 Good afternoon, everyone, and welcome to the One Vote Conference. My name is Mansi Verma, and I am one of the trustees of Article 21 Trust, which is a co-organiser of the One Vote Conference with Hasgeek. Article 21 Trust works at the intersection of technology and welfare. And in the past, we have intervened on through wedlock to see an otherwise on issues like our heart based exclusion and privacy concerns, personal data protection, non personal data governance, technology and justice, one nation, one Russian, and participating and coming on board to organize this conference is also an extension of our mandate. Specifically, Article 21 Trust will be involved in organizing to rating and organizing the rights and access track of the One Vote Conference, which will be held on 25 January next year. I would also, at this moment, mention that today I will be facilitating this discussion, along with Mr. Sunil Bajpay, who will be joining in a bit later. And very quickly, I will offer an introduction of Mr. Bajpay as well, though many of you would already know him. So Mr. Bajpay has extensive experience working with the Indian government, shouldering responsibilities that have spanned across engineering, research, operational and policy making roles. Specifically at TRY telecom regulatory authority of India, he led the work on that neutrality for India and he has also been instrumental in leading the adoption of distributed ledger technology or what we call blockchain for controlling spam and fraud communications. With this, I would now invite Sankarshan to provide an introduction for the One Vote Conference. Hi, I think this will be a good time to introduce the One Vote project. Our project we started in order to examine the effects of introducing technology like blockchain in voting. So we started off with trying to focus on the consequences of thinking in new technology, but we soon understood that we needed to widen the scope of how we examine and include limit ourselves not just blockchain, but include other technologies that have been proposed following and special recognition or biometrics for voter authentication in the voter role and all of that. And so through the webinars, the sessions that we create, our aim has been to try and unpack the complexity of technology and make it easier for our audience. Some of them are not technology savvy, some of them do not understand the gamut of issues around it. To be able to evaluate the choices that are made, to be able to understand whether those design choices are based on some principles, whether proper public consultation has been happening. And to be able to bring forward an easy framework, easy to adopt framework by which new technology choices and various proposals can be examined, evaluated and discussed. We do the One Vote effort in collaboration with partners like the Article 21 Trust, PIVOT, who are also engaging in raising awareness around topics of inclusion, exclusion, rights, the consequences of voting, the issues around voting, democratic principles and all of that. The One Vote project has focused on breaking together experts who share their findings, their work and engage in conversations and participations. We grow through the efforts of our community, our supporters who provide us with financial support. So if you are interested in contributing and joining us, the details are on our project, do please reach out to us. We hope that you will continue to engage with us, participate in our conversations, be present in all the discussions that we are doing and read the output and the content that we produce. And certainly through all of these activities, be able to realize in far greater detail and in greater richness the issues at hand when technology is introduced into seemingly simple topics like voting. Voting is one part of a democratic process. Elections are contests. And to be able to understand and encourage detail what changes are brought about through this proposal is what we intend to do through One Vote. Looking forward to your participation, engagement and your support to our project in the future. Hi, I think this would be a good time to introduce you. Sorry, Mansi, you're all on mute. Sorry, I think almost all of us have been there, done that. Okay, so very quickly, taking ahead from the introduction that Santashan gave about the One Vote conference, I will very quickly mention for all of us who have joined us on Zoom and all of those who have joined us on the live stream, that the expected takeaways from this conference are that we are hoping that those who will stay with us in this conference will be able to acquire an understanding of a way to evaluate technology based solutions, which have already been introduced or might be introduced in future in the voting process and elections. And along with that, perhaps develop a better understanding of the attributes of the data involved in elections and how it is very intricately linked to the rights of the voters. I will also very quickly because we will now directly jump to our first talk of this afternoon but very quickly before that I will mention the meeting etiquette a bit. So this event is being organized in the meeting format. So all of you who have joined in with us on Zoom, I'd request all of you to please keep yourself muted while the talk is going on and also keep your cameras off. While the talk is going on, you are free to add your questions or comments, if any directly to the chat box and at the end of the talk, I will be taking them up and putting them to the speaker. The videos for the, you know, which will be, which are being recorded right now of the talks, they will be released later after the conference. So with that, very quickly, we will now jump to our first talk of the afternoon, which is by Shivam Shankar Singh and a very quick introduction. Though Shivam and I also have a long association going back to the time when both of us were lamp fellows. So Shivam is, is a data analyst campaign consultant and author of the best seller how to win an Indian election. As mentioned already he started out in politics as a lamp fellow that is legislative assistant to a member of parliament and went on to witness the process of conjuring political realities while managing data analytics for some of India's largest political parties. He is also the co-author of the art of conjuring alternate realities, how information warfare shapes a world which has come out on the very recently. Today, Shivam will be speaking about how data transforms elections. Very briefly, in his talk, he will be touching upon how the New Age campaign methods use data extensively to build campaigns and to shape the thoughts of voters, while on the face of it this might seem innocuous but it also enables profiling of voters on cast and community lines and can lead to disenfranchisement on the basis of those identity factors. So his talk will explain some of the ways in political, some of the ways in which political parties use data in their campaigns and how that would manifest in the world of electronic voting and blockchains in elections. So with that, Shivam, I quickly invite you to please initiate your talk. Thanks. Thank you Mansi. Thank you Shankar San for having me over on this very important topic. I would actually like to start out with a few stories and why these stories, they're not related to voting or blockchains at all, but they give you a perspective of what kind of problems are there in the democratic setup. What are the kind of problems that elections face when you actually go on the ground and campaign. So I will not name the states, I will not name the political parties but these stories are essentially there to make you understand what are the challenges and then we'll go on to evaluate how technology fits into the framework. So in one of the constituency, one candidate essentially gave 5000 rupees to 50% of the voters registered in that parliamentary constituency. An absurdly huge amount in about 10 times higher than the next candidate on the list. That candidate won the election. In another part of India altogether, politicians realize that even when they say someone, it's not necessary that they would vote for you when they decide to vote. They could take money from you, they could take money from the other side and then vote according to their wishes because we have a process called secret ballot where no one really knows who voted for who. That ballot is secretly cast inside the voting booth. What people did and what the political party did in this particular region of the country is that they realized, okay, these people in these specific communities are not going to vote for me. So I am actually going to pay them to not go vote at all because once they're there, I don't know who they voted for, but because the election commission marks your finger, it's very easy to tell who voted and who didn't. So people who paid to just sit at home and not vote at all. Another really interesting incident is while actually surveying people in a constituency, we met a lot of people who talked about a party affiliated with their caste group and their religious group. And people were very certain that, okay, we don't care what really happens on the development front, we really don't care about the infrastructure. We feel empowered when this party comes to power. Our community feels empowered. In a democracy, is that empowerment at the cost of, say, development a good thing or is it a bad thing? Is the person exercising his free right to choose whoever he wants in a democratic setup or is voting on religion and caste just because he feels a sense of pride, just because he feels that, okay, this party is my caste group and he decides to support them. Another very interesting thing that came up during surveys a lot is that a lot of people base their entire opinion on who they would vote for on entirely incorrect information, like the facts were entirely wrong. People would believe that, okay, this state's GDP has crossed the national average, even though it was the worst state in the country before. These kind of informations mostly reach people through the political corridors, now it reaches through social media and what's happened these different sources. And there's a really famous saying stating the essence of a democracy survives with a well informed electorate. If the electorate is misinformed, if they base their decision to vote on facts that are just not true, then is it still a democracy? One very scary thing that has come up multiple times is that videos have come out from different elections and this happens specially during local body elections where there is one person inside the polling booth and he presses the button for other people. So old people go to vote, they're standing in line waiting for their turn and their turn comes. Before they're about to vote, someone else presses the button on their behalf for obviously his political party and the side that he supports. So these kind of elements have entered polling booths. If you look at the history of India, booth capturing was a very common thing where a political party using just brute force took over an entire polling booth, stamped all of the ballot papers, just pressed all of the buttons on the EVM continuously. Ballot paper was much faster because you could stamp a lot of ballot papers and shove it into a box. EVM is slightly slower because it's rate limited. After every vote there is a certain amount of delay and another button needs to be clicked for the machine to get reactivated. So it's slower but these kind of things still happen in a lot of parts of the country. So these stories are essentially to tell you what challenges we face. Now what has happened is that two major things have transformed in democracies all over the world and their challenges that everyone is trying to figure out how to deal with. No one has a good response. One challenge is essentially social media and the interconnectedness of the world where everyone can present their own facts. So while we were writing the second book, The Out of Conjuring Alternate Realities, we realized there is no such thing as an objective reality anymore because your reality is based on the information that you consume, the information environment that you live in. In this kind of a climate, if I control all of the information that you see, because I know how to target you better on social media, I know how to target you over WhatsApp, I know how to target the people around you and I can shape their information. They will start to believe it once they continuously get information that reinforces a certain narrative or reinforces certain facts and figures. Even the data that people have is not factual anymore. Every side has its own data. So this transformation has happened essentially because of the penetration of the internet to even the remotest parts of the country. A lot of people believe that smartphones impact just a very small percentage of the population because very few people have smartphones. But the very interesting fact about this is when we went to villages to do electoral surveys, we realized that the arguments on WhatsApp reached much beyond people with smartphones because whoever has a smartphone saw those arguments and then used them while discussing politics with others within their village. So they use those arguments at the local chaika dhokal. They use the same arguments while working with other people or just sitting under a tree in the evening. So the WhatsApp arguments reach other people only. This is a major transformation. The second major transformation that has happened in Indian politics now, it started in US politics about 30 years ago, is just the amount of data that political parties have and the way that they use data. In essence, a political party is trying to figure out how your vote can be converted to their favor. What do you require for this? In the US, they started out with analyzing people's likes, analyzing people's thoughts on different issues. If you support gun rights, who are you likely to vote for? If you support liberal values, who are you likely to vote for? Even if you support something very obscure like a specific football team, who are you likely to vote for and how that football team can be used for messaging to convert your vote. So they did some of these obscure experiments. The scary part about India though is that it is a lot easier to do because caste and religion in general works very well out here. So you don't even need to know the person's individual preferences. You don't need to know what issues they care about per se. You need to only figure out what the caste group as a whole cares about, what can be used to convert their vote, what the religious group cares about and what can be done to convert their vote. And then you need to develop a mechanism to get the message out to them. How does this mechanism get developed? That essentially happens because the electoral rules are public records. So whoever is eligible to vote, their names are on the election commission website right now. This data gets converted into Excel sheets. From there, it gets linked to different data sets, which have your phone number, which because we don't have a great data protection law right now. Phone numbers are not even sensitive data under say the IT Act or any other legislation. So selling them and buying them is not illegal at all. Some of you might have gotten a lot of messages from companies that you've never interacted with. Or even maybe your local MLA or MP has called you through an auto dialer before election and said, please vote for me. How did they get your number? How did they know that you live in their constituency? It's essentially because your phone data was mapped to your electoral data. This forms the basis of how targeted messaging happens. But here is the very interesting component. This is not it. It's your caste and religion gets analyzed, your voter role gets linked to phone number, but then any other data set that is available. This includes say how rich or poor you are. How would a politician note this? Right now one of the best proxies for urban areas is something like the electricity bill. And a lot of the discounts actually have websites where you just need to enter a bill number to get the electricity bill out. That is how poor the data security here is. So essentially you can just write a script to go from say the number 1000 to 9999. And it is going to literally download all the bills running a very simple script. And this is true of even Delhi surprisingly, like we tried the North Delhi Discom website and it's still the same. I actually collected this data one and a half years ago. I looked at it right now to see if like it's still the same. All you need even right now is just your bill numbered and you can figure out what your neighbor's electricity bills are. Why is electricity bill so important? One, they give your exact address, they give your phone number, they give your name. So these things get correlated to the voter role very easily. But they also tell us, okay, this person is rich because he probably has air conditioning, he has more lighting, he has more roots. That's why he has a higher bill. If you have a lower bill, if you have something like say the free electricity, if you follow the free electricity bill criteria of the Delhi government, then it can be said reasonably that okay, you don't have too many appliances at home. You're probably not running say a heater and a cooler and a fridge 24-7. So these things become very important because then specific messages tailored to that socio-economic group can be sent by specific political parties to just that group. And this matters a lot in elections. Even if you have the best message in the world, if you don't have the mechanism to deliver that message, your entire great message and your entire great idea is essentially useless when it comes to the democratic process. So okay, we've covered some stories on how elections get manipulated and we've covered what kind of data political parties use. But how does it connect to something like say e-voting and blockchains? I'll start with one research that we did while writing the book and that is essentially we looked at what cyber criminals did to get OTPs out of people. So you know the one-time password that you get for bank transactions and for sending money from one place to the other or essentially any online transaction that you do these days. You require a message that comes to your phone number and people intuitively understand that okay, this number is supposed to be secret. This number is I'm not supposed to give it to anyone else. But a lot of things in India fell into place at the same time where cyber scammers realized they could create excellent scripts to get this number from people. So a lot of the first cyber scams that started forgetting people's OTP essentially started with people calling others and they bought these data sets. So they already knew where your bank account is, they knew your bank number, they knew your name. So they called very authoritatively. Okay, is this speaking? I am calling from this branch and you haven't linked your Aadhaar to your bank account. And if you don't do it right now, your account is going to get blocked. When this kind of a thing happens to someone who really requires their account to draw their monthly wages who have like 2,000, 3,000, 5,000 in their account, that person is going to give whatever OTP has very fast because his experience of working with the governmental system and especially PSU banks is so bad that he would be very scared of an account getting blocked. So cyber criminals use this and as soon as they got the OTP, they transferred all of the money out from that account using say payment wallets. This also affected a lot of very wealthy people. The script was different. They were promised some great price and to share their OTP if they wanted to receive it and a lot of people fell for it. So this is the level of digital security consciousness that we have in this nation. And this is honestly the level of security consciousness that the entire world has right now because all of these things are new. And one big problem that we had was OTP was supposed to be for bank transactions, but now everybody wants an OTP. You go to someone's building and they