tl;dr – What is the state of EVMs in India?

• The security procedures and deployment practices of EVMs in India have not been subject to public scrutiny.
• Closed audits of the EVMs were conducted but were staffed by researchers with no background in EVM security.
• The executive committee of researchers were also made to produce a judgment on the safety of the machines based only on literature produced by the manufacturers of the EVMs (notice the conflict of interest).
• A security audit of the source code running on the EVM micro-controllers has never been conducted (or at least ones whose results were made public).
• In spite of reports having been published that demonstrate vulnerabilities in the EVM, the attacks have not been addressed.
• Various reports that have demonstrated attacks show that even rudimentary cryptography is not used to ensure that the votes cannot be tampered with between the time of the election poll date and the date of final counting.
• The sliver lining to this discussion is that the election commission has since added the functionality to conduct voter verified paper audit to the latest generation of the EVMs.

Electronic voting machines (EVMs) are devices that replace paper ballots used in elections. India’s love story with this technology began in the 1999 Lok Sabha (Parliamentary) elections and has used it in ever election since. EVMs come in two major varieties: the first of which involves the voter marking the choice in a paper ballot and using the EVM to “count” the vote, and the second type removes the need for the paper ballot entirely. India has been using the latter variety of EVMs in it’s elections. In more detail, the vote is registered on the device and remains within the device until it is totaled at a central location.

EVMs are a god send to the election commission (“the magic box” as ex-chief election commissioner Quraishi put it at a recent talk at Berkeley). Not requiring paper ballots makes transport easier and significantly reduces costs, allow instant counting of votes, reduce “errored” ballots since only a single choice can be made, etc. Wikipedia does a fabulous job at describing the benefits of EVMs.

In April 2010, a group of researchers including Hari Prasad, Rop Gonggrijp, and J. Alex Halderman released a website and an associated technical report that demonstrated security vulnerabilities in the EVMs used in India. The website describes the attacks as (In the mean time, one of the primary authors of the report; Hari Prasad was persecuted for being in possession of an EVM which is illegal and later acquitted. This was clearly a bad move by the election commission as it brought even more publicity to the matter as well as a mass following to free Hari Prasad):

One attack involves replacing a small part of the machine with a look-alike component that can be silently instructed to steal a percentage of the votes in favor of a chosen candidate. These instructions can be sent wirelessly from a mobile phone. Another attack uses a pocket-sized device to change the votes stored in the EVM between the election and the public counting session, which in India can be weeks later.

These attacks are neither complicated nor difficult to perform, but they would be hard to detect or defend against. The best way to prevent them is to count votes using paper ballots that voters can see.

This was not the first time the election commission was made aware of the security issues in the EVMs. Omesh Saigal, an IAS officer had demonstrated vulnerabilities in the EVM software. This raised serious questions about the 2009 election results. Note that the election commission in India has always claimed that the EVMs are absolutely “tamper-proof” although the Delhi High Court has judged that these devices require additional work to be hardened. An excerpt from the report reads (emphasis mine):

There may be security issues as well. Though, there is no evidence that such things (election fraud) have happened so far and it is not even suggested by Dr. Swamy, the Election Commission had itself started the exercise of experimenting this and to improve the system to make it foolproof. For certain reasons that is abandoned midway.

The Indian EVMs were security reviewed twice before the 2009 elections. Both reviews recommended a few changes to the EVMs but “unanimously certified that the system is tamperproof in the intended environment”. Hari Prasad’s report further notes that none the members of the executive committee that reviewed the EVMs had any prior security experience – C. Rao Kasarbada, P.V. Indiresan, and S. Sampath in the first review and A.K. Agarwala, D.T. Shahani, and P.V. Indiresan in the second. To add to the handicap of limited experience in the subject matter, they were also not provided with the source code to the EVM but instead were forced to judge the security preparedness of the system based on presentations and demos by the manufacturer of the EVM. To this date, the Indian EVMs continue to remain a black box whose code base has not been audited neither by an executive committee nor publicly.

