Professor Mridul Nandi addressed a seminar last week at Kolkata’s Indian Statistical Institute (ISI) on a topic puzzling to most citizens: How transparent is the current EVM [Electronic Voting Machine] system in India? There couldn’t have been a better person to speak on the esoteric subject of the EVM than Nandi, for he’s a member of the ISI’s Applied Statistics Unit and specialises in cryptography, the science of using mathematical codes to secure information from breaches.

Nandi, in his address, said that just as a failed attempt to prove that ghosts don’t exist can’t be taken to mean they exist, the absence of conclusive evidence regarding the manipulation of the EVM also can’t imply it’s proofed from tampering. Theoretically, the algorithm, or mathematically coded instructions to complete an intended action, can be written into the EVM in a manner that it works contrary to its purpose of allowing votes to be cast as intended, registering them as cast, and counting them as registered.

Having followed the controversies over repeated mismatches between votes polled and votes counted and instances of astonishing upward revisions of voter turnout figures, I found my curiosity stoked by Nandi’s address. I read the synopsis of his presentation, and had extensive conversations with him to figure out how EVM functioning can be subverted and what the possible methods of countering it are.

At the outset, Nandi clarified to me, “The discussion at ISI was on theoretical possibilities and methods of improving transparency, and didn’t pertain to any particular election conducted in India.” Indeed, given the Election Commission of India’s (ECI) refusal to reveal the algorithm, a.k.a. source code, driving the electronic voting process, the only way of reversing the eroding faith in elections is by introducing protocols to make the EVM to function more transparently than it currently does.

Nandi suggested what these protocols could be in his address, but only after explaining why the EVM’s structure arouses suspicion that it could be manipulated. The EVM consists of the Control Unit (CU), into which are plugged the Ballot Unit (BU), and the Voter Verifiable Paper Audit Trail (VVPAT) printer. Algorithms are burnt into CU and VVPAT at the time they are manufactured, often many months before being used, to enable them to communicate with each other to complete the voting process.

Algorithms respond to numerically coded inputs. Suppose party V’s candidate and symbol are on Key No.2 of the BU. Once the voter presses this key, the CU records it and communicates to the VVPAT to print the name of V’s candidate and its symbol on a slip, which can be seen for seven seconds through a glass case before it drops into a box.

A case study

Now, for this piece, assume V is also the ruling party that possesses complete control over a supine ECI. V can have algorithm burnt into the CU that transfers votes cast for others to itself. V, though, faces a problem: the sequencing of keys—that is, the order of candidates arranged alphabetically on the BU—is decided after the last date of withdrawal of candidates. This order of candidates is downloaded to the VVPAT via Symbol Loading Unit (SLU) through image files. Thus, V wouldn’t have known at the time the algorithm was embedded into the CU that it would be assigned Key 2; its candidate can even be last on the BU.

V can overcome this hurdle by inserting into the CU’s algorithm a command according to which on receiving a number from the VVPAT, it should function contrary to its avowed purposes. When image files are downloaded to the VVPAT via the SLU, the number 2 can be attached to them as a DOC file. The VVPAT, following its algorithm, communicates this number to the CU, which can be ordered, for instance, to assign 600 of, say, the total 700 votes cast in a booth to V, regardless of the number of people who actually voted for it. This manipulation will match the count in Form 17C, which records the total votes polled in every booth.

In another constituency, V can be assigned Key 5. This number can be sent to the VVPAT via the SLU and then communicated to the CU. It would transfer votes to V now placed on Key 5 of the BU. The task of downloading images is the ECI’s or that of its designated contractors. The ECI hasn’t provided anyone with access to the innards of the SLU.

The CU’s algorithm could, in fact, be written to engage in a dishonest act through an input comprising a distinct pattern of voting. In this scenario, the VVPAT doesn’t come into play. For instance, when voters press the BU keys representing W, Y, Z, and X parties—V’s competitors—in this sequence, the CU’s algorithm, burnt into it beforehand, can be triggered into siphoning votes as spelt out in the previous example.

“The second form of manipulation requires V to arrange four people to sequentially press the keys for W, Y, Z, and X to make the CU behave contrarily. This is a cumbersome process,” said Nandi, adding, “I can write my own algorithm that most likely will pass all the tests and mock polls, but still illegitimately produce results favourable to a candidate.” Let’s call the two examples cited above as Problem No.1.