have like a building registration system which sends an OTP. You go to a lot of these tea and coffee shops and they send an OTP. You basically want to like eat at certain restaurants. They have a loyalty program that sent you an OTP. So we have normalized the sharing of OTPs constantly even though it's supposed to be something sensitive and secret. This connects to voting in the sense of if money can be stolen from people's bank accounts by themselves, them revealing their OTPs, then it's very likely that the vote will get stolen too. This can be something that is a major pitfall when we think about a process like voting. Though why do we care about say blockchains and voting at all? What is the problem that we are trying to fix here? The things that we talked about, cash getting distributed for votes, religion getting used, cars getting used, people capturing entire votes by physically going there. What kind of a problem does the voting solve? What kind of a problem does blockchain solve? I realized that there are three things that any technology in elections can do. Going from say the least effective and the one that we should care about the least to the most. The first thing that technology can do is make elections faster. So the voting happens more efficiently. Lines get like inside voting booths faster than the exit voting booths faster. The results come out faster. Why do I say this is something that we should care less about? Essentially, because it is our democratic duty to essentially vote for our representatives who are going to represent the country for the next five years. I don't think it's too much of an ask for someone to stand in line for one hour extra, even two hours extra or for the results to take five days or 10 days or 20 days. How does it matter if an election result comes out in two days versus 20 days when the people who are voted into power are essentially going to be controlling things for the next five years? So I don't see it as a major challenge, but it is something that technology can potentially improve. The next one is making elections cheaper. So in what sense do I mean cheaper? For political parties, there probably isn't much that technology can do to make elections cheaper, especially because the introduction of a new medium like social media does not cut down on other election expenses. Initially, when this entire phenomenon of Facebook and WhatsApp started in 2012-13, I actually believed that this is going to reduce electoral costs because parties now have an easier way to reach their audiences. But what happened was they had to advertise here. They had to build huge content farms and teams and units that would create WhatsApp groups here. Plus, they had to continue to do all of the activities on the ground that they were doing. The parties have not stopped, filling buses with people to get them at the rally when you have not stopped. Hortings and posters and pamphlets have not stopped. Autos and video vans have not stopped. All of it is there. Social media has just added onto it. And it is an external extra cost. TV advertising still happens, newspaper advertising still happens. So elections have essentially become more expensive because of electoral technology. If you look at something like 3D hologram or new campaign technologies, they are added to course. But how can technology make elections cheaper? Essentially, it can do it through the election commission. If it reduces the cost of, say, overseeing an election, if it requires less vehicles, less people, then that might be beneficial in some ways, but also not a very important consideration. Considering elections in a state happen every five years, at the national level happen five years, we should be spending some amount of money on democracy. Just to ensure that an election functions properly, if we need to deploy some more resources into the election commission, even in the sense of people monitoring, say, fake news on social media, hate speech on social media, then we should, as a democracy, be deciding that, okay, this is where we want to place resources. Maybe we will give less newspaper ads on how successful a government is and we would spend some more money here. So resource itself is not a very big problem when it comes to the election commission and even when it is, resources when the government are completely available, technology to reduce costs, and if it harms any other component, it's not really worth it. So what is the thing that technology should be doing in elections? In essence, I believe there is only one thing, which is making elections fairer and more democratic. How can technology make elections fairer and more democratic? One such thing, say, as Sankarshan mentioned early on, facial recognition and biometrics for voters, it could potentially, like people could say that, okay, a lot of fake voters vote on the behalf of others using their identity. So if you have something like facial recognition or you have something like biometrics, then that might prevent it. The problem here, though, and our experience looking at Adhaar-enabled PDS distribution was that a lot of the times the machine just fails. You try to authenticate someone's fingerprint and it just doesn't work at that point of time. If this happens in an election, if the person is not able to vote their scent back home, you have essentially taken away someone's democratic right. You have taken away the right that they have as a citizen of India, the most basic kind of right that they have here is the right to vote. That's not a way because, okay, your machine didn't take their fingerprint in or your machine did not recognize their biometrics and the facial recognition system did work at that point of time. This could be a potential challenge one. Second thing, a problem that I see with this is that it is also very susceptible. In a country like India, it's entirely possible that these systems exist, but there are also bypasses that exist. A lot of the times, you must have seen this on social media that a lot of people got an OTP for someone else's vaccination and then the vaccination happened too and the certificate got generated without you ever sharing your OTP. So this has happened to so many people that there is obviously some sort of a back door built into say the vaccination system where the OTP registration can be bypassed and the vaccination certificate can be issued regardless of the person sharing their data with you or not. So these kind of challenges, if they happen in a democracy, they reduce faith in the democratic system a lot and once that starts happening, it's a risk for the entire nation's setup and the basis of the country gets damaged if the faith and trust is damaged. So technology when it's brought in, we must recognize that it should work perfectly before it comes here. It cannot operate like a startup where we, okay, we are going to experiment with it. We are going to try it. The second thing with something like eVoting, if it is something like what's happening right now where you need to go to a voting booth and press a button, except it's electronically connected, that is just adding an additional risk factor because things get hacked. Connected systems are easier to break into. If everything is a standalone machine, if every EVM is a machine on its own, if someone wanted to hack it, they would have to go to every EVM. They have to go to lakhs and lakhs and thousands of booths. One MP constituency has like 2,500, 3,000 booths. MLA constituency has 500, 600 booths. So to reach that many booths and hack that many EVMs is a very difficult thing to organize logistically. But see if this was on the internet and if people could access that network and they could hack into the system, then essentially an election could get stolen. But if you have e-voting where the person doesn't even need to go there, if it's say blockchain based, but they can do it on their own phone or they can do it from different terminals, what comes in here is that if people's secret ballot is essentially taken away, what is going to happen is that politicians are going to build their own booths where they're going to be standing outside, paying you money and looking at, okay, are you voting for me or not? And this was the argument against postal ballots. Personally, like looking at the US, I studied there. Anyone can request a postal ballot. You get it to wherever you are at that point of time and you can vote in your home state too. So you essentially vote for whoever you want to, you fold it up in an envelope and you post it. And they count it as a normal vote. If Indian postal ballot is essentially only like different services and people who are working in elections who can't go and vote during that time. Why was this not extended to citizens? I wanted to understand this, and I realized essentially these ballot papers will get bought. You request a postal ballot, it comes to you. Political parties will go out to major constituencies and they will just say, okay, I'm going to give you the money. You give me your ballot. I will fill it up for you. I will send it in. You just sell it to me. So this kind of a threat gets created in the ballot setup, which can also exist in e-voting if the person is doing the voting outside the confines of a polling booth managed by the Election Commission. Another thing that technology has created now is that it's easier to recognize who votes for you and who doesn't. We have booth-wise voting data available in something called the Form 20, and a booth is 800 to 1,000 people. So we know right now how these 1,000 people voted across every booth. So when political parties look at data like that, they know, okay, this booth, 80% of the people did vote for me. Out of these 1,000 people, 800 people voted for me. Who are these people? It's very easy to identify because then you look at the voter role, you see what community they are from, what caste they are from, what religion they are from. You start understanding, okay, these are the groups that are against me. Now the challenge comes in that these groups can very easily be disenfranchised. In one state, they actually deleted names of particular people that they realized weren't probably not going to vote for them from the electoral role. They did a revision and they updated it, which the election commission is supposed to do anyways. But they did it in such a manner that a specific set of people just lost their right to vote because they no longer had their name on the voting board. They found out when they went to the polling booth on the election day, they handed over their voter ID and they were told, okay, your name is not there, even though the person had been voting at the same booth for like the last 15 years, the last 20 years. So these kind of challenges come in when you have this kind of data combined with power over democratic institutions. So how does voting help this? How does blockchain help this? How does it create a fairer election and a more democratic election is the only consideration that we should have? Faster election should not matter, cheaper election should not matter. In my personal experience, I have not found a great use case where voting and blockchain would help elections. On the other hand, it creates a lot of risks and vulnerability. So just because of this and because the current system is working reasonably well in the voting process, we have a lot of challenges in this democracy, but they don't come from the voting process itself. From what I have seen, it comes from the way elections are conducted. So we start to address that is how we make a better democracy and technology seems like a panacea for a lot of things. We are like, okay, we are going to eliminate fraud, we are going to eliminate risk, but first you have to evaluate how much fraud there is, how much of anything is happening that is wrong that can be fixed with these technological solutions. Very interested in the rest of the speakers of this conference because I have also been trying to learn how blockchain and voting helps the electoral process. So happy to take questions now. Thank you. Okay. Thank you so much, Shivam. So one of the questions was how does the idea of the seated ballot get affected and I think towards the end of your talk you managed to answer that question. But I think while you were speaking, a couple of thoughts which came to my mind and while I wait for other people to share their questions on the chat, I'll just very quickly share a couple of my thoughts as well. So one was that, I mean, I've also done some work with politicians and I think a lot of politicians take pride in the fact that they know their constituency very well. They know their constituency, the makeup of the constituency, the communities which are living there, like the back of their hand. And earlier, I think this understanding would be developed by actually spending time in the constituency being on the ground among the people. But nowadays you can develop all this understanding from the data itself. And as you have mentioned, all the data that you can gather from all these many sources. So I think it's just the very understanding of a grounded politician who knows the constituency very well has been turned around on its head. And now it's a politician who can remotely know all the data about their constituency and still not know what's happening in their constituency. So that was one thought that sort of came to my mind. And the other was with respect to trust. So at the end when you say that people are still coming out and voting, so they obviously trust the electoral process even though they might have a lot of distrust of the politicians, of political parties. But I think given the fact that despite everything that you mentioned about EVMs and all, there is still conversations which happen after every election. EVMs have been hacked and all of the conversation led to VVPACs coming in and everything. Do you think the usage of technology, which as a humidity that it could be hacked, it could create perhaps even more distrust among the voters with respect to the voting process? So if you could address that one question and then the other question from Mr. Bharun Mitra is... Yeah, exactly. I mean, something similar about how voting on EVM can be manipulated at the booth level. So yeah, so if you could answer those two questions. So just commenting on the first part completely agreed. A lot of the politicians who were very grounded understood their constituencies because they spent a lot of time there. That has transformed, but there are two reasons for it. One part is okay, they can do it remotely. The other component to it is actually that a lot of the candidates don't matter anyway. A lot of the elections that get contested get contested at say the state level and the national level and the national level leader and the state level leader has become more dominant in recent years. One third part also is that constituencies are much larger now than they were say 30 years ago. So reasonably you could expect a politician to see like one lakh people in his Lok Sabha constituencies at the constituencies size of five to six lakh people just in your constituency. It's almost impossible to get to know people and a lot of politicians who really try but aren't able to make it to even 10% of their constituency in their five year term. Coming to EVMs, there are two parts again. The first part is I have never seen any evidence that's conclusively shown that EVMs are being rigged or are being hacked. I don't personally believe in the theory only because they're unconnected devices. Every individual EVM can be susceptible to hacking but to do it at mass scale you would require people going to the EVMs physically and doing it. And I, as someone who's worked in politics for the last five, six years, I have like ranked teams who conducted surveys over like 250, 300 people. I don't know if I can find even like 20 people to go to Boots and do something like this without them coming out and claiming credit for it. We would have thousands of people right now in the country claiming, oh, I hacked the EVM. That's why this politician won. If this was being done at scale. So I don't believe it is. Is it possible to hack one single EVM? Yes, it is. I actually had a computer security professor from the University of Michigan who did hack into the EVMs. He can't enter India anymore but there is a very interesting paper on it on how he did it. So individual machines are susceptible but at scale it's not happening. Though the argument for why EVMs exist and why can't we use ballot papers are also not great ones. Essentially, it's only about time. It's that okay, counting ballot papers takes too much time. How does it matter if election results come in two days versus 20 days is something that I haven't understood yet considering the person is getting elected to run the country for the next five years. I think we can spend 20 days extra waiting. Okay. There is also a question that somebody has shared on the live stream. This is how can blockchain be used in election? There are a lot of ways to do it. Why we would do it with blockchains? That isn't a great answer. But technically every individual voter could be on the blockchain so that whenever anyone is deleted and added somewhere else, you can verify that this individual identity is listed there, it was canceled from there and it's been placed somewhere else. So what this does is it prevents someone from having their names in two or three different voter roles. Because a lot of people have it in their villages plus they have it in the city that they're living it now and it's very difficult to eliminate these names at multiple places. If it's on a blockchain with every individual voter having one identity, it will be very obvious okay, your name went from here to here to here and it will be a perpetual record. It does create some privacy concerns because then people know exactly when and where you've moved across your entire life on a perpetual ledger. So your life and movement can be tracked. But yes, that is one use case. Another use case of blockchains could potentially be something like just the tallying of results. So right now we issue physical certificates if you put it on a blockchain then it's immutable, no one can change the record and things like that. Once it's entered by the official it's permanently there. There's no question of anyone changing anything. But returning officers when they sign the certificate for a candidate getting elected representatives of all the candidates are there in the counting process. So if this was a problem if some fraud was happening at scale that would be huge. You and I right now which isn't there which leads me to believe it's not too much of a problem. Another couple of questions have come in. Another question is is there a tech solution to increasing voter turnout? So yes sir, there is but it comes with risks. As I said the US had such great voting during COVID also because they allowed for postal ballots for everyone. Anyone could request it they got a paper at their home. In India it is slightly riskier because those pieces of paper will get sold I am 100% sure of it. When votes get sold then why would ballots not get bought by political parties? We would literally see like boots and kiosks like literal shops where they are like okay you can sell your ballot here. That's going to happen. So that model of increasing voter turnout probably not a great thing. What could potentially be done for voter turnout increase is using technology to make registration material. It should be very easy for someone to register themselves to vote at a particular vote. If I move from here to another place I literally have to find an officer and request him sir please insert my name here. That process they put it online but even like a lot of people that have done it for they keep getting rejected based on okay we don't like this idea we don't like that idea get a change on your alhar then we'll put you here. So making that setup easier if someone wants to vote in one particular place because he's changed residences it should be much easier. Second part that I see for voter turnout increases obviously like information campaigns about why voting is important for your democratic rights but that is something that the educational system should