Debating India

ELECTIONS

Tried, but tested?

R. RAMACHANDRAN

Monday 1 March 2004, by RAMACHANDRAN*Rajesh

While the electronic voting machines in use in India are apparently foolproof and designed in a user-friendly manner, whether they have undergone a rigorous process of testing and verification will be proven in the coming general elections.

ELECTRONIC voting machines (EVMs) will be used in all the 543 Lok Sabha constituencies across India in the forthcoming general elections. So far, several byelections and elections to the State Assemblies have been conducted with the help of EVMs. The EVMs used in India are of simple design and better suited to the prevailing situation, especially conditions characterised by widespread illiteracy and a multitude of languages.

In the United States, the ballot counting fiasco that was witnessed in the State of Florida in the presidential election of 2000 and the consequent resolution of the contest by the courts, led to the passage of several State and federal laws, particularly the Help America Vote Act (HAVA) of October 2002. The law was brought in to push forward electoral reforms, especially the shift towards a fully computerised system of EVMs that would resolve problems relating to the use of punched-cards. In these EVMs, also referred to as Direct Recording Electronic (DRE) voting machines, the voter-machine interface could be a touch-screen visual display unit (VDU) if it is of the more high-tech variety.

The DRE machine records the voter’s intent electronically, stores it in the computer memory and automatically tallies it at the end of polling. The code of the programme that translates the votes cast into a record is hardwired or burnt into the microprocessor chip inside the system, which has been designed by the manufacturer/vendor. Since the system does not run on any soft programme, it is believed to be secure and tamper-proof. The voting process is paperless - there are no ballot boxes, and therefore no possibilities of ballot-stuffing or booth-capturing. Yet, how can the voter be sure that her or his intent is recorded faithfully by the system? As there is no physical representation of the vote, recounting is not possible in the traditional sense in case of a dispute. The only method of recounting would be a rerun of the electronic tallying system, which will merely reflect the same total.

As the U.S. too prepares for elections in 2004, there are doubts about the reliability of the DRE system and these have been strengthened by a number of problems encountered during its use in the 2002 congressional elections. Computer scientists are at the forefront of the opposition to the new system. They argue that even a fledgling programmer can write codes that display the voter’s decision on the screen (which corresponds to blinks and beeps in the Indian design), records it another way and tallies it in yet another way. This can happen for a variety of reasons, including software and hardware errors, or "hacks" or bias deliberately introduced into the programme at the manufacturer’s end. Since ballots are secret, there is no way to check whether the votes were recorded accurately. According to the scientists, problems can occur even when voting machines have been thoroughly inspected and tested according to guidelines and standards laid down by the authorities. The source code of the programme is, for proprietary reasons, not open, and this prevents a third party - say an independent body of computer experts - from scrutinising the programme for bugs and errors. So there is an ongoing campaign in the U.S. calling for making the source code open. The manufacturers have rejected the proposition, arguing that they are protected by trade secrecy clauses built into their supply contracts with the government.

An interesting incident that has given an impetus to the campaign is the inadvertent leak of the code of one particular manufacturer, Diebold Systems Inc., one of the majors in the manufacture of automated teller machines (ATMs), through their insecure FTP server. The incident was made public by an online U.S. magazine and the code was then analysed by five computer scientists from Johns Hopkins University and Rice University. They pointed out several security loopholes and bugs in the code. The charges made by the scientists, Diebold’s response, and the rebuttals are all available on the Internet.

A demand is being made for a "voter-verifiable audit trail", which is a physical proof of the vote, which becomes the final record of the voting and can be used for a recount if required and serve as legal proof too. Scientists are demanding that the details of tests and security audits conducted on the systems by the authorities be made public even if the code is not made public.

