Monday, January 17, 2022

Citizens’ Commission on Elections’ Report on EVMs and VVPAT

Citizens’ Commission on Elections’ Report on EVMs and VVPAT Madan Lokur, Wajahat Habibullah, Hariparanthaman, Arun Kumar, Subhashis Banerjee, Pamela Philipose, John Dayal, Sundar Burra, M G Devasahayam The complete report can be read at’-commission-elections’-report-evms-and.html Final Recommendations The analysis in the above two sections clearly demonstrates that the decisionmaking processes within the ECI need to be much more logical, rigorous, and principled, compared to what it was during the 2019 parliamentary elections. Ad hoc systems and processes without adequate analysis of the properties and guarantees should be avoided. Only then can elections using electronic means adhere to standard democratic principles, appear to be free and fair, and engender confi dence in election outcomes. Specifically, we make the following recommendations for the future: Software and hardware independence: The electronic voting system should be redesigned to be software and hardware independent in order to be verifi - able or auditable. The EVMs cannot be assumed to be tamper-proof. As defi ned by Rivest (2008), a voting system is software [hardware] independent if an (undetected) change or error in software [hardware] cannot cause an undetectable change or error in an election outcome. In other words, even if a voting machine is tampered to change the votes, it should be possible to detect so in an audit. This is not to say that a hardware based EVM cannot be used, but that the correctness of an election outcome should not depend on the assumption of correctness of the EVM. Any solution that relies crucially on the assumption of correctness of the EVMs is not software and hardware independent. (Vora et al 2020; Sharma 2020) To be compliant with democratic principles, there is a defi nite need to move away from only certifi cation of voting equipment and processes and instead demonstrate—end-to-end—that the outcome of an election is correct irrespective of machines and custody chains of EVMs. Two ways to do this are mentioned in the literature, namely adopting rigorous and well-established strategies for compliance and risk-limiting audits, or using a provably end-toend verifi able cryptographic protocol, or both (Lindeman et al 2012; Stark and Wagner 2012; Bernhard et al 2017; Vora et al 2020; Sharma 2020). End-to-end cryptographic verifiability: One way to achieve software and hardware independence is to use end-to-end (E2E) verifiable systems with provable guarantees of correctness (Vora et al 2020; Sharma 2020; Saraph 2020; Bernhard et al 2017). The overall correctness of voting is established by the correctness of three steps: (i) “castas-intended,” indicating that the voting machine has registered the vote correctly; (ii) “recorded-as-cast,” indicating the cast vote is correctly included in the final tally; and (iii) “counted as recorded,” indicating that final tally is correctly computed. There must also be guarantees against “spurious vote injections” (Sharma 2020). These guarantees should be publicly verifiable. The ECI should explore the possibility of using an E2E verifiable system (Bernhard et al 2017). Redesign of the VVPAT system: The other way to achieve software independence is through risk limiting end-of-poll audits using VVPAT (Lindeman et al 2012; Stark and Wagner 2012). For this, the VVPAT system should be redesigned to be fully voter-verified (Vora et al 2020; Saraph 2020; Sharma 2020). The voter should be able to approve the VVPAT printout before the vote is finally cast and be able to cancel if there is an error. Moreover, either the VVPAT slips must be in one-to-one correspondence with the electronic records—this is difficult, considering the secret ballot requirement—or it needs to be clearly defined which of the two is the legal definition of a vote. Simply declaring results based on the electronic counts violates the democratic principles. Moreover, in case a voter disputes that the vote has been incorrectly recorded, there must be a clear method of determination either in favour of the voter or of the authorities (Sharma 2020). This may not be possible in a pure DRE-based system like the ECI’s EVM, because the machine may not make the same error when tested, and it is not possible to determine, without doubt, whether it did originally make the error. In this case, the voter cannot be penalised and a clear protocol for dispute resolution must be put in place. End-of-poll audits: For proper end of-poll audit using VVPAT, the ECI needs to change the currently prescribed policy with rigorous risk-limiting audit based sampling strategies before the results are announced (Lindeman et al 2012). And, there must be a clear preannounced protocol for deciding the outcome—including possible re-polling—if there is a mismatch between the VVPAT and the electronic tallies (Devasahayam 2020). Legislation: T here has to be legislation to deal with the cases when the audit and the subsequent recount reveal a problem. Legislation will also be required to regulate when, and if, a candidate can request a hand count. Best practices suggest that such legislation be based on the established statistical principles as opposed to the judgment of individual election officials to the extent possible (Vora et al 2020). Independent review: The voting system design should be subjected to independent (of the government and the ECI) review, and the integrity of the election process should be subjected to an independent audit. The fi ndings should be made public. Transparent processes: The election processes need to be completely transparent and should not have too many requirements of trust on authorities and experts, including on the ECI (Devasahayam 2020; Prasanna 2020; Vora et al 2020; Sharma 2020; Saraph 2020). All design details should be publicly available. In addition to that, there should be more public consultations, and public and civil society concerns should be transparently and fairly handled. If we opt for electronic elections and bring computer science and statistics into public life, then we cannot leave their disciplinary rigour behind.

No comments:

Post a Comment