handle instead of say the election commission. Right and I think this will be the last question for this talk today which is that does a government in power have any advantages because of the use of tech? Things like control over the machine or its maintenance or getting into contracts for the machines or the software or is it the election commission which is completely in charge of you know contracts for EVMs etc or is the government in any way involved there? The government in power has a huge tech advantage when it comes to data collection like a lot of the governmental scheme data a lot of the lists that get compiled for governmental schemes are essentially also used for politics. So if there is a party in power they obviously have access to it while the party who is not in power they likely like don't have access to it even when they do they have a partial list here and there they never have the entire database if you look at what has happened in say Telangana then they're trying to create the profile of every household in the state that maps the households income and cost and this and that so it's essentially the government collecting all of the data that the political party could ever do. So this kind of a thing this access yes when it comes to the machine itself there isn't an advantage to being in power versus not being in power what you do have is more control over the people who manage it so in general my belief is that still the most vulnerable component of an election is the people so how does a booth get captured gets captured with the consent of people who are designated it doesn't happen that like someone's just taken it over it because they have like a technological advantage it's that they had control over these people so that component needs to be addressed yes technology could potentially have a role there where like every booth could be live streamed and anyone could see any booth that would make things easier for say political parties to keep verifying what's happening at every booth are the lines functioning faster slowly very interestingly one thing that happens during elections political parties know which booths are not favourable to them so they do a lot of things to slow down voting and they slow it down so that some people will get frustrated some people won't be able to vote because it's now too late so less votes will get cast at those places while you try to speed up voting at the booths that are favourable for you so things like just getting live streamed could help okay so with that we come to the end of this talk thank you so much Shivam it was extremely interesting and enlightening I'm sure for everyone who has joined us on zoom and as well as on live stream so thank you so much once again thank you okay so now we will quickly move on to the next talk of our conference today which is going to be by Dr. Subot Sharma a very quick introduction Dr. Sharma is an assistant professor and Pankaj Gupta chair professor in privacy and decentralization at IIT Delhi his recent research investigations have been in the area of system security data privacy and blockchain he has co-authored several papers and opinion pieces on the topic of blockchain public bulletin boards for integrity of elections and election and electoral rules today he is going to be speaking on as you can all see on the screen designing electronic voting systems some considerations very briefly his talk will focus on key variants in variants that one must keep in mind if they are working on crafting and secure electronic voting systems he will also discuss some electoral voting over the internet and whether or not it is desirable as with the previous talk if you have any questions please feel free to share them in the chat and which we will take up at the end of the talk thank you so much Dr. Sharma please take over am I audible yes okay thank you Manthi for the introduction like you mentioned this talk is going to talk about is going to discuss rather some of the design considerations in implementing digital voting systems electronic voting systems and I must thank the previous speaker Shivam he pretty much covered everything that I wanted to cover in my talk all by it in a much simpler and nicer way so my presentation would mostly be the formalization of the ideas that Shivam spoke of primarily for operationalization purposes of electronic voting technology and such right now why these properties are important because election security concerns are ever present as very nicely put by Shivam and this could be due to interference by foreign power or due to unauthorized voting voter disenfranchisement and technological failures so basically they all inevitably call into question the integrity of elections now what is clear in the last three decades of very fine research at least in the area of computer science on designing voting systems is that it should not be necessary to trust any authorities individually or collectively for establishing the correctness of the election process so any digital voting should essentially be constructed keeping this in mind that it should be allowed to operate without some explicit trust requirements right so for a digital voting system to be able to operate in such a way it should satisfy certain minimum requirements before these instruments could be considered for you know for voting right so for enabling electoral democracy because they are sort of in a manner enabling electoral democracy so what is important is to note is that these set of technical requirements is in fact driven by certain key obligations and what are those obligations the first obligation is that the losing candidate has to be provided with a convincing proof of their loss right so that's from the candidate who's participating in the election and from the voter side the voter should she demand be supplied with the guarantee or a proof that her vote was indeed cast as intended which essentially means indicates that the voting machine has registered the vote correctly and recorded as cast indicating that the cast vote is correctly included in the final tally and finally counted as recorded which means that the final tally is correctly computed from whatever records were essentially available and finally some other key obligations is that no vote should be recorded other than by those who passed through this process of eligibility verification so it should not be the case that I can come into the polling booth and somebody else votes on my behalf as Shivam was pointing out that there were cases which cropped up during Indian elections at some parts of India right by the way I must say that to solve such problems you know electronic voting systems will not cut it because technological solutionism can only make things messy if not done right and there are very high chances that technology if being constructed without putting due thought and due diligence will inevitably create more problems than solve issues so the actual solution lies in designing the process rather than focusing too much on technology yeah and finally all votes so the last obligation for designing such voting systems is that all votes must be kept secret during and even after the polling all the way up to Tally so now the first three obligations where votes need to be casted as I mean so voter has to be provided the priorities that the votes were indeed cast as intended recorded as cast and counted as recorded they together form the correctness aspect of a voting system and this correctness when you want to take this property and sort of operationalize it as in if I want to design a system how should I interpret this correctness property it invariably ends up defining splitting down into two properties universal verifiability which essentially says that through publicly posted data anybody should be able to verify the correctness of each vote from the Tally and from the records that are available now this is before I go any further I must also spit out what is the threat model under which I am defining these terms so I have to essentially talk about what are the powers that an adversary can have which can create in an election process so under an adversarial setting your adversary can do quite a few things what are those things so it can corrupt it can be a corrupt election authority itself so that's an insider modeling of an insider attack or it can corrupt the polling officers through whatever means can corrupt the voting machines themselves that are being used to conduct the election the adversary has the power to alter or delete cast votes during the polling or during the collection process or even during the or while publishing the recorded votes into some public bulletin board we can introduce fake votes in the system which are essentially those votes that are not certified by the polling officer so under such a threat model assuming these are the powers that an adversary can have what voting systems must guarantee what properties voting systems must guarantee and those two properties are essentially universal verifiability and individual verifiability you know like I said a voting system is universally verifiable if anyone in the public can verify using publicly posted data that each vote is indeed recorded as cast and counted as recorded so the last two properties specified in the first line of the slide and then there are of course no spurious votes in the final Italian individual verifiability on the other hand essentially means that if a voter can obtain a proof that their vote was recorded as intended in the final which means cast as intended as well as recorded as cast so these two properties together can compose or rather compose into recorded as intended property so what I'm doing is I'm essentially capturing all those thoughts that were already covered by Shivam in the last talk but formalizing them if you want to take them up and operationalize in a system now so those were the key obligations for correctness our security secrecy rather vote secrecy is also a key obligation and under vote secrecy one must never reveal how a given voter essentially voted to prevent what to essentially prevent vote selling or coercion so voting systems where votes are directly recorded which is such kind of systems are also known as direct recording direct recording electronic systems it is assumed that you know for such kind of systems it is assumed that the machines will not yell out and leak the vote or they are constructed in a manner that through side channels they will not leak out information thereby compromising the vote secrecy so if I have to consider secrecy and coercion resistance from these properties keeping these properties as pivots I would have to then start thinking about what can an adversary do so I'll have to essentially provide a threat model under which I have to situate these properties so at the threat model for an adversary for secrecy would be that the adversary would be able to observe all voting receipts what a voter receipts or they would be able to observe all voter verified paper trace or paper records VVPRs if there is one instituted in the voting process or the public outputs that the election commission decides to put out after the voting process has been conducted of course the adversary can participate as a bare handed voter can have all the powers that the previous adversary had when we were talking about correctness and here the you know the adversary can also corrupt the voting machines to reveal votes and other secrets what the adversary keeping the secrecy as private cannot do is they cannot corrupt the election authority to reveal the votes or other secrets so under such an environment system ensures voter secrecy when given possibly even malicious voter receipts and publicly posted data no information can be derived how the voter voted so that is an individual voter cannot prove to anyone else how she voted and that is essentially tagged here as individual vote secrecy community vote secrecy on the other hand is when a bunch of voter receipts having bunch of voter receipts and publicly posted data and adversary cannot derive how a community voted so well this is community vote secrecy it is very very important to preserve this community vote secrecy as well from unintended targeting or intended targeting for that and finally so before I go forward to quotient resistance it is important to state here that individual vote secrecy turns out to be a necessary condition for quotient resistance now and now I come to the point of quotient resistance it is essentially a property which says an adversary instructing a voter to vote in a certain way cannot determine if the voter did follow the adversaries instructions or not so quotient resistance is very very important otherwise all fairness and the democratic principles behind election electoral behind voting is then lost finally so community vote secrecy is also important to prevent why because you want to avoid profiling and targeting of voters belonging to a particular locality and revealing the vote tally of a polling booth map to say all neighborhood compromises community vote secrecy so essentially I would come back to a point that Shivam was talking about that if I were to put out this data of what votes were casted on a particular polling booth that polling booth essentially captures the voting patterns of a particular neighborhood it is small and therefore there is a high chance that community vote secrecy would be compromised so a suggestion made here is that only an aggregate tally is published to avoid community profiling you don't published polling booth level data but you aggregate the votes across polling booths and then publish them so these were the important properties of correctness and secrecy but in addition if you want to make sure that not only a voting system has this important property of correctness and secrecy it also gives you some amount of efficiency then you will also have to start considering other properties such as recoverability now recoverability has to do with the graceful recovery of a voting system in an event of an attack how can a voting system recover back now note that an adversary can participate as a voter as I had mentioned in the previous slide and the voter that the adversarial voter can come back and falsely claim that her vote was not recorded as intended right so what happens in such a in such a setting so either there is a dispute resolution protocol which figures out whether the voter is indeed saying or making false claims in addition what one would want to have in such digital voting systems is that basically the recoverability property is primarily tied to a software independence property which demands that a small detected change or error in an election outcome can be corrected without re-running the election now for so software independence to take place one needs to have mechanisms in place to identify a that error has happened to be able to fix the accountability where the error has happened which polling booth did the error originate from etc. so that there can be a graceful recovery instead of re-running the entire election you could perhaps do re-election only at a particular polling booth so so this is the traditional definition of recoverability which is a strong software independence which essentially demands that a detected change in error in an election outcome can be corrected without re-running the election so now if this software independence recoverability property has to be guaranteed in a voting system it would inevitably require you to go out of the digital system and maintain some additional record so that's where the idea of VVPR comes in so public VVR existence is very very important not only that one should be able to essentially so pretty much the common understanding is that if you have VVPR facility in your voting system that is going to be a trusted entity so I will look at because this is where the intention of the voter is recorded in a manner of speaking so this is assumed to be correct now the problem is that if I have to show the software independence I would have to have a one to one correspondence of VVPR voter verified paper record with a digitally recorded vote or the electronic vote and so what would this allow one to precisely identify those votes where there is a difference between the VVPR and the electronic votes so the electronic votes don't match up so of course one can so the VVPR verifiability is a very important property for recoverability to exist for voting systems now one to one correspondence the VVPR that I have been speaking about if it can be publicly demonstrated for any VVPR without compromising individual and community vote secrecy then we call the voting system to be VVPR verifiable now designing such a voting system is a challenge I think there are a lot of voting protocols that are in existence and whether or not all such voting protocols provide public VVPR verifiability is a matter of question and it is also worthwhile to note that there is an inherent tension between this strong software independence and community secrecy so verification say of of a VVPR against a digitally recorded vote may fail in many types of cases where receipts of VVPR exist but there is no corresponding electronic vote or there exists electronic vote with no corresponding receipts of VVPRs and if during audit it turns out that the margin of votes between the winner and the highest vote-getter is too narrow to ignore then to ignore these verification failures may not be the right thing to do and it may become imperative to identify the polling booths from where this fault arose or a set of polling booths from which the fault arose and conduct polling again in them locally so however the problem is so this process can leak information so an adversary monitoring the published votes before and after the repolling can really determine which votes have changed and the adversary can then use this information to correlate the changes with the polling booths involved in the repolling so such community secrecy compromises should be limited to recovery procedures and should be minimized to whatever extent possible so the general wisdom would be to conduct polling at a larger scale the larger the size of the repoll the lesser is the leakage of information so that's the wisdom finally I want to talk a little bit about dispute resolution a little more so a voting system should not just be fair but also appear to be fair and for that to exist dispute resolution is one of the key components and it should be there in one of the in voting systems where the intention of the voter is not recorded directly by the voter if it is recorded by the machine then dispute resolution becomes unnecessary so having understood these properties what I will do now is I will talk about some electronic voting protocols basically two electronic voting protocols one representative of each type that is the category that these voting protocols fall in so essentially electronic voting protocols are often are of two type optical scanning electronic voting protocols where there are hand marked paper ballots so voter comes in to the polling booth looks up at the paper ballot marks the paper ballot herself and then gets it scanned and scanning paper ballots of course the system will provide an encrypted part of the vote as a receipt of the ballot as a receipt and these the encrypted receipts are displayed on essentially public bulletin votes or the encrypted vote rather is displayed on the public bulletin votes and there are many such voting protocols over the years that have been which guarantee end to end verifiability so many of them provide universal verifiability as well as individual verifiability the other type of voting protocols are these direct record electronic voting protocols where the vote is not recorded manually on a paper and then later scanned but it's directly recorded by the machine and this is where problems can arise because how can one then establish that the machine has truly recorded your intent in a correct manner so there are quite a few DRE protocols as well I have listed some of them here on the slide so going forward there are of course some strengths of these voting protocols in the sense that they provide you these correctness properties and end to end verifiability but there are also limitations so for