A petition, "Resolution on Electronic Voting System", posted on the website www.verifiedvoting.org,,] maintained by David Dill, Professor of Computer Science at Stanford University and endorsed by nearly 1,600 computing professionals, urges that all DRE machines include a voter verifiable audit trail. In a paper written by David Dill and two other Professors in ACM Communications, a professional journal, the authors suggest an audit trail based on what is referred to in computing circles as the "Mercuri Method" after its proponent, Rebecca Mercuri, a computer scientist. The DRE machine records the vote on paper when the voter has finished voting. The voter can review the paper ballot to verify whether it is marked in accordance with his or her intention, after which it is deposited into the ballot box. Discrepancies can be brought to the attention of an election official and, in case of any error, the paper is destroyed and the voter is allowed to vote again. The paper ballots can be used for a recount in case of a dispute or a close finish. The original proposal by Mercuri requires the printer to be behind a glass walled cubicle, which the voter can only see and not handle and the ballot is automatically dropped into a box or destroyed.

IN the Indian context, this could lead to a tremendous amount of logistical and operational problems, including the possibility of the disruption of voting in the booth itself, because it willy-nilly brings in the human element that the electronic voting process was supposed to get rid of. Moreover, it goes back to the more cumbersome paper-based voting system, besides entailing additional costs, which seems to defeat the entire purpose. If the purely electronic process fails to ensure the larger objective of conducting fair elections, other verifiable processes would have to be considered. However, in response to an e-mail query from Frontline, Dill said that a printed ballot paper was only one possible voter verifiable audit trail and that one could think of alternative methods. So the basic questions concerning the reliability of the machines and mechanisms to ensure it are relevant in the Indian context too.

The EVM concept was first developed in India in 1977 by the two public sector companies, Bharat Electronics Ltd. (BEL) and Electronics Corporation of India Ltd. (ECIL), on an experimental basis. The first prototypes were built in 1980 and these were, according to A.N. Jha, Deputy Election Commissioner, put to a number of tests by a committee of the then Department of Electronics. It was tried out in a byelection in Kerala in 1981, but the result was challenged by one party and consequently struck down by the Supreme Court on the grounds that the Representation of the People Act provided only for paper ballots. It was only in 1989 that the law was amended to allow the use of EVMs. A committee of three scientists, headed by P.V. Indiresan, the then director, Indian Institute of Technology (IIT), Madras, looked into the technical aspects of the system and recommended that it was viable and could be used in elections.

According to former Chief Election Commissioner (CEC) T.N. Seshan, the committee said that unless at least 1,000 people became partners in dishonesty, no malpractice or fraud was possible. About 1,50,000 EVMs were then ordered at a cost of Rs.75 crores from BEL and ECIL. According to Seshan, V.P. Singh, who became the Prime Minister, did not favour the use of EVMs and later Prime Minister P.V. Narasimha Rao did not introduce it because of lack of finances. So EVMs were not introduced in the country for the next nine years. In 1998, under the initiative of former CEC M.S. Gill and Subhas Pani, a former official of the Election Commission (E.C.), who was chiefly responsible for introducing information technology in the working of the E.C., they were used in byelections in Delhi, Rajasthan, Madhya Pradesh and Mizoram. A study that was carried out by the Delhi-based Centre for the Study of Developing Societies concluded that EVMs were more efficient and easier to handle and did not compromise fairness. During the general elections of 1999, EVMs were used in 45 parliamentary constituencies. In the State elections of 2001, only EVMs were used. "It did not reveal any problem," Jha said.

However, the use of the EVM was challenged by the All India Anna Dravida Munnetra Kazhagam (AIADMK) before the elections to the Tamil Nadu Assembly was held. But the court approved the use of EVMs in the election. On the eve of the Assembly elections in Punjab, Chief Minister Amarinder Singh used a dummy EVM to claim that the system could be manipulated using a remote keypad, and the Punjab and Haryana High Court ruled that he be given an opportunity to prove his claim. Amarinder Singh sent some computer professionals to demonstrate and prove his claim before the E.C. However, the claims could not be substantiated with the EVMs provided by the E.C. "There are a whole lot of checks and balances to verify the system’s reliability," Jha said.

