Relevance : GS Paper II (Polity & Governance)
Why has this issue cropped up?
Whether or not to use EVMs (electronic voting machines) for elections in India has been a raging debate of late. There have been claims of hacking of EVMs and counter-claims of its impossibility.
Can EVMs be hacked?
- On the one hand there have been claims that all computer systems can be hacked .
- There indeed are computer systems that are provably secure, but sometimes such guarantees are difficult even for many well-designed ones.
- The question of whether they can be hacked or not is often “undecidable”.
- The fact that a system has not yet been hacked has sometimes been claimed as a proof of its infallibility. That a system has not been hacked provides no guarantee that it cannot be.
Manual ballot vs EVM
- Manual ballot has the advantage of not taking away agency from the poll officials, whose understanding of the poll process enables them to improvise on the spot to try and ensure correctness.
- In contrast, the obscurity of an EVM makes its correctness analysis absolutely crucial.
- Public posturing by the ECI, based on pronouncements by a hand-picked set of experts, does not engender confidence.
Ways to secure voting
- Ultimately the onus of establishing trust, either formally through verifiable proofs, or even informally using best practices and due-diligence, must always lie with the designers.
- Correctness demands that all votes are accurately counted and there are no false or duplicate votes.
- Secrecy demands that it should be impossible to determine who an individual voted for, provided the voting is not completely lopsided for any candidate or any social or political groups.
- Anonymity — indistinguishability from a specified number of other voters — follows from secrecy. Secrecy and anonymity are necessary conditions for coercion-free voting.
- Sufficient conditions for coercion-free voting will require methods and processes beyond an EVM.
- Verifiability demands that it should be possible to prove to every voter individually that their vote has been accounted for correctly in the aggregate without revealing, or even determining, the vote.
- Verifiability also implies non-repudiability — that is, if a voter falsely claims to have voted differently from what she actually did, it should be possible to prove that the claim is false without determining who she voted for.
- Identity verification must be certified by the polling officer and can either be offline or online, and must have its own guarantees.
- Un-hackability demands that the EVM should be tamper-proof, through any direct or even side-channel attacks.
- Fault tolerance demands that the system should be resilient to network and component failures. In particular, there should never be any data loss.
- Consistency demands that the design and implementation of all EVMs must be identical, and provably so at all stages of the election.
- Finally, auditability and self-certifiability demand that it should be possible to verify the above invariant conditions at all stages of voting.
- The EVM should be able to self-certify and provide proofs of all the above invariants at any stage.
It is imperative that the complete design, analysis and the hardware synthesis specifications be made public at the earliest so that the EVM may be subjected to rigorous scrutiny by the general public, institutions, political party representatives and experts.