Election Commission has no convincing reason to keep the EVM source code secret when Brazil, another country using electronic voting, allows controlled access to its source code, conducts public security tests, and still runs credible elections.
The Election Commission of India (ECI) mulishly rejects the demand of citizens to reveal the source code of its electronic voting machine. The origin of this demand lies in the widespread suspicion that the source code—a set of instructions written in a computer language to enable the EVM to function—could be either flawed or have bugs that were maliciously planted to compromise its function of enabling votes to be cast as intended, registering them as cast, and counting them as registered.
The Supreme Court, too, refuses to order the ECI to disclose the source code. In April 2024, it said the source code could be misused if made public. A year earlier, the court had cited the possibility of misuse to dismiss a plea for an independent audit of the EVM’s source code. Such fears are baseless, and the Supreme Court, too, could have reached this conclusion had it asked the question: If Brazil can give limited access to the source code of its EVM, why shouldn’t India?
Indeed, 12 months before every election, Brazil’s Superior Electoral Court (SEC), a judicial-linked body authorised to supervise and conduct elections, opens the source code to be examined by nearly 100 oversight entities. These include not just the representatives of political parties, but also the Brazilian Bar Association, the Brazilian Computer Society, the federal police, a slew of public universities, etc. All of them are bound by confidentiality agreements not to circulate the source code in the public domain.
Even more significantly, at least 11 months before the election, the SEC conducts a public security test. Brazilian citizens 18 years or above can submit to the SEC their plans to establish the EVM’s vulnerabilities. Those whose plans are accepted visit the SEC premises, read the source code, and mount attacks on the EVM, just as a hacker would. The vulnerabilities found in the EVM through these attacks are addressed. Six months before the election, the attackers, aka investigators, are asked to confirm whether the glitches they exposed have been removed.
Undoubtedly, these attacks are carried out in a restrictive environment: It is impossible to analyse the Brazilian source code running into tens of millions of lines in a short span of time; a priori knowledge of attack plans better prepares the SEC to counter them; and investigators are disallowed from bringing their own tools to test the EVM. Yet, over severaleditions of the public security test conducted since 2009, several investigators have been successful in their attacks on the EVM.
The more celebrated of these successful attacks were by Diego F. Aranha, associate professor of computer science at Aarhus University, Denmark. A Brazilian citizen, he was teaching in the universities in his country a decade ago. In 2012, Aranha and his team showed that it was possible to determine who voted for which candidate. The flaw in the source code compromised ballot secrecy. In 2017, what they did was even more stunning: they modified the voting software to achieve malicious goals, such as preventing the machine from recording votes cast. But before they could establish that voting outcomes could be changed, they were asked to stop because the time allocated to them had run out.
I asked Aranha what he thought of the ECI’s obstinacy over not disclosing the EVM’s source code. He said, “The ECI’s position is not defensible. If the system has such deep design flaws that it could be exploited by someone with access to the source code alone, it would mean the EVM could also be trivially exploited by insiders.” The term insiders refers to those who inhabit the ECI’s entire ecosystem, especially the source-code writers.
I emailed Aranha the ECI’s Status Paper on Electronic Voting Machine (EVM), Edition 4, November 2021, and other extracts on EVM security on its website. In these publications, the ECI preens that its EVM can not be hacked because it is not connected to the internet. Aranha responded, “This argument the Brazilian electoral authority, too, repeats daily, but we proved them wrong by hacking the voting software before its installation in the EVM, undermining completely its narrative that the national press parrots before every election.” Sounds familiar, doesn’t it?
Captious critics will argue that Brazil’s EVM is different from India’s. The Brazilian one runs on a Linux operating system adapted by the SEC for the purpose of voting. Before every election, the software is installed in EVMs in a public ceremony, by inserting a memory card into them. They are not connected to the internet, as the Indian EVM too isn’t. Unlike India’s, the Brazilian EVM isn’t attached to the Voter Verifiable Paper Audit Trail (VVPAT) machine, which helps vouch for the integrity of votes. The absence of the VVPAT in the Brazilian EVM model makes it less secure than the Indian one.
The software or the source code of the Indian EVM is written by the engineers of Bharat Electronics Ltd and the Electronics Corporation of India Limited (ECIL), both public sector undertakings (PSUs). Another team converts the source code into a language the microcontroller in the EVM can read. This machine language is “burnt” into the microcontroller, which is essentially a small computer used for a specific purpose—the washing machine is an example of it. The “burning” turns the machine language into an electric circuit of the EVM hardware, which makes it far more secure than its Brazilian counterpart running on the Linux software.
This doesn’t mean the Indian EVM is insulated from malicious insiders intent on subverting the voting system. For instance, a person may have written a source code to perfectly carry out the EVM’s functions, but the compiler tasked with converting the source code into the microcontroller language could deliberately introduce bugs into it, leading to the EVM functioning contrary to its purpose. This possibility the source code should anticipate, and provide alerts regarding its malicious use.