After the furore created by Hari Prasad’s report, the election commission appointed another executive committee once again chaired by Prof P.V. Indiresan. This time it was decided that the EVMs should follow a voter-verified paper audit trail that prints out a paper with the symbol of the political party that the voter register his/her vote for. The voter can thus verify that the vote was in fact counted towards the right candidate and voids attacks such as the “dishonest display attack” described in the paper.

I debated with a few friends about the security problems in EVMs and the discussion always boils down to our own definition of what is a reasonable level of security that should be enforced. In the area of systems security, it is an accepted notion that perfect security is impossible, but the job of security researchers is to raise the bar for attacking the system sufficiently high enough that it would no longer make financial sense for the attacker to take on the risk. Lets look at some of the statistics for the Indian election.

• India has the largest electorate in the world totaling to over 750 million eligible voters. They are serviced by recruiting 11 million personnel for the job.
• There are over 1.3 million electronic voting machines (each costing between 200-250 USD) deployed across 800,000 polling stations.
• The cost of conducting each election is close to 200 million USD. This means that the cost of the EVMs consume a huge fraction of the election budget.
• This should be compared against the cost of a systematic election fraud being exposed:
  • That would be a step down from democracy itself since we can no longer claim to have held ‘free and fair elections’. The reason why the election commission was made into a federal body with overarching powers during election time was precisely to conduct its mission of holding free and fair elections.
  • India’s international image would be extremely hit.
  • By having the wrong party in power, the responsibility for their mistakes should be attributed to the fraudulent election. For the sake of argument if say the 2009 elections India was tampered with (I am not saying they were), now would the loss to the exchequer based on all of the scams that were exposed would be attributable to flaws in EVMs.
  • We can try to estimate the value the EC places on each vote. The EC even maintains polling stations with areas that have a single registered voter. If this is in fact the value of a single vote, can we imagine the cost of a systematically manipulated election?

I hope I have managed to convince you of the importance of “free and fair elections” (which is really the pillar of a functioning democracy). Unlike isolated human errors that creep in during the counting phase, a flaw (malicious or not) in the EVM would be a systematic fault that could cause much more wide spread problems. Now the question to answer is whether the EC has taken sufficient steps to ensure the integrity of the EVMs. Let us start by looking at other security audits done around the world and how they treated their reports:

• Bugs in computer programs are everywhere. Bruce Schneier (a very prominent computer security researcher) says this in his 2004 blogpost:
  
  

  In Fairfax County, VA, in 2003, a programming error in the electronic voting machines caused them to mysteriously subtract 100 votes from one particular candidates’ totals.

  In San Bernardino County, CA in 2001, a programming error caused the computer to look for votes in the wrong portion of the ballot in 33 local elections, which meant that no votes registered on those ballots for that election. A recount was done by hand.

  In Volusia County, FL in 2000, an electronic voting machine gave Al Gore a final vote count of negative 16,022 votes.

  The 2003 election in Boone County, IA, had the electronic vote-counting equipment showing that more than 140,000 votes had been cast in the Nov. 4 municipal elections. The county has only 50,000 residents and less than half of them were eligible to vote in this election.

  There are literally hundreds of similar stories.

• Usability problems have restricted the adoption of EVMs including in Ireland and Finland. This is an even larger issue in India with it’s large illiteracy rates, multi-lingual and multi-cultural society. Kudos to the EC for having taken care of this situation very well. The use of the political party symbols in the ballot in addition to the candidate names is one of the amazingly simple but game changing innovations.
• In 2009, Germany’s court system banned electronic voting until the election procedure was made available for public scrutiny. The Dutch had also banned electronic voting a little earlier.
• Australia which also uses EVMs has publicly made available the source code to the machine in order to allow scrutiny.
• The EVMs made by various EVM manufacturers was studied by teams from Princeton and UC Berkeley which exposed many significant flaws in the system. This led to the decertification of three of the tested machines.

