Alex Halderman, and India’s assault on academic freedom

Five years ago, not long after the founding of Shtetl-Optimized, I blogged about Alex Halderman: my best friend since seventh grade at Newtown Junior High School, now a famous security researcher and a computer science professor at the University of Michigan, and someone whose exploits seem to be worrying at least one government as much as Julian Assange’s.

In the past, Alex has demonstrated the futility of copy-protection schemes for music CDs, helped force the state of California to change its standards for electronic voting machines, and led a spectacular attack against an Internet voting pilot in Washington DC.  But Alex’s latest project is probably his most important and politically-riskiest yet.  Alex, Hari Prasad of India, and Rop Gonggrijp of the Netherlands demonstrated massive security problems with electronic voting machines in India (which are used by about 400 million people in each election, making them the most widely-used voting system on earth).  As a result of this work, Hari was arrested in his home and jailed by the Indian authorities, who threatened not to release him until he revealed the source of the voting machine that he, Alex, and Rop had analyzed.  After finally being released by a sympathetic judge, Hari flew to the United States, where he received the Electronic Frontier Foundation’s 2010 Pioneer Award.  I had the honor of meeting Hari at MIT during his and Alex’s subsequent US lecture tour.

But the story continues.  Earlier this week, after flying into India to give a talk at the International Conference on Information Systems Security (ICISS’2010) in Gandhinagar, Alex and Rop were detained at the New Delhi airport and threatened with deportation from India.  No explanation was given, even though the story became front-page news in India.  Finally, after refusing to board planes out of New Delhi without being given a reason in writing for their deportation, Alex and Rop were allowed to enter India, but only on the condition that they did so as “tourists.”  In particular, they were banned from presenting their research on electronic voting machines, and the relevant conference session was cancelled.

To those in the Indian government responsible for the harassment of Alex Halderman and Rop Gonggrijp and (more seriously) the imprisonment of Hari Prasad: shame on you!  And to Alex, Hari, and Rop: let the well-wishes of this blog be like a small, nerdy wind beneath your wings.

32 Responses to “Alex Halderman, and India’s assault on academic freedom”

  1. wolfgang Says:

    It really seems that the stupidity of governments is turning into a worldwide illness. You just wrote about the YouCut nonsense, there is this case in India, in Europe politicians are as silly as one can imagine…

    I suspect the Aliens are coming and use some sort of death rays to destroy the brains of our leaders. There is no other explanation that makes sense …

  2. John Sidles Says:

    All who defend the integrity of the voting process, the freedom of speech that is the foundation of democracy, and the respect for rational debate that makes democracy function as informed choice …. are heroes to me.

    Thank you, Scott, for informing us that Alex Halderman, Hari Prasad, and Rop Gonggrijp are three heroes of democracy.

  3. Raoul Ohio Says:

    I totally agree on the ludacrisness of the situation, but I also don’t think the Indian government is just a bunch of evil jerks.

    The impact of the ever increasing rate of new technology on governments in general, and democracies in particular, is bewildering for those trying to keep things running, and pretty much everyone else. So I don’t find it at all surprising that governments don’t respond very gracefully to events that blindside them on a regular basis.

    This issue is in the main stream of the topics in Bruce Shneier’s “cryptogram” newsletter: http://www.schneier.com/crypto-gram.html
    which EVERYONE would be wise to read. As much as I admire Bruce and what he does, I have one problem with it. Every month he reports on dozens of dumb things various officials are doing about security, voting in particular. But these are hard problems, and he does not suggest how they could do it better, he just makes fun of them because they are not as smart as he is. But hardly anybody knows as much about that stuff as Bruce.

    I think Bruce invented the term “Security Theater”, which is a pretty good concept. Unfortunately, it has now become a buzzword for doofusses on Fox News, etc. One could actually argue that Security Theater works pretty well. Lots of the enforcement of the norms of society is largely theater. So what?