Or the writer could introduce subtle elements in the source code to make the EVM perform functions contrary to its blueprint. The compiler is unlikely to discern these changes. For instance, the EVM could, in certain circumstances, transfer votes from Candidate A to Candidate B. It’s also possible for a person, even though incorruptible, to inadvertently produce a flawed source code. For instance, they could sequence votes in a way that it can be known who voted for whom, thus violating ballot secrecy.
All these three possibilities could be obviated with the source code being made public—and experts pointing to infirmities in it. The ECI claims thesource code is repeatedly checked, but given the Union government’s control over it and the PSUs, only an independent audit of it can inspire complete confidence in the electronic voting process.
Transparency matters because trust matters
The popular confidence in the EVM in India has declined because its performance has been inexplicable, to say the least. In the 2019 Lok Sabha election, journalist Poonam Agarwal found that as many as 373 constituencies reported a mismatch between votes cast and votes counted. The highest mismatch was of 18,331 votes. In the 2024 Lok Sabha election, the Association for Democratic Reforms (ADR), a nonprofit organisation, reported that in as many as 538 constituencies, votes polled and votes counted didn’t match. The scale of discrepancies is just too enormous to be simply ascribed to errors in reporting or entering data manually.
In contrast to India, Brazil hasn’t had a single instance of a mismatch between votes cast and votes counted. Carlos Alberto da Silva, a computer science professor at Federal University of Mato Grosso do Sul, Brazil, explained to me the unique system of counting votes in his country. At the end of polling, officials of each booth take a printout of the total votes cast and which candidate got how many of them. The printout is displayed outside every booth. Its count is also published online. The results are announced by adding the partial results of each booth and publishing them online. Any person can check whether votes cast match with votes counted.
da Silva said he had participated in YouInspect, a project Aranha launched between 2014 and 2016, to crowdsource vote counts displayed outside booths and tally them with the final results. By then, the counts were being provided with a QR code and were, therefore, easy to tabulate through mobile applications. da Silva said, “I emphasise upon Aranha’s parallel count because not a single instance of mismatch was found. It proves that Brazil’s system of control and verification works.”
In contrast to Brazil’s SEC, the ECI has stonewalled the demand for publishing online Form 17C, a physical paper recording the votes cast in a booth. Form 17C, by rule, is to be handed to the polling agents of political parties, who mostly don’t take it, or don’t preserve it after taking it. Gathering the count of Form 17C issued at each of the hundreds of booths in a parliamentary constituency is a formidable task. To do it for the entire country, almost impossible.
The ADR sought to overcome this hurdle by filing a petition in the Supreme Court in 2019, asking it to direct the ECI to publish online the data of each Form 17C. Five years later, with the petition not having been adjudicated and the 2024 election results a fortnight away from being announced, the ADR sought interim relief for publishing Form 17C online, which the Supreme Court rejected. The ECI’s position was again mulish: through an affidavit, it told the Supreme Court that there was no legal mandate for it to hand over the voter turnout data to anyone other than candidates or their agents.
The ECI’s legalistic position illustrates its lack of confidence in its EVM, in sharp contrast to the boasts in its literature that its machines are proofed against manipulation. Aranha finds its grandstanding full of contradictions. He says it’s “silly” of the ECI to claim its EVM can’t be hacked because it isn’t connected to the internet. This is because such a measure doesn’t protect the machine from the attacks of malicious insiders. The ECI highlights that its microcontroller is One Time Programmable and can’t be altered. Aranha argues, “This isn’t necessarily a security feature because it also means that a vulnerability found in the EVM can’t be fixed.”
And vulnerabilities there can always be. For instance, the Indian EVM, to prevent ballot stuffing, allows one vote to be cast in about 15 seconds. Finding a way to bypass the time limit would constitute a vulnerability. Ballot stuffing was the subtext of public intellectual Parakala Prabhakar’s analysis that over 17 lakh votes were cast in 3,500 booths in Andhra Pradesh between 11:45 pm and 2:30 am. Then again, the communication between different units of the EVM is encrypted, but the ECI provides no clue as to how the encryption keys, required for scrambling and unscrambling data, are generated and kept secret. Access to the keys can compromise theEVM.
The ECI argues that its source code is secure because it is kept “sealed”. “This makes no sense to me,” Aranha said. This is because only an audit, involving an analysis of the source code by independent investigators, can verify whether the EVM meets the security requirements, not sealing. But the ECI sits upon the source code like brooding hens do on eggs, except that what’s ultimately hatched are mismatches between votes cast and votes counted. So unlike Brazil!
Even if the ECI were to relent and make public the source code, there’s no way to know whether that, and not another one, was burnt into the EVM. This is why most computer scientists posit that the best guarantee against electoral manipulations is to count slips of more VVPAT machines than is currently done—just five in every Assembly segment. The more the slips are counted, the more sure we can be about the results EVMs produce. The Supreme Court has twice turned down pleas for increasing the count of VVPAT slips. Between the Supreme Court and the ECI, official intransigence has only succeeded in battering the public confidence in the electronic voting process.