example in DREs there is a dispute resolution problem and there is no easy fix for this dispute resolution for DREs of course the dispute resolution problems do not arise in optical scanning protocols because the intent of the voter is directly recorded by herself but DRE or not DRE there are these randomization attacks and so what happens under these randomization attacks so many voting protocols try to prevent electronic recording machine from learning the vote and in process of doing so what they do is they randomize the permutation of candidate order on the prepared ballots right so that the voters selection appears to be random and can only be decrypted at the back end so every voter will see a different permutation of candidate orderings now these are essentially susceptible to coercion attacks where a coercer can ask the voter or force the voter to vote for whichever candidate that appears at some fixed point or position in the permutation so the vote may then get randomized in a manner of speaking you can understand this as a denial of voting attack instead of denial of service it's a denial of voting attack now the other limitation of these electronic voting protocols is the fact that they rest on very sophisticated and complex cryptography and the German Supreme Court in 2019 made an observation where it said that the use of voting machines which electronically record the voters votes and electronically ascertain the election result only meets the constitutional requirements if the essential steps of the voting and of the ascertainment of the result can be examined reliably and without any specialist knowledge of the subject now this these last few words are the words which are very very important where I want to lay the emphasis without any specialist knowledge of the subject and what's happening with most of these electronic voting protocols is that they take the agency away not just from the voter but also from the polling officers so it's some magic that's happening in the voting machines as a voter I do not have a perfect understanding of what's going underneath neither does the polling officer but we are expected to just trust the workings of this machine to have recorded everything correctly and secretly so so many of these protocols do not provide so and of course the last limitation is that I was talking about this idea of public VVPR verifiability where this one-to-one correspondence with VVPR slips is important and it so appears that many of the modern day end-to-end verifiable voting protocols do not provide this correspondence and the absence of which the trust on the electronic voting system is hard to establish so I'm left with 10 minutes I had prepared a couple of slides talking about the process of what happens say for an optical scanning voting protocol and a DRE based voting protocol so in the interest of time perhaps I will not go through all the details but limit my discussion I'll keep it at a very high level description of what goes through so as a first step is eligibility verification where a person who is eligible to vote is authenticated at the polling place in accordance to whatever procedures are put in place for voter registration and etc. Now here I want to comment and comment on what Shivam was talking about electronic voting machines of course theoretically are hackable but much of the fraud actually takes place in the electoral roll lists and the eligibility verification fails so it's very easy to delete a voter from an electoral record maintaining the integrity of electoral record is of paramount importance and we will see that perhaps this is perhaps one area where a very specific variant of blockchains could be applicable without the network just a cryptographic untamperable bulletin boards append only bulletin boards can implement electoral records that is essentially a part of blockchain because blockchain is this plus a distributed consensus so Shivam is absolutely right I mean voting on blockchain or blockchain doesn't make a whole lot of sense now or in posterity but there's a lot of hype around it okay so the second so before the voting happens let me very briefly talk about how the ballot is prepared so at least in this optical scanning protocol that I'm discussing which is Scantigrity 2 the ballot consists of a voting portion a receipt portion which is shown below after this perforated lining dotted line with a unique and every ballot has been provided a unique ballot ID number so the ballot ID number is there in the voting portion as well as the in the receipt portion and the voting portion of the ballot includes a list of candidate names with an optical mark because this is a handmark based protocol so there are these optical marks and all that voter has to do is use their pen to mark on so initially all of these optical marks are would not show these very unique IDs that are behind them right so so the ballot includes basically these list of candidate names but each bubble contains a sequence of randomly generated alphanumeric characters so to speak which are essentially also called in literature as confirmation codes and these are printed by an invisible ink so before the ballot is marked none of the confirmation codes are essentially visible and if a voter has to indicate her preference all she has to do is use her decoder pen to just mark over these bubbles and that particular alphanumeric encoding would present itself right so once it is done so the receipt portion is optional if the voter chooses she can record this alphanumeric text in the receipt portion if the voter is perforated she can edit off and keep it herself actually she has to show it to the polling officer and the polling officer will stamp it by saying that okay so the voting has been recorded right but at least cast now so that's the essentially the receipt stamp stamping and the collection and then what the voter does is the officer scans the top part or the voting part of the receipt of this ballot and it shows up on the screen so she can cross check whether the ordering is correct in fact what is important to note here is the actual vote would not be available to the machine so the machine will not get to know that the voter has actually voted for Arthi all that they would be able to scan is that alphanumeric encoding so now the voter can go ahead and cast her ballot and and then basically take this receipt home and then there is this entire post process of posting these votes and tallying these votes which is a very interested sophisticated cryptographic cryptographically based system where the election commission is maintaining a bunch of tables some private some public and these tables are connected to each other via via mappings which are which are essentially cryptographically protected and that nobody has essentially gone and changed data across these tables so the cryptographic primitive that is typically used to prove whether at the time of tallying that these mappings are indeed correct from the vote to whatever encrypted data that has been put out in the public domain there is this cryptographic primitive called mix next and so this is the case in optical scanning scantigrity protocol of course one could change this cryptographic primitive the other kind of protocols use something called as homomorphic encryption where tallying is done using this homomorphic property where and votes being added the encryption of votes being added is essentially equal to the encrypted vote being multiplied together so this is the relative homomorphism and so some of the voting protocols their back ends essentially use this homomorphic property I think there are a lot of technical details I would not want to get into it otherwise this will just confuse a lot of audience and so in the interest of time also let me move ahead so so so optical scanning voting protocols the VVPR verifiability is essentially non-public it can be done so the public VVPR verifiability does indeed exist but it is non-public in the sense that they would have to open up the entire mixnet in order to make these mappings between the electronic vote and the VVPR and in process of doing so you know the vote secrecy would be preached so it cannot be a public process the other thing for DRE voting protocols is the fact that VVPR verifiability is only partially available because again that would mean the technical detail behind it is that the homomorphic homomorphism has to be they will have to open up everything which is counterproductive because it defeats the purpose of having this homomorphic encryption in place in the first place more importantly DRE voting protocol such as StarVote provide no secrecy from DRE scanners so somebody who is scanning the vote or printers so that is that and like I said what happens in the back end is so once the tallying has happened the election commission has to provide a proof that the tallying has been done correctly and again a very sophisticated computer science technique is used here to show that correct tallying has happened what the authorities do is they decrypt the encrypted tally of votes and publish a proof which is a very interesting proof it is called a zero knowledge proof of the correct decryption so essentially the proof is saying that I have not been any hanky-panky during the decryption process so the tally is indeed correct according to whatever recorded data I have let me skip this introduction to these cryptoprimitives of what is zero knowledge proofs and other so zero knowledge proof let me make one statement on it it's a proof strategy where if there is a declarative statement that requires a proof one is able to obtain a proof for that without knowing the knowledge required to make to design that proof so no knowledge behind the proof is essentially leaked but the verifier is convinced in a certain way that the declarative statement is indeed correct the assertion made in a particular declarative statement is true so what I will do is I will take last 2-3 minutes to touch upon internet voting and block based voting and primarily upon their unsuitability internet voting you know in my opinion and in many others opinion of course in fact lot of very big computer scientists in a sense that who have been working in this space for decades altogether have clearly talked about the unsuitability of internet voting why so because A how do we guarantee coercion freedom to have an app or a mobile phone and from your bedroom you are allowed to vote then quotient freedom goes for a toss there is no way where you can guarantee quotient freedom so it's just not possible so there's an impossibility reserved right there the other question is how can we trust the device and the app themselves and then in a day and age where malwares can you know see through a different app that you downloaded to a different app and that malware can break havoc right so not only can it break your voting secrecy but voter secrecy but it can do all sorts of unimaginable stuff breaking all the correctness properties and how do we really establish that your device and app is indeed correct so that itself is a computationally infeasible exercise as has been established in literature right again how do we guarantee software independence in the presence of such device and apps so software independence goes for a toss and therefore if you don't have strong software independence you don't have recoverability and so on so forth so and again then auditability and other properties also come under question so a very serious computer scientist who has done a lot of work in this space in fact he is also a winner of during award a Nobel Prize equivalent he was the guy who gave an RSA encryption strategy he says that internet and blockchain based voting would greatly increase the risk of undetectable and national scale election failures and he substantiates it with a lot of information so to say that to have internet voting just for ease and convenience and to increase the voter turnout and to see that also turns out to be incorrect there have been various studies done in Switzerland and Belgium where they have shown either no impact on voter turnout or negative impact on voter turnout and there have been other studies done in Canada which show that in fact so this study was not in Canada I think there is a typo here it was done in Estonia where they said that well with internet voting what they saw was that it would favour groups with higher income or higher education so demographics who have higher income or higher education and that is understandable so how would a person who is not lettered would navigate such technology so usability also is under so all of these properties that people typically point to while voting internet voting or blockchain based voting people have done studies and they don't inspire confidence again unsuitability of blockchain based voting so well this is again a non-starter because blockchains are essentially built on top of these nuts and bolts called smart contracts who is going to establish the correctness of these smart contracts your smart contracts are wrong your entire blocking blockchain is not going to be trusted so it's usb false flat on its face well it's a network and then therefore it will open itself up to a much larger set of attacks like denial of service attacks or collusions and cartelization group of users operating through their pseudonymous identities get together to collude create cartels and create a fork in the network and then what they do is they show one tally set of people and other so one kind of information to one group of people and one other kind of information to other group of people so this is opening a whole can of worms at a point in time when we are still working on unconnected sequential voting machines digital voting machines again so if you were to consider permission less blockchain voting systems then clearly the visibility of votes is under no question the votes have to be visible to all the players all the participants in the blockchain and then how do you talk about preventing coercion and vote selling when the vote information is freely available for everyone again where so a limited setting where a component of blockchain technology that could be used which I had referred to earlier in my talk is in implementing electoral rules and what is that component of blockchain essentially this idea of cryptographically chaining the records of a blockchain through this cryptographic chaining one could obtain properties of untemperability append only untemperability to these records and this is what we want in electoral rules so once you have been added as a registered voter for a particular constituency nobody should be able to manipulate those details so these are the properties that would be guaranteed through certified cryptographic hashing or chaining has chaining of these records it gives you these properties of certified publishing and analytical history so that's a very limited component where a component of blockchain perhaps could be used I think with that I will end my talk thanks for your attention the early version of our article from which many of the ideas that I discussed in the slides is available here thank you and I am open to taking questions now thank you very much sir very interesting very very interesting presentation from you and very informative and you provided an excellent framework for judging suitability of different types of porting systems and you discussed some of them also I wish I could say for myself that I understood everything and now it's clear what is possible but clearly it's difficult to compress so much into one session from both sides for the presenter because you know so much and also for the audience to grasp all of it I have a question and there are a couple of questions from the audience so we quickly quickly take them up the one question that came to my mind was that I need to be able to verify that my vote was correctly recorded and countered right but if my vote, if I can verify that my vote was directly recorded and countered it opens me up to the risk of somebody asking me to do that verification in the presence of a witness so these two things will always be in conflict would they not be? so essentially your vote is never revealed no vote will get revealed if I can verify that my vote was correctly countered so somebody can stand on my head and say reveal to me that it has been correctly countered which means reveal to me that it has gone to the candidate that I wanted to vote for correct but this would be something that is a mapping which you only know of and which is not given as an information in the receipt that you got that's okay that's okay yeah sorry if I can verify right after the votes have been recorded if I can access that and see that yes it is correctly recorded then somebody can watch over me to see that yes what am I seeing it's not only an assurance to me it's verifiability that I can execute later after casting the vote and that opens me up to some kind of threat but it's not a piece of information that you can provide to anybody you always have this freedom of lying if I may comment you can give this proof in zero knowledge so there are geographic techniques where you can give the proof in zero knowledge without revealing and all such proofs will have to be zero knowledge proofs and there are easy techniques that's true that's true that zero knowledge proofs can be constructed but this would make the German courts absolutely it would make it very difficult for people to deal with zero knowledge proofs unless it was their apps which were doing it in which case the trust shifts to the app or to some other system and it creates its own problems so thanks a lot and there are a couple of questions also from Mr. Berlund Nipra he says who won't targeting voters in the community level when voting data is widely and publicly available it's being more easy to detect and therefore it may prevent or help prosecution such assaults as well as build social pressure againstие on targeting of the voters when the community level voting data is widely attractive will be more easy to detect and therefore it may prevent or help prosecute such assaults as well as build So of course, I mean, how do you establish a correspondence or rather some sort of a correlation between targeting of voters and this community profiling. So that's where the problem lies, right. I mean, of course, the targeting is indeed happening, but in ways where you cannot say that this targeting is happening because that targeting the people behind that targeting have this, this sort of an information. So, if a party A, if a particular party A knows that in a particular community, they don't get a vote, they will, they are anyways doing it, they will preserve their resources and not do a whole lot of campaigning there where they know that there are fensiters perhaps they will put in a lot more resources and try to swing the vote there. So it's already happening. How do you establish that. Yeah, correct. Correct. Correct. And we can't also be sure that publicly if something is available, something is known that pressure can be built enough to prevent it from happening. That's also not necessarily, you know, that's debatable as well. He has another question. You have used some kind of optical scanning for ballots, thus keeping two parallel tracks of votes, the digital and the paper. Did this make the system verifiable? So basically, so yeah, so basically what happens is the paper ballot paper, the paper copy of the ballot is typically shredded and put into dustbin otherwise some correlations can be made and motor secrecy can be compromised. So there are some districts and consequences where optical scanning based ballots are indeed used. But I'm not sure whether they really do maintain the paper copy of the ballot. So once it's been scanned, they maintain the digital copy. Perhaps they can keep the paper copy for VVPR, public VVPR verifiability. So that's not correct. In United States, you are not allowed to do electronic elections. Yes, as a nation doesn't do it, but there are consequences. For example, even no, no constituents is allowed to do it. So you always do only paper elections. The problem is that verifiability does not come because the VVPR and the electronic elections has run as two independent parallel elections. They're not coupled