  4. Scott Says:

    Raoul: In the case of electronic voting machines, you have smart people proposing things like a voter-verified paper audit trail that would
    (a) be trivial to implement and
    (b) dramatically improve the trustworthiness of elections, which is a fundamental prerequisite for a free society. (Even Iran and North Korea hold sham elections.)

    And then you have people in power who not only don’t listen to the smart people, but are actually arresting and imprisoning them for trying to improve things.

    You’re asking for greater sympathy for the people in power, on the grounds that they aren’t smart enough to understand.

    I have to say, it reminds me of those camp counselors and elementary school teachers who were always urging sympathy for the bullies who made my life miserable. It made me wonder: why do people with power but not intelligence inherently deserve more sympathy than those with intelligence but not power?

  5. Job Says:

    I’m guessing they were concerned about an eventual attempt at manipulating the results of the voting system, perhaps a US backed ploy to cunningly replace the country’s leadership.

    Maybe they just don’t like looking stupid, so they put people in jail. It happens. It’s the old “if i’m so stupid how come you’re in jail?” tactic.

  6. Job Says:

    Why do people with power but not intelligence inherently deserve more sympathy than those with intelligence but not power?

    Intelligence yields sympathy. Power yields stupidity.

  7. Raoul Ohio Says:

    Consider the following points:

    1. My knowledge of problems with voting systems comes largely from reading “cryptogram”, but that is a pretty good source. I think a fair assessment is that, as of 2010, NO voting system is anywhere near foolproof. Furthermore, every new proposal for an improved system is promptly shown to lots of shortcomings.

    2. Consider now the worldwide implementation of whatever system you prefer. Designing and manufacturing the equipment would cost (millions? billions? trillions?) and take years. Likewise training the poll workers. Likewise teaching the population how it works. Add in patents, lawsuits, etc.

    3. There is at least a 50% chance that before long the new system would be shown to have severe vulnerabilities.

    4. Those setting up voting systems are in the real world, not academia. They are not assessed by peer review by smart people. They are harangued by crackpots on talk radio, answer to voters, and highly adverse to fiascoes.

    5. Thus, I don’t find it surprising that officials have not implemented a (perfect? workable?) system, and overreact to new threats to the existing system.

    If you understand why governments do dumb stuff, you have a better chance of improving things.

  8. Indus-stan-i Says:

    Thanks for pointing us to these links Scott.

    The government of India and governments all over the world need to change. Please, become cool and open and get things done. Don’t just wank around and put people in jail.

  9. Avinash Says:

    As an Indian, I am indeed sorry that Halderman and others were subjected to such treatment. However I would like to add some points to this story:
    1. Elections in India are conducted by an Election commission that is universally accepted as autonomous and professional. Moreover presence of an independent media and division of power implies that probability of manipulation is negligible. Any comparison with N-Korea or Iran is far-fetched. Well conceptually anything might happen; one may even find a linear-time algorithm for a NP-complete problem but……..
    2. According to the Govt. these machines have been vetted by a committee of academics, mainly from IIT’s, which are normally not considered to be part of the govt. They seem to be giving more weightage to their report.
    3. These machines have actually been used twice in the electoral process at national level. Naturally an adverse reference to these machines will affect the credibility of the incumbents. In the current highly volatile political situation in India, govt probably wanted to avoid a controversy. Reportedly final airport clearance for H. came after the intervention of the PMO itself.
    4. EVM’s have been a showpiece of ‘smart governance’ in an otherwise lethargic bureaucracy and they wanted to avoid a controversy as another mega-project, with serious security issues, UID is in the pipeline.
    5. Visa regulations, particularly dealing with academic visits, are anyways archaic and relic of past . Just have a look at the following interesting piece.
    http://www.thehindu.com/opinion/columns/siddharth-varadarajan/article110920.ece

    I just hope that this incident gets the attention it deserves in India. Thanks Scott for blogging about it.

