a terrible idea
I see this expressed a lot. But the argument always seems to actually be that electronic voting doesn't play nicely with anonymous voting.
It's possible that either might be a better choice than the other.
If you give people a way to prove that they voted a certain way, then the election is robust against rigging, but you've also allowed vote-selling as a side effect.
the vote-selling side effect is much larger than you'd like.
In Denmark someone made a study and found out that when voting changed from public (everyone could see who voted for who) to anonymous the workers parties gained votes to the tune of double digit percentages.
Presumably what happened before is that the landlords, owners and managers would tell the workers who it would be "best" to vote for if they'd like to keep their job or apartment. If I recall correctly this was around 1910 or so.
> the vote-selling side effect is much larger than you'd like.
> In Denmark someone made a study and found out that when voting changed from public (everyone could see who voted for who) to anonymous the workers parties gained votes to the tune of double digit percentages.
Are you asking whether it is a good thing for people to be able to vote their conscience vs. voting however someone with social/economic leverage over them would prefer?
If the most powerful people in society can bully everyone into voting for their preferred candidate under threat of forceful personal retaliation if they don’t, what’s the point of voting at all?
How do you define “make people better off”? Is political self-determination an end in itself, or is the whole political system just a means to material success for the ruling class?
Personally I think having a wider distribution of power in the society is itself a goal worth fighting for. In the long term it tends to make the society more just, more stable, and more prosperous, and bring the political process more into alignment with solving concrete problems affecting the citizenry.
I guess I'll expand a bit. There's no limit to how finely we can grade the amount of electoral power given to which groups. If you think the purpose of elections is to produce good outcomes, it is vanishingly unlikely that an ironclad one-man-one-vote system is close to the best we can do, no matter what your idea of a "good" outcome is.
If you think the purpose of elections is to realize the inherent moral virtue of voting your heart, I don't see why I should be encouraged to vote my heart when it tells me that it wants Robin Williams to be president, but not when it tells me that it doesn't really care whether John McCain or Barack Obama is president, but it does want ten dollars.
“Good outcomes” is a bit vague, depends on ideological preferences, and is hard to measure even when we can agree on criteria.
In my opinion the purpose of elections is to make the political system beholden, responsive, and accountable to the populace; to give the political system legitimacy so that it will be popularly supported; and to guarantee peaceful transitions of power and general political stability.
Those goals are undermined when a small number of powerful people can intimidate, cajole, or trick the public into voting how they prefer (usually against the interests of members of the public, and the nation’s interests in general). For this reason, I believe in constraints on campaign financing, election-season advertising, and believe that free, fair, and accessible elections should be a political priority in my country, alongside robust public education with instruction in civics and critical thinking, and a healthy independent media ecosystem.
I have no idea what “the inherent moral virtue of voting your heart” means. Feel free to vote for Robin Williams if you want, but realize that in most countries (including the USA) write-in votes for dead Americans are invalid.
> vanishingly unlikely that an ironclad one-man-one-vote system is close to the best we can do
I have no idea who you’re responding to, or what your point is. Nobody in this thread ever said anything about an “ironclad one-man-one-vote system”.
My main objection against electronic voting and in favour of paper voting is as follows:
Any village idiot can go and observe and verify paper voting. But it requires an expert to observe and verify electronic voting, if it's possible at all.
I'm surprised at the number of people here who think this is a bad idea. To quote Bruce Schneier,
"Security is a process. For software, that process is iterative. It involves defenders trying to build a secure system, attackers -- criminals, hackers, and researchers -- defeating the security, and defenders improving their system. This is how all mass-market software improves its security .... Smart security engineers open their systems to public scrutiny, because that’s how they improve. The truly awful engineers will not only hide their bad designs behind secrecy, but try to belittle any negative security results."
A couple of things to note here,
- This is not the first time. It was done before in 2009.
- It is in a physical location, and will be monitored by people.
- There are various "stages" involved, and I'm guessing anyone who's invited will be vetted.
So we have a monitored, time bound, physical access to device hack-day, open to people to try and break a system to learn it's possible flaws - if anything, the system is only going to get better not worse.
The likelihood of someone finding a vulnerability and not disclosing it is much more troublesome when they were the only people doing this. If the system is opened up to a large number of people, it is more likely that the vulnerability in question __will__ be found and fixed.
