Releasing a new study simultaneously in Chennai and Kolkata in view of the forthcoming elections in Tamil Nadu and West Bengal, the Citizens’ Commission on Elections (CCE) – a civil society initiative – has regretted “lack of integrity of EVM voting”, pointing out, the Election Commission of India (ECI) does not appear to safeguard against the possibilities of ‘side-channel attacks’, i.e, hacking electronic devices through electromagnetic and other methods.
Based on opinion from from Indian and foreign experts from well-known institutions, a CCE note on the study states, even the ‘software guard extensions’ of sophisticated Intel processors have “proved vulnerable to such interference and tampering, adding, these are important concerns because just a few EVMs can swing election results for a constituency.
The CCE note says, that the processor chip in the EVM is only one-time programmable is in doubt. In fact, the latest EVMs use the MK61FX512VMD12 microcontroller supplied by a US-based multinational, which has a programmable flash memory, demanding its “public technical audit.”
CCE note:
In a healthy democracy, citizens are expected to take an active interest in the process and conduct of elections. The Election Commission of India (ECI), set up under Article 324 of the Constitution of India, has often worked in close collaboration with independent organisations dedicated to the strengthening of democracy. Such bodies of citizens have provided valuable feedback to the Commission and have flagged issues of concern or alarm.It is regrettable, therefore, that the ECI’s conduct of the parliamentary elections of 2019 invited serious controversy and its very fairness came to be questioned by several organisations on very valid grounds. The Association for Democratic Reforms, the Constitutional Conduct Group (CCG) of former civil servants, the Forum for Electoral Integrity, the Delhi Science Forum, the Aman Biradari Trust, People First and the Centre for Financial Accountability were among several groups which were compelled to draw public attention to the lack of integrity of EVM voting and the ECI’s departure from neutrality.
Many political parties, mainstream and digital media houses and civil society groups also voiced serious apprehensions at the manner in which the ‘model code of conduct’ was being violated by the ruling party without adequate retribution from the ECI. On the contrary, the ECI chose to respond to such justified criticism with an alarming silence or by aggressively defending its record, even when patent infirmities were specifically pointed out by several former civil servants who had themselves conducted/supervised elections.
Since it was clear that the ECI was unwilling to introspect on its failures, MG Devasahayam, IAS (Retd), a distinguished retired civil servant and an active member of several civil society groups, took the initiative to consult other independent civil society groups and apolitical platforms which had also expressed apprehensions over the ECI’s stances.
In 2019 and 2020, seminars and wide-ranging public discussions were held on the issue. One of the unanimous suggestions that emanated from this process was the need to constitute a body of eminent and experienced persons with domain knowledge to delve into critical aspects related to elections in India.
The Citizens’ Commission on Elections (CCE) was thus constituted, with the mandate to draw upon expert advice where necessary and come up with appropriate suggestions to ensure that elections in the country are conducted with fairness and integrity. The CCE was set up on March 5, 2020, and comprised the following:
The Citizens’ Commission on Elections (CCE) was thus constituted, with the mandate to draw upon expert advice where necessary and come up with appropriate suggestions to ensure that elections in the country are conducted with fairness and integrity. The CCE was set up on March 5, 2020, and comprised the following:
- Justice Madan Lokur, former Supreme Court Judge, Chair
- Wajahat Habibullah IAS (Retd), Former CIC, Vice-Chair [CCG]
- Justice Hari Paranthaman, former Madras High Court Judge
- Prof Arun Kumar, Eminent Economist
- Dr John Dayal, Civil Society Activist
- Pamela Philipose, Senior Journalist
- Dr Subhashis Banerjee, Professor, Computer Science, IIT, Delhi
- Member-Convener, Sundar Burra IAS (Retd), [CCG]. MG Devasahayam [People-First and CCG] functioned as the Coordinator of the Commission.
CCE’s expert group reviewed the functioning of EVMs primarily on the touchstone of whether and how far their use complied with important ‘democracy principles’ detailed in the enclosed summary. In short, it insists on absolute transparency in facilitating the voters’ right to choose a candidate of their choice and in ensuring that this is faithfully reflected in the votes stored and counted -- without the slightest deviation whatsoever.
Democracy principles also mandate that the voting procedure is easily understandable and verifiable by the voter and open to audit without complications even when relevant technology is utilised. There should be absolutely no scope for error or misrepresentation of the elector’s choice. The group has relied on depositions and expert opinions of several national and international experts and was informed of the reasons why even the most advanced countries of the world have preferred not to use EVMs during polls.