In conclusion, EVMs are extremely useful for conducting elections, which is a grand challenge given the diversity and scale of the Indian population (I am a Ph.D. student in computer science, you didn’t expect me to diss technology did you?). However, multiple events have demonstrated many shortcoming of EVMs. The EVMs used in India however does not appear to have been awarded scrutiny at the same level as those afforded by other countries. Transparency and auditability of elections is a key aspect of holding free and fair elections. The current level of auditing performed on the Indian EVMs leaves much to discuss on the table.

A couple of interesting quotes from the India EVM exploit paper:

We have had direct experience with attempted fraud. Hari Prasad, a coauthor of this report, was approached in October 2009 by representatives of a prominent regional party who offered to pay for his technical assistance fixing elections. They were promptly and sternly refused.

In 2009, the Election Commission of India publicly challenged Prasad to demonstrate that India’s EVMs could be tampered with, only to withhold access to the machines at the last minute.

Social networks such as Facebook have intricate information regarding your tastes, friends, locations visited, photos, etc. Online commerce aggregation websites like Amazon on the other hand have information about the type of merchandise you look for and what type of shopper you are. Search engines like Google on the other hand have a wider information base about different items you are interested in and more importantly are actively looking for. Note that while I paint this information collection in a dim light, this in fact is the very reason how Internet services have grown to be much more efficient and useful. Amazon uses data mining to recommend products that you would like to buy thereby reducing the users’ effort for shopping. If Google is able to tailor its advertising to match your exact needs, the paid listing might perhaps give you much better deals. Imagine a scenario where you are searching for information on Hawaii; Google recognizes that you are searching from San Franciso thus that you are probably a tourist planning a trip to Hawaii. Google can now readily provide you with flight details, hotel accommodation deals and tourist packages.

While this rich collection of information can be used very productively, they also offer a privacy threat. This is however, a tricker notion to explain. Part of the reason is that everyone has different expectations of their own privacy. People often think about the tradeoff between utility and privacy as a line graph where, at one extreme is all data classified as public and having high utility and at the other end would be each data object being isolated for one another sporting drastically reduced utility for the user. In reality there are a great many more axes to this trade off. For example, not all application require sharing to provide their fundamental utility. Take the example of a tax application. This application clearly does not need to share your financial information with your neighbors to generate your filing forms. But perhaps, if I considered my financial information less sensitive, I might like to have the application automatically learn from other users’ tax filings how I can invest my money to reduce my tax burden.

This conundrum is the basic challenge of all privacy research. Different solutions justify choosing different points in the privacy-utility tradeoff space. There is no single point that is acceptable to most people. As the example above showcased, depending upon the utility of the application itself, I might price the value of my privacy differently.

Lets look at what the privacy issue in sharing data is. The basic premise of all privacy research is that users want to share as little information as possible to obtain a certain expected level of utility. If data must be shared, users are more comfortable sharing data with “trusted” entities (think banks, government agencies, or even large corporates such as Google and Microsoft). However users are most unhappy about sharing their data with “untrusted” entities that might potentially re-share this data or might use the data in a manner that is detrimental the user’s interests. Note that what differentiates the trusted entities from the untrusted entities is their neutrality towards the data. For instance, I wouldn’t want to share my smoking and drinking habits with insurance companies unless I am required to by law or I am compensated for good behavior by the insurance agency. On the other hand, if I had a smoking habit, I would probably want to share this information with my shopping websites since they can now tailor their deals and recommendations with me based on this information (it is conceivable that the commerce service can use this information to perform price gouging, but in this case I assume that free market dynamics will nullify the effect).

There are two major topics I have not brought up that I intend to cover in depth in a future post. You might have noticed that I have been talking about privacy in the abstract. We assumed that the user makes an informed choice when choosing to trade data for utility. The reality of course is that this is not true. Academics however have come up with a number of different definitions and metrics for privacy such as k-anonymity, l-diversity, t-closeness and differential privacy. There are a number of merits and faults with each of them that I will go into in the next post.