Imagine if you took a vote with paper ballots, and then went to every one of the tens (if not hundreds) of thousands of people who had a hand in creating a voting machine (think of the millions of lines of code in the OS and drivers, and the billions of transistors) and left the unsealed box of votes with each of them, alone, for several hours. That box would travel to people in many foreign countries, some working for intelligence agencies. Would you trust the votes after that?
It's possible to hide exploits in so many places - consider the obfuscated C contests, or the trojans that have been found in SSDs, or that hack a while ago where someone compromised a RNG by undetectably tweaked the dopant levels on a chip.
It takes very little to swing an election if you're strategic, sometimes less than 1% of the vote, and having the head of a state owe you a favour (not to mention the blackmail material), is well worth compromising one or more of the people involved in the production of the machine.
To make a demonstrably exploit-free voting machine, you'd have to design and manufacture every chip yourself and write every line of software (including the OS) yourself. Not only that, but everyone involved would have to be trusted to not be bribed, and to not make any mistakes that could lead to an external exploit. That's completely unrealistic, so countries are essentially saying "it's OK if there's a possibility for someone to take control of our country through fraud, because even though we know for sure that it's possible, we don't think it will happen to us".
Elections are too important to let the fools and charlatans who say things like "unhackable" to have influence over anyone with the the power to make decisions about electronic voting machines. Everything is hackable, given the resources and the motivations. Gaining control of an entire country is sufficient to have both.
> Elections are too important to let the fools and charlatans who say things like "unhackable"
Can there be process that can be guaranteed "unhackable".
The paper based Ballot Box election in India were subjected to an even higher degree of reported rigging/hack then EVMs.
They are not saying "our elections are unhackable" they are saying "our already manufactured machines as available to register votes are unhackable". It could be true today. But now that they have thrown open the challenge who knows if future such machines will be or not. IIRC the machines are hardware with no installable software.
The issues you raise about chip and firmware vulnerabilities remain. And the Govt of India have painted a target on their backs for the foreseeable future and way beyond.
> It takes very little to swing an election if you're strategic, sometimes less than 1% of the vote
Good points. I'd add that the potential attackers include national intelligence agencies and other very well-resourced groups, including criminal organizations, corporations, and others. For them, the value of controlling the outcome of an election can be many billions of dollars or existential.
It doesn't matter if it takes a little or a lot; the cost is unlikely to be a deterrent to those types of attackers.
This. You are basing the bedrock of your democracy/country on an illusion.
I have had countless discussions with my colleagues and not one of them understands the gravity of closed EVM machines instead believe in security by obscurity. It makes me sad that if the very people who work in technology are like ostriches with their heads buried in sand, how can you expect the lay person to understand the argument for implementing a verifiable system. Its an anathema.
Anyone who argues for this is either a case of sour grapes or anti-government/anti-democracy.
Also can anyone please clarify how one one can go about taking part in this process, wasn't clear to me from the article.
Even if it was possible to guarantee that the machines were not hackable. What is stopping a undemocratic candidate to cry foul. It is just too easy to blame it on the technology. People do it even for paper systems where it is evident even for a lay person to know that fraud cannot be done at a large scale, that needs to involved hundreds or thousands of accomplices.
Wouldn't a reliable safeguard be to have people vote and then verify their vote using an entirely separate system with an entirely separate database... then compare the two and identify any possible mismatches.
You'd then require a hack to comprise entirely different systems of hardware & software simultaneously. No one hardware vendor could control it?
That theoretically makes the hack harder (you've got to hack two systems/vendors), but we're talking about attackers with potentially state-level resources.
The bigger problem is that it can be used to verify that a coerced voter cast their ballot the way that the coercer wanted.
My question is: why go through all this incredible effort, and take such huge risks, when paper ballots do the job just fine?
I'm guessing you only need to hack one system to throw doubts on the election process, and maybe start some sort of narrative that influences people to vote the other way in the repeat election. Also, the second verification database, mey be needed to be guarded more securely for a longer time in order to give people a chance to verify their votes.