Among the domain knowledge holders who submitted depositions before this CCE group were Poorvi L. Vora and Bhagirath Narahari of George Washington University, USA; Alok Choudhary of Northwestern University, USA; Bappa Sinha of Free Software Movement of India (FSMI); Subodh Sharma of Computer Science and Engineering and of the School of Public Policy, IIT, Delhi; S Prasanna, Advocate, Delhi; Venkatesh Nayak, RTI activist; KV Subrahmanyam, Professor, Computer Science, Chennai Mathematical Institute, Chenna; Poonam Agarwal, media-person; Anupam Saraf, Professor and Future Designer; and MG Devasahayam, activist and retired civil servant.
The Commission was also privileged to receive the testimonies of some of the best international experts in the field, including Ronald L Rivest of the Massachusetts Institute of Technology, Cambridge, USA; Alex Halderman of the University of Michigan, USA; Douglas W. Jones of the University of Iowa, USA,; Nasir Memon of New York University, USA; Philip B. Stark of the University of California, Berkeley; and Vanessa Teague, Associate Professor, School of Computing and Information Systems, University of Melbourne, Cybersecurity, Australia.
In section 1.1, the report has examined technical details and the engineering design of the current EVMs as also the stage-by-stage processes they undergo during elections. In section 1.2, the report has analysed the concerns that have been articulated by concerned citizens of errors or intentional tampering for political gains in utilising EVMs. In the next section, No 2, issues relating to the trustworthiness of the custody chain and post-election are all examined.
Among the domain knowledge holders who submitted depositions before this CCE group were Poorvi L. Vora and Bhagirath Narahari of George Washington University, USA; Alok Choudhary of Northwestern University, USA; Bappa Sinha of Free Software Movement of India (FSMI); Subodh Sharma of Computer Science and Engineering and of the School of Public Policy, IIT, Delhi; S Prasanna, Advocate, Delhi; Venkatesh Nayak, RTI activist; KV Subrahmanyam, Professor, Computer Science, Chennai Mathematical Institute, Chenna; Poonam Agarwal, media-person; Anupam Saraf, Professor and Future Designer; and MG Devasahayam, activist and retired civil servant.
The Commission was also privileged to receive the testimonies of some of the best international experts in the field, including Ronald L Rivest of the Massachusetts Institute of Technology, Cambridge, USA; Alex Halderman of the University of Michigan, USA; Douglas W. Jones of the University of Iowa, USA,; Nasir Memon of New York University, USA; Philip B. Stark of the University of California, Berkeley; and Vanessa Teague, Associate Professor, School of Computing and Information Systems, University of Melbourne, Cybersecurity, Australia.
In section 1.1, the report has examined technical details and the engineering design of the current EVMs as also the stage-by-stage processes they undergo during elections. In section 1.2, the report has analysed the concerns that have been articulated by concerned citizens of errors or intentional tampering for political gains in utilising EVMs. In the next section, No 2, issues relating to the trustworthiness of the custody chain and post-election are all examined.
That an EVM has not yet been detected to have been hacked provides no guarantee that it cannot be hacked. Elections must be conducted assuming EVMs may be tampered with
The report has devoted considerable time and expertise in scrutinising the technical architecture of EVMs and the accompanying VVPATs. It noted that ECI does not appear to safeguard against the possibilities of ‘side-channel attacks’, i.e, hacking electronic devices through electromagnetic and other methods. Even the ‘software guard extensions’ of sophisticated Intel processors have proved vulnerable to such interference and tampering. These are important concerns because just a few EVMs can swing election results for a constituency.
That the processor chip in the EVM is only one-time programmable is also in doubt. In fact, the latest EVMs use the MK61FX512VMD12 microcontroller supplied by a US-based multinational, which has a programmable flash memory. Further examination is possible only when ECI makes the EVM design and prototype available for a public technical audit.
It noted that none of ECI’s experts have credentials in computer security and the ECI, by reposing trust in many other external entities and organisations, may have inadvertently lent itself to a system that lacks complete security. After tracking the various stages of the EVM’s movement within the election setup -- before and during polls, subsequent storage, counting and declaration of results -- the report opines that there are certain intervals during which the machines could be accessed without authority or could be tampered with.
The findings reveal that there is, indeed, no guarantee that the voter’s choice has been reflected with total fidelity in all cases. Domain experts therefore submit that immediate steps need to be taken to rectify the ECI’s current procedures, irrespective of the scale and extent of possible error or manipulation. Besides, domain experts have clearly stated that the present ‘quality assurance’ and testing strategies of the ECI certainly do not rule out scope for mischief or the manoeuvring of results.