The other topic I intend to cover but have not discussed today is the area of data security and how it fits into data privacy. If data is ill-managed, malicious entities could exploit this to extract information about individual users. Note that I am not referring only to cases where the data server itself is compromised and the raw data being exposed. There has been cases where data that was thought to be anonymized was made public and has been used in conjunction with other data sets to expose data that the users had originally not intended to share publicly. These sensitive information sets that can be traced back to individual users are termed ‘Personally Identifiable Information’ or PII.

AquaMacs comes bundled with the super awesome AUCTeX package and RefTeX. RefTeX is a package that lets you easily access references and citations from your bib file. I don’t use it well enough to talk about it, but I hear it is a
must know tool! I use flyspell-mode by default which uses aspell (?) underneath to perform spell checking.

XeLaTeX

XeLaTeX is a progression of LaTeX with more advanced typography features. I don’t use it much but for my resume in which I use the very nice ‘Linux Libertine’ font. To actually use the font include the following snippet in your LaTeX preamble. Note that you will now need to compile with XeLaTeX and not LaTeX (both of which are bundled with
MacTeX).

% FONTS
\usepackage{fontspec} 
\usepackage[usenames,dvipsnames]{color}
\usepackage{xunicode}
\usepackage{xltxtra}
\defaultfontfeatures{Mapping=tex-text}
\setromanfont [Ligatures={Common}, Numbers={OldStyle}, Variant=01]{Linux Libertine O}
\setmonofont[Scale=0.8]{Monaco}

I also like to compile my LaTeX project from inside emacs and not depend upon sketchy Makefiles. If you use the key combination ‘C-c
C-c’ it will give you options to run LaTeX and Viewing the output. Use ‘C-c C-l’ to see the output of the latex command and if there are any errors in the compilation you can cycle through them using ‘C-c C-`’.

If you choose to use XeLaTeX, AUCTeX does not come preconfigured with an option to run the right commands. You can create a new option by using the below snippet.

(custom-set-variables
 '(TeX-command-list (quote (("XeLaTeX_SyncteX" "%`xelatex --synctex=1%(mode)%' %t" TeX-run-TeX nil (latex-mode doctex-mode) :help "Run XeLaTeX") ("TeX" "%(PDF)%(tex) %`%S%(PDFout)%(mode)%' %t" TeX-run-TeX nil (plain-tex-mode texinfo-mode ams-tex-mode) :help "Run plain TeX") ("LaTeX" "%`%l%(mode)%' %t" TeX-run-TeX nil (latex-mode doctex-mode) :help "Run LaTeX") ("Makeinfo" "makeinfo %t" TeX-run-compile nil (texinfo-mode) :help "Run Makeinfo with Info output") ("Makeinfo HTML" "makeinfo --html %t" TeX-run-compile nil (texinfo-mode) :help "Run Makeinfo with HTML output") ("AmSTeX" "%(PDF)amstex %`%S%(PDFout)%(mode)%' %t" TeX-run-TeX nil (ams-tex-mode) :help "Run AMSTeX") ("ConTeXt" "texexec --once --texutil %(execopts)%t" TeX-run-TeX nil (context-mode) :help "Run ConTeXt once") ("ConTeXt Full" "texexec %(execopts)%t" TeX-run-TeX nil (context-mode) :help "Run ConTeXt until completion") ("BibTeX" "bibtex %s" TeX-run-BibTeX nil t :help "Run BibTeX") ("View" "%V" TeX-run-discard-or-function nil t :help "Run Viewer") ("Print" "%p" TeX-run-command t t :help "Print the file") ("Queue" "%q" TeX-run-background nil t :help "View the printer queue" :visible TeX-queue-command) ("File" "%(o?)dvips %d -o %f " TeX-run-command t t :help "Generate PostScript file") ("Index" "makeindex %s" TeX-run-command nil t :help "Create index file") ("Check" "lacheck %s" TeX-run-compile nil (latex-mode) :help "Check LaTeX file for correctness") ("Spell" "(TeX-ispell-document \"\")" TeX-run-function nil t :help "Spell-check the document") ("Clean" "TeX-clean" TeX-run-function nil t :help "Delete generated intermediate files") ("Clean All" "(TeX-clean t)" TeX-run-function nil t :help "Delete generated intermediate and output files") ("Other" "" TeX-run-command t t :help "Run an arbitrary command") ("Jump to PDF" "%V" TeX-run-discard-or-function nil t :help "Run Viewer"))))
 '(TeX-modes (quote (tex-mode plain-tex-mode texinfo-mode latex-mode doctex-mode)))
)

