Election Commission yet to decide between VVPAT slips and EVM count as primary data
In its interim report on EVMs, used in India, the Citizens’ Commission on Elections raises several questions which are yet to be answered by the Election Commission of India
While the Election Commission of India and its technical committee of experts refused to depose or answer questions to the Citizens’ Commission on Elections (CCE), the interim report makes a valuable addition to the growing literature on EVMs in India in one of the depositions to the CCE by Bappa Sinha of the Free Software Movement of India. In his 14-page submission, Sinha makes two points.
The Supreme Court in 2012 said that the “paper trail” is an indispensable requirement of free and fair elections. The confidence of the voters in the EVMs can be achieved only with the introduction of the paper trail.
This has led to the introduction of VVPAT terminals with every EVM in India. However, it still leaves open the question of what is the primary record, the electronic data or the paper trail? What happens if they do not match? This question has already been raised before the ECI. The ECI is yet to give a clear opinion.
Now that we have VVPATs with every EVM, we can consider the EVM as a printer of the voters’ ballot and also an electronic calculator. As a printer, it prints the ballot with the vote, and as a calculator, it totals up the vote. Legally, the ballot should be the VVPAT slip. In the case of a dispute, or a challenge by the defeated candidate, the VVPAT slips should be counted and the case decided on that basis.
Sinha also raises a technical issue with the EVMs used by EC. “The other key design principle as stated by the EC is that the software used in these machines is burnt into a ‘One Time Programmable’ chip which makes it impossible to alter or tamper with the software on these machines.
A ‘One Time Programmable’ chip can only be programmed once at the time of manufacture and cannot be reprogrammed subsequently. So, the software programmed in the chip cannot be modified without replacing the physical chip itself by another.
It turns out that the EVMs violate this design principle of the EC. In response to an RTI application, BEL responded stating that the EVMs it manufactured used the MK61FX512VMD12 Microcontroller from NXP, a multi-national semiconductor manufacturer.
The RTI response directed the reader to the NXP website for further information, which indeed does list this microcontroller. The Electronics Corporation of India Ltd (ECIL), the other public sector undertaking (PSU) that manufactures EVMs, refused to disclose the identity of the manufacturer of the microcontroller used in its EVMs and VVPATs, citing commercial confidence under Section 8(1)(d) of the RTI Act.
The data sheet for the MK61FX512VMD12 microcontroller on NXP’s website mentions that it is an ARM based microprocessor with 16Kbytes of EEPROM, 512KB of Flash and 128 KB of SRAM. EEPROM stands for “Electrically Erasable Programmable Read-only Memory” and as the name suggests this memory is electrically erasable and reprogrammable.
The data sheet says that the 512 KB of flash memory can be partitioned such that a part of this memory can be used for storing software code, and the remaining for data. This flash memory is also rewritable. Both NXP and other vendors provide development kits through which software can be developed for these chips and transferred to them.
In the EVMs, the software is stored in either the EEPROM or in the Flash Memory (or both), both of which it now turns out can be reprogrammed.
So, the ECI’s assertion that the EVM software is stored in an OTP chip is clearly incorrect. We need to pursue with the ECI why they have not followed the procedures they themselves claim to be following and what the Indirasen Committee Report on EVM, 2006 stated that BEL is following, namely “the fixed nature of the software which is fused to the processor which is effectively unalterable”.
The CCE interim report also poses 11 questions to former Chief Election Commissioners, the present CEC and Election Commissioners as well as the Members of the Technical Advisory Committee of ECI regarding the security and integrity of EVM voting and VVPAT counting. A few of them are cited here. The rest can be found at the website reclaimtherepublic.co.
• In view of the fact that electronic recording and counting are black-box (opaque) and hence non-transparent, what guarantees do the voters have that their votes are recorded as intended and counted as recorded? Are they able to examine and verify their votes and ascertain the results reliably, which is a fundamental requirement of electoral democracy?
• Security by obfuscation is not acceptable in modern computer security analysis. Why then is the EVM design and implementation not available for public scrutiny?
• Conventional wisdom on electronic voting suggests that elections relying on electronic voting machines should be conducted assuming the machines can be tampered with, and must rely on end-to-end verifiability and risk mitigating audits. There should be no need to repose trust in any single authority or custody chain for the correctness of elections in a democracy. Yet, not all of ECI’s processes are verifiable or publicly auditable. Why?
• There are several cryptography based electronic voting systems that are end-to-end verifiable and software independent. Why has the ECI not considered one such?
• The correct VVPAT protocol is to allow a voter to approve the VVPAT slip before the vote is cast and to cancel her vote if there is a discrepancy. The voter should be able to cancel the vote before it is cast without having to interact with anyone. The VVPAT system deployed by ECI does not follow the above principle– because there is no way to revoke the button press and destroy the VVPAT slip– and is hence not truly voter-verified. Does this not require urgent fixing?
• In case of a challenge the VVPAT system does not support unambiguous dispute resolution with a clear determination of whether a voter’s claim is correct or not, because an EVM can potentially behave differently when observed during further testing. In fact, there is no way to prove that it will not. Also, there is no way for the voter to establish that she is not lying. This protocol appears to be fundamentally flawed and violates principles of natural justice. In view of this, is stringent punishment for voters unable to prove a reported discrepancy not unsound?
• Matching the VVPAT tally and the electronic count for an EVM can only ensure parity, but cannot rule out the possibility of simultaneous spurious vote injection or deletion in both. Also, there can be no guarantee – without reposing faith in the custody chain – that every VVPAT slip that is counted indeed corresponds to a valid vote cast according to the protocol, or, conversely, that every valid slip is counted. Is this sound?
• Is the EC in full control of the entire electoral process like the design and manufacture of EVM/VVPAT, manufacture of microprocessor and their burning in to EVM, writing and installation of software, counting methods and other technical functions as envisaged under Article 324 of the Constitution of India?