together. So that's why the verifiability does not come. Okay. So one correspondence between them is the missing piece here. So thank you. Thank you very much for this very interesting talk. And you know, for helping clarify all these issues which just the previous speaker had thrown up so quickly. So thanks a lot. Thank you very much. We are supposed to have a 10 minute break, but we have already 10 minutes late. So I think we just go right ahead. And any breaks that are required, the people can individually take them. So since it's already passed the 440 time slot for Professor Subishi's energy, we can go straight through skipping the break. And Professor energy is well known to us. At least the people who have been watching this one vote series. He's a professor at the Department of Computer Sciences at the Shokha University. He's been deeply involved in writing, educating and commenting on the intersection of technology, society and politics. His recent work includes commenting on the range of topics such as our contact tracing applications as well as electronic voting. I had heard him speak last time he described all the election technology and various, you know, the systems of elections and and the concerns. It was it was my mind opening. And we also traced the conclusions to the original papers that illustrious people like Congress have written. So I look forward to to the start from you. Professor energy. He's going to speak on citizens commissions on elections report and analysis supporting systems in India. Over to you. Thank you. Thank you very much. Thanks for the kind introduction. Let me just share my slides. Are the slides visible. Yes, they are. Thank you. Yeah, so I will. I'll talk about thanks. Thanks for inviting. Thanks for the opportunity to give this talk and the introduction. So I will talk about the citizens commission of election which brought out its report earlier part of this year in 2021. And it brought out several reports but I'll restrict in the stock only to electronic voting. So the citizens commissions of election was formed just before the pandemic started around January, February of 2020. And the key person, the, the, the, as whose base the citizens commission was formed was Mr. MG. And I can see that he's listening in. Thank you, sir. And I think that the commission did work for about over one and a half years with more than 100 zoom calls. And it went through volumes of depositions, did lots of research and were held by a whole lot of other people. And it was headed by justice more than the court. It also had the advantage of having two constitutional judges in the commission, who kept us in check. And the volume one dealt with the compliance and EVM and be prepared with the principles. The reason this was brought out was the unrest in the country with the speculations about possibilities of hacking and so on. The second part which dealt with many more topics dealt with electoral roles. So that study was done by Mr. V Ramani and Harsh Mandar with a little add in them by me money power and criminalization was, was mostly research by Anjali Haradbhach, model code of conduct by Jagdeep Chaukar and others. A role of media by Paranjali Multakurta role of ECI by Mr. Sanjay Kumar. It also dealt with many other topics like linking other with the voters list and disenfranchisement and so on. The two volumes is going to come out as a book, edited by Mr. Devasaham and published by Paranjali Multakurta in the early part of the next year. So I essentially talk about volume one of this report. So the volume one was essentially based on depositions and depositions by these ladies and gentlemen. I think that the last series of depositions in which Ron Rivest whose name was mentioned several times and Philip Star. Subraman, I think if you have changed the slides, I don't see that on the screen. Okay, I know. I know what has happened. So let me just unshare. Now I can see it. Yeah. Okay, let me just unshare and reshare. I should share the screen. Otherwise, this turns out to be a little problematic. Just give me a moment. Let me stop share. Sorry about that. I don't share the desktop but share the entire screen. So can you share the screen now? So what can you see the screen? Yes, I can see the screen. But if you change the slides, then that will confirm whether the slides change. Okay, now I'm moving back up. Yeah, I saw that. Yeah, so this was based on depositions by these ladies and gentlemen, very large number of high quality depositions. And the computer science lot by Poojee Bora, I mean this was a joint deposition. Poojee corrected all of them from, you know, people who have worked in elections for now 30 years like Ron Rivest and Philip Star. And they were surprisingly aware of the Indian elections and all of them proposed and they were very, very valuable. And let me try to, you know, give out our findings. So first is why electronic voting and I think Shivam brought out this topic. A computer science, as Subod mentioned, computer science has looked at electronic elections for 40 years and they're great protocols over many, many years. Traditionally in computer science is only because of this. It's never because of efficiency. In fact, electronic electrons are not that efficient. But somehow in the Indian discourse, these two have got a little confused. So sometimes we talk about efficiency, sometimes we talk about correctness, and sometimes we're mistaken, you know. So the democracy principles, I mean this is, you know, essentially a simplification of the representation of the People's Act. If you'll read the representation of the People's Act and the main wish list out of the representation of the People's Act. If you summarize and play in English and put out the legales, then this is what it will look like, right? So it should be transparent. A general public should be satisfied about that the voter recorded correctly. The voting process ought to be publicly audited. Ordinary citizens should be able to check their situation steps. That's a crucial thing. So no zero knowledge proofs, you know, as was already mentioned out there. The election process should not only be pre and fair, but should also be seen to be fair. It should get public trust and otherwise the whole purpose of electoral democracy gets defeated. The election commission should be in full control of the entire voting process. It should not be that they have, you know, the certain parts of the election is being conducted by methods and means which they are not aware of or not directly in control. And electronic processes that give there to be used for voting at all. This was not a part of the representation of the People's Act, but this is a conventional system all around the world. They should be in sync with changing technologies and practices and be able to publicly audit and scrutiny. So that's what is decided at all. And when you come to electronic verifiability, the public verifiability essentially comes from two parts, right? There's an administrative verifiability. And administrative verifiability essentially is what ACI has largely put his efforts on, which is certification of equipment. There's an elaborate process by which equipment is certified. There's a trustworthiness of custody chain of election pre- and post-election. There are strong rules. There are seals of variance kind. They're locking of unions, putting them in trunks, moving them around by tracking with GPS. You know, there are a variety of methods. They are well listed in the ACI webpage with the do. The trustworthiness of the custody chain of the VPAT slips. So this is essentially based on seals and strong rules. So there's an assumption that the VPATs, even if they're trustworthy right at the election, they remain trustworthy at the time of counting, which is someone not destroyed or new ones are not added. And these are standard conventional administrative processes that take care of it. And VPATs are supposed to audit electronic elections. So this is a simple scheme that we practice in India. The public verifiability part is largely missing, right? I mean, which is so both talked about a great length that, you know, what computer science is and diverse to give methods so that the public can directly verify that the votes are past as intended recorded, just past and counted as recorded. So this part is largely missing and omitted in Indian elections. What we found is that since the special steps are missing, so we've got computer science into public life, but left its rigor behind. And that has created a little bit of a problem. There is a general public mistrust of the whole process. And I think Shivam mentioned that he hasn't seen whether there's any evidence direct evidence of tampering. No, even the commission did not get any direct evidence of tampering. But the commission did get lots of report about indirect evidence. You know, the commission received depositions, which means two lakh EVMs went missing. PCI had no control of them. Or EVMs landed up in the car, the key of the car of a candidate. And also, which means that many of the administrative verifiable decreases have been violated. Now, whether that has influenced the election, it's not here, right? Some political parties say yes, some political parties say no. But this mistrust has not worked for democracy. So, and what are the easy ways to remove this mistrust? That's what we will try to explore a little bit. There is this recent talk about internet voting. Quite a bit, right? And this is almost impossible, as Subodh mentioned. I just quietly believed in computer science. You know, computer science has known this for a very, very long time, and internet voting are a strict norm. And I think there is a complete agreement with it. So, in the computer science community. So, that this has been talked about in the national scale in India is a little surprising. And this, as Subodh has already mentioned, but let me touch upon, this is because of two essential problems. What is the secure platform problem? So, you may own a cell phone or an app, but for a general voter, for even the expert voter, like a computer scientist like Subodh, there is no way for him to know that his machine is not hacked or tampered. So, that his machine or his cell phone will follow his instruction correctly and vote as he wanted. There is no way to guarantee that. That's called the secure platform problem. Right now, computer science cannot solve that. There's no way to give a guarantee that your cell phone will not get hacked. You know, one cell phone may be used, but a public collection of cell phones will not get hacked, where there's no such technique in computer science. Whether such techniques will evolve in the next 20, 30 years, we hope it will, but we are unsure. But the second problem will never get solved. There is no way to make it coercion free. As long as the possibility, I think Subodh tried to mention this, that as long as the possibility of the wife coercing the husband to vote for her favorite political party, internet voting is not possible. So, if they don't come to the polling booth and vote from their bedroom, there's no way of knowing who is coercing who. And that problem, no technology or social process can be solved. So, that makes internet voting a strict no-no. It's an impossibility. And this has been realized for a very, very long time. It's not new. For 15 years, this has been documented and internet voting is a possibility. And the U.S. National Academy of Sciences, Engineering and Medicine jointly in 2018 recommended that elections can be only conducted using polling booths and that too using human readable paper ballots. Not using complicated electronic or cryptographic technology. And this is a 200-member committee that made this recommendation very recently in 2018. And they were quite emphatic. The report is available online. And it's quite an emphatic report out there. And this roughly followed the recommendation of a German constitutional court, which came out in 2009 with a recommendation with almost banned electronic voting in Germany. So, though this is not the German constitutional court's ruling is not applicable in other jurisdictions like the United States, England, Ireland, France and so on and so forth. But most countries have ordered this judgment. And I'll explain why. Most countries have abided by this judgment and have moved away from electronic voting completely. So, let's now look at only an EVM only selection. We can see that why the German constitutional court gave this ruling. And let's talk about an EVM only solution. And assume for the time being there is no VBPR, no VBPAT associated with the process. So votes are recorded electronic by press of a button. And it gets recorded somewhere inside electronically. And there's no way for the voter to know what has been recorded. So I pressed one and the machine recorded two. And it tells me that I've recorded one. There's no way for a voter to verify what is not recorded. And this is this violates almost all principles of voting. So there is no way for a voter to provide a guarantee to a voter that the vote is cast as intended. There's no way to resolve a dispute with it. If the voter says that look, my vote was not recorded correctly. There is no way the election authority can convince the waiter that is not the case. Because it has just gone inside and incremented some counter by one. And you only have an aggregate vote. So we have lost all ways to resolve a dispute. And as Subodh mentioned, not having dispute resolution is not good for voter confidence. That's a typical problem. And also there is no way to establish that a system as complicated as an EVM is correct. It is known to be theoretically a very hard problem, almost an impossible problem. And this was proved mathematically by Rebekah Murky in 1992 that the correctness is impossible to prove. Note I must also add that the incorrectness is also impossible to prove. That the machine is incorrect is also impossible. So in general, to make a statement that this machine will always function correctly. The statements of the type that ECI is routinely making every day in national press. There is a theorem to say that such statements are no big deal. And the theorem is due to Murky. So she's the one who recommended BBpatch in 1992. So she said that one easy way to solve this problem, if done correctly, is to have a voter verified paper audit trail, which has become routine in most elections all over the world. And in general, hence it is impossible to predict whether a machine like this can ever reach a state that will violate democracy principles. So the machine can potentially, as complicated as an EVM, can potentially lie in a very, very large number of states. And it's impossible to examine all of them to figure out that whether one of them is a hacked state or not. So that's not possible. So it is impossible to say whether an EVM can be hacked or not, that an EVM has not been hacked is no guarantee that it cannot be. If it is hacked, it is hacked. Till it is hacked, nobody can make any statement about the hackability of it. Testing of a system such as an EVM can never constitute it. You can only test a finite kind of behaviors. You can test for functioning, but you can never test for correctness. You can say that the most common use cases, the machine is behaving correctly. But you can never test for the infinitely many uncommon use cases that can form. So in computer science, we have got a maxim that testing never considered a proof. So you can never certify your machine to be correct by testing. That's not possible. And theoretically, one can never test for all possibilities. So in particular, a hacked system can easily be made to behave correctly under test conditions. That's not a problem at all. And I think that many people in the depositions appointed this out. At least six or seven depositions appointed this out. So these issues like this claims that one-time programmability, quality assurance testing, we have done all this, and hence we are correct. They don't pass most of them. They are their statements of dubious quality. And none of cost has intended recorded this cost and counted as reported or possible. And it is the owners should be on the ECI to demonstrate correctness, not on others to show that it can be hacked. So this public challenge like Coven hack, they are, you know, the little bit of a circus. They don't make any sense really. And I think that the citizens commissions of report has come down very strongly on such practices. Elections come in, this job is not to throw hackathon, but to convince the public at large that the system and the process that they have designed without electronics is correct. So the ruling of the German constitutional court says this. I think the main point is that because an EVM to the black box, there's no way to know what is going on inside. So the use of voting machines, which electronically record a voters vote and ascertain the election results meet constitutional guarantees. Only if the essential steps of voting and the ascertainment of result can be examined reliably without any specialist knowledge of the subject. So the German constitutional court is quite clear that computer scientist likes more than or the election permissions technical expert committee have no locus standing. They should not be trusted. They are untrustworthy. And just on their certification, the election cannot be declared correct. Nobody in a public election has a right to claim expertise to declare election correct. So this has to be verifiably correct and without any specialist knowledge. So an expert has no role in the conduct of an election. And this was a very, very compelling judgment. And most of the world has divided by but not so not so in India. And that's a concern a little bit. The constitutional court also said that the legislation is not prevented from using electronic voting machine. The possibility of reliable examination of correctness which is constitutionally prescribed is safeguarded. So it's suggested that you may use a complementary examination system. Perhaps we'll be back where votes are recorded in another way beyond electronic, besides electronic storage. In India, Mr. Subramaniam Swamy bought this year for find a public interest litigation in the Supreme Court and relying mostly on this German constitutional court's judgment. And he got a favourable ruling from the Supreme Court as a result of which Election Commissioner of India was asked to introduce VB PAC and not use EVM-only solutions. So since 2011, 2012, thereabouts we are using VB PACs in our elections. And mostly because of this ruling by the German constitutional court. So we need VB PACs. And this was recommended by Mercury way back in 1992. She almost thought in her PhD thesis that without VB PAC there is no real way to do an election. Must say that she was she had foresight. So what was the what is the conventional wisdom? The conventional wisdom is that there is a definite need to move away from certifying voting equipment from a certification process to establish that the outcome is correct. Even if you are using wrong machines even if you are using uncertified machines it does not matter. As long as you can show that there is no that your outcome has no problem. And this is the way to conduct trustworthy elections. And I think the German Supreme Court made this observation. The US National Science Academy made this observation. And Rebecca Mercury made this observation way back in 1992. That you can never conduct an election correctly by certifying voting equipment. That's a strict no-no. Instead concentrate on establishing that your election is correct, independent of the voting equipment. Right? There are two ways to lose. The first way has been examined in computer science for now 40 years. Which is end-to-end verifiable cryptographically secure voting protocol. Right? These are many of them are extremely sound. Sam Subod has presented. We believe we have one from which is completely takes care of everything. But they are difficult to deploy in public life because of the good to publish papers with great academic brownie points. But deploying them in public and throwing them at public at large is a little bit of problematic issue. Because of the ruling of the German Constitutional Court it will require experts to certify correctness, mathematicians