SyncTeX

The newer versions of LaTeX and XeLaTeX includes a ‘synctex’ option that provides PDF viewers with an option to correlate the postscript text with the LaTeX source. You will however need to modify the latex command that AUCTeX runs in order to include the synctex option that will generate the filename.synctex.gz file. You can also force the synctex option by including ‘\synctex=1′ in the latex file. To above snippet for XeLaTeX already includes creation of the synctex file. For LaTeX:

(custom-set-variables
 '(LaTeX-command "latex -synctex=1")
 '(TeX-view-program-list (quote (("Skim" "/Applications/Skim.app/Contents/SharedSupport/displayline %n %o %b") ("Preview" "open -a Preview.app %o"))))
)
(setq TeX-source-correlate-method 'synctex)
(add-hook 'LaTeX-mode-hook 'TeX-source-correlate-mode)

Everything is set for SyncTeX forward search, i.e. now when you run ‘C-c C-c’ from a certain line in emacs, Skim (in my case) will open up highlighting the current line in the PDF. Note the extra arguments passed to the ‘displayline’ utility that ships with Skim. You will need to install Skim separately.

In order to setup backward search, you will need to configure your PDF viewer (Skim in this case). emacs-server needs to be running in order not to open up many different Aquamacs instances. The below snippet will start the server at aquamacs startup. In order to make the socket file exist at a constant location, you can force emacs server to use a TCP socket which will put the server socket in ~/Library/Application\ Support/Aquamacs\ Emacs/server/server. Open up Skim.app’s preferences pane and go to “Sync”, choose the preset as Custom (Darn it why won’t out of the box solutions ever work!), set the command to ‘emacsclient’ (without the quotes) and the arguments to ‘-f ~/Library/Application\ Support/Aquamacs\ Emacs/server/server +%line “%file”‘ (again without the outer quotes). And now, include the below lines into your .emacs:

(setq server-use-tcp t)
(server-start)

The final step is to make emacsclient point to the correct version. Run the following from your terminal:

$ sudo mv /usr/bin/emacsclient /usr/bin/emacsclient.bak
$ sudo ln -s /Applications/Aquamacs.app/Contents/MacOS/bin/emacsclient /usr/bin/emacsclient

Backward search is now set up. You can use Command + Shift + left click on the Skim reader to open up the file in the right location on emacs.

Multifile setup

I use LaTeX mostly for writing papers and put it on a central versioning system for easy collaboration. Partitioning the paper sections into multiple files make merging of changes very easy. But Aquamacs does not easily understand multifile latex setups. You will need to add TeX variables in each of the latex files for AUCTeX to correctly parse your setup (for proper compilation). In the main file add:

%%% Local Variables:
%%% TeX-master: t
%%% End:

in all other included files add (assuming master.tex is the main file)

%%% Local Variables:
%%% TeX-master: "master"
%%% End:

WYSIWYG

I don’t particularly fancy the WYSIWYG editing within Emacs. But you can enable that using preview-latex (which is also bundled). Make sure to load preview-latex.el and run ‘M-x preview-buffer’.

Files

• Source for my .emacs
• prash-latex.el
• prash-org.el

Emacs Variant

I use a variant of Emacs — AquaMacs which slightly more in conformance to the OSX HIG. You can very well use CarbonMacs. And oh be warned that the nice features of AquaMacs like `aquamacs-toggle-full-frame’ are actually quite buggy.

Emacs Options

I use my Command key as an additional meta key. Also, I remap my caps lock key to function as an additional left control key. Mac OSX lets you do this in a global fashion under the “Modifer keys” dialog in the keyboard preferences pane.