  10. Indus-stan-i Says:

    Avinash: Umm … isn’t it good that the UID fails because of this attention to the EVMs? And shouldn’t the credibility of the elections be questioned given that they were based on these machines? While I admit that a vote fraud on a massive scale is unlikely, it is not clear to me how you can assume that vote fraud on a smaller (local) scale couldn’t have already happened. In this case, the credibility of the incumbents ought to be questioned. The problem is not with the questioning, but the associated violent protests and other crap—that’s what the jails should be for, NOT Hari Prasad! So IITs vetted the machines … uh-huh … and where’s their report? Is it openly available? Does it refute the findings of this report? What is the significance of your point here? Yes, comparisons to N-Korea and Iran might be an exaggeration, but the line between exaggeration and the truth is sometimes osmotically fine. I cannot rule out the likelihood that on a smaller local scale there could have been all kinds of fraud. There isn’t a paucity of hacking talent in India and this could easily be exploited on the local under-the-radar scale.

  11. Aaron Says:

    Paper and ink is actually a remarkable workable system. There is no pressing need to have them be electronic or even mechanical.

  12. Sunkhiroes Says:

    How to make full proof fraud free voting system by net?

  13. Avinash Says:

    @indus
    ….It is not clear to me how you can assume that vote fraud on a smaller (local) scale couldn’t have already happened.
    This is precisely what can not happen. An exact answer will be long: but this simply isn’t feasible. Large-scale centralized manipulation at least is conceivable, provided you are willing to accept a grand collusion of political actors, three election commissioners-who have constitutionally mandated autonomy, usually are men(till now) of integrity and are appointed after bipartisan consultations, officials of the BHEL and ECIL that actually manufacture the machines and have the access to hardware, the Indian academics who routinely vet those machines, all this while maintaining absolute secrecy, avoiding very intrusive media and risking prosecution for criminal conspiracy and ruined personal and institutional reputation. I at least don’t think this has a reasonable chance. Main defenses therefore are institutional, not technological in nature. That said there is growing consensus, following the work of Halderman et al, that there are issues with the existing system and need to be fixed.
    As regards the arrest of Prasad, the fact is that machine he used was illegally obtained and the police was duty bound to register a case. I think people are overlooking the fact that he was promptly presented to court and was granted bail, without any conditions related to travel etc. Finally their research is just a click away for anybody interested and the handling of their case if anything has given it publicity. I agree that this was handled quite clumsily, but you can’t compare this to China, Iran etc.
    … isn’t it good that the UID fails because of this attention to the EVMs?
    NO…. UID which is very much similar to social security system number in US is a major initiative that is expected to fix the leaky social security schemes in India. One of the intended beneficiaries of the program is food distribution: a huge programme with estimated 70% leakage, one of the prime reasons why India has such a poor human development record despite impressive growth and corresponding increase in govt expenditure. Also important for financial inclusion etc.
    Again I must say emphatically that I am as much of supporter of academic freedom and exchange of ideas as anybody else; have absolutely no problem with criticism of the govt, and am actually sickened by the ridiculous travel restrictions that Indian govt imposes on the academic visits. But just didn’t want anybody to leave the blog with the impression that Indian democracy was in danger of becoming N-Korea or Iran, as Scott regrettably suggested.

  14. anon Says:

    I don’t know about NK, but contrary to media reports and claims of Iranian opposition groups I have not seen any hard evidence for a massive fraud in the Iranian election. The result seems to match the polls conducted by reputable western organizations before the election. Take a look at: http://en.wikipedia.org/wiki/Iranian_presidential_election,_2009

    The articles and reports by western media during the weeks before the election gave the feeling that this election was one of the most free polls in Iran ever (though way below standards in west).

    See this:
    http://iran2009presidentialelection.blogspot.com/

    I believe the situation in Iran is similar to what we see in other countries like Venezuela, a minority elite group with western and liberal ideals against a conservative anti-western majority who vote for the populist.