The electronic voting machines are not much different from a paper ballot system in that they are just boxes that hold vote counts, in bits rather than bits of paper. They are not network connected and to my knowledge they are not easily programmable once deployed in the field. i.e, they would require collusion of a large number of local officials, including that of the central election commission officer deployed in order to facilitate reprogramming.
Elections if rigged are done so by people, so the threat comes from the vast numbers of government employees who are deputed from their day jobs to perform election duty. These people hold the power to rig elections by miscounting the paper votes. If the counting process is digitized using dumb machines, then that would maybe take care of the malicious counting problem.
Ultimately any system would rely on the integrity of the actors involved to function properly. In a country with levels of corruption that India faces, it is easier to keep an eye on the few direct employees of the election council rather than every person deputed for election duty.
This is not a technical issue. This is pure ly a political issue. Allow me to explain why I say so.
This purported "open challenge" is an response to the current political drama staged by the opposition parties crying foul over lost elections.
In UP, the current ruling party sweeped with a thumping majority. (325/403)
But, the same Congress and AAP that were defeated to nil in UP, got significant and in fact leading number of seats in Punjab - 77/117 and went on to form the government. AAP got to form the Govt in Delhi in the last elections.
In Manipur and Goa - Congress got 28 and 17 respectively and was the single largest party. It is another story that they were not able to muster enough strength to form the government. [1]
So, basically, they cry foul in UP accusing the machines were rigged. But, they happily accept the same machines' verdict in Punjab and form the govt and conveniently ignore the fact that in two other states the same machines gave them the single largest party status.
What election commission is trying to do is to prove their parity across parties, which you can see from the above results. Election Commission is an independent body in India and cannot be influenced or rigged towards one or other party of which the opposition is accusing them of unfairly.
Having said that, yes, any system is hackable may be, people can try. But, hey, at least EC is open about it and cannot be accused of favouring any one entity. It can be thought of as a hackathon and if someone finds a bug, they will fix it.
Chiming in about Punjab. There was a VERY strong anti-incumbency wave against the ruling SAD-BJP combine (they have been in power for 10 years). The two main opposition parties were Congress (another 100 year old party) and AAP (a new party backed mostly by millenials challenging the establishment). AAP had a strong wave in its favour. People were flocking to their political rallies. Both SAD-BJP and Congress were determined to make sure that AAP loses, so that they can continue to their old ritual of 5 years for me, 5 years for you. If SAD-BJP had won, there would have been riots in the streets, because everyone would know that its impossible without fraud. So, there are conspiracy theories that instead of rigging the machines in their favour, the current ruling party (BJP) rigged it in Congress's favour, to make sure that AAP loses.
> So, basically, they cry foul in UP accusing the machines were rigged. But, they happily accept the same machines' verdict in Punjab and form the govt and conveniently ignore the fact that in two other states the same machines gave them the single largest party status.
I have no dog in this fight, so this is not political but purely a response on the reasoning.
Questioning the security of a system doesn't mean you believe all such systems have been compromised.
Minor correction: AAP had no candidates in UP, so they did not lose there. They got 20/117 in Punjab and a NIL in Goa.
Political parties crying after losing elections is nothing new in India. BJP cried after the 2009 Lok Sabha results. See this speech in the matter by Subramanian Swamy (a senior BJP leader): https://www.youtube.com/watch?v=AXpPRbQx1WI
Agree on AAP. I was meaning to write they did not cry when they won in Delhi.
For Subramanyan Swamy, if I remember correctly, he did not stop at crying foul. he went to Supreme court and got the VVPAT installed. It is another matter if VVPAT makes it foolproof though, but definitely helps.
I am not supporting this party or that party - all I am saying is that - 1. EC cannot be blamed for partiality as it is made out by the opposition parties and media 2. This is more of a politically driven issue than a majorly technical exercise.
> Election Commission is an independent body in India and cannot be influenced or rigged towards one or other party of which the opposition is accusing them of unfairly.
Yes. In India Election Commission has a very special status and rights - in many ways, it's power subsumes the actual government at the time of the election.
Of course it is possible to go to great lengths to rig the system to destroy this situation as well but any sensible person/group will understand that the impartiality of the EC is in the larger favour of everybody.
Better than in Argentina where a guy reported to the company that built the voting machines about some SSL certificates being leaked and they raided his home and then sued him.
