Hacking EVMs: The EC has issued a challenge. It must first accept the challenge it faces

The real challenge is to remove the trust deficit. The offer to demonstrate tampering of EVMs can only be one step in that direction.

The controversy over electronic voting machines refuses to die down. There continue to be allegations, claims and counterclaims about election rigging. Some of the claims, we read, were due to misreporting or do not stand up to scrutiny. Every time a claim about malfunctioning EVMs is found to be false, it hurts public understanding of the real issue: elections that use EVMs are anything but transparent.

Sixteen opposition parties have written to the Election Commission asking to revert to the use of paper ballots. In turn, the Election Commission is said to have issued a challenge to political parties, scientists and technical experts to prove that EVMs could be tampered with.

This could be a step in the right direction. But it cannot be all.

Let’s not forget that such a so-called challenge was also given in 2009. The examination of EVMs should be treated as an opportunity to make the process more transparent and open. In 2009, however, when the Election Commission allowed the public to examine EVMs, the examination was hugely circumscribed so as to prevent anyone from carrying out any substantive – albeit practical – attack.

If this offer of EVM examination is simply a cosmetic offer as in 2009, and not intended to allow for a complete analysis, the trust deficit between the Indian public and Indian elections will continue to grow.

The Election Commission should demonstrate that their claims of EVM security do not rest on the very fragile assumption that all insiders with access to the EVM can be trusted. To understand what an insider with access can achieve if they try to tamper with the systems, they should provide the experts with design documents and details of the tests used to verify the design and security properties. The Election Commission’s approach so far, of keeping design details secret, is termed “security through obscurity” by computer security experts, and was debunked as far back as the late 1800s by Dutch cryptographer Auguste Kerckhoffs.

The Election Commission should allow experts a reasonable amount of time to examine machines whose entire design has been secret for so many years. The experts should be able to work in a laboratory space of their choosing, with the freedom to fully explore the system and its vulnerabilities, including physical tampering, as any attacker with some access to a single storage locker might have.

If the Election Commission circumscribes the testing, it should justify such limits by explaining why a few of the many insiders with access to EVMs could not carry out the attack that they are disallowing in the test.

The purpose of the testing should be for the public to learn about EVM design and vulnerabilities, and those examining the machines should be required to make summary findings public. Additionally, while quick exploration may be performed in the short term, longer term independent testing by well-known voting system security experts is essential; one outstanding example of such testing is the Top-To-Bottom-Review ordered by the Secretary of State of California, USA, in 2007, followed by similar requests from Secretaries of other states.

Thorough, independent testing of the EVMs can expose obvious problems and allow us the opportunity to fix them. If no problems are detected, however, we cannot assume that none exist.

The way forward

Much has been said about a voter-verified paper audit trail or VVPAT. In a recent article, this writer had suggested some other measures along with an election audit.

In addition to the transparency provided by public testing of EVMs before elections, there is a role for transparency after the election as well. Even if one were to believe that EVMs are tamper proof, every election outcome must be checked to ensure that the unexpected did not happen, that “mock drill data” (votes due to key presses during testing) was erased as it is supposed to be, and did not contribute to the count, that errors did not affect the outcome, that the EVMs were correctly calibrated, that somebody did not try to change the outcome and succeed, and so on.

If the VVPAT record is verified by the voter to be a faithful reproduction of the vote, is stored securely separate from the EVMs, and is publicly audited after the election, it provides strong independent confirmation that the outcome is correct.

It is not sufficient to simply print VVPAT records, nor is it sufficient for voters to carefully check them. A correctly printed VVPAT record indicates merely that the machine correctly understood the vote. It does not indicate that the vote was correctly recorded or counted. A public audit needs to be performed to determine that the VVPAT records are consistent with the declared election outcome.

A VVPAT audit is not a full hand count. It requires the examination of VVPAT records chosen at random to determine that the records support the declared election outcome. The number of VVPAT records that need to be examined depends on the margin between the winner and the candidate with the second-highest number of votes. Only when this margin is small will the audit correspond to a full hand count.

The workload of an audit is hence not equivalent to that of a full hand count, and the efficiency benefits of the electronic count are not in vain.
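The dependence of audit workload on the margin can be seen in a short sketch. This is an added example, not part of the original article and not an Election Commission procedure: the article names no specific audit method, so the sketch assumes a BRAVO-style ballot-polling test (one published risk-limiting audit method), a 5% risk limit, and constructed candidate names and tallies.

```python
import random

def bravo_audit(reported, sample, risk_limit=0.05):
    """Sequential ballot-polling test over randomly drawn paper records.

    reported: dict candidate -> reported (electronic) tally.
    sample:   iterable of candidate names read off the drawn paper records.
    Returns the number of records examined when the reported winner is
    confirmed at the given risk limit, or None if the sample ran out first
    (the audit must then draw more records, up to a full hand count).
    """
    winner = max(reported, key=reported.get)
    losers = [c for c in reported if c != winner]
    # Winner's reported share among votes cast for the winner or that loser.
    share = {l: reported[winner] / (reported[winner] + reported[l]) for l in losers}
    stat = {l: 1.0 for l in losers}  # one likelihood ratio per (winner, loser) pair
    confirmed = set()
    for n, vote in enumerate(sample, start=1):
        for l in losers:
            if l in confirmed:
                continue
            if vote == winner:
                stat[l] *= share[l] / 0.5
            elif vote == l:
                stat[l] *= (1 - share[l]) / 0.5
            # Records for other candidates or invalid slips leave this pair unchanged.
            if stat[l] >= 1 / risk_limit:
                confirmed.add(l)
        if len(confirmed) == len(losers):
            return n
    return None

if __name__ == "__main__":
    rng = random.Random(2017)  # fixed seed so the demonstration is repeatable
    # Constructed tallies with wide, moderate and narrow margins.
    for tallies in ({"A": 7000, "B": 3000}, {"A": 5500, "B": 4500}, {"A": 5100, "B": 4900}):
        pile = [c for c, v in tallies.items() for _ in range(v)]  # constructed paper records
        draws = (rng.choice(pile) for _ in range(len(pile)))      # random draws with replacement
        print(tallies, "-> records examined:", bravo_audit(tallies, draws))
```

A return value of None means the drawn records did not confirm the declared winner, which is the signal to keep drawing and, if necessary, count every record by hand.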

What is missing right now?

Today, however, we do not have independent public testing of EVMs.

Additionally, most of our EVMs are not capable of producing VVPAT records. Even in constituencies with paper records, in the states where the recent election outcomes have been questioned by candidates, the Election Commission has no plans for an audit. If we do not use the existing VVPAT records as the serious tools for detecting problems that they are, our election outcomes will continue to generate suspicion among all except those who support the declared winners, as continues to happen in recent controversies.

Therefore, it needs to be pointed out to the Election Commission, respectfully, that the absence of election audits and the unreliable nature of the VVPAT is already a large enough problem. It is not up to candidates to look for security vulnerabilities in the secretly-designed EVMs to prove that our electoral processes and technology must be improved. It is up to the Election Commission to implement process and technology improvements to increase transparency, so that after each election, the Election Commission can itself prove – using public audits of securely-stored VVPAT – that the outcome is correct.

Regular audits will not require voters and their candidates to have blind faith in insider processes and the insides of an electronic machine, and will provide considerable disincentive to anyone contemplating manipulating an election outcome.

The real challenge

Many of the candidates with concerns have received a very large number of votes in the recent elections. Together, they represent a very large number of voters. If, after every election, every candidate except the declared winner is (understandably) suspicious of the outcome, that is a large number of voters whose trust in our democracy is jeopardised.

This trust is easily lost when taken for granted, but can be built through an unwavering commitment to transparency in election technology and process.

India has an enviable reputation as the world’s largest democracy with a large number of enthusiastic voters. This reputation transfers to our elected leaders too, because world leaders understand that they are negotiating with leaders legitimately chosen by an engaged citizenry. The Election Commission and its independent role in enabling peaceful and fair elections is well-known. The Election Commission could further enhance both reputations by making available EVMs for unrestricted independent examination, auditing any VVPAT available for the recently concluded elections and allowing paper ballots in elections in the near term where candidates request them or it is not possible to print VVPAT records, store them securely and audit them.

In the medium term, it should institute procedures for regular audits of securely-stored VVPAT records. It could look forward to the long term by updating EVM design to enable more flexible and secure audits, perhaps by using end-to-end independently-verifiable approaches, which represent the gold standard of what is possible in secure auditable voting systems.

Civil society groups and candidates, on their part, must educate voters about the importance of reviewing the VVPAT record for their own vote to ensure it is correct and to continue to engage in, and advocate for, public auditing of all electoral processes. Concerns about unfair elections must be raised when necessary, but this must be done with care for the facts, as election integrity loses out when false claims begin to dominate the news.

Poorvi L Vora is Professor of Computer Science at The George Washington University, Washington DC, USA.