  15. Anonymous Indian Coward Says:

    Scott,

    To be fair, the research in question was carried out using an electronic voting machine (EVM) which was government property obtained without permission (a.k.a stolen). When the work came out, an EVM was found missing and the work provided probable cause to arrest Mr. Prasad under suspicion of theft/receiving stolen property. Sure, these folks first asked for an EVM to do their research, but when the request was denied by the government, they went ahead and (illegally) obtained one anyway. Therefore, I think it is incorrect to say that Mr. Prasad was arrested for his work (and by implication for speech the government did not like). He was arrested on suspicion of theft. He is out on bail now, but the case is proceeding in court and he is getting due process under law. Indeed, as you note, he has even been allowed to travel out of the country.

    That being said, all three of them deserve our appreciation, gratitude and respect for this important and risky endeavor, which, I think, will lead to a more robust voting system and will ultimately strengthen our democracy. Perhaps, sometimes the path to better government passes through illegal actions.

    It is also heartening to see that Alex and Rip did manage to resist deportation. This suggests that academics in India can still exert some influence on the government. In fact, the Indian Prime Minister has a Ph.D. in Economics from Oxford and it has been reported that his office had a hand in preventing the deportation. I think the strong press coverage also helped. In contrast, there was a time, during the cold war, when Paul Erdős could not enter the United States for over 10 years.

  16. Sandeep Kashyap Says:

    @ Scott
    …It made me wonder: why do people with power but not intelligence inherently deserve more sympathy than those with intelligence but not power?
    People with power but not with intelligence, at least in India, deserve some sympathy for the following reasons:
    1. They are trying to leverage technology for making the life better for billion plus people.
    2. They are doing it in a country that is LARGE and a huge proportion thereof is illiterate, semi-literate technically challenged, unable to connect with technology due to linguistic barriers.
    3. They are doing so within the constraints imposed by democratic set-up and liberal parameters.

  17. Non Indian Says:

    I actually agree with the Indian commenters here. Mr. Prasad was arrested under suspicion of theft/receiving stolen property. And as far as I understand he doesn’t even claim innocent. So the government acted reasonably, and the case has little to do with academic freedom.

  18. Hopefully Anonymous Says:

    Sounds like a tricky topic as we see in the comments. I like that the prime minister of India (like the prime minister of Austria?) is a ph.d. economist. I think it’s better academic training than law school (and perhaps military officer academies) for governance.

    I don’t expect prof. Aaronson to be impartial -its his childhood best friend that was a bit harassed in India.

    In the spirit of Raoul, when an EVM goes missing, and then folks publish about results from researching an EVM, it’s a bit much to expect no law enforcement theatre, though I think it’s reasonable to say the India government took things too far considering the particulars, here.

    If I were an minister worried about a descent into chaos, I think I’d find it cheaper to buy out rare birds like Team Halderman and make them consultants to India’s EVM project, than to pick them as antagonists.

    But then again, I’m a person, not an organization. It often seems hard for organizations to overcome internal coordination problems in order to act as reasonable as many individual humans do.

  19. ano Says:

    There was not *one* EVM that “went missing”; if there had been exactly one, the police could have probably found who lent it to the researchers. There are in fact dozens of EVMs missing in India; they aren’t even being properly kept track of.

  20. Hopefully Anonymous Says:

    Ano,
    Well, with regards to your sourceless claim, that’s a problem that doesn’t require computer science professors to identify. On the other tentacle don’t know how bad it is for dozens of EVM’s to go missing in a nation of 400 million voters. Maybe very bad, maybe a rounding error -enter experts, please?

  21. Nilima Says:

    Thanks for blogging about this, Scott. As an academic and an Indian, I’m appalled. It’s ludicrous that the Indian government is worried enough about the theft of an EVM to do something about it. Heck, we’re watching nearly 40 billion dollars wash down the drain in the most recent corruption scandal to grace Indian newspapers, with no real repercussions.

    I think it is accurate that the prospect of this information becoming public, with it’s potential to embarrass the government, is what lead to the boneheaded treatment of 3 academics. C’mon, India.

  22. Indus-stan-i Says:

    To all who think the Govt. acted reasonably by arresting Prasad:

    There’s that old proverb: penny wise and pound foolish. Small fish. Etc.

