Is the Indian EVM & VVPAT System free, fair, fit for elections or can it be manipulated?

A pertinent question that a Citizens Commission on Elections (Volume 1) headed by Justice (retired) Madan Lokur, former Supreme Court Judge, asks as it examines the erosion of autonomous powers of the Election Commission of India (ECI) and also warns of the absence of thorough monitoring and independent hardware and software systems within

The analysis in the extensive report which is an ‘Inquiry into India’s Election System’ demonstrates clearly that the decision mak ing processes within the Election Commission of India (ECI) need to be much more logical, rigorous and principled compared to what it was for the 2019 parliamentary elections. Ad hoc systems and processes without adequate analysis of the properties and the guarantees need to be avoided. Only then can elections using electronic means adhere to standard democratic principles, appear to be free and fair, and engender confidence in election outcomes.

The Citizen’s Commission on Elections was headed by Justice Lokur as Chairperson with Wajahat Habibullah, former Chief Information Commissioner as Vice-Chairperson and members: Justice (retd) Hariparanthaman, former Madras High Court Judge, Prof. Arun Kumar, Malcolm S. Adiseshiah Chair Professor, Institute of Social Sciences , Subhashis Banerjee, Professor of Computer Science and Engineering, IIT Delhi Pamela Philipose, Senior Journalist Dr John Dayal, Writer and Activist. The Covenor and Coordinator were Sundar Burra, former Secretary, Government of Maharashtra and M. G. Devasahayam, IAS (retd) respectively.

In its extensive report that explores the various aspects of the EVM and VPAT system as it exists, the Commission makes the following broad recommendations:

Software and hardware independence

The electronic voting system should be re-designed to be software and hardware independent in order to be verifiable or auditable. EVMs cannot be assumed to be tamper-proof. As defined by Rivest [9], a voting system is software (hardware) independent if an undetected change in software (hardware) cannot lead to an undetectable change in the election outcome. Any solution that relies crucially on the correctness of the EVM is not software and hardware independent.

End-to-end (E2E) verifiability

One way to achieve software and hardware independence is to use E2E verifiable systems with provable guarantees of correctness. The overall correctness of voting is established by the correctness of three steps: cast-as-intended indicating that the voting machine has registered the vote correctly, recorded-as-cast indicating the cast vote is correctly included in the final tally, and counted-as recorded indicating that final tally is correctly computed. There must also be guarantees against spurious vote injection. These guarantees should be publicly verifiable.

ECI should explore the possibility of using an E2E verifiable system [2].

Re-design of the VVPAT system

The VVPAT system should be re-designed to be fully voter-verified [18, 11, 12]. The voter should be able to approve the VVPAT printout before the vote is finally cast, and be able to cancel if there is an error.

Moreover, in case a voter disputes that the vote has been incorrectly recorded, there must be a clear method of determination either in favour of the voter or in f a v o u r o f the authorities [12]. This may not be possible in a pure DRE based system like the ECI’s EVM, because the machine may not make the same error when tested and because it is not possible to determine, without doubt, whether it did originally make the error. In this case, the voter cannot be penalized.

End-of-poll audits

To be compliant with democratic principles there is a definite need to move away from certification of voting equipment and processes and demonstrate that the out- come of an election is correct irrespective of machines and custody chains of EVMs. Two ways to do this are by adopting rigorous and well established strategies for compliance and risk limiting audits [6, 17, 2] or by using a provably end-to-end verifiable cryptographic protocol, or both [2, 18, 12]. In any case, the ECI needs to change the currently prescribed policy for VVPAT based audit with more rigorous risk-limiting audit based sampling strategies [6] before the results are announced.

Also there must be a clear pre-announced protocol for deciding the outcome – including possible re-polling – if there is a mismatch between the VVPAT and the electronic tallies [3].

Legislation

There has to be legislation to deal with the cases when the audit, and subsequent recount, reveal a problem. Legislation will also be required to regulate when, and if, a candidate can request a hand count. Best practices suggest that such legislation be based on established statistical principles, as opposed to the judgment of individual election officials, to the extent possible [18].

Independent review

The voting system design should be subjected to independent (of the government and ECI) review and the integrity of the election process should be subjected to independent audit.

The findings should be made public.

Transparent processes

Finally, the election processes need to be completely transparent and should not have too many requirements of trust on authorities and experts, including on ECI [3, 10, 18, 12, 11]. All design details should be publicly available. Also, there should be more public consultations, and public and civil society concerns should be transparently and fairly handled.

Finally, if we opt for electronic elections and bring computer science and statistics into public life, then we cannot leave their disciplinary rigour behind.

Specific Recommendations:

Specifically the report released on January 26, 2024 recommends:

  1. The decision making processes within the ECI need to be much more logical, rigorous and principled compared to what it was for the 2019 parliamentary
  2. EVMs cannot be assumed to be tamper-proof. The electronic voting system should be redesigned to be software and hardware independent in order to be verifiable or This does not imply that software or hardware cannot be used, but that the correctness of the election outcome cannot be entirely dependent on their working correctly.
  3. The VVPAT system should be re-designed to be fully voter-verified. The voter should be able to approve the VVPAT printout before the vote is finally cast, and be able to cancel if there is an
  4. The integrity of the VVPAT slips and the EVM machines during the entire time after polling and before counting and auditing must be ensured in a manner that is verifiable by all (and especially the candidates). There should be no trust requirement on the custody
  5. There must be stringent audit of the electronic vote count before the results are The audit should not be based on ad hoc methods but by counting a statistically significant sample of the VVPAT slips according to rigorous and well established statistical audit techniques. The audit may in some cases – depending on the margin of victory – require a full manual counting of VVPAT slips.
  6. There should be legislation to decide what is to be done if the audits reveal a Such legislation should ideally be based on well-established statistical procedures and not on subjective decision of a few officials.
  7. There is a definite need to move away from certification of voting equipment and processes and demonstrate that the outcome of an election is correct irrespective of machines and trust on custody chains of EVMs. Two ways to do this are by adopt ing rigorous and well established strategies for risk-limiting audits or by using a provably end-to-end verifiable cryptographic protocol, or The ECI should explore the possibilities.
  8. Finally, the voting system design should be subjected to independent (of the government and ECI) review and the integrity of the election process should be subjected to independent The findings should be made public. In particular, all design details should be transparent and publicly available.

Report may be read here:



References
 

  1. Poonam Deposition by Poonam Agarwal. https://drive.google.com/drive/ folders/ 1dGsIwgA4HPgootDLdFx8M2Clp4RjDJ3?usp=sharing.
  2. Matthew Bernhard, Josh Benaloh, Alex Halderman, Ronald L. Rivest, Peter Y.
  3. Ryan, Philip B. Stark, Vanessa Teague, Poorvi L. Vora, and Dan S. Wallach. Public evidence from secret ballots. In Electronic Voting – Second International Joint Conference,

E-Vote-ID 2017, Bregenz, Austria, October 24-27, 2017, Proceedings, pages 84–109, 2017.

  1. G. Devasahayam. Deposition by M G Devasahayam.
    https://drive.google.com/drive/folders/ 1Ziff77jliZls-gr-dw2Gx0HRxe7xMVOY?usp=sharing.
  1. Andy Hacker Lexicon: What Is a Side Channel Attack?
    https://www.wired.com/story/ what-is-side-channel-attack/, 2020. [Online June 21, 2020].
  1. Alex Security Problems in India’s Electronic Voting System. https://crcs. seas.harvard.edu/event/alex-halderman-security-problems-india%E2%80%99s-electron- icvoting-system, 2011.
  2. Mark Lindeman, Philip B. Stark, and Vincent S. Yates. BRAVO: Ballot-polling risk- limiting audits to verify outcomes. In 2012 Electronic Voting Technology Workshop/Work- shop on Trustworthy Elections (EVT/WOTE 12), Bellevue, WA, August USENIX As- sociation.
  3. Venkatesh Deposition by Venkatesh Nayak.
    https://drive.google.com/drive/folders/ 1633FLITVd0d4F-Ra6viROFdkCURfsO4?usp=sharing.
  1. Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein, and Christof Varys: Protecting SGX enclaves from practical side-channel attacks. In 2018 USENIX Annual Technical Conference (USENIX ATC 18), pages 227–240, Boston, MA, July 2018. USENIX Association.
  2. Ronald Rivest. On the notion of software independence in voting systems. Phil- osophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences, 366(1881):3759–3767, 2008.
  3. Prasanna Deposition by Prasanna S.
    https://drive.google.com/drive/folders/ 14BvRxi0PItAdA3EYXm2qrZSC9rz7pdm?usp=sharing.
  1. Anupam Deposition by Anupam Saraph.
    https://drive.google.com/drive/folders/
    10In9T1iL9oTUov1k7ncpWE-1ixMfTF8g?usp=sharing.
  1. Subodh Deposition by Subodh Sharma. https://drive.google.com/drive/fold

ers/1u5qjNmqNJM77SK6qlc5utfHmi5jTTBo?usp=sharing.

  1. Ashok Vardhan Shetty. Winning Voter Confidence: Fixing India’s Faulty VVPAT-based Audit of EVMs. https://www.thehinducentre.com/publications/policy-watch/ article25607027.ece.
  2. Sandeep Deposition by Sandeep Shukla.
    https://drive.google.com/drive/folders/1YPQHYw5ozmNWkekKlFNyTDfe1V0sseq?usp=sharing.
  1. Sandeep Shukla. Editorial: To use or not to? Embedded systems for voting. ACM Trans. Embed. Comput. Syst., 17(3):58:1–58:2, May 2018.
  1. Bappa Deposition by Bappa Sinha.
    https://drive.google.com/drive/folders/1ZADKm2Ciryu4Gmo m7qO-MMyf8ECSKib?usp=sharing.
  1. Philip Stark and David A. Wagner. Evidence-based elections. IEEE Secur. Priv., 10(5):33–41, 2012.
  2. Poorvi L. Vora, Alok Choudhary, J. Alex Halderman, Douglas W. Jones, Nasir Memon, Bhagirath Narahari, R. Ramanujam, Ronald L. Rivest, Philip B. Stark, K. V. Subrahmanyam, and Vanessa Teague. Deposition by Poorvi Vora et al. https://drive. com/drive/folders/ 1x00pJHVhR1K7uLCdFuPIsiTDKp4cuQ2?usp=sharing.


Related:

Massive protest in Delhi by Bharat Mukti Morcha with one demand- REMOVE EVMs, SAVE DEMOCRACY

EVMs for urban bodies, paper ballot for panchayat elections: MP Election Commission

EVM security: Whose responsibility is it anyway?

Trending

IN FOCUS

Related Articles

ALL STORIES

ALL STORIES