(setq mac-command-modifier 'meta) 
(setq mac-option-modifier 'meta) 

You might also want to optionally turn off the useless toolbar and start using emacs’ really powerful keyboard commands. Emacs poses the irritating “yes or no” questions which requires you to type upto 3 full characters!!. You can replace it with a shorter “y or n” prompt.

(fset 'yes-or-no-p 'y-or-n-p)

I like having line numbers on the left of my editor — whether it is coding or LaTeX or just my notes file.

(require 'linum)
(line-number-mode 1)
(column-number-mode 1)  ;; Line numbers on left most column
(global-linum-mode 1)

What a tramp!

Emacs is so powerful it actually lets you access remote directories using various access methods. I usually access everything over SSH. Just do “C-x C-f //user@remoteserver:remote-path” and voila! You just need to specify ssh as your default access method.

(setq tramp-default-method "ssh")

And oh and did you know that Emacs can open compressed files as well as tarballs like any other normal directory? All you need to do is add:

(auto-compression-mode 1)

Background Colour (Yes I spell colour with a ‘u’!)

The color-theme package has a number of inbuilt color themes you can use. A popular vim color theme — zenburn has been ported to emacs. However, I like my screen with a lot more contrast. I use the inbuilt ‘color-theme-clarity’ with a slightly modified highlighted line background color.

(require 'color-theme)
(color-theme-initialize)
(color-theme-clarity)
(defface hl-line '((t (:background "DarkSlateGrey")))
 "Face to use for `hl-line-face'." :group 'hl-line)
(setq hl-line-face 'hl-line)
(global-hl-line-mode t) ; turn it on for all modes by default

Templates

Emacs has a versatile template package that autofills new files for you. I hate the fact that it replaces the AUTHOR tag with my user-name@localhost-name, rather than my real e-mail address. To solve this I created a new variable with my website and modified template.el to use it. In your .emacs:

(setq user-mail-address "your-email-address@gmail.com")
(setq user-website "http://www.cs.berkeley.edu/~prmohan") ;; Manually modified AUCTeX to use this variable

In template.el add the following to template-default-expansion-alist. I also created a new expansion (WEBSITE) that is not shown here:

    ("AUTHOR" (insert (or (concat user-full-name "< " user-mail-address ">")	; author
			  (and (fboundp 'user-mail-address)
			       (user-mail-address))
			  (concat (user-login-name) "@" (system-name)))))

Coming up:

• LaTeX – Emacs integration setup
• Org-Mode setup

Files

• Source for my .emacs
• prash-latex.el
• prash-org.el

I also had an American friend tell me that he thought there is only ONE curry! I should introduce my American friends to the plethora of spices we use.

The Hindu which is renowned for it’s very impartial coverage of both National and International news without sensitizing otherwise useless news launched a counter aggression. Here are a slew of extremely hard-hitting (and funny at the same time) print and video ads they ran!

The Economist has a recent article that shows that India’s energy generation facilities are in fact not holding up to scale with its growth trajectory. While fossil fuel and nuclear fuel (which has met with significant local protests after the Fukushima incident) are the main expansion frontiers for India’s energy plan, the sourcing of nuclear fuel is subject to political pressures and the sourcing of coal as the article indicates is fraught with red tape. This has made solar power a very viable option. Companies are starting to find that investing in distributed solar generation is in fact cheaper than investing in diesel generators and energy storage which tries to fill in the gaps when grid energy is unavailable.

Another project of interest from the Indian context is the government’s commitment to add 20GW of solar energy by 2022.

1. Identifying how information technology can solve problems in the energy sector.
2. Designing technologies that safeguard the privacy of data stored in remote servers (my advisor hates the word "cloud").

Very preliminarily, I am thinking of applying to Microsoft Research and Google. What other places would be enticing for a graduate student? I am also deeply interested in possibly engaging in something entrepreneurial activity once I graduate. Would interning at a startup be helpful?