In a national law to introduce voting machines nation-wide the law sets up to five years IRLC if someone does an unauthorized audit. Luckily the law was repealed last year but the current government is still pushing voting machines province by province.
Booth Capturing and Ballot Stuffing were violent practices esp. in 80s and 90s in some places during Election. People actually died for every election cycle either perpetrating or protesting these kind of things.
Given the logistics, introduction of EVMs have reduced these kind of election day events, even though Election day violence is more clashes between supporters, the polling booths are much safer now than couple of decades ago.
I would argue that the methods of electoral fraud have changed. Now a days its more of "may I have your voter id card, why do you want to go out and vote, who knows what may happen, may be you will get a broken leg, may be your child will get one. Let me help you, I will cast the vote for you. You dont even need to show up....you know the broken leg and all...why take the risk"
Because it has changed. The EC actually works. If you knew anything about elections even 3 decades ago, the fact that India has managed to give most people an election which works, is fucking amazing. It's a fact woefully lost on the generations born after a certain point.
I won't say voting machines are the magic to it all, but it did help a country with labor and service delivery issues to manage it better.
EVMs were always hackable, but the critical man power and tech orientation in political parties to take advantage of this hasn't been there.
This may only recently have changed. Even then I doubt it, there's other ways to win elections.
Sorry that's absolute bull. Apart from an exception or two ECs have been sycophantic puppets, ever ready to grovel. It seems you weren't born yesterday, neither was I, so you would know this.
Even if EC intends to do good, he/she cant do much until there is a formal complaint raised by the district magistrate (many are simply bought out). So even if the opposition cries itself hoarse, EC does zilch.
I am not making any claims about the EVMs, just that the electoral process is no where close to as clean many of its proponents claim it to be. Tech alone cannot solve this problem. What we have here is the analogue of rubber hose decryption.
> Sorry that's absolute bull. Apart from an exception or two ECs have been sycophantic puppets, ever ready to grovel.
I strongly disagree with your assessment. The mechanics of what happens when polling starts as I remember it,
- The EC assumes complete control over all civil services, including transferring people in response to independent assessment and complaints.
- Courts in India can't interfere with the EC. The government is disallowed interference as well. The constitution guarantees this and has been upheld by judgments in the past years.
- The chief EC commissioner can only be removed by impeachment in Parliament. The other two election commissioners can only be done so by the CEC's recommendation.
- Senior officials from different states are election observers in other states - and they are liable to be suspended even if phone calls are recorded between them and a political appointee.
- All paramilitary and police forces come under the command of the EC. As a result, they are free of machinations from the home ministry which is usually responsible for their control.
- Candidates make multiple reports during the campaign process and the EC does strict accounting for all this. It bans liquor sales and drafts banks to report any overt cash transactions.
I don't know where you're getting your information from, when you were born, why you think the EC is sycophantic, or how that would even help - but the EC's role in the Indian elections is more like a safe maker trying to hoodwink the safe cracker - it will never be perfect, but given its many constitutionally guaranteed rights, it is agile enough to try and stay a few steps ahead of the curve. It is this very flexibility via which the ECI can even think about opening something like this up to a challenge.
> I don't know where you're getting your information from,
Using eyes and ears and just being aware of my surroundings.
Trivial counterpoint. Pickup a state, say West Bengal. Count the number of egregious incidents of violence and intimidation reported by competing political parties and the media, including live videos. What action has the EC taken and what has that changed.
> - The EC assumes complete control over all civil services, including transferring people in response to independent assessment and complaints.
... and then does what ? You are being completely naïve in the open bedfellows relationship with IAS and politicians. There are exceptions, but rare.
> Using eyes and ears and just being aware of my surroundings.
Hmm, not quite the best sources of information then. Have you talked to anyone on the ground? Have you been an election observer or volunteered in any? Have you read the independent reviews of the EC? Talked in any detail to senior officers in any branch of the executive who may offer perspective?
> Trivial counterpoint. Pickup a state, say West Bengal. Count the number of egregious incidents of violence and intimidation reported by competing political parties and the media, including live videos. What action has the EC taken and what has that changed.
Hardly trivial. This is a law and order situation, and is dealt with appropriately.
> ... and then does what ? You are being completely naïve in the open bedfellows relationship with IAS and politicians. There are exceptions, but rare.