to certify correctness. And why an electorate should trust mathematics is not clear. In fact, they should not trust mathematics. So worldwide cryptographic voting systems are not popular. It's not because they are incorrect but it is because that generating trust in them requires certification by experts. But ECI should still obviously explore the possibilities. I believe that if not today, tomorrow this is the route to doing elections correctly because you can give mathematical guarantees that elections can be conducted completely correctly without any risk whatsoever. The second way to do this if the first is not a possibility and it appears to be not a possibility today is to do post-election risk limiting audits using Vivipads. Yet you have got a Vivipad system that you have recorded votes using Vivipads. Use those Vivipads to do a risk limiting audit. How to do this is completely worked out in this great paper called Evidence for Selection by Staft and Wigner. Staft submitted a deposition to the Citizens' Commission of Election as well. He's a professor of statistics at Berkeley and he gave this elaborate statistical procedure on how to do the audit. We will discuss some of that. What are the essential requirements? The essential requirements are then software independence. This essentially means that if there is an undetected change in software or hardware that should not cause an undetectable change in the election. So even if the machine malfunctions it should be possible to detect that the malfunctioning has happened. This does not mean that you cannot use software or hardware but a malfunction in the software should not become undetectable. That's what we call software independence in computer science. The second property is dispute resolution that it cleared with anybody challenges like some of the challenges that my vote was not recorded correctly. That must result in either the challenger or the election alternative being proved wrong. There has to be a clear determination about it one way or the other. If there is no dispute resolution there is no motor confidence in the process. No dispute resolution cannot be done in a direct electronic recording machine. Between a secret transaction between a man and a machine there is no way of determining who is lying. If I press 1 and the machine says you press 2 that's an event that has happened without any witness and it's obvious common sense that there's no way to conclusively determine who is right, who is wrong. Between two human beings in private also there is no way but there are traditional methods like fist fights and so on so forth but you can't even fight with the machine. The only solution is then be fair to the voter. You cannot possibly be fair to a machine that doesn't make sense. If you cannot dispute resolution electronic machine then as many of our people who have deposed to the commission have said that the only sensible solution is to be fair to the voter. So what are the Vivipat requirements? This is required by law in most jurisdictions including in India if you conduct electronic elections and Vivipat are must but the Indian Vivipat system will be in our examination we found that has some lack on it. There is no clear definition in which is the vote. So the representation of the people's act proper about the ballot paper is there. The EVM somehow has not even made a proper appearance in their representation of the people's act. So there's a big problem and now if you are running two private elections one with voter verified paper audit trail and one is the electronic vote because they are not in one-to-one correspondence or they are not demonstratively in one-to-one correspondence in which case which is the one that should be counted. That's a lack on it that is there in the Indian election system. Indian election system the representation of the people's act says that the paper one should be the vote but India seems to be counting the electronic one. And that is vote a theoretical political, constitutional and worldly. Second is the voter should have full agency to cancel a vote because would if not satisfied and this process should be simple and should not require the voter to interact with anybody. But the Indian VVPAT system is not truly voter verified. It's not truly voter verified because the following reason that if you press a button so suppose you vote for a political party A and suppose the VVPAT slip prints political party B there is no way for the voter to cancel the vote. The because the voter verified paper audit slip does not come to the voter's hand. There is no physical process of casting the vote. So it gets displayed behind the glass window for seven seconds and then gets detached and falls in a sack and comes indistinguishable. So if that point the voter raises a dispute that look I press my preference for political party A and the VVPAT slip printed political party B then there is no way to resolve that dispute. And there is Indian Indian election system. There is an incredible report of such disputes and there is also 5000 rupees fine if the voter cannot prove that she is being truthful. That is that is a travesty of justice. And as a result in our deposition her story that even a police officer claims that he is scared to dispute that how will I ever prove that I am right. Now look that if the polling officer comes in as a mock poll next time that the mock poll happened correct does not mean that the previous complaint was incorrect. That is incorrect logic. So the voter verified paper audit trail is not truly voter verified. So this needs to be corrected and the only way this needs to be corrected can be corrected is the voter verified paper audit trail is something that comes to the voter sign the voter checks it and to complete the voting process and the voter is not allowed to vote on the ballot box. That is the notion of a casting in which case the paper should be the correct vote the electronic one is only a proxy and this needs to be correctly reflected and in an amendment in the representation of people's act and this is one of the recommendations of the commission. This is too much of undefined and this does not make sense. This needs to be immediately corrected in future elections. Now the VVPAT requirements of the VVPAT may be trustworthy during voting. Suppose it comes to the voter's hand and the voter puts it in the box then it's definitely trustworthy during the voting it captures the voter's instinct but how do you know that there remain trustworthy during audit. There's an intervening period in the last parliamentary constitutional election and this is the gap between voting and counting and this requires compliance audit you know to Stark and Wagner there's an elaborate process by which this compliance audit can happen to ensure that there is trustworthiness, there are statistical processes which I will not describe out there. The next question about which there are about I believe there are some 20 or 30 cases pending right now in Supreme Court of India which is how many EVM should be audited. An EVM captures about 2,000 votes a polling booth is about 2,000 votes so assembly constituency typically has about 300 parliamentary constituency about 10,000 EVM so how many of those EVMs should be audited with full manual paper counting and this is a dispute and suppose what should be done if an EVM count does not match the VVPAT count let declare the election for the entire population null and void and do a re-election or discard the electronic votes and do a paper count for the entire constituency so these are not adequately defined in the election commissions of India's procedure and this is a big problem they say audit fine but if the audit fails so if you find that by electronic count party A has won but by manual VVPAT count party B has won in a polling booth then what can you conclude about the entire constituency and what should you do you know that the electronic count is not matching the paper count so which should you trust right now the answer is electronics this is a hugely problematic this is a hugely problematic situation because of reasons that I will try to but anyway this first is that this process is not defined completely so this requires making amendments in the representation of people's act and making this completely clear what should be done in case of a mismatch okay so the risk limiting audit process goes the other thing I want to mention out here is that we requested the election commissioners to depose the last 10 chief election commissioners to depose to a committee only one of them did Mr. Kurishan we also asked the technical committee of the election commission of India to depose for the commission but from private conversations we heard that the reason that the VVPAT slips cannot be counted is that it takes too much time and almost all the people that we talked to like Shivam Shankar Singh who made the presentation thought that time should not be any you are electing your representative, your prime minister will rule you for the next five years and how does two more days matter to count all VVPAT slips right and also there are technologies to count VVPAT slips there are not counting machines in the banks IIT Delhi can design a mechanical VVPAT slip counting machine which can just count 2,000 VVPAT slips in a matter of one second so if no counting machines can be designed why can't VVPAT counting machines not be designed and if you count by a mechanical process standalone process and if that tallys with electronic process you know things are all right so not counting the VVPAT slips there is a commission found no convincing reason that why the entire set of VVPAT slips should not be counted it appeared to the commission that is an easy thing to do it should not even take too much time even if done manually and there is no need to do it manually there are no counting batch machines that you can go to every bank such a thing can be designed and there are many many companies and education institutions and IITs in India that can effortlessly design such a counting machine so mechanical counting machine so again the response that this will make it inefficient does not pass with this but if you want to do a statistical sampling only and not count the entire VVPAT you should count all VVPATs but if you don't want to count all VVPAT then this question assumes that how many VVPAT should be audited by full VVPAT counting and the answer in statistics comes from this distribution called a hyper geometry distribution so you don't have to understand it but this essentially tells you defines the probability of finding a defective item in NRA in a population of capital N which may have capital K defective so if you know that there are 1% faulty television sets 1% television sets are faulty then how many should you sample in a population of 1000 how many television sets should you examine closely to determine say 5 faulty sets this is given by the hyper geometry distribution this is routine in engineering this is taught to secondary students in statistics and every component engineering component is audited you cannot probably test every possible car that you are manufacturing you select a small sample based on a statistical sample given by the hyper geometry distribution put them to regular test the whole lot is correct statistically with a very high probability this is the way you sell televisions this is the way you sell cars this is the way you sell cell phones and computers no company has the way with all to test every iPhone that they have with a clutch that's not possible it comes out of the factory with a standard process you check a small statistical sample and declare the whole lot with a high confidence now if you do that process there is an IS officer called Ashok Baradanshakti he didn't depose to our commission but he wrote an article in the Hindu business line before the commission came out and the commission took so much of cognizance of his article and his statistics were impeccable and it matched Professor Philip Starks' recommendation exactly they gave exactly the same process and what it says is that suppose one percent of EVM's are faulty or hacked or whatever to detect at least one faulty EVM with 99% probability how many EVM's should you sell now it so turns out that if your population is what is this how many zeros this is one crore of course there are seven zeros they can't even read but it does not matter there is one crore and if it is one percent faulty EVM sampling 459 EVM's they will get one faulty EVM with 99% certainty and if you add one more zero the number doesn't change it remains 459 for one lakh EVM it is 458 you have to sample only one less EVM so the India went to the Supreme Court and said that one per assembly constituency is enough and they were backed by some top-class statistician from India of very high repute who filed FDFits in the Supreme Court in support of HCI's claim and they presumably went by this plot and they said that if you take a parliamentary constituency the whole country as a whole with 1.2 billion population that's somewhere out there or if you deploy so many EVM's then collecting only about 400 EVM's is statistically auditing only about 400 EVM's is sufficient for the entire population but the problem is that what should be the population an assembly constituency has about 30 to 300 EVM's a parliamentary constituency has about 300 to 18,000 EVM's state as a whole depending on how large the state is about 10,000 EVM's and India as a whole has about 10 lakh EVM's right in a parliamentary election India as a whole deploys 10 lakh EVM's so if you consider the entire India as a population and say that 459 459 auditing 459 EVM's are sufficient for the entire country you are assuming a homogeneity across the entire country you are assuming that your election subversion strategy in Kerala is exactly the same as the election subversion strategy in West Bengal is exactly the same as the election subversion strategy in Kashmir right but election results are declared in much smaller units so if you go to a one assembly constituency and say that there are only 300 EVM's then the curve shows that you will require to audit about 50% EVM's if you are in a larger parliamentary constituency which has got about 1,000 EVM then you have to for the same certainty you have to do about 40% EVM, 36.8% EVM needs to be statistically audited so this claim that you need to ultimately the Supreme Court ruled that neither this way nor that way audit only 5 EVM's per assembly constituency and that is the current practice now that has no statistical or logical basis and what shows as an assembly constituency is typically of 1,000 EVM then this detection should require at least 268 EVM's to be audited if you want to manually count if you don't want to do a full VVPAT count but only do a statistical count then you have to pick up 368 EVM's from this and do a counting so this is elementary any secondary engineering students should tell you Supreme Court should have used better judgment than to come up with a dictum and say that 5 EVM's per assembly constituency is sufficient that doesn't seem to have any any statistical basis and in fact as another deposition this is probably by Professor Starr the view of this table to show that if misreporting EVM's in a Luxembourg constituency at 25% then the Supreme Court's dictum will capture it with a virtual certainty but if the misreporting EVM in a Luxembourg constituency is only 1% then you will detect it with only a probability 1 third and you will miss it with a probability 2 third now that is not good statistics from Supreme Court of India and this is something that the commission very strongly very strongly objective so I think that you know blockchains let me see if I have the time for blockchains perhaps not I think that Subodh has talked about blockchains already I will just mention by saying that blockchain is a thing that the commission also investigated and the commission's report we have published in India for a article and there is adequate you know the conventional wisdom in computer science says that a blockchain based election does not make any sense a blockchain is a process that goes with distributed consensus and when there is only one authority the commission of a distributed consensus does not arise so the U.S Academy of Sciences report has also cautioned against blockchain saying that it is a hype that should be completely blown and this can have disastrous consequences for elections the citizens commission of election also makes the same recommendation and I will not discuss this in great detail out there so in a summary it is well known that it is impossible to verify an electronic system as complicated as the Indian so VBPATs are a must if you use a VBPAT then define which is the the VBPAT is the mode of the electronic button presses the vote and what should you do if they don't mismatch leaving that undefined is not good for democracy the VBPAT system should be voter verified not having the VBPAT system it is called voter verified paper audit trail so not having it voter verified is a fundamental flaw EVM wanted by crossing with manual VBPAT the commission did not understand that why 100% VBPAT counting should not be done it seemed easy but if you have to do a statistical audit follow well established statistical procedures don't arbitrarily declare 5 EVM should be audited with constituency and blockchain really does not address the verifiability problem either for electoral processes or for pooling so I will stop here and leave the questions I will try to take Thank you very enlightening, very clear presentation on the difficulties in designing these systems and what you said about machine readability of the VBPAT makes perfect sense why should it not be possible so one question that comes to mind is that why the EVM should not record the vote rather than keep account of the votes it can electronically, digitally record the votes in a random order in a stack and the automatic reading of the re-repair should be part of the transport of the slip itself into the vote so as you see it going in it should be read by the device tell it against the vote which is digitally recorded and then allowed to drop into the vote this way you will get votes in the vote that exactly match the recorded votes and you can recount both anytime you wish of course you will not have one to one correspondence between the slip and the electronic version can we do something like that there are two problems one is that just the VBPAT matches the EVM does not give you a guarantee that the election was gone correctly they just show that they both match why can't I delete 5 votes from both or add 5 votes into both for my favour of my political party the second thing is that the reason the Indian EVM does not record identical votes but just records an aggregate cumulative count is because nobody can guarantee that the EVM will maintain secrecy and the EVM leaking vote information is something that probably are just that the ACI designers did not want to take but indeed the system that we have proposed the cryptographic system the EVM keeps a full record but EVM keeps a completely encrypted record in fact it is in computer science almost all designs except 2 or 3 gives a vote secret from the EVM EVM getting to know the vote is an extremely problematic thing so I like Shivam Shankar saying made a statement that the EVM is reasonably safe if it is not connected there can be no electronic equipment that is not connected you are interacting with the environment through heat through sound through light so there are hundreds of channels and it is impossible to know that the electronic equipment is not shouting out in an unaudible ban that Subodha has just voted for BJP for example this can be communicated out you don't need an internet for this you can do it in the infrared band or the ultrasound band and I can hide an antenna in an electronic device that you cannot recognize even if you open it there is that famous case of radiating antenna which is not even electrically not even electrically transmitted so I think that this is a false conception that a machine is not connected it does not exist like a human being is connected to other human beings otherwise your machine is not breathing so so machine getting to know the vote is a very