Hacking & Mobile Voting
One of the common concern people have against Mobile Voting is hacking. Most of the people do not even understand the meaning of the word, but love to use it as an argument against hacking.
Let's first understand what hacking means:
"Act of cutting into or gaining unauthorized access, esp. remotely, to a computer system or network"
Myth 1 - Hacking is possible only in online or networked world
As is clear from the above definition, hacking is act of getting unauthorized access. It need not necessarily means in networked environment. In fact, with wireless mobile technology network itself has a totally different meaning. Airwaves can be used to access an equipment which might not have been on the network. Once small hidden chip somewhere in a machine like EVM can make it part of the network, although user might be living with false assurance that the equipment is not part of any network.
In case of EVMs, paper ballot and postal ballot: The EVMs, ballot paper, ballot box, the postage travels through several hands across several geographies over and over several months. For example, in case of Lok Sabha elections in India, 1 crore plus people are involved, the process goes on for more than 2 months and these machines travel the length and breadth of country. Every person, every day, every geography adds to vulnerability of the system. Here the organization structure with 1 crore people is the vulnerable network. The logistical chain is the vulnerable network.
Supporters of EVMs and paper ballots argue that the impact of one hack might not be big enough. True, only if, it is not done at the equipment manufacturer level itself or at the level of result compilation. However, it should be remembered that impersonation, booth capturing, duplicate voting, postage hacking, counting frauds are common practice in physical voting and somehow, we are so used to it that we do not consider it as hacking or do not see it as a fatal problem. There are many regions in the country where such offline hacks are being done in systematic fashion at large scale and we decide to ignore it by blaming law and order system.
What people worry about mobile or internet voting is remote hacking. In case of offline equipment's like EVMs and EVMs with PPVAT also there is a possibility of remote hacking with help of magnetic field, light rays, sound waves, airwaves (Bluetooth, secret chip) etc. Considering these EVMs are built by only one or 2 suppliers and these equipments are still using decade old technologies the vulnerability of these machines is high. Due to lack of sophistication, the risk of remote hacking of current equipment is very low, however, the ease & risk of remote hacking with phantom chip is very high.
In case of mobile voting the concern is that system can be hacked from anywhere. Yes, that concern is valid but at the same time technologies have advanced substantially and enough technology exists to protect systems from online hacking. If that was not true; the stock exchanges, the banking systems, the traffic systems, the Air traffic control, railway systems and such other sensitive infrastructure would have been open to terrorist attacks and mankind would have never relied on them. Hacking in, for example, air traffic system can cost several lives which I suppose is more valuable than few votes. In comparison, in election system, in the worst case scenario, you can always nullify the voting and go for revote.
The points to be kept in mind about hacking is:
One, there are enough technologies to guard against hacking which include use of fire walls, encryptions etc.
Second, in instance of successful hack, there are enough methods to raise alert that system has been hacked leading to re-vote. These methods including duplicate data transfer from different routes, random routing, token counting and cross checking with tokens.
Hence, in case of mobile voting 100% accuracy and 100% hack proofing is possible which is not possible in offline voting systems like EVMs, paper ballot and postal ballot.
Myth 2: Online hacking can be done at a big scale leading to big impact unlike offline hacking
This again is a myth. The trick is to break the hacking space into small rooms with different walls. For example - In case of Lok Sabha elections in India 543 seats would be individually different election and it is not possible for one person to make one hack and appoint his own Prime Minister. At best, he would get one MP.
The art is to further break it down. In our platform, we use individual vote encryption. This means, a hacker with one successful hack can get only one vote. In a 12-hour election period he would have to do thousands of successful hacks to be able to move the needle. Even if he is successful in one or two hack, the duplicate data flow + random routing + cross checking + count checking plus audit trail would ensure that alarms would be raised.
And this is after he is able to penetrate several fire walls, decrypt the encryption, is able to encrypt it again. The system apart from having individual vote encryption also has end to end encryption which include the equipment level encryption, encryption during transmission and storage level encryption. Also the mother storage is offline and hence remote hacking is not possible.
Risk is a factor of time
Also note, the duration of mobile voting is just one day against several months in case of offline voting. This means, the hacker has to do all the hacking is those 12 hours. The limited time substantially reduces the risk of hacking. Unlike stock exchanges, banks, ATC, power systems which are always on, the voting systems are on for only few hours. It would be very difficult for a hacker to understand the system and do substantial hacking in that 12 hours.
Hacking is a risk that can be mitigated with proper preparation and use of technology. Hacking is not an unmanageable risk because of which mobile voting should be rejected. Mankind is too invested in internet now to raise hacking as an argument against voting. If hacking was such a risk, many critical activities which can put human lives at risk of hacking would not have moved to networked world. Mobile voting is an eventuality that is destined to happen. These arguments can delay the timelines but cannot change the destiny.