Naïveté is an easy thing to call upon in cases when information isn't easily accessible. Your statement, to me, makes it appear that not only could you have wrong or incomplete information shaped by public media - you're not willing to even consider that this may be the case!
> Hmm, not quite the best sources of information then.
Well, when I am standing in a queue to vote, I trust my eyes and ears more than what some report says about things that happened while I was standing there.
> This is a law and order situation, and is dealt with appropriately.
All that law and order violations were a means to an end and the end is tampering with the mandate and that is exactly where the EC has to step in. If all they can do is pass the buck and let the tampered mandate be counted as real, well it is not serving its one and only purpose. I am being charitable here in assuming goodfaith on EC's behalf.
> Have you talked to anyone on the ground?
yes many
> Have you been an election observer or volunteered in any?
volunteered yes, but not formally as an election observer and not as a part of any political outfit.
> Have you read the independent reviews of the EC? Talked
in any detail to senior officers in any branch of the executive who may offer perspective?
some of it runs in the family so I do have some insiders perspective plus volunteerism does give me opportunities to interact with IAS officers in the field.
And public media especially TV is crap, newspapers are somewhat better. There are one or two decent ones that I treat with some respect, rest are tabloid'ish garbage. But to the larger point, no, my opinions have very little to do with what goes on the popular media.
That it has improved I will wholeheartedly agree. Much more is needed. I think one of the biggest contributions of EV has been to bring the costs of an election down (modulo normalization for inflation, population etc.).
I dont have as much a respect for the EC as you seem to have. My disdain is targeted less towards "EC the institution", more towards the lack of a functional vertebra of the chief ECs that we have had (barring exceptions of course)
However, we are still far far away from the ideal that every election in the country are free and fair.
...and finally thanks all for the discussion we had here.
This is India man. The achievement of the EC is so phenomenal, that it's respect will endure. And the issues with the EC, from what I remember, were manufactured. Optics to deal with a strong EC. And I've been through the dacoit, booth capturing end of Indian history, it's genuinely an accomplishment, its nuts that it even worked (works) at the time it began to work.
Edit: similarly with the SC. Both of these were institutions which were beyond reproach, and I pretty clearly remember the times they both got dragged into the political limelight. The issues were largely to deal with their growing power over the political class. And this is something which you'll see had support on all sides of the political aisle.
Funny that you and I keep discussing here when we are pretty sure everybody has left the building. An institution that I find absolutely remarkable is the Indian army (I am clubbing navy and air force in the same bucket). What I find striking and particularly especially so when compared to the defense forces of countries that were born under similar circumstances (no not just Pakistan) is that it has never exerted its political will. Sadly things are changing now with the army taking on clearly politically motivated stances. Govts are making politically charged appointments. The govt and the forces have started to play a tango and tat is not a good development.
I know. And with the net/social media/whatsapp - stupid things which could once die down, now echo for much longer and start collecting momentum. Where they would once have just died down and been forgotten. Recent case in point is the national language row. Now thats breaking into a potential north/south identity divide.
People are playing with fire, and damn the consequences.
You are obviously a troll with zero intention to contribute to any meaningful conversation. Voter impersonation is not that easy with all ID card requirements. If it were we would have more difficult problems than a simple choice between paper ballot boxes an electronic voting machines and this conversation would be moot.
> Voter impersonation is not that easy with all ID card requirements.
I would make a far stronger claim, its actual non-trivially hard. But when the executive branch has been bought out by the incumbent govt (which is frequently the rule rather than the exception in many states) those technological and procedural hurdles dont amount to much. As I said it is not a technological problem.
> You are obviously a troll with zero intention to contribute to any meaningful conversation
I wish it was that. Sadly these are things that deeply affect human lives and their potential, and I dont know what to do about it
Both articles state that the researchers were arrested for stealing (or taking possession of) a voting machine. Quote from the Wired article: "Halderman says the researchers believe the person who gave them the voting machine had legal access to it and provided it in the interest of transparency and scientific study."
That's a little different than being arrested for finding bugs in the software or hardware. Prima-facie, it does seem like stealing government property without proper written authorization. Arrest still seems excessive, but the circumstances seem to be a bit more nuanced.
