No easy solutions to EVM manipulation, post VVPAT
Switching to a technology like the blockchain might be the way to retain electronic voting and integrity of the voting process
The essential task of a voting system is to make sure that a vote that is cast is cast as intended, recorded as cast, and counted as recorded. Many fear that the ongoing Indian elections, presided over by one of the least inspiring Chief Election Commissioners of the recent past, will fail to fulfil this task. The measures suggested to mitigate against this risk are one, ensure that the Election Commission publishes the total votes polled promptly after polling, and two, match turnout as pronounced by the EC with the constituency-level aggregate of the total votes, as certified on the Form 17C that every polling agent of every political party returns with from the polling booth, at the end of polling. These are necessary but not sufficient to guard against anything but the crudest form of manipulation.
The integrity of Indian elections now depends on the integrity of not the thousands of election officials but the integrity of the software and the engineers of the two companies, EIL and ECIL, that, besides manufacturing the voting machines, load the voter-verifiable-paper-audit-trail (VVPAT) machines with software to match the vote cast to the candidate plus symbol combination that then is printed out as a slip visible to the voter for seven seconds before dropping down to the bottom, joining other ballots for possible counting later. This software and the engineers who load the EVMs in every constituency, after the candidate list has been finalized, represent a vulnerability that the current system of process safeguards totally fails to guard against.
Another vulnerability stems from the design of the Electronic Voting Machine (EVM). The EVM has three components, the Control Unit, kept with the polling officer, the Ballot Unit, kept in an enclosed space for the voter to press the button against the name and symbol of the candidate of his choice, and the VVPAT unit. The countable votes are recorded and stored in the Control Unit of the EVM. The EVMs Ballot Units and Control Units are sealed and kept in strongrooms under CCTV monitoring until counting, and are opened on counting day. The Control Units are used for counting.
Amazingly, the control unit of the EVM gets its signal not from the ballot unit of the EVM, but from the VVPAT unit, so that if the VVPAT unit is hacked, the vote that is counted will not be the vote that is registered on the ballot unit but the vote as manipulated by the hacked VVPAT unit. The VVPAT unit is the one component of the EVM that is loaded with programmable software, and is vulnerable to manipulation. And the people who run software on the VVPAT units to enable them to match the button chosen on the Ballot Unit with the paper ballot to be printed out are not under the control of the Election Commission.
Another vulnerability pointed out by Kannan Gopinathan, the IAS officer who quit the service after the 2019 elections, following his discovery that the theoretical integrity of the election process has been compromised with the introduction of VVPAT, is the introduction of a centralized EVM Management System. The EVM system monitors where each EVM goes, nullifying the safeguard gained from the procedure of randomized allocation of EVMs to constituencies and booths.
What is the significance of turnout numbers inflated subsequent to the day of polling? It could suggest that additional EVMs were added to the ones inside the strongroom, filled with votes of the desired kind. But this would be rather crude. If you can turn off the CCTV cameras to bring in additional EVMs, you can also take out an equal number of original EVMs with more or less the same number of votes registered in them, so that the total votes polled remain the same but the composition of the votes would have changed.
Manipulation by adding to or substituting the EVMs in the strongroom can be checked by matching the serial numbers of the Control Units on Form 17C with the serial numbers of the Control Units used for counting. Provided the numbers matched are those embossed on the machines, rather than pasted on with a plastic or paper label.
The VVPAT unit prints out the ballot as cast by the voter for him to see. How can then it be accused of manipulating the vote into something else? The VVPAT only needs to print one kind of ballot for the voter to see and be satisfied, while sending a different vote to be stored in the Control Unit, for manipulation to take place. Is this beyond programming capability? Of course not. What about the test voting that happens before the actual voting starts? The VVPAT can be programmed to start manipulating votes after an initial batch of votes.
Counting the paper ballots from VVPAT machines to tally them with the electronic count for a statistically significant number of booths in each constituency is one check. But what if paper ballots are also switched? Forensic audit of the EVMs after counting, in the case of close results, is another option. But if the audit is done by the same companies that loaded them with software in the first place, that would not be useful.
The only sustainable solution is to shift to new, more reliable technologies of electronic voting, such as ones based on the blockchain, which underpins cryptocurrency and non-fungible tokens. These would allow a voter to find out how the vote he cast was registered, the ultimate test of foolproof voting.