Redesign EVMs and VVPAT and provide for auditing, recommends Citizens’ Commission on Elections

Electronic Voter Machines cannot be assumed to be tamper-proof and there is no way to guarantee that the vote cast by a voter has been recorded in the EVM as intended by the person, states a report released on Saturday by the Citizens' Commission on Elections.

The Citizens Commission on Elections was formed in 2020 after several citizens bodies drew public attention to the lack of integrity of EVM voting and the ECI’s departure from neutrality. The committee is chaired by former Supreme Court judge Madan Lokur and comprises former chief information commissioner Wajahat Habibullah, former Madras High Court judge Hari Paranthaman, economist Arun Kumar, activist John Dayal, senior journalist Pamela Philipose, IIT-Delhi professor Subhashis Banerjee and former IAS officer Sundar Burra. Former IAS officer MG Devasahayam was the coordinator of the commission.

The report underscores that if the correctness of an EVM cannot be established then it is impossible to predict whether an EVM can be hacked or not. “In particular, that an EVM has not yet been hacked provides no guarantee whatsoever that it cannot be hacked. Thus elections must be conducted assuming that the electronic voting machines may possibly be tampered with,” highlighted the report titled ‘Is the Indian EVM and VVPAT System Fit for Democratic Elections?

The Election Commission of India (ECI), members of its technical committee, namely Professors D. T. Shahani (IIT Delhi), Rajat Moona (IIT Bhilai) and D. K. Sharma (IIT Bombay) and barring one former Chief Election Commissioner none of the former CECs responded to the invitation of collaboration with the inquiry. Several Indian and international experts on the subject, however, deposed before the Commission.

The report sums up the findings and says:

A. Due to the absence of End-to-End (E2E) verifiability, the present EVM/VVAPAT system is not verifiable and therefore is unfit for democratic elections.

B. That an EVM has not yet been detected to have been hacked provides no guarantee that it cannot be hacked. Thus, elections must be conducted assuming that the EVMs may possibly be tampered with.

C. In practice, it may be necessary to test more EVMs than even what the civil society and the political parties demand (30% and 50% respectively) to ensure verification and reliable ascertainment of results.

D. There must be stringent pre-audit of the electronic vote count before the results are declared. The audit may in some cases - depending on the margin of victory - require a full manual counting of VVPAT slips.

E. The electronic voting system should be re-designed to be software and hardware independent in order to be verifiable or auditable.

Among the domain knowledge holders who submitted their deposition before this CCE group were Ronald L. Rivest of the Massachusetts Institute of Technology, Cambridge, USA; Alex Halderman of the University of Michigan, USA; Poorvi L. Vora and Bhagirath Narahari of George Washington University, USA; Alok Choudhary of North-western University, USA, Sandeep Shukla, Professor, Computer Science and Engineering, IIT Kanpur; Douglas W. Jones of the University of Iowa, USA; Nasir Memon of New York University (Brooklyn), USA; Philip B. Stark of the University of California, Berkeley and Vanessa Teague, Associate Professor, School of Computing and Information Systems, University of Melbourne, Cyber security, Australia.

MG Devasahayam, former civil servant, Bappa Sinha of Free Software Movement of India, Subodh Sharma of Computer Science and Engineering and of the School of Public Policy, IIT, Delhi; S Prasanna, Advocate, Delhi, Venkatesh Nayak, RTI activist, KV Subrahmanyam, Professor, Computer Science, Chennai Mathematical Institute, Chennai, Poonam Agarwal, media-person and Anupam Saraph, Professor and Future Designer besides Dr Sanjiva Prasad and Dr Subhashis Banerjee of IIT, Delhi assisted in the investigation.

“Further examination is possible only when the ECI makes the EVM design and prototype available for public technical audit. It is noted that none of the ECI’s experts has credentials in computer security and the Commission reposing trust in many other external entities and organisations, that could lend themselves to breach of complete security. After tracking the various stages of the EVM’s movement within the election setup — before and during polls, subsequent storage, counting and declaration of results — the report opines that there are certain intervals during which the machines could be accessed without authority or tampered with,” the report concludes

The committee has suggested that there was a need to redesign the VVPAT system to be fully voter-verified. Voters should be able to approve the VVPAT printout before the vote is finally cast and be able to cancel if there is an error.

The CCE expert group examined technical details and the engineering design of the current EVMs as also the stage-by-stage processes they undergo during elections and highlighted that the Election Commission of India did not appear to safeguard the EVM against the possibilities of hacking electronic devices through electromagnetic and other methods.

The group suggested that Voter-verifiable Paper Audit Trail (VVPAT) was one of the possible ways to make the voting system auditable. Using VVPAT a voter can in principle verify that her vote is cast as intended, and a suitably designed end-of-poll statistical audit can possibly determine that the collection and counting are correct.

This is, however, dependent on the fact that the VVPAT system is truly voter-verified. The correct VVPAT protocol is to allow a voter to approve the VVPAT slip before the vote is cast, and to provide an option to cancel her vote if a discrepancy is noticed.

The report underscores that there is the need for a clear protocol for dispute resolution if a voter complains that a VVPAT printout is incorrect. “The ECI’s VVPAT system is not truly voter-verified because it does not provide the necessary agency to a voter to cancel her vote if she thinks it has been recorded incorrectly,” explained the report.

The committee also pointed out that in case the voter raises a dispute, there was no way for her to prove that she was not lying. So, penalising a voter in such a situation is not the correct approach, states the report.

The committee has called for compliance audit, which can be verified by all candidates and the public, to ensure the integrity of the VVPAT slips. The VVPAT slips may be trustworthy at the time of voting, but it is necessary to ensure that they remain trustworthy later while auditing. Only then a subsequent statistical audit can establish the correctness of the voting process. There has to be sufficient guarantees against spurious injection or deletion of votes after polling and before counting when the EVMs and VVPATs are in custody of ECI, without requiring any trust assumptions. Otherwise, the mere agreement of electronic and VVPAT counts cannot rule out spurious vote injections or deletions in both, maintained the committee.

The Committee has recommended that the decision-making process in the ECI had to be much more logical rigorous and principled compared to what it was for the 2019 parliamentary elections as EVMS cannot be considered tamper proof. The electronic voting system should be redesigned to be software and hardware independent in order to be verifiable or auditable.

There should be legislation to decide what is to be done if the audits reveal a problem, underscored the members of the committee. Such legislation should ideally be based on well-established statistical procedures and not on subjective decision of a few officials.

Former judges have suggested that elections must be conducted assuming that the electronic voting machines could possibly be tampered with and were worried about the overall lack of transparency and public auditability, which are crucial for democratic principles of public elections.

The Supreme Court’s decision to cross-check only 5 EVMs per assembly constituency against manual VVPAT counts was never explained. It does not seem to have any statistical basis, pointed out the committee, while suggesting that the Supreme Court failed to direct what ‘decision rules’ must be followed by the ECI in the event of discrepancies between manual counting and electronic counting.