The guy who got arrested and I are second cousins. He is not a researcher, he is a businessman. He also has close ties with one of the regional political parties in India.
Looks more like a media stunt by the Election commission to save its face. If they are real serious then they should pay security researchers to find a bug in the EVMs, Like bug bounties with real money prizes. As a computer programmer I find it hard to believe that EVMs cannot be hacked.
Even better political parties which are claiming about machines fallacy should show some better evidence than 'Only because of machines we lost' bullshit.
The burden of proof (or at least of showing good evidence) rests on those deciding to deploy the equipment. If the best response they can offer is to assert "that did not happen", the system is not ready for deployment.
Ignorant question, do these kinds of challenges open up risk to someone being able to test the system, find vulnerabilities and then not disclose them so that they can be exploited when the election actually comes around?
And how do we know the machines no-one was able to (publicly) hack are the same ones, running the same code, that are then used in the elections? That no on-chip memories were re-flashed, that no secret hardware bug/backdoor was used? No matter how open source/open hardware/open audit you go, in the voting booth they're still black boxes that could have been tampered with.
I'm not saying these machines are unhackable, but with the addition of additional constraints they are _almost_ perfectly secure.
For ex., On election day, mock voting and counting is done in the presence of all party representatives - the results are then erased before the actual counting. And representatives of all parties are mostly around when these machines are moved around and counted. Also, the way party symbols are listed is not pre-determined etc. and hence cannot be predicted by someone wanting to add votes to a particular party.
Source - my mom has been a presiding officer during elections a couple of times, and I've looked at the training manuals..
Mock voting can only detect malfunctions, not backdoors. Randomization of candidate ordering is a trivial challenge to overcome for a backdoored EVM. Don't fall for EC's PR.
Here is an example: Is NOTA ("None of the above") option's location also randomized? If not, a backdoor would listen for this sequence: NOTA, NOTA, NOTA, X, NOTA, NOTA, NOTA, X. And then it would start re-assigning votes in favor of X with say 60% probability. It doesn't matter where X is located. The backdoor might trigger only after a few 100's or 1000's votes have been given. How will mock voting or randomization help here?
The sad thing is that all these weaknesses have already been detailed in Hari Prasad's original paper. But EC continues to dish out the same flawed defense: https://indiaevm.org/evm_tr2010-jul29.pdf
Such a challenge could be a huge disaster for the EC of India
Can a single EVM be hacked? when its not connected to internet - With sophisticated tech (and engineers) - Yes. Its digital electronics after all
Can that be done consistently across machines under different ambient environments? - Higher than 50% accuracy, but not 100%.
Can it be done at scale? No - that would be too costly even for the political parties with a higher probability of it becoming a widely known technique
But the answer to the first question is enough for the opposition political parties to force India into paper ballot voting. And paper ballot in India is easily hackable for political parties - just spend money, hire bullies and prevention is ensured not to work at this scale.
Can anybody share a complete set of images (from every angle) of electronic voting machine used in India. How many ports does it have (USB?, UART (RS232)?, any other?). Its working details, etc?
Consider what happens if an attack is detected after an election:
As HN readers know, even if you know your systems have been penetrated it can be very difficult to detect the extent of the damage: Which records have been changed? Deleted? Added? And what authority decides? We can expect that every party will produce experts who make claims in their parties' interests.
Probably, we wouldn't know the accurate election results. What then? Rerun the election?
* Is there a legal provision for that? What authority gets to decide that the democratic will of the people, the ultimate authority, is invalid and should be tested again? That is a very dangerous path to go down.
* If the results change, you can imagine the response from the new losers and their supporters.
* Who is to say the second election is valid? If the same machines are used, will the public trust them? Is there time to create a new national election infrastructure?
Reporting a possible attack to the public could destabilize democracy and have no real resolution. As has been reported, intelligence agencies such as the Russian FSB may be more interested in destabilizing things than in a particular result. They could even purposely leave evidence of an attack, without carrying through with it (and of course hiding the true perpetrators).
Based on that reasoning, it is absolutely essential that we prevent attacks. My very strong opinion is that a purely paper election is the only solution.
"The Commission had announced a similar challenge in 2009 and it claimed no one could hack its EVMs."