    I agree with Nilima above: the Govt. should go after the real criminals and not people who are actually trying to do good, like Prasad. The Govt might have acted according to the letter of the law, but it did so whenever it was easy and convenient for it to do so. The law is *for* the people and implemented by people; it is not a machine.

    Also most people don’t realize that now Prasad has a police record. This means that he can be harassed by the beaureaucracy that is India for the rest of his life. “Allowing” him bail and travel are silly beans compared to what’s in store for him for the rest of his life.

  23. Bharathi Says:

    @Scott:

    Firstly, I agree that governments are getting insane, Indian govt included. But consider these:

    1. How did he prove that EVMs are susceptible to fraud? By changing few chips inside EVM circuit.

    For god’s sake any electronic gadget (computers included) can be broken into, data stolen and used for fraud if the thief is given physical access and he changes whatever chips he wants to. Being an academician dealing with computers, you of all people should have known this.

    2. This brings us to second question. Did or did he(Hari) not steal the EVM? Can he file an affidavit stating how he got those machines? What’s wrong in arresting him?

    3. The only way for the chips in tens of thousands of EVMs to be changed and fraud committed is by having a mole very high up in Election Commission of India.(Not even booth officials can open the EVM. They have tamper proof seals.) In that case even a paper system can be subverted by that mole in ECI. And I assure you that ECI is manned by very good officers.

    Most importantly Americans delight at giving awards to any lunatic, who spits at India; whether he makes valid point are not.

  24. Scott Says:

    Hi Bharathi,

    (1) While I can’t speak for the EFF, I can tell you that “spitting at India” was the furthest thing from my mind. I had a wonderful time when I visited (and can’t wait to go back), a large fraction of my friends are Indian (not surprising for a theoretical computer scientist), and Indian food has been a staple of my diet since grad school. I support those in India who want a transparent election system for their country, just as I support this cause in the US and everywhere else (BTW, many US states have voting machine security problems that are as bad as or worse than India’s).

    (2) It’s simply not true that the attacks developed by Alex, Rop, and Hari only work if you have a mole high up in the Election Commission. They’ve demonstrated how to compromise a machine given only extremely brief physical access to it. See their FAQ for more.

    (3) Yes, you’re right that pretty much any electronic gadget can be compromised given physical access to it! It’s precisely for that reason that today, voting-security experts are essentially unanimous in recommending that EVMs either provide a voter-verifiable paper trail, or else be replaced by paper ballots entirely.

    (4) I hold this truth to be self-evident, that no voting system can or should be trusted unless independent experts are free to examine its workings (the counting procedure, the hardware, software source code if necessary, etc). This political/moral principle is not yet universally accepted—but I predict that in a few decades, it will be as obvious to everyone as it is to a small nerd community today. So in my opinion, the Indian election commission completely discredited itself when it invited Hari Prasad to examine the voting machines, but then halted the examination as soon as it became clear that he really could tamper with them, and refused thereafter to give him (or any other independent expert) access to a machine.

    (5) No, Prasad didn’t steal an EVM; he received one from an anonymous source who very likely had legitimate access to it. This isn’t “stealing” in any conventional sense: it’s obvious that Prasad would have paid for a machine if he could, but the Election Commission refused to make one available to him or anyone else, in violation of citizens’ fundamental right to know how their votes are being counted. (Note also that, after studying the machine, Alex, Hari, and Rop then returned it to the anonymous source in perfect working order, which was one of the source’s conditions. Had they been able to take the circuit boards apart, they no doubt could’ve found even more vulnerabilities than they did.) Since I’m not a lawyer (much less an Indian lawyer), I have no idea whether receiving the EVM put Hari or his anonymous source in violation of Indian law—but if it did, then this seems like an extremely clear-cut case of justified civil disobedience.

  25. Anonymous Indian Coward Says:

    Scott,

    I get that this was a case of civil disobedience by Hari Prasad.

    I was just disappointed that your post seemed to suggest that he was somehow unlawfully detained, threatened, did not receive due process etc and this implied that in India, if you say what the government doesn’t like, bad things could happen to you.