Another problem, or Problem No.2, arises from the suspicion that data stored in the CU are manipulated between the end of polling and the beginning of counting of votes. The CU, it should be remembered, provides a count of votes polled, and who got how many of them. Votes stored in the CU are called EVM votes.

Nandi suggests Problem No.2 can be resolved by writing into the CU’s algorithm a command to generate at the end of voting a hash value, a.k.a. checksum, which is a unique alphanumerical code. Hash values are to data what locks are to doors. A change in data post-poll will alter the hash value and that will be evidence of tampering, just as a broken lock is of a break-in. Nandi’s proposal is that the hash value for every EVM should be published on the ECI’s website, as should also its value at the time it is opened for counting. Not only polling agents, but even concerned citizens in Delhi or Chennai can check the integrity of voting by verifying whether the hash value has changed.

Since the hash locks data at the end of polling, it can’t be a solution to Problem No.1, which involves manipulating votes before the polling is closed. The way to resolve Problem No.1 is to randomly count more VVPATs than what the ECI mandates: five in each Assembly segment. A match between the CU and the VVPAT counts is said to rule out tampering or malfunctioning. This format of counter-checking has been adopted because it’s extremely difficult to rig the VVPAT, since the voter sees the slip it generates as soon as they vote.

Only five VVPATs are randomly counted because of the statistical probability that there would be a high chance of detecting a compromised EVM. A high chance of detection doesn’t mean all compromised EVMs will be found out; some might escape detection, putting at stake a small percentage of total votes cast. This small percentage is still a worry because elections are now increasingly won by narrow margins.

The disingenuous V can use the law of probability to determine how many EVMs can be manipulated with a low or negligible risk of being caught. Nandi computed figures for me based on the probability of not being caught. In an Assembly constituency having 250 polling booths, the random counting of five VVPATs would mean 32 compromised or “defective EVMs” will have a 50 per cent chance of going undetected. It’s too high a risk for V to take.

However, five defective EVMs will have a 90 per cent chance of escaping detection. With an average of 1,000 people voting through every EVM, 5,000 votes could potentially be stolen by rigging five EVMs. In a constituency with 300 EVMs, six defective voting machines, with 6,000 votes, will have a 90 per cent chance of evading scrutiny. It makes sense for V to manipulate five EVMs in the first constituency and six EVMs in the second constituency, for the party is most likely to get away with its dishonesty.

How to build trust

Nandi suggests a higher count of VVPATs to shore up confidence in the electronic voting process. Thus, if 50 VVPATs are counted in a constituency with 250 polling booths, then only one manipulated EVM will have an 80 per cent chance of not being found out. With just 1,000 votes to steal, the gains for V wouldn’t be commensurate with the risk, however negligible, of it being caught. The number of VVPATs to be counted should, in fact, be linked to the margin of victory: the less the difference of votes between the winner and the runner-up, the more VVPATs should be counted.

The ECI has always opposed the demand for counting the slips of more than five VVPATs on the grounds that since this exercise is carried out manually, it would take inordinately long and delay the results. The Supreme Court has endorsed its argument. VVPAT slips are not counted before CU votes are tallied because of the possibility that those CUs whose VVPATs aren’t included in the five randomly selected can be tampered with without any chance of being detected.

Nandi’s scheme of hashing and locking data of all CUs makes it possible to count VVPATs a day or even two days before their corresponding CUs are opened. This is because it would be impossible to manipulate the data of CUs left out of random selection without altering their hash values. Nandi further added, “The current rule states that if there’s a mismatch between CU and VVPAT counts, then the latter prevails.” This isn’t a strong disincentive against manipulating the EVM. “I’d say even if there’s one mismatch, then all VVPAT slips in that Assembly constituency should be counted,” Nandi suggested.

The best way to instil complete confidence in the EVM-VVPAT system is to subject algorithms to public scrutiny, a demand the ECI has stonewalled. Why is the ECI so hesitant to disclose the algorithms? To this, Nandi responded that he specialises in scrutinising encrypted electronic processes, not in figuring out the probable intentions behind any institution’s conduct. I let the matter rest there, although acutely aware that a voting system suspected to lack integrity does our democracy no good.

Ajaz Ashraf is a senior journalist from Delhi and the author of Bhima Koregaon: Challenging Caste.

Also Read | Raising the EVM bogey

Also Read | Votes count, but trust counts more