No one can hack them, or nobody has had long enough with just "a week or 10 days". Hardware and software reverse engineering can take significantly longer, depending on the complexity of the machine. It's likely they will also be limited in what they are allowed to use. If they are so confident, open source the designs and let researchers take a look.
Another reason for why their claim may be false, is the value of somebody freely giving their hack away. Sure, a moments national glory as you get a targeted painted on you for publicly embarrassing your government - or - lots of bit coin on the black market to the highest bidder.
Ideas:
* Simply place a piece of pink paper over the top to change the details, so the buttons no longer correlate to their correct vote. Enough people in enough provinces would make a serious difference. At the end of the day, have somebody take the paper back off before the poll closes so that the evidence of tampering is gone.
* Large electro magnet to device, making all votes erased. Using statistical data from previous elections, as well as popularity polls from previous elections, predict which machines will be worth taking out to sway the vote. These devices are electronic, therefore likely to use some form of memory that is electromagnetically erasable or corruptible.
* Hack the device that retrieves the data from the machines.
* Social engineering, through bribery or blackmail.
It is not some powerless hackers/individuals who claimed machines are hackable. These claims are made by powerful political parties with resources, government in various states and large cadre etc.
So your points are not applicable in this case. Hacking machines should be much easily provable than random generic political charges like 'govt/politicians are corrupt' or officialdom is lazy etc.
In some of the U.S. states they do keep paper ballots, but when they did an audit and saw some significant discrepancies, they threw their hands up in the air and said that it's probably nothing nefarious - just machines being glitchy and all.
So paper ballots are nice, but it's certainly not enough. You need a system put in place so that when there's an audit and the numbers don't match, a revote is automatic, and the commission can't just excuse the issue away with "glitches." Or at the very least, you recount all the paper ballots and go with those results.
But this process needs to be guaranteed under the law somehow. You can't leave it up to the those in charge of the elections, who may happen to benefit from a result, to decide whether there should be a recount or revote. And the punishments should be drastic otherwise (we are talking about maintaining the integrity of the democracy after all - slaps on the wrist shouldn't happen punishments need to be handed).
There was an election recount that found a significant difference between the paper count and machine count? I'd like to read more. Do you have a link?
Brazil had some events like this but all of them were façades. They are designed to validate the decision to deploy electronic voting machines and nothing else so only a carefully selected group of people will be invited, there will an impossible time limit and machines should be handled like black boxes (they were not considering some group stealing a voting machine in order to study it).
At one particular event[1] an engineer detected RF noise leaking from the keyboard (Van Eck Phreaking) but the government dismissed it as not being a practical attack. In a country where politicians literally buy votes in poor regions, vote secrecy is a big concern.
The problem with voting machines is so much deeper than 'hacking the machine'. It's a matter of trust of the code and perhaps more importantly, all of the people and process that are involved in the software, hardware, and running the actual election.
Is the source open, and has it been audited? Has the tool chain been audited (eg: the attack described in Reflections on Trusting Trust [1])? Are they using reproducible builds[2]?
This includes not just the software loaded on the machine itself, but the tallying software used to count all the results.
Even if you can verify the code contains nothing like a "defeat device" [3] (eg: detect it's actually election day and only then enable vote-stealing mode), how do you know what's actually being used?
How does a voter verify that the build running on the machine is actually valid and the expected one? Even if the voter has to trust the people running the election, how do those people verify it? If all the polling stations load software onto the machines on election day (to ensure it's the right software), that opens up the possibility of someone injecting their own bad software. If they have to rely on a central organization loading the machines, there's a whole delegation of trust happening and being concentrated in one place -- easier to verify, in some ways, but also easier to compromise.
So the only way to run a valid contest is to provide access to the entire process. Can I modify the software used to tabulate? Can I act like I working at the company providing the software/hardware and have access to the code, build process and signing keys?
If that's possible, and you can still detect cheating, then that's great, but I also fear it's an arms race with no end, and it's just a matter of one-upping the other side.