big risk and this risk is mitigated in Indian election by machine just keeping account but if the machine maintains a record which is in one to one corresponding with a VB pad then the risk increases many I think that the electronic if you want to go that route if you want to take that route then you have to keep the vote secret from the EVM and the best election is conducted if the EVM is a public machine you take public laptop in USA elections are conducted using public laptops you take them from schools and conduct an election that's where there is the least chance of hacking so you don't require the correctness of the machine to conduct an election correctly you should be able to conduct on the office's cell phone using just an app and those will be the perfectly correct election and that's what computer science has been advocating for a very long time so how the Indian election system has not gone in that direction Thank you, thanks there is one interesting question from Mr. Bharu a comment that in the 60s and 80s people trusted the elections though there was a known good character in such other problems whereas today we have mistrust where the EVMs and other things so what is this what's the reason you know I don't think that personally this is something that we had a lot of debate in the citizens commission of election I personally don't think there is any reason to trust a paper based election that's a there's no way to establish the correctness of a paper based voting system and I don't I disagree that this was trusted I remember my father will always complain you know I think that people like me who are brought in brought up in Bengal Booth capturing is an art there you know so people who did not support CPM complained for the last 40 years that they captured Booth's and manipulated elections so I don't think that at least people in Bengal trusted paper based elections no one should trust paper based elections there are dangerous things so elections should be electronic there's no doubt about it just because the paper based elections should not be trusted you know the Indian VBPAD system is actually Indian EVM system is not bad actually it is just that the VBPAD audit procedure is completely incorrect make that correct it's a low hanging fruit because it becomes a good system that's the recommendation of the citizens commission of Belgium there's a question addressed to both you and Prasad Sharma by Sankarshi what do you think would be able to convey these concerns that you've articulated in a manner that the you know that the institution can take note of you know okay so I don't have any official contact with the election commission clearly there's no official not just the election commission for the entire apparatus that is concerned with this you know I think that being a part author of the report have spent some time on his understandability you know even within the election commission of India I don't think that there is any problem with understandability they completely understand what we are trying to say whether they want to act is a different matter whether they want to acknowledge is a different matter altogether so I think by and large people who have read the report this is not that difficult to understand and this is sort of straightforward that if you are having a paper and electronic and they're not in one-to-one correspondence that you need to define which one is the vote it's a simple English statement which one should you count if paper is the vote then why are you counting the electronic and if electronic is the vote then how is the paper or it is the electronic at least these processes should be made clear perhaps what Mr. Sankarshan is trying to do is to make the system listen rather than you know making the system listen is something that you know I try to leave it to Mr. Devashayam and Justice Madan Lokur and yeah perhaps white papers and hope that you know release as many white papers as possible keep the discussion in active memory and hope that enough people a credible number of people would take it up and force the system to acknowledge okay thank you thanks a lot there are other comments and questions but I don't think we have the time we are already at 5.40 we missed one break but it was so interesting and engaging so thanks to both of you we can take a 5 minutes break not a 10 minute break and then go to the last presentation today thank you very much thank you for wish you no not at all very interesting thanks okay so welcome all of you back to the conference and to the last presentation this evening this presentation is by Dr. Paha Ali who is a professor at NUSD Institute of Information Technology and he is an information security practitioner Dr. Ali shall walk us through the history of attempts to adopt electronic voting in Pakistan he sounds a caution about technology fetishism and mentions that electronic voting designs should only be adopted after due public consultation and after understanding the objectives that we are trying to address that's the same kind of concern that Shreem Shankar also I liked it right in the beginning so so without further delay a request for this presentation by Dr. Paha Ali I think that is important I think the recording is being pulled up and it will get started okay right good afternoon everyone my name is Taha Ali title of my talk is Elections Technology and the State Perspective from Pakistan sorry I can't be here in person for this talk but I hope you find this interesting and worth your time a bit of introduction about myself so I am from Pakistan I am an assistant professor at NUSD in Islamabad National University of Sciences and Technology Department of Electrical Engineering my PhD is in Network Security from the University of New South Wales in Australia and then I followed this up with a postdoc in 2014 in specifically looking at next generation electronic voting systems I also got a background in cryptocurrencies and the blockchain and since 2016 so I have been in Pakistan since 2016 and I have been involved in the national activity on electronic voting so there has been frantic activity over the last 5-6 years and we stand at a pivotal point in time and so I have written I have authored research papers on this topic I have written in fact one of the highlights of my career was a contribution to a book which my research group was instrumental in putting together my new class of research group so this is real world electronic voting so this brings together all the latest research on the new systems that are being built secure and verifiable systems which use cryptography I have written newspaper articles I have been part of several government committees I have authored reports which have influenced the discourse so my goal here in this talk is to bring you up to speed on what is happening in Pakistan like I said there has been frantic activity over the last 6 years and we are now at a historic point actually I will get into that in a bit and I hope to give you a personal perspective as in more of an insider account so you can see things from the inside many of these things you probably already know but some of them will still be shocking for you or illuminating and there are lessons to be learned here for developing countries because from what I have read and what I have seen election technology experiences in developing countries tend to have a lot of things in common and you know what they say that those who do not read history often end up repeating it we have actually repeated history we have repeated the mistakes made by other countries and we might end up doing that again so it is good to talk about these things so that people know and people find out and they can think more clearly so a bit of humor history repeats itself and every time it does the price goes up and this actually happens too I can testify to this from personal experience so anyway so before we get into what is happening on the ground here I would like to clarify my stance and this I believe is the stance of the of the majority, the overwhelming majority of the election technology community today to which I belong which is that technology can be a viable and promising option for elections it can be very useful, it has several good qualities, advantages but deployments must not be done in haste when you approach election technology you have to exercise caution and skepticism and what happens is that when you bring in technology to fix a problem the technology can end up creating problems itself and sometimes those problems can outweigh the initial problem and then what people tend to do is they tend to bring in more technology to fix those problems and you get into this vicious circle spiral of sorts so this is well known there are lots of papers written on this this is well known in the literature if you look at any expert any handbook on expert guidelines one thing they make clear is don't rush into this do your homework go slow, scale up, gradually address challenges as they arise so that is what I am saying here as well and that new technologies should be deployed for transparency and security things like verifiable voting risk limiting audits, I believe there are calls in India for these as well you've probably already heard Subashish's talk at this forum great care, effort and liberation is required for the ecosystem so technology requires an ecosystem around it, so you have lots of things around it there are human factors, socio-political things, dispute resolution mechanisms, how to handle technologies, procedures, lots of things and this effort is often underestimated sometimes the effort and costs of the ecosystem can actually outweigh those of the technology itself so this has to be factored in and there is a critical lack of expertise and processes in Pakistan, so no one knows anything about election technology absolutely no one, and this is pretty much in many countries unfortunately and we do not have more important, we lack the processes to talk about election technology, like we lack the forums and the we lack the knowledge of how to go about building our expertise and we are often in denial, at least from what I've seen over the last six years all the stakeholders I've talked to they are in denial that this gap even exists for them, elections is just an IT problem, bring an IT to fix it yes but IT doesn't fix it, okay fine bring a blockchain that will fix it so we need to confront these challenges, we need to take ownership of them we need to recognize them and then we need to address them and they can be addressed that is what I believe as well so that is my stance and that is the stance I'll take throughout this talk so one important point for Pakistan, for elections in Pakistan was 2013 so the prior elections prior to 2013, we've had quite a few were, they were problematic but they were mostly peaceful and they were low stakes, low stakes in the sense that you had two political parties and they would just swap every election, they would just, it would be one or the other and you knew that and there would be some rigging but it wasn't too much or it wasn't too obvious the 2013 polls were historic, historic for three reasons the first reason was that this was the first in all of Pakistan's 70 plus years of history this was the first election where you were having a transition from a democratically elected government to another democratically elected government, right before that what had happened was that either democratic governments had been overthrown by military coups or what happened is that the president would dissolve the assemblies and would basically dissolve the government at call for new elections. This was the first transition from democracy to democracy so this was historic in that sense. The second reason was that for the first time the pattern of the the two-party pattern was broken a third party had emerged and this was the Pakistan Tehrik-e-Nsaaf which was led by Imran Khan, you might know the former cricketer philanthropist and a very charismatic and new faces and he completely galvanized the discourse, they changed everything and there was this wave of change, the dili which was due to come so everyone was very excited and that's why we had 55% voter turnout in these elections which is again historic. I think this was the largest turnout since the 70s so this is this was a big deal and the third reason why these polls were historic also was because these elections were a nightmare in terms of in terms of how they were conducted and the rigging and the fraud and so let me get into that. So the election watchdog body so these were the most controversial elections we've had also in 40 to 50 years so the election watchdog body at the time, Fafan, free and fair election network, they've done some fantastic work in Pakistan, they recorded some over 71,000 irregularities and this there were all sorts of irregularities there was weak polling station management polling staff were doing things they should not be doing ballot boxes breach of protocols, ballot boxes were being brought in and the seals were already broken there was ballot stuffing some constituencies recorded more votes cast than actual voters on the election rolls there were over 288 recorded incidences of violence some of it was severe, some people were killed there was poor results management I'll get into the result management in a bit, this was a big factor in what happened so people, the polling workers were submitting precinct results on handwritten on paper normal pieces of paper not on not on the letterhead or the actual forms and the forms which were supposed to consolidate the precinct level results in many cases the totals did not add up in some cases the seals were missing, the signatures were missing there was no provenance or no accounting for how these forms were managed it was a nightmare so right after the elections there were allegations of massive organized rigging 21 political parties claimed that the rigging had happened the election tribunals were packed with complaints they were overflowing with complaints then a whistleblower emerged from within the election commission who said that yes massive rigging, lots and lots and lots of rigging the chief election commissioner resigned and later on he revealed that he resigned because the judiciary would not let him investigate these claims of massive rigging the NADRA chairman resigned so NADRA is our is the national database registration authority so they manage the they assist the election commission with technology matters and they maintain and with the electoral roles they assist them and they had a role in designing the election protocol the chairman was a very active figure he tried to investigate this fraud himself he held a few press conferences then in the middle of the night he was fired suddenly by the government and he went to the Islamabad high court and he got his job back but then he claims he started to receive threats he and his family and so he resigned and left the country so this was a complete disaster and you had failures at almost every possible level it was a collapse your election administration collapsed your checks and balances collapsed the dispute resolution mechanisms collapsed the judicial mechanisms collapsed parliament refused to investigate so the tribunals were packed with complaints but it started to take years it took almost months and months up to a year for the complaints and they were still not resolved because that process itself was broken so Pakistan, Tehran and Saf again Imran Khan's party they decided to do something about this and they released a white paper 2100 pages with evidence affidavits copies of the forms lots and lots of evidence and then after one year of basically exhausting all possible avenues to get redress they decided to launch a political movement to to get an investigation into what happened so they launched the freedom march Azadi march and they started with protest rallies in larger cities in large cities and then culminated in a sit-in in Islamabad and this again was a historic sit-in this was the largest sit-in in Pakistan's history it got worldwide attention the people actually lived there they set up tents and trailers and right in front of parliament and they would sleep there they would cook there they would be everyday people would from Islamabad would go over to join them in solidarity there would be speeches the entire news cycle 9 to 5 media cycle was completely disrupted it was focusing on those protests there were speeches every night fiery speeches so things were at a fever pitch and this protest was so huge it cost estimated losses of 5 million dollars afterwards it was discovered in terms of lost productivity and stalemate so there was a stalemate because the key demand of the protesters was that the prime minister should resign and then there should be an independent investigation into what went wrong in the elections and the prime minister on the other hand Nawaz Sharif he said that alright you can have your independent investigation but I'm not going to resign and this went back and forth for quite a while and neither party was budging then the stalemate was broken a terrorist attack happened in a terrorist attack happened in 2015 this was on the army public school and it was allegedly the Taliban they burst in and there were 150 casualties almost all of them students and teachers and this was horrific the attack itself and overnight the entire discourse changed and the Pakistan Terikin Saab they called off the Pakistan Terikin in the interest of as a show of national solidarity with the government and they both the government and the opposition they got together to tackle terrorism and but they made it clear that this matter was not over and shortly afterwards the judicial inquiry commission was formed to investigate these rigging allegations and side by side a parliamentary committee was working on electoral reforms so this is what was happening then the judicial commission did an inquiry and they cleared the elections this was surprising it was not a very satisfying result but the conclusion they drew was that elections are definitely broken they said the opposition parties were justified in calling for an investigation it was very justified but while there were problems and incidents there was no proof of necessarily what you can call a specialized rigging so there was a bit of semantics here as well and they said that yes by and large the elections did sort of reflect the public will and the spotlight then turned from rigging it turned on to the election commission the report made clear that the election commission had failed here they had failed to administer the elections they were the weakest link in the chain they had failed to have any accountability they had completely failed so just then the parliamentary committee came out with the elections reform bill of 2017 and this bill was designed to empower the election commission to make it more independent and autonomous so they were now given the powers of a high court and they were given greater freedom in terms of flexibility for financial matters in terms of administrative rights and duties and they also called the bill also called for a transparent results management system because one thing that had emerged in this judicial commission in the enquiry was that this result management system this had failed catastrophically so what happens in Pakistan is you've got these precinct level camps which are documented in what we call form 14's every precinct when the polls close they document their totals in a form 14 and then these forms are collected at the district level and their totals are organized in something called a form 19 and as per the election commission's protocol after the elections they were supposed to post all of these forms online so that everyone could see there was transparency into what was happening but the judicial commission found that about 30% of Pakistan's form 14's were missing they could not be accounted for we didn't know where they were and this was scandalous I mean this was catastrophic and then several of the form 19's their totals did not meet did not match what the form 14's were saying so there was a big fiasco they called for a transparent results management system and this bill also called for piloting electronic voting machines and