The VVPAT (Voter Verifiable Paper Audit Trail) system was introduced later to ensure that voters were able to see and check physically the paper slips that emanated from the EVMs and the printers attached to them. The Supreme Court had ordered introduction of VVPAT as an additional stage to assure voters about the complete fidelity of their votes but the current procedure of voting does not seem to be in sync with this objective and leaves gaps that could be exploited. This paper trail has, for instance, been rendered ineffective as the ‘marked slips’ pop up for too brief a time for the voter to verify her/his vote before it moves away to its sealed box.
The ECI is reluctant to cross check the tally of counting VVPAT paper-slips with electronic results on the grounds that it entails unnecessary consumption of time, even though the total time taken now is considerably less than the time spent in counting paper ballots in the earlier system. Although VVPAT voting slips are required to be retained for a full year after the polls, in the 2019 instance the ECI destroyed these slips prematurely leading to grave apprehensions about the electoral process.
Rules regarding the mandatory recount of EVM results and the compulsory counting of VVPAT paper slips need to be scrupulously followed. The time required for all this should not be regarded as an impediment to the electoral process. Key concerns and suggestions from the domain experts of the CCE are:
---
Click here to read the full report
That the processor chip in the EVM is only one-time programmable is also in doubt. In fact, the latest EVMs use the MK61FX512VMD12 microcontroller supplied by a US-based multinational, which has a programmable flash memory. Further examination is possible only when ECI makes the EVM design and prototype available for a public technical audit.
It noted that none of ECI’s experts have credentials in computer security and the ECI, by reposing trust in many other external entities and organisations, may have inadvertently lent itself to a system that lacks complete security. After tracking the various stages of the EVM’s movement within the election setup -- before and during polls, subsequent storage, counting and declaration of results -- the report opines that there are certain intervals during which the machines could be accessed without authority or could be tampered with.
The findings reveal that there is, indeed, no guarantee that the voter’s choice has been reflected with total fidelity in all cases. Domain experts therefore submit that immediate steps need to be taken to rectify the ECI’s current procedures, irrespective of the scale and extent of possible error or manipulation. Besides, domain experts have clearly stated that the present ‘quality assurance’ and testing strategies of the ECI certainly do not rule out scope for mischief or the manoeuvring of results.
The VVPAT (Voter Verifiable Paper Audit Trail) system was introduced later to ensure that voters were able to see and check physically the paper slips that emanated from the EVMs and the printers attached to them. The Supreme Court had ordered introduction of VVPAT as an additional stage to assure voters about the complete fidelity of their votes but the current procedure of voting does not seem to be in sync with this objective and leaves gaps that could be exploited. This paper trail has, for instance, been rendered ineffective as the ‘marked slips’ pop up for too brief a time for the voter to verify her/his vote before it moves away to its sealed box.
The ECI is reluctant to cross check the tally of counting VVPAT paper-slips with electronic results on the grounds that it entails unnecessary consumption of time, even though the total time taken now is considerably less than the time spent in counting paper ballots in the earlier system. Although VVPAT voting slips are required to be retained for a full year after the polls, in the 2019 instance the ECI destroyed these slips prematurely leading to grave apprehensions about the electoral process.
Rules regarding the mandatory recount of EVM results and the compulsory counting of VVPAT paper slips need to be scrupulously followed. The time required for all this should not be regarded as an impediment to the electoral process. Key concerns and suggestions from the domain experts of the CCE are:
- End-to-end verifiability: Pre-determined and pre-set test patterns are known to be inadequate for verification of the integrity of an EVM. The present EVM system is not verifiable and is therefore unfit for democratic elections. To ensure independence between software and hardware, end-to-end verifiable systems with provable guarantees of correctness must be introduced and the ECI must declare its publicly-verifiable guarantees against spurious vote injections.
- If the correctness of an EVM cannot be established then it is practically impossible to predict whether an EVM can be hacked or not. In particular, that an EVM has not yet been detected to have been hacked provides no guarantee whatsoever that it cannot be hacked. Thus, elections must be conducted assuming that EVMs may possibly be tampered with.
- There must be a post-election audit of the EVM counts against manual counting of the VVPAT slips. In fact, it may be sufficient to tamper only a few EVMs to swing an election if a contest is close. Thus, in practice, it may be necessary to test more EVMs than even what the civil society and political party’s demand (30% and 50% respectively) to ensure verification and reliable ascertainment of results.
- There must be a stringent audit of the electronic vote count before the results are declared. The audit should not be based on ad hoc methods but by counting a statistically significant sample of the VVPAT slips according to rigorous and well-established statistical audit techniques. The audit may in some cases -- depending on the margin of victory -- require a full manual counting of VVPAT slips.
---
Click here to read the full report
Comments