An important difference between the situations in the U.S. and India is that here the companies involved belong to the government sector and it is unlikely that they would try to manipulate the results through a built-in programme. Machines are procured only by the E.C., and Jha feels that the contract for procuring them is unlikely to be given to the private sector. One reason why the U.S. public distrust Diebold Systems is that its chief executive officer, William O’Dell, is known to be a supporter of the Republican Party. Said Prof. Dill: "I’m not comfortable with the level of private corporate involvement in American elections. Having the government do it may be superior."

In spite of the involvement of public sector companies, the source code of the programme that is embedded in the chip - the two companies have different codes - is not in the public domain and therefore cannot be evaluated by an independent expert for bugs, errors or security loopholes. According to J.B. Venkataratnam of ECIL: "The proof of the reliability of the programme, like any software, is in its repeated use without any flaws." He rejected the suggestion to make the code public, saying that it is proprietary. The EVMs have been introduced and the election process designed in a manner that will retain most of the checks and balances present in the traditional ballot paper system of voting, according to Jha. He pointed out that automation was only with respect to the recording of votes and the counting of them. According to Indiresan, it was R.V.S. Peri Sastry, as Election Commission Chairman, who meticulously ensured that it was so.

One of the tests that the machines undergo is the `mock poll’, which is done at every polling station in front of the representatives of the various candidates, before voting starts. Once the system’s reliability is okayed in the mock poll, it is sealed in front of the candidates (or their representatives), and no one has access to it afterwards. There are four or five seals for each system and if it is not found proper at the time of polling, the system is rejected. "We follow a number of such prescribed procedures," Jha said. Two procedures are followed to reduce the probability of a deliberately introduced code rigging the elections, say, by shifting the votes systematically from candidate A to candidate B. One is that the list of candidates is released only 15 days before the election by which time the machines are not accessible to the supplier at all, and the other is that the distribution of machines to the polling stations is randomised so that one cannot execute any planned manipulation. This ensures that even a random shifting of votes does not serve any purpose because it is likely to affect the votes of the candidate indulging in such manipulation.

The system has a provision for obtaining a paper trail of the votes cast using a decoder, which can be checked against the manually recorded sequential voters’ register in case of a dispute. The paper trail is, however, not a voter verifiable audit trail in real time, as the campaign in the U.S. wants it to be. So the voter does not see the paper record. It may be produced only in the court and the court may summon a particular voter to confirm whether the record confirms with his vote. Of course, there is room for deliberate false information being given to the court by voters with vested interests.

While the system of checks in the Indian context seems to be foolproof, computer scientists point out that the tests carried out by the authorities are usually considerably less than the ideal. Their argument is that the `mock poll’ test might detect only simple programme errors and obvious defects. According to them, it is capable of filtering out only the most obvious bugs, leaving the subtler ones that are triggered less frequently intact. Such testing, they say, cannot gauge software reliability, security or malicious code problems. Apparently, DRE systems used in the 2002 U.S. elections revealed several flaws despite being tested in mock elections that used more votes than a typical machine gets during actual polling. More important, according to the scientists Dill, Mercuri, Peter G. Neumann and Dan S. Wallach, testing for security problems, especially if they were intentionally introduced and concealed, is basically impossible.

The Indian EVMs may be secure and foolproof. The 2004 parliamentary elections will be the real testing ground. But it is not obvious that the systems have gone through the level of scrutiny of the code that is required - as the U.S. scientists have carried out on one code.

Says Pani: "Those theoretical questions are meaningless. The EVMs have performed without any flaw so far. But you can put the systems through a billion votes. BEL and ECIL engineers should be commended for the great job they have done in building a simple but extremely robust system. More important, the people have already accepted it without any furore. No other country, developed or developing, has been able to introduce electronic voting across the entire country in just four years. The management of the entire process and delivering it to 620 million voters is not a mean achievement."

See online : http://www.hinduonnet.com/thehindu/...

P.S.

Pic : AFP ; On the outskirts of Agartala, an election official demonstrates how to use an electronic voting machine.

Frontline, volume 21 - Issue 04, February 14 - 27, 2004.

SPIP | template | | Site Map | Follow-up of the site's activity RSS 2.0