Figure 1: Schematic of ECI’s EVM
Encrypted Communication between CU, VVPAT, and ballot unit
Source: Original diagram from ECI’s EVM and VVPAT manual (ECI 2021).
Citizens’ Commission on Elections’ Report on EVMs and VVPAT
The authors thank all those who have deposed as well as Sanjiva Prasad (Computer Science and Engineering, IIT Delhi), who has mentored this study. The authors also thank all those who participated in the many discussions and provided input and insight.
Madan Lokur is a former Supreme Court judge. Wajahat Habibullah is a former Chief Information Commissioner of India. Hariparanthaman is a former Madras High Court judge. Arun Kumar is the Malcolm S Adiseshiah Chair Professor at the Institute of Social Sciences, New Delhi. Subashis Banerjee is professor of computer science at Ashoka University, Haryana (on leave from IIT Delhi). Pamela Philipose is a senior journalist. John Dayal is a writer and activist. Sundar Burra is the former secretary to the Government of Maharashtra. M G Devasahayam is a former officer of the Indian Administrative Service.
The Citizens’ Commission on Elections was set up in March 2020 to critically analyse India’s electoral processes in accordance with democratic principles. Based on the first volume of the commission’s report, an analysis of the Electronic Voting Machine and the Voter-verified Paper Audit Trail system is presented. The main recommendations of the report are to modify the current design of the VVPAT system to make it truly “voter-verified.”
India’s parliamentary election is the largest in the world, with 543 constituencies and an average of well over 1 million voters per constituency, and voting has been conducted electronically since 2004. However, there is considerable doubt about the integrity of the Electronic Voting Machines (EVMs) used by the Election Commission of India (ECI) and the verifiability of compliance with democratic principles. This inevitably generated disquiet during the elections, especially during the 2019 parliamentary elections.
In what follows, we present an analysis based on the available literature and written depositions from concerned citizens and experts (Agarwal 2020; Devasahayam 2020; Nayak 2020; Prasanna 2020; Saraph 2020; Sharma 2020; Shukla 2020; Sinha 2020; Vora et al 2020). Depositions were also invited from the ECI and the members of its technical committee; however, there was no response from them. The Citizens’ Commission on Elections (CCE 2020) also sent a questionnaire to the ECI, members of its technical committee, and some former chief election commissioners; only one response was received (Gopalaswami 2020).
EVM-based Voting and Democratic Principles
We first briefly capture the current EVM design and the ECI’s processes for conducting the elections and then examine and analyse the concerns with the EVM design. The deposition by Bappa Sinha (2020) summarises the ECI’s EVM design and the associated processes (Figure 1).
The main features of the EVM design are as follows. It is a direct recording electronic (DRE) voting protocol. The EVM consists of a control unit that is placed on the presiding officer’s desk. The control unit is connected to the voter-verified paper audit trail (VVPAT) printer, which is then connected to the ballot unit. The VVPAT printer and the ballot unit are kept in the voter booth. The VVPAT status display unit (VSDU) is kept with the presiding officer and displays the status of the VVPAT printer. The different components authenticate each other using digital certificates. The system is designed to stop functioning if paired with unauthorised components.
The communication between components is encrypted. It is a stand-alone system with supposedly no external communication channels, either wired or through radio. It only has designated interfaces for input and output of data according to specific protocols. As per the ECI mandate, it should be stand-alone — that is, not computer-controlled — and “one-time programmable” (OTP).
A voter is allowed to proceed to the voting booth after eligibility and identity checks by polling officials. For a vote to be cast, the presiding officer must first enable the ballot unit by pressing a button on the control unit. The voter casts the vote by pressing a button on the ballot unit, selecting a candidate. Once a button is pressed, a light-emitting diode (LED) next to the button lights up and there is a long beep indicating that the vote has been recorded. The VVPAT simultaneously prints a small slip of paper that carries the symbol, name, and serial number of the candidate selected by the voter. This slip is visible for seven seconds in the viewing window after which it drops off into a secure box. Once a vote has been cast, the ballot unit becomes inactive and does not respond to any more button presses until the presiding officer schedules the next vote by again enabling the ballot unit from the control unit. There is a mandatory 12-second delay before the control unit can enable the next vote to be cast. The casting of votes with key-presses is time-stamped.
Design, Engineering, and Manufacturing
The EVM software was developed by a select group of engineers from Bharat Electronics Limited (BEL) and Electronics Corporation of India Limited (ECIL), independent of each other, and the EVMs are sourced from both. Testing is done according to the software specification by multiple independent testing groups. The production group carries out production testing in the factory according to a quality assurance plan. Samples from production batches are tested by independent quality assurance groups. Both BEL and ECIL are responsible for packaging and shipping the EVM systems to the states as directed by the ECI. Container or sealed trucks with proper locking arrangements are used to transport the EVMs and VVPATs. Paper seals are put on the containers. All movements of EVMs are scheduled and monitored using an EVM Tracking Software (ETS), external to the machines, and based on global positioning system (GPS). On receipt of the EVMs, the district election officers (DEOs) are supposed to videograph the process of receipt of EVMs and then store them in strong rooms at the district headquarters.
EVM preparation: The ECI allocates EVMs to the states 200 days prior to polling. The EVMs are dispatched 180 days prior to polling and tracked using the GPS-based ETS software. There is a first-level checking of the EVMs three to six months prior to polling, where the internal parts are checked and the control unit is sealed. The EVMs are assigned to constituencies using a first-stage randomisation software three weeks prior to polling. In a second-stage randomisation, the EVMs are assigned to polling booths two weeks before polling. Finally, after the last date for candidate withdrawal, the ballot paper is fixed on the ballot unit, the candidate names are entered in an alphabetical order, a mock poll is conducted, and the ballot unit is sealed.
Polling-day processes: The serial numbers of the EVM components are shared with the candidates and the polling agents so that they can inspect before the commencement of the mock poll. A mock poll of at least 50 votes is conducted in each polling station and the EVM and VVPAT tallies are compared in the presence of the polling agents. After the mock polling has been completed, all the control unit buttons, other than those used for polling, are covered with paper seals which are signed by the polling agents.
Once polling is over, the presiding officer presses the close button, following which no votes can be cast. The complete EVM unit is sealed and signed. Polling agents are allowed to put their own seals. The representatives of the candidates are allowed to travel behind the vehicle that carries the EVMs to the counting storage rooms. The counting storage rooms are sealed and guarded by the Central Reserve Police Force (CRPF). Candidates are allowed to put their own seals on the strongroom.
Counting-day processes: First, the EVM serial numbers, seals, the start and end times as recorded are verified by both election officials and polling agents. The control units that do not display the result because they were not closed properly, or those where the total number of votes reported does not match that reported by the presiding officer, are kept aside for scrutiny. After the announcement of the results, candidates or counting agents can apply for VVPAT counts to the returning officer, who has to take a decision on the matter.
Because of the above systems and processes, the ECI and several other commentators believe that electronic voting using the ECI’s EVM is safe (Sinha 2020). In particular, they believe that though there can be no formal guarantees against hacking, hacking is practically impossible because of the tight processes and the secure custody chain of control. Further, they believe that since an EVM is not connected to any network, it cannot be hacked remotely.
Concerns with EVMs
While banning electronic voting, the German Constitutional Court made the following observation:
The use of voting machines which electronically record the voters’ votes and electronically ascertain the election result only meets the constitutional requirements if the essential steps of the voting and of the ascertainment of the result can be examined reliably and without any specialist knowledge of the subject.
The legislature is not prevented from using electronic voting machines in elections if the possibility of a reliable examination of correctness, which is constitutionally prescribed, is safeguarded. A complementary examination by the voter, by the electoral bodies or the general public is possible for example with electronic voting machines in which the votes are recorded in another way beside electronic storage. (NDI 2009)
Several depositions have raised concerns that the EVM-based voting may not measure up to the standards laid down by the German Constitutional Court (Devasahayam 2020; Shukla 2020; Vora et al 2020; Sharma 2020; Saraph 2020; Prasanna 2020; Nayak 2020). Specifically, the democratic principles that any voting process for public elections should adhere to are as follows (Devasahayam 2020):
- The voting process should be transparent in a manner that the general public can be satisfied that their vote is correctly recorded and counted.
- The voting and counting process should be publicly auditable.
- Ordinary citizens should be able to check the essential steps in the voting process. If special expert knowledge is required then all should be able to select their own experts.
- There should be verifiability in the counting of votes and ascertainment of the results reliably without any special knowledge.
- An election process should not only be free and fair but also be seen to be free and fair.
- The Election Commission should be in full control of the entire voting process, and the public at large should be able to verify.
- Electronic processes, if they are to be used for voting, should be in sync with changing technologies and technological practices and be subject to public scrutiny/examination.
The compliance of the ECI’s EVM- and VVPAT-based voting system to the above principles hinges crucially on the verifiability of the EVM and the voting and counting process. Much of the elaborate and complex design, engineering and manufacturing processes as well as administrative process outlined above are required precisely because public verifiability of the election process is doubtful and the public has to inevitably trust various authorities.
Verifiability cannot be established by inviting people to hack the hardware system, as the ECI has done. The ECI’s challenge for demonstrating hacks is not meaningful not only because sufficient time and access to tools are denied but also because the fact that something has not yet been hacked provides no guarantee whatsoever that it cannot be hacked (Shukla 2020). Indeed, there are numerous examples of EVM hacking all over the world, including an earlier version of the Indian EVM (Shukla 2020; Halderman 2011). Besides, the onus should be on the ECI and their experts to convince people, beyond doubt, that their design is secure, rather than illogically claiming it to be secure because the system has not yet been hacked (Vora et al 2020; Vora 2020). That is not how computer security is conventionally defined.
It is well known that testing is never adequate to declare an electronic system, as complicated as an EVM, fail-safe and verified (Vora et al 2020; Sharma 2020). While testing can usually detect malfunctioning of equipment, it is known to be inadequate for detection of backdoor Trojan attacks, simply because the possibilities are too many. An EVM system composed of its various components can exist in one of a very large number of internal states, which, almost surely, is an exponential function of the number of configuration parameters. Examination of such large systems is an intractable problem, which often compels the examiners to rely on weaker forms of verification, such as quality assurance methods — for instance, testing. However, well-documented studies have shown that such weak notions of verification can only detect a fraction of software errors (from this follows a common maxim that tests do not constitute a proof). In particular, it may be impossible to determine with a reasonable amount of computation or testing whether such systems can ever reach a compromised state, perhaps due to hacking, where the democratic principles are violated (Sharma 2020). In addition to that, predetermined and preset test patterns are known to be inadequate for verification of the integrity of a hardware–software co-design of a system as complex as an EVM (Vora et al 2020).
The due diligence in the EVM design also appears to be lacking in several aspects. It appears that the possibilities of side-channel attacks have not even been considered (Greenberg 2020; Devasahayam 2020; Shukla 2020). There are numerous examples of hacking electronic devices through electromagnetic and other channels from all over the world, including of the Software Guard Extensions of sophisticated Intel™ processors (Greenberg 2020; Oleksenko et al 2018). In view of such possibilities, the claims that the EVM has no external communication channels appear to be naive, especially considering that so much is at stake. The OTP aspect of the EVM is also doubtful because, in a response to a right to information (RTI) query, it was revealed that the latest EVM uses the MK61FX512VMD12 microcontroller (from a US-based multinational), which has a programmable flash memory (Sinha 2020; Devasahayam 2020; Shukla 2020). However, Sandeep Shukla (2020) points out that it cannot be written to if the JTAG pins are fused and memory lock bit is set. Unfortunately, this is impossible to verify since the details are not publicly available, and as the EVM design and prototype have not been made available for public audit (Nayak 2020).
Further, experts declaring it safe does not make the EVM+VVPAT verifiable. Besides, none of the ECI’s experts have credentials in computer security; in fact, the majority of them are not even computer scientists (Shukla 2020). In addition to experts, the ECI seems to be reposing trust in many other entities and organisations — including hardware manufacturers, software developers and testers, system assemblers, and unmodelled custody chains — and is thus not entirely in control (Devasahayam 2020; Vora et al 2020; Saraph 2020).
The many claims of the ECI and its experts do not stand up to scrutiny. Some examples are: “EVM is unhackable,” “functionality tests and mock polls are sufficient,” “randomisation of EVM allocations makes the process safe,” “it is safe because candidate order is not known when EVM is sealed,” “mutual authentication of EVM components makes it safe,” “ECI’s procedures cannot be circumvented,” and “ECI’s VVPAT protocol makes the voting process verifiable;” all these claims have been convincingly challenged in the depositions received by the CCE (Shukla 2018, 2020; Vora et al 2020; Sharma 2020; Devasahayam 2020; Saraph 2020).
Thus, elections must be conducted assuming that the EVMs may possibly be tampered with (Vora et al 2020; Sharma 2020). After all, with modern data analytics, it may only require targeting EVMs in a few polling stations to swing the election results for a constituency (Shukla 2018, 2020; Vora et al 2020). The long time window — over the cycle of design, implementation, manufacture, testing, maintenance, storage, and deployment — may provide ample opportunity for insiders or criminals to attempt other means of access (Vora et al 2020). There is an overwhelming requirement of trust on such custody chains; such (often implicit) assumptions of trust in various mechanisms make the election process unverifiable (Vora et al 2020; Sharma 2020; Saraph 2020).
Concerns with the VVPAT System
The ECI’s VVPAT system is not voter-verified in the true sense (Vora et al 2020; Sharma 2020; Saraph 2020). The correct VVPAT protocol should be to allow voters to approve the VVPAT slip before the vote is cast and provide an option to cancel their vote if they think there is a discrepancy (Vora et al 2020). There is no clear protocol for dispute resolution if a voter complains that a VVPAT print-out is incorrect, as there is no non-repudiation of a cast vote (Sharma 2020).
Moreover, there is no guarantee that every VVPAT slip that is finally counted has been verified by a legitimate voter (that is, there has been no vote stuffing) or that every voter-verified slip is finally counted (that is, there has been no deletion of votes). The VVPAT audit can, at best, ensure that the electronic and VVPAT tallies match, but that by itself — without a “compliance audit”-based protection against spurious vote addition or deletion in a manner verifiable by all candidates — provides no real guarantee (Stark and Wagner 2012; Sharma 2020; Vora et al 2020; Vora 2020; Saraph 2020).
Finally, since the VVPAT slips are not demonstrably in the one-to-one correspondence with the electronic records, it needs to be clearly defined which of the two is the legal definition of a vote. Basic logic demands that it should be the VVPAT slip, but the ECI seems to suggest that it is the electronic record.
The overall lack of transparency and public auditability, which are crucial for democratic principles of public elections, is worrisome (Sinha 2020; Devasahayam 2020; Shukla 2020; Vora et al 2020; Sharma 2020; Saraph 2020; Prasanna 2020). The non-verifiability of the EVM- and VVPAT-based voting protocol makes it impossible to rule out unpredictable manipulations by unpredictable entities, including foreign players. It is essential that all aspects of an election be observed, audited, and independently verified by the public to engender trust (Vora et al 2020; Nayak 2020; Shukla 2020).
Trustworthiness of the Custody Chain of EVMs
Several depositions raised concerns regarding the efficacy of the processes described above in maintaining the integrity of the polling process. Specifically, the following anomalies were noticed in the Lok Sabha elections 2019.
The ECI and the manufacturers-cum-suppliers of EVMs — ECIL and BEL — appear to have been evasive in response to RTI queries (Nayak 2020). In addition, the information on the audits conducted by the Standardisation Testing and Quality Certification Directorate (STQC) of the Ministry of Electronics and Information Technology and the Central Forensic Science Laboratory (CFSL) has also been sketchy and evasive (Nayak 2020). The reluctance by the authorities to share information publicly — despite the Central Information Commission’s recommendation made in 2018 that information relating to the software used in EVMs be made public in the larger public interest — is surprising and worrisome (Nayak 2020).
There were discrepancies in the voter turnout/votes polled data on the EVMs and the votes counted data on EVMs in over 373 constituencies (Agarwal 2020; Devasahayam 2020). The four highest discrepancies were of 18,331, 17,871, 14,512, and 9,906 votes, where the votes in the EVMs were in surplus. These numbers are clearly too large to be explained by inadvertently counted remnant mock polling data. Not only have there been no explanations forthcoming from the ECI regarding the discrepancies, but the ECI also took down the data from their website after an explanation was sought (Agarwal 2020). About two million EVMs were stated to be missing from the Election Commission. The ECI had no explanation for this either (Devasahayam 2020; Vora et al 2020). After the final vote was cast there were video reports from at least 10 different places of new EVMs being moved into strongrooms. The ECI said these were reserve EVMs but provided no evidence for this and no explanation for why they need to be moved just before counting rather than at the time of voting, when there was, in some cases, a period of several weeks between the voting and counting. They also provided no explanation as to why there were no security officers accompanying these vehicles — as required by the Election Commission rules — and why these vehicles were often unnumbered, unofficial vehicles. Doubts arise as to whether these are part of the two million missing EVMs. There have also been reports of irregularities in the counting process (Devasahayam 2020).
The issue of how many EVMs need to be checked by comparing the electronic tally with a manual VVPAT slip tally for audit of the machine counts has also been mired in controversy. In its letter dated 13 February 2018, the ECI directed the state chief electoral officers to mandatorily verify VVPAT paper slips in only one randomly selected polling station in each assembly constituency. The statistical basis for this directive was however unclear (Devasahayam 2020; Prasanna 2020). At the request of the Election Commission, Abhay Bhatt of the Indian Statistical Institute, Delhi, and others provided a report describing how many EVMs should be cross-checked and why. The report recommends the cross-checking of only 479 EVMs across the country, independent of how many total EVMs there are (some reports mention that a total of 10.35 lakh EVMs were considered). It says that, if a fraction of 2% or more of the EVMs are faulty, cross-checking 479 chosen at random across the country will be sufficient to detect this fact with near certainty (very high probability) (Devasahayam 2020; Prasanna 2020; Vora et al 2020; Vora 2020; Saraph 2020). This was also supported by Rajeeva Karandikar of the Chennai Mathematical Institute (Devasahayam 2020).
In response to petitions in the Supreme Court from representatives of the civil society and opposition parties that the then standard of cross-checking one EVM per assembly constituency was not sufficient, the ECI used the Bhatt report to claim that their approach resulted in checking 4,125 EVMs over the entire country and was hence more than sufficient. However, the Supreme Court ordered the Election Commission to increase the number of cross-checked EVMs to five per assembly constituency in order to assuage the concerns of the petitioners; this corresponds to 20,625 EVMs across the country. The Court later turned down another set of petitions filed by civil society groups and opposition parties to count 50% of EVMs per constituency, stating that this was not necessary. The ECI claimed that manual VVPAT counting in 50% of the constituencies would delay the announcement of results (Devasahayam 2020; Prasanna 2020; Vora 2020; Vora et al 2020). The rationale behind the Supreme Court’s directive to cross-check only five EVMs per assembly constituency against manual VVPAT counts was never explained. It does not seem to have any statistical basis (Devasahayam 2020; Prasanna 2020; Vora 2020; Vora et al 2020). The failure to cross-check a sufficient number of EVMs even after widespread public suspicions, and despite 21 opposition parties as well as civil society requesting it, diminishes public faith in the process (Devasahayam 2020). The Supreme Court also failed to direct what “decision rules” must be followed by the ECI in the event of discrepancies between manual counting and electronic counting (Devasahayam 2020; Prasanna 2020).
In probability theory and statistics, the sufficiency of sampling is usually determined by the hypergeometric distribution. It is a discrete probability distribution that describes the probability of k successes — random draws for which the object drawn has a specified feature, in the present case, a defective EVM — in n draws, without replacement, from a finite population of size N that contains exactly K objects with that feature, wherein each draw is either a success or a failure. This is very similar to the binomial distribution that describes the probability of k successes in n draws with replacement.
In an analysis using the hypergeometric distribution, Shetty (2018) shows that if 1% of the EVMs are assumed to be defective (give a mismatch with the VVPAT count), then, for a 99% probability of detecting at least one defective EVM, the sample sizes required for various population sizes are given as per Figure 2. Table 1 defines population. Figure 3 shows how the sample size must vary with the proportion of faulty EVMs. Quoting Shetty (2018), “Studying Figure 2 and Table 1 together, it is obvious that if the EVMs used in an assembly constituency are defined as the population, the population size (N) will be very small; the sampling fraction (n/N) will be very big; and the sample size (n) will vary considerably across assembly constituencies. The same is true if the EVMs used in a parliamentary constituency are defined as the population. If the EVMs in a state as a whole are defined as the population, there is considerable variation in population size from the very small (Sikkim) to the very big (Uttar Pradesh). For the nine smaller states with population size less than 10,000 EVMs, the sampling fraction (n/N) will be quite big and the sample size will vary considerably across the states. For the 20 bigger states with population size greater than 10,000 EVMs, the sample size will “hit a plateau” in the 450s and further increase in population size will have little or no effect on it. If the EVMs used in India as a whole are defined as the population, due to the “plateau effect,” the sample size is just one more than that for UP.”
In view of the above, in most cases, the ECI’s prescribed sample size of “one EVM per assembly constituency” will fail to detect a faulty EVM with a very high probability (see Shetty 2018 for details). Using a similar analysis, Vora (2020) and Vora et al (2020) show that with a 2% rate of faulty EVMs, the Supreme Court’s directive of checking five EVMs per assembly constituency will fail to detect a faulty EVM in roughly 50% of the cases.
The Bhatt report is clearly based on the profoundly mistaken premise of taking the whole country as one population. At a 2% fault rate, the Bhatt approach is designed to detect only if roughly 20,000 EVMs are faulty. It completely misses the point that swinging a few tens of thousands of votes, with far fewer faulty EVMs, is sufficient to swing a single Lok Sabha seat (Devasahayam 2020; Vora 2020; Vora et al 2020; Prasanna 2020; Saraph 2020; Shukla 2020).
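The sampling arguments above can be checked directly from the hypergeometric formula. The following Python is an added example, not code from the report or from the cited authors; the 10.35 lakh total and the 479-EVM sample come from the text, while the 300-EVM assembly constituency and the 1,800-EVM parliamentary constituency with seven assembly segments are constructed sizes used only for illustration.

```python
"""Audit sample sizes for EVM/VVPAT cross-checks (added illustrative example)."""
from fractions import Fraction
from math import comb


def miss_probability(N, K, n):
    """P(no faulty EVM among n drawn without replacement from N, K of them faulty).

    This is the hypergeometric probability of k = 0: C(N-K, n) / C(N, n).
    Exact rational arithmetic avoids rounding at the confidence threshold.
    """
    if not (0 <= K <= N and 0 <= n <= N):
        raise ValueError("need 0 <= K <= N and 0 <= n <= N")
    return Fraction(comb(N - K, n), comb(N, n))


def detection_probability(N, K, n):
    """P(at least one faulty EVM appears in the audited sample)."""
    return 1 - miss_probability(N, K, n)


def min_sample_size(N, K, confidence=Fraction(99, 100)):
    """Smallest n whose detection probability reaches the given confidence."""
    if not 1 <= K <= N:
        raise ValueError("need at least one faulty EVM and K <= N")
    miss = Fraction(1)
    for n in range(1, N + 1):
        # Draw number n avoids every faulty unit with prob (N-K-(n-1))/(N-(n-1)).
        miss *= Fraction(N - K - (n - 1), N - (n - 1))
        if 1 - miss >= confidence:
            return n
    return N


def faulty_count(N, rate):
    """Number of faulty EVMs implied by a fault rate (a Fraction), rounded up."""
    return -(-N * rate.numerator // rate.denominator)


ALL_INDIA = 1_035_000   # 10.35 lakh EVMs, the total quoted in the text
ASSEMBLY = 300          # constructed: EVMs in one assembly constituency
PARLIAMENTARY = 1_800   # constructed: EVMs in one Lok Sabha seat
SEGMENTS = 7            # constructed: assembly segments per Lok Sabha seat

if __name__ == "__main__":
    one_pct, two_pct = Fraction(1, 100), Fraction(2, 100)

    # Sample needed for 99% detection at a 1% fault rate: the plateau effect.
    for name, N in [("assembly", ASSEMBLY), ("parliamentary", PARLIAMENTARY),
                    ("all India", ALL_INDIA)]:
        n = min_sample_size(N, faulty_count(N, one_pct))
        print(f"{name:>13}: N={N:>9,} n={n:>4} fraction={n / N:.2%}")

    # Nationwide premise: 479 EVMs against a 2% fault rate spread over India.
    K = faulty_count(ALL_INDIA, two_pct)
    print("479 nationwide, detect:",
          float(detection_probability(ALL_INDIA, K, 479)))

    # Same 2% rate, but the population is one constituency.
    K_ac = faulty_count(ASSEMBLY, two_pct)
    print("1 per assembly, miss:", float(miss_probability(ASSEMBLY, K_ac, 1)))
    print("5 per assembly, miss:", float(miss_probability(ASSEMBLY, K_ac, 5)))
    K_pc = faulty_count(PARLIAMENTARY, two_pct)
    print("5 per segment over one seat, miss:",
          float(miss_probability(PARLIAMENTARY, K_pc, 5 * SEGMENTS)))

    # Fewer faulty machines require a larger audit: a single faulty EVM
    # in a 300-EVM constituency needs almost a full count for 99% detection.
    print("one faulty EVM, n =", min_sample_size(ASSEMBLY, 1))
```

With these constructed sizes, the required sample is most of the machines when the population is a single assembly constituency and levels off in the 450s nationally, while five EVMs per segment over one seat misses a 2% fault rate about half the time.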
Table 1: Defining Population
Source: Shetty (2018).
Note that if the margin between the winner and the candidate with the second highest votes is small, fewer EVMs need to be rigged and to detect this, more need to be checked. If the “population” has to be defined at the level of an assembly constituency, the number of EVMs to be cross-checked will depend on the margin, and, while it can be smaller than 30%, it can be larger than 50% as well. For example, in the extreme case of the margin being only one vote, a complete manual count will be necessary. In view of the above, the civil society and opposition party concerns that five EVMs per constituency are not sufficient appear to be reasonable.
Thus, in practice, election outcomes may be changed by tampering significantly fewer EVMs than what even civil society demands consider, and it is incorrect to assume that faulty (or hacked) EVMs are distributed homogeneously across the population. Moreover, the number of EVMs that need to be audited against manual VVPAT counts cannot be independent of the margins. However, with rigorous risk-limiting audit procedures that consider the margins, it should be possible to audit election outcomes without necessarily manually counting all VVPAT slips (Lindeman et al 2012; Bernhard et al 2017; Vora 2020; Vora et al 2020; Stark and Wagner 2012). Complete manual counting should be the last resort, unless suitable mechanical machine counting systems can be developed.