If you believe in democracy and have the skill set to do the deed, please give this a go. I believe this is a non internet connected device. For the recent state elections, voting happened months before the results were announced. Even exit polls were deemed a criminal activity. The machines were sitting with "officials" in a "lockdown" for months till they were counted. You have to prove that you could somehow alter the count when you have the machine for 1-2 months while also having any cryptographic keys necessary in your procession. One current chief minister(The elected leader in state) and 3 former chief ministers suspect the elections were rigged in Uttar Pradesh, a state with 220 million population with 20% Muslim population and the election installed a right wing Islamophobic leader who could be the leader when another Gujarat style riot happens(2000 Muslims and 800 Hindus got killed while our current prime minister was the chief minister there. He was cleared of all wrong doing by supreme court as no proof existed of direct collusion. Some call this a genocide.)
For starters, the newly minted Uttar Pradesh government installed a Anti Romeo squad to prevent what's called "Love Jihad", roving gangs of young muslim men trying to get Hindu girls to marry in a sinister plot to increase the Muslim population. As per Indian constitution, you can have 4 legal wives if you are Muslim and divorce anyone with three utterances of the word "talaq". Uttar Pradesh government also has an anti beef squad to prevent killing of holy cows. Recently 4 men transporting cattle in a vehicle were apprehended and assaulted. One of them died because of the heavy beating he received. These "squads" are employed by state in a quasi legal manner. There's also talks of reviving a demand to build a Hindu temple on Babri Masjid, a 14'th century mosque that was demolished in 90s by the current constituents of government causing nation wide riots. The mosque was demolished as vengeance for an alleged demolition of an early Hindu temple on the same area during the time of the first Muslim emperor in India in 14th century.
Babur is not first Muslim ruler, first battle of panipat was 1527 (or near that year), he fought against Delhi Sultanate, which is already Muslim.
Babur was king of Fergana Valley, and half-turkic and half-mongol, who lost his kingdom because of logistic blunder and was invited to India by a Prince and thus started his campaign in South Asia.
He did destroy a Temple (which already survived about 5 centuries of Islamic rulers) and built the mosque, the mosque was not being used since 1949 or so, and Hindus were praying on the grounds since mid-80s.
If you want to say, Babur was first Muslim Emperor of India, bring the argument with references. Tuglak had bigger Empire than Babur, and he was well into Deccan and even moved the capital there. This was 200 years before Babur.
Obligatory Computerphile/Tom Scott video on why voting machines are an awful idea; if you haven't seen it, it's a great watch: https://youtu.be/w3_0x6oaDmI
In all honesty, I like the implementation Estonia is doing.
In effect, your identity card allows you to vote as many times as you wish. You cannot see your vote, but the newest vote overwrites the previous vote.
This means, that if you are coerced to vote a certain way, you can simply make another vote and wipe out the previous one.
The only downside is this would require a national ID program, which many religious extremists are very much against.
Many not-religious-extremists are against it too. Given the abysmal security record of the federal government, putting all the things in one database instead of having it distributed among 50 just makes it a bigger target.
That, and knowing the federal government, such a system would cost a ton, be an overwrought mess of spaghetti code created by some Enterprise Software(c) firm, barely work, and most importantly, be rolled out primarily to benefit the government, rather than the citizens paying for it.
Having a smartcard and having a single database are two completely orthogonal issues. In my country, we have the former without the latter - in fact, we still have different IDs for different services¹. The smartcard serves as a single authentication device, much like you can have a single SSH key for many servers.
¹ Using a single ID for each person is forbidden by our constitution, in the article regarding the usage of IT.
Fair enough, but that still doesn't obviate the cost and competence concerns. Knowing the state of fed IT, it would probably wind up being a 5-year-old RSA dongle variant that uses RC4 or some such.
For those who are unaware in some recent state level elections in India some political parties were roundly defeated. So as part of introspection about campaign and policies they decided to blame it on voting machines.
I am not sure that voting machines are unhackable but when today's losing parties were winning in past years they seemed pretty sure that win was all due to overwhelming public support and not some rigged machines.
If you live in the Bay Area and are interested in securing elections, now is a great time to get involved. There's a public meeting next week (sfgov.org/electionscommission).
I'm also happy to get coffee and catch anyone up on where the effort stands – email in profile.
EDIT: I should have clarified that the new system will remain a 100% paper ballot system. The software involved is to organize, print, tabulate, and tally ballots. There's a strong community that opposes inherently risky approaches involving things like digital storage and the internet (again, reach out if you're interested in joining!).