    Specifically, you say: “As a result of this work, Hari was arrested in his home and jailed by the Indian authorities, who threatened not to release him until he revealed the source of the voting machine that he, Alex, and Rop had analyzed.”

    In fact, he was only arrested after the video demonstrating the EVM vulnerabilities which showed the EVM was out. An EVM was found missing by the government and the video provided probable cause for theft/possession of stolen property to arrest him. He is getting due process under law. He is out on bail and has even been allowed to travel out of the country.

    In particular, he wasn’t arrested because of speech the government did not like.

    I don’t see how things would work differently in any other liberal democracy and I hope you will acknowledge this.

  26. Scott Says:

    AIC: Obviously, Hari sees things a bit differently! He described what happened to him as blatant intimidation. Now, lots of liberal democracies do appalling things from time to time; it’s even been rumored that the US is one of them. But either Hari is lying, or else his treatment indeed ought to concern anyone who cares about democracy and civil liberties in India.

    A few points:

    (1) Each Indian EVM is worth ~$230 (indeed, the low cost is one of their big advantages). The idea that Hari would receive the treatment he did over a missing $230 item from a government warehouse—a dozen police officers converging on his house, daily questioning, etc.—strains credulity. (And indeed, it does appear that the arrest order came from high up in the government.)

    (2) As I mentioned, the EVM was returned in perfect working order anyway.

    (3) If this has nothing to do with speech, then why were Alex and Rop prevented from giving talks at a conference?

    I agree that India has an extremely free press (indeed, with a lot less self-censorship than the US press). That’s why the Indian public has been able to follow this story and express outrage over it.

  27. Universal Voting Machine Says:

    Why are supposedly liberal democracies trying to prevent the public inspection of voting machines? It gives me chills.

  28. LifeIsChill Says:

    India is a rather funny democracy. After independence in ’47, the union was established as a democratic republic in ’50 borrowing heavily from the model in UK and US. But do you know who they followed for policies for the running of the govt.. you have it right…. the Soviet Union… for close to 50 years. Now you know the kind of dummocrazy India is!

  29. Pulkit Says:

    great entry. governments, alas!

  30. Max Says:

    There is one trend in the pro Indian Government comments I’ve notice and find disturbing: That this is an us versus them issue. ie Indians against the West (or Whoever).

    People are not attacking the EVMs and the Government handling of the situation to make India or Indians look bad. They are attacking them because they want to protect the rights of Indians and voters everywhere!

    As has already been said the same problems have occurred in the US. Security researchers and “nerds” (using Scotts term) have attacked those issues with even more vehemence as far as I can tell.

    What it comes down to is:

    1) The integrity of the voting process is extremely important

    2) Electronic voting machines are not trustworthy

    3) Electronic voting machines are not necessary to implement an election

    ==> Do not use electronic voting machines! QED

  31. Rohit Says:

    I don’t get it. Can’t you just stuff ballot boxes with fake ‘paper’ votes? Used to happen a lot in India. A lot.
    FACT: Allegations of vote fraud have decreased a lot in India, after EVMs were used.
    India took a very low tech approach to these EVMs. An important factor in a poor country. We took a flawed system that allowed rampant fraud , to one that limited fraud to some extent. It may sound ‘únbelievable’, but a thousand or more fraud votes are not important. We did not care for the border cases. An approach that I think is the correct one. I don’t think that anybody needed to prove that the machines aren’t perfect. I thought everyone knew that. But the machine is a big improvement from the past.

    Has anyone ever tried thinking about counting 400 million votes?

  32. tubelite Says:

    India plans paper trail for electronic voting machines

    http://www.computerworld.com/s/article/9215940/India_plans_paper_trail_for_electronic_voting_machines

    “…
    By providing a verifiable paper trail, the requirement of transparency in the EVMs will have been met, said Hari Prasad, a security researcher, on Tuesday.

    The Election Commission is however consulting informally with Prasad and other researchers as it tries to offer a verifiable paper trail for its EVMs, Prasad said.
    …”

Leave a Reply