biometric voting machines and this was the time that I also returned to Pakistan in 2016 and I contributed a couple of articles to this discourse and this was the same stance that yes machines have a lot of advantages but they do not solve all your problems and there is a lot of technology fetishization involved here which we have to be careful about and then I talked a bit about mistakes other countries have made and so on and so forth and then the ECP election commission of Pakistan they reached out to certain universities in Islamabad for a potential collaboration R&D to modernize Pakistan's voting systems and I was part of these discussions we met for like almost a year and we hammered out action plans and things like these but then those talks fizzled out for some reason or the other and then the attention shifted to internet voting for overseas citizens so this time again the Pakistan Terikin staff took the lead they went to the supreme court and they petitioned the supreme court to order the election commission to empower to enfranchise overseas citizens using internet voting now Pakistan's constitution does allow for overseas citizens to vote it is recognized as a fundamental right the moral argument here is that Pakistan a big bulk of Pakistan's GDP is actually depends on the remittances sent by these overseas workers to Pakistan and therefore they should at least have some representation in parliament so that was the argument but for a very long time the argument put forward by the election commission was that we don't have the means to do this so they tried piloting postal voting and telephone voting but those mechanisms according to their reports had failed and they said that internet voting is not reliable yet so the supreme court then asked Nadra again the database authority to can you help with an internet voting system and Nadra said yes we can so in 10 weeks they put together something called I vote an internet voting system and the supreme court unveiled this system in 2018 about 5 months before the election they called in civil society the politicians, all the stakeholders academia the media and the system was unveiled and this was called I vote and at that meeting the academics including myself we raised a vigorous protest we said that this system from what we can see it seems to be repeating all the mistakes made by earlier such systems and it seems that the people who have made this system they are not aware that all such systems in the past have failed they have failed in very very obvious ways and I can see from the presentation that is presented that this system has those same mistakes in fact one of the things I talked about was that I vote if someone had bothered to google I vote you would discover that I vote is actually the name of Australia's system which was the largest internet voting system at the time and that had failed and it had failed and this system was basically using the same model so based on these discussions the supreme court then set up an internet voting task force to assess the system and check if it was suitable for use in the elections if it was suitable for use and I was part of this task force as well along with other technologists people from other universities from provincial technology technology boards and we were given 45 days to look at the system so there is just a brief summary of our findings the main findings so the obvious is that when you vote when you take voting outside of the polling booth into some remote setting then there is no privacy you cannot guarantee that a person will vote a certain way for instance I might be standing here I might force my wife to vote a certain way my wife might force me to vote a certain way so an employer might force his employee to vote a certain way and these fears are not unfounded in the sense that what happens in this diaspora a lot of it is concentrated in the Middle East and in the Middle East the relationships between employees and employers are very complex the employers are usually Middle East citizens citizens of Middle East countries and they hold the passports of their employees that's the normal practice and they are able to force them to work in certain conditions which others object to there is a lot of pressure there and there is a lot of potential for this kind of coercion, voter coercion and then we found certain very standard flaws which are not surprising at all we found that we could do phishing attacks we could send emails pretending to be the election commission which reroute the voters legitimate voters to our websites which look like election websites and basically we steal their votes and their voting credentials this has happened in the past for a long time people tended to be government websites Pakistani government websites for a long time and it has proved very very difficult for government bodies in Pakistan to get these websites down because they are based overseas and this has been happening for a long time then there is the standard man in the middle attack in fact what happens here is that so a standard practice when you set up a website or a web service is that to protect to prevent denial of service attacks you don't route website traffic directly to your website you route it through a filtering service like Cloudflare or Akamai and they have very large data centers so there is a lot of spam and malicious traffic coming in they filter it out and then they send you the useful traffic and that is what this voting system did as well but as researchers have found in the past that when you use this kind of solution then you are trusting this body this middle body, this middle man to actually look at your votes to actually even change them and then forward them on to you and you don't have visibility into this process and many of these body these organizations like Cloudflare they are not based in Pakistan their servers are overseas they are subject to foreign laws and foreign jurisdictions so we don't have this kind of control over them and elections are sensitive you can do other things you can entrust other activities but not critical activities to this kind of a setup and then we found certain very careless flaws we found one for two flaw which is a bit high opening so basically when you log on to the system you can cast two votes as an overseas voter I can vote for one national assembly seat and one provincial assembly seat let's say I've got national assembly NA 125 and provincial assembly 35, PA 35 NA 125, PA 35 but if I go into my browser and I open up the raw HTML code then within minutes I can make changes it literally takes two minutes and then I can vote for any two seats of my choice like let's say NA 250, two votes gone and counted and this was shocking and basically there was no security sensibility basically you had two people who had done some IT work in the past they had met and they decided oh let's build a voting system and this is the kind of voting system you would get in this case there was no security sensibility, obsolete components had been used, old database technologies which had been hacked, captures which had already been broken and what was really eye opening to me was that there was no homework done in this case now this system was going to be the largest voting system largest internet voting system in the world the largest voting system before this the Australian voting system, the I vote had catered to about two to three hundred voters at that time two to three hundred thousand voters two to three hundred thousand this was going to cater to six to seven million voters so this is equivalent to climbing Mount Everest but you haven't even done any basic homework, you haven't even climbed some neighborhood hill or the Margala Hills of Islamabad there you have no background in this area and now you're suddenly within four months to go you want to ascend Mount Everest so this was eye opening to me that this kind of gap, cognitive dissonance existed and then there was no recognition that there was an ecosystem involved in this process for instance we had interviews with all of the stakeholders so we went to the people who built the system and we said alright so this system has this component, this component and this component who's going to take care of this, where is this going to be housed who's going to talk to who, what are the procedures what are the security clearance is going to be, who are the people how many employees do you have none of that homework had been done they thought that alright we've got this thing up and running that's it, now somehow everything is going to fix itself or we can fix it at the last minute and this was shocking to me as well and then the worst thing was that there was no concept of best practices, standard practices like I'm sure there are many technologists here who are listening to the stock and for instance when you go to build a house you don't just start, you don't bring the bricks and you start building the house, first you go to an architect and you come up with a blueprint a map, an architectural diagram and this blueprint has all the details of the house, it has the doors the number of rooms, the height, the width, everything so you can actually see the house before it is built and in the development community the equivalent we have is something called a software requirements specification before you build a piece of software you document the essential features of that software, so that later on if you have a dispute both parties have this to refer to that alright I was supposed to do this and I did this and then you can also visualize what you're going to get, the output now this is a standard practice, we teach it at university every student who makes a final year project, the first thing he does is submit an SRS but in this case this was a 150 million rupees project there was no SRS there was no recognition of the need for an SRS so we were really at rock bottom and so our recommendation the committee's recommendation was that in fact let me see if I have that okay no I don't so the committee's recommendation we wrote a detailed report on this and our recommendation was that the election commission of Pakistan invest on a critical basis they invest in a research and development wing, so that they could come up, they could look at new technologies they could look at best practices, they could guide the national discourse, they could basically provide, they could inform the discourse right now everything was going in the dark we literally had the case of the blind leading the blind, that's one intellectual called it that he said in most policy we actually have the scenario it's blind leading the blind and this is an unfortunate reality and this is not just specific to Pakistan this is a common problem across the developing world and if you look at election technology experiences in the developing world most of those are just white elephants you bring in very expensive technology and then you realize it doesn't work and there are even worse stories than this I think it was Namibia or Nigeria one of these countries so they got these very fancy biometric yes sorry it was Kenya they got very fancy biometric voting machines which was state of the art top of the line and then they deployed them and then on election day they discovered that alright the batteries have run out and these plugs the polling places aren't equipped with power sockets so we can't really run these machines and in midday they had to switch to so this is basic homework that needs to be done when you try to deploy technology the technology itself is one component the ecosystem is generally ignored and that can prove fatal so this we delivered this report in 2018 and in 2019 and 2020 activities started again towards getting an election technology system up and running in 2020 so I was asked to join several committees lots and lots and lots of committees and basically I must have attended over a hundred meetings at least a hundred and fifty meetings I mean there were days when every week every day of the week we were having meetings it was either this ministry, that ministry present subcommittee, this forum, that forum and I was giving talks on what we should be doing, how should we we should be going ahead and so at that point in time so the message I was giving was I made dozens of presentations dozens and dozens, like I've given lots of presentations but I've actually physically prepared dozens and dozens of PowerPoint slides for this audience, that audience this topic, that topic and the message was consistently the same that there is a lot of homework to do and we must not underestimate election technology we must not rush into it but unfortunately I was not having much luck and bit by bit I was gently nudged out of all of these committees so at first people would be very receptive to what I had to say but then when it became clear that this was a colossal amount of effort literally a mountain of effort then people would start to soar on the whole idea so this is how the meetings would normally go so almost 99.99% of the time would be spent on high level discussions and thought experiments and there would not be we wouldn't have any the discussions would generally not be rooted in actual ground realities of election technology of the complexities, we would not we would not be discussing new technologies there would be no talk of risk limiting audits or hard to build machines and developing indigenous expertise there have hardly been any pilots conducted, there has been no capacity building no talk of best practices so we are still where we were three years ago in 2018 when we submitted our report on high voting and basically where we were then was basically we were at least 10 years ago in terms of the global experience I think we're still at in the early 2000s so 10 to 15 years so this is where we are today so all of these meetings there were some positives I met some very interesting people that's how in fact that's how I discovered the Hazgid community we've started some nice collaborations I discovered some people reached out we authored some research papers we in fact a few of us we managed to raise research funding so now we have the semblance of a research group myself and two or three students of mine sorry a handful of students some working on a volunteer basis so now we have a small community where we are actually doing we are trying to start on the big homework assignment that has to be done for election technology I've written lots and lots of articles on this they have thankfully had some they've managed to make a dent in the national discourse now there is talk of an ecosystem Nadra has recognized that there is something called end to and verifiable voting so that is good but there is still this huge gap like in Pakistan we still do not have any organization or any entity which can talk authoritatively about election technology we don't have this so we are not that organization so my research group we've tried to make a start at this by we've launched a web presence on twitter called pivot promoting innovative voting technologies what we try to do is we try to comment or provide we try to deconstruct or break down what is happening in the election technology ecosystem in fact we post stories of interest to Pakistan for instance we posted on the news articles on the Russian voting system that failed the Moscow blockchain based voting system which elections I think happened last month and last week I vote Australia's I vote system again collapsed in mid election we sort of try to raise awareness about these things and point to the way forward and then last month we had a landmark development again so the government actually amended the elections act 2017 and now they have mandated the deployment of electronic voting machines and internet voting in the next general elections of 2023 so that's about a year and a half away so this is where we are like I said this was a historic this is a historic point we are at a crossroads the government is convinced that this amendment is extremely controversial the opposition parties resisted it vigorously the election commission resisted it vigorously civil society organizations election wash talk bodies they advised against it the only the government was behind it and the government was convinced to bulldoze it through parliament they had the numbers so they managed to pass it and they apparently they are convinced from my dealings with them I believe they are convinced that this is the way forward this is also a failure of the election technology community of people like myself we have failed to convince the government that so when you have large scale deployments of election technology typically it takes at least 4 to 8 years to scale up to fully this is two such deployments so if these deployments happen this will be perhaps the largest deployment of internet voting in the world and it will be the second or third largest deployment of machines in the world and with this kind of a setup if you are rushing into projects like these national infrastructure projects on a global scale you would expect that there would be tons of homework there would be a whole bookshelf filled with feasibility studies pilot reports manuals design specifications environmental impact studies procedural mechanisms legal requirements all sorts of things, commentaries but there is nothing there is no paperwork on this nothing at all so this is historic so now we are at a point where we have to decide Pakistan has to decide are we going to are we going to challenge this in court the election commission might challenge this amendment in court the opposition might challenge it in court and get a stay or at least a delay the election commission might decide to go ahead they might bring in all these machines then we might be set up for another Kenya type disaster where we haven't done the homework and then we have a catastrophic systems failure on election day which is in the whole world can see what is happening but this could be the start of a healthy engagement with technology where we decide that all right now we are going to get our act together we are going to invest in R&D we are going to go step by step we are going to follow this process through to the end and this is actually the reason I am not able to deliver this talk in person I am part of the election commission's technical they have a technical committee and we have a meeting at the time of this talk it's one of these critical strategy meetings so I have to attend to the formulating policy I would request all of you to pray for us let's see what happens so the estimated cost of this deployment of just the electronic voting machines is about 150 billion rupees for nationwide deployment so we cannot afford to get something like this wrong but the reality is as I have explained we have no homework in the last half year no country has been able to deploy to this scale in one and a half year no country that I know of so anyway that is where we are and this is I believe a failure of the election technology community and so I am about to wrap up what I want to talk about is that there is there is this big disconnect between our community and the general public the stakeholders for the stakeholders there is no problem election technology is not a big deal I mean the most obvious question I get is if I can bank online why can't I vote online and election technology is simply an IT problem that's how the world that's how people see it and this is how they see it in the west as well up until very recently this is what if you went to the they have state level election boards in the United States and if you talk to their administrators they would say just election technology it's an IT problem let's bring in the IT people and then many of these meetings the commissions I showed you a long list of committees that are joined they would have a small technical group I would be part of that technical group but the other people would always be an IT expert, a software developer or electronics expert some of them would be very good people but they would have no inkling of what election technology is so what can be done what has been done they would have no idea of the failures of the Australian system the Estonian system what went wrong in Kenya what went wrong in Germany the Netherlands they have