The trial of a smartphone-based e-voting solution in Khammam district conducted by the Telangana State Election Commission (TSEC) in October of last year is a recent event that can be used to discuss how technology interventions can be evaluated in Indian elections. Even though only 3,830 out of 14,804 eligible voters were able to successfully enrol using the voting application, which also makes use of blockchain technology, the Khammam Municipal Commissioner stated that the mock online voting was conducted ‘successfully’.
The Telangana State Election Commission developed country’s first smartphone-based e-Voting Mobile Application with the support of Information Technology (IT) Department of Telangana Government and Centre for Development of Advanced Computing (CDAC). https://t.co/pBCZgsg9VO pic.twitter.com/QI8nxNlqf2
— Collector Khammam (@Collector_KMM) October 8, 2021
A key point here is that there were no official announcements on the objectives of the project or its success criteria. So, the public awareness of the ‘success’ of e-voting in Telangana largely came from media reports surrounding integrating technology into elections at large. It is possible that the absence of this specific context has resulted in a poor public understanding of the trial as well as its evaluation processes.
Technology is complex to unpack—especially in India’s evolving electoral system, where awareness around nascent blockchain and app-based voting exists, but an actual public understanding of how these systems work is scarce. In the context of online voting, which has the potential to critically impact India’s democratic systems and principles, it is necessary to present an approach that rigorously tests the feasibility of online voting processes, one that can be adopted by a wide array of participants—be they the citizens and voters, researchers and experts, or journalists who cover and report on elections.
Creating such a framework need not be an uphill task, as registering one’s choice using a smartphone is not a novel idea. Game shows and the like have registered public engagement using different text (SMS) codes or specific app-based multiple-choice surveys for years now. Keeping this knowledge in mind, along with its associated constraints and considerations, can shed light on how to create a durable, technology-agnostic, and easy-to-comprehend evaluation framework.
Ultimately, the State must be committed to the deliberative process in this decision aimed at generating public engagement with online elections. Governments, as well as private organisations contracted by the state, must begin to include a societal impact assessment of Public Interest Software like online voting technologies as they consider deploying them.
What’s Important to Consider About the Design of Online Voting Systems?
Elections are a key part of the democratic process—which is why it is essential to maintain their integrity. Some of the significant aspects of a free election in the traditional ‘offline’ sense include protected electoral rolls, the secrecy of the ballot cast, the auditability of the result, and a clear process to handle disputes and grievances. Discussions on the introduction of new technology for elections are themed around the topic of increasing voter participation, as well as making elections more ‘efficient’ through the quick recording, tallying, and publication of results. Ultimately, these technologies are supposed to enable more cost-effective elections.
While these are worthwhile objectives, these various systems of online voting have also been reviewed by secure systems engineering experts, computer scientists, and cryptographers. This body of work provides ample warnings against the rapid adoption of online and internet voting systems—especially those which are backed by blockchain technology. The generally held expert opinion is that online voting—and especially voting using blockchain—greatly increases the risk of hard-to-detect interference in national elections. Additionally, threats originating from malware attacks, or from online voting technologies that are poorly designed for resiliency against such attacks, pose great dangers to the integrity of elections.
Few successes of such systems have been seen outside this theoretical review. Take the rather public failure of the iVote system in Australia’s New South Wales, the outcome of the security analysis of the Voatz (internet voting system) in the United States, or the Election Commission of Pakistan’s analysis of its iVote e-voting system for overseas nationals.
These recent instances highlight the need for improvements in voting systems to be based on three foundational assessments. Without considering them, it is plausible to predict the repeated failures of new online voting systems. These can result in data breaches that expose the choice exercised in the ballot, an inability to create an auditable tally, and increased opacity in flagging any security breaches.
The first is the design and evaluation of the threat model—or the structured approach used by an expert to analyse the application from a security perspective. Elections are democratic contests and are thus required to be highly secure. New changes in technology or processes need to be evaluated in terms of the threat models created through these changes. An example is the security analysis of the Voatz system which indicated that the votes being cast could be monitored, thereby attacking the secrecy of the ballot. It is desirable that such reviews also include the knowledge gained from similar interventions taking place across the world. This mitigates the risks of compromised encryption—as was analysed in the case of online voting introduced in Moscow.
Online systems are prime targets for complex (and expensive to detect) attacks, which, as seen above, can be disastrous for democracy. So, the second assessment is that of security in systems design. A natural follow-up to the threat model is the assessment of the application’s secure systems design: such systems resist coercion and can log any attempts at breaching the software for later forensic study.
The third is stakeholder mapping while introducing such technology. A complete understanding of the roles, scope, and actions of all the parties involved in an electoral process is necessary to design defensive tools against adversarial attacks. A reasonably complete stakeholder map aids in creating a matrix of roles, responsibilities, and risks. This adds to the knowledge needed to figure out what can go wrong and in creating countermeasures.
When it comes to online voting systems, their tolerance for failure (or ability to detect breaches) and resiliency from attacks are two attributes that can enhance citizens’ trust in them. So can the meaningful assurance that votes have been counted as they were cast, and were not tampered with or discarded from the count. The ability to balance convenience for users, efficiency, and security is the crux from which the design goals of an online voting system need to emerge.
How Do We Design An Evaluation Framework for Online Voting Systems?
Software systems, by the very nature of their design, contain a set of risks which, as seen above, are especially visible for online voting systems. To that end, in order to better understand the nature of the changes being proposed, it is important to design and build a framework that equips the citizen to seek answers to specific and well-designed questions.
To address and answer these gaps in assessing online voting systems, the One Vote Project has proposed a framework that evaluates the intersection of human rights and the technology, the sufficiency of the technology itself, and finally, its appropriateness for a digital public service such as elections.
There are four key questions within a rights-based evaluation—the first core aspect of the framework—that can help assess the efficacy and intent of online voting systems.
The first is the matter of representation: that is, whether the introduction of the changes will continue to provide all citizens with the right to be represented on the electoral rolls without discrimination and exclusion. The second is that of security: or whether the proposed changes furnish citizens with adequate safeguards against harms originating from data theft. The third is privacy: or whether the proposed system’s design includes and enhances the aspect of privacy inherent to the ‘secret’ ballot design of offline elections. Finally, there is coercion: or whether the proposed design includes sufficient safeguards against citizens being intimidated.
The combined answers to these questions can help citizens, researchers, and reporters alike better evaluate the democratic potential of specific online voting systems. In the process, they are simultaneously evaluating the constitutionality of such systems too.
The second core aspect of this framework is evaluating the minimal requirements for secure elections—and whether online voting systems live up to these benchmarks of the offline system.
The first point of concern is the secrecy of the ballot: or whether the system is able to securely record the choice of the voter. Then comes the second question of ‘software independence’, or whether the system can ensure that “an undetected change or error in a system’s software cannot cause an undetectable change in the election outcome”. This largely means that the output of any software-based system should be auditable by (preferably) non-software based means. This enables evidence to be gathered on the votes: that is, the system should allow votes to be collected as recorded and counted as collected.
The third point here is that of ‘voter-verifiable records’: or whether the system has a form of Public Bulletin Boards to foster trust in the online voting process. Such boards allow citizens to watch out for deletions or additions to the electoral rolls, be they erroneous or malicious. The fourth point is of contestability: or whether the voter has a way of challenging the veracity of an election by being able to back up their claim that the voting machine recorded their vote incorrectly. This question of contestability brings us to point five, that of auditing: or whether the system allows for an audit to determine its functional correctness.
Last, but not least, is question six on the technical knowledge and skills of the State: or whether the governing authority has the adequate knowledge and skills related to the technology being introduced. The absence of specialised and expert knowledge on online voting systems is a key gap that needs to be addressed if the numerous possible threat vectors are to be properly countered.
The third and final core aspect of the framework is that of representative deliberation. The questions under this bracket help concerned citizens understand just how representative online voting systems are—and whether they strengthen or weaken public participation in democratic exercises.
Under such a framework, the first facet to question is the public announcement of the technology: or whether the governing authority provided a formal announcement to enable public evaluation and feedback of the proposal. The second is the scope definition and purpose declaration of the system: or whether the scope and purpose of the proposed online voting system are clearly explained by the governing authority, and if possible, with metrics.
The third is the public availability of knowledge on the technology choice: or whether the details of the technology’s architecture, systems, and other related information are provided for review and examination. The fourth is expert input and peer review: or whether experts across a range of necessary subject domains have been consulted for reviewing the online voting system in question. Finally, the fifth is the public evaluation of the prototype: or whether a process has been established for public evaluation of the prototype.
The Road Ahead: Applying the Framework to Online Voting Technologies in India
It is somewhat trivial to apply this framework to robustly evaluate the mock elections organised by the TSEC at Khammam. However, if we source the available facts on the system and apply the evaluative framework, there are several preliminary findings on this exercise in online voting.
The first is that there is no formally available document outlining the system, the conditions of the trial, or the success criteria. This limits the representative or public deliberation over the system itself—leading to fewer reviews of its functioning.
The second is that the presence and introduction of a blockchain in the recording of votes cast are yet to be fully understood. This impacts the requirements of auditability and disputes. The adoption of a smartphone, which is likely to be a shared device amongst members of a single household (smartphone penetration in India is 32%), also increases the likelihood of coercion while voting, while further diminishing the security provided by an election booth for the secrecy of the ballot. Both these conditions challenge the core minimum requirements for secure elections.
There’s also the fact that Khammam’s online voting system relies on commercially available hardware (a smartphone) to cast the ballot. This creates an attack vector through device takeover using malware, making it an untrusted device. Finally, the potential for election interference exists because the hardware used to cast the vote can be subject to adversarial attacks and hence cannot be trusted. This directly challenges the nature of democratic elections themselves.
The case of Khammam goes to show how a simple framework of essential and pointed questions can paint sharper pictures on India’s digital elections gambit. It also highlights that until all stakeholders—including election officers—are adequately resourced and have a reasonable degree of understanding and knowledge of online voting systems, it would be difficult to switch over to these new approaches. New technology choices such as blockchain-based remote and online voting systems should also be subject to such thorough evaluation, so that there is a clear understanding of the benefits obtained through these choices. Ultimately, there is a need to train all participants of an election to be more focused on security—especially for systems that are part of the operations of ‘the world’s biggest democratic elections’.
Featured image: Indian voters queue up to cast their vote in the 2009 General Election; photographed by Goutam Roy, courtesy of Al Jazeera (CC BY-SA 2.0).
Editor’s note: The One Vote Project will host its first Annual Conference on 25 January, 2022, to examine the effects of technological interventions in electoral processes on the democratic rights and freedoms of citizens. A collaboration between Article 21 Trust and One Vote, the conference will cover topics including voter data privacy and impact of Voter ID-Aadhaar linking, disenfranchisement of electors in Telangana, electoral bonds, political advertising, Pegasus, surveillance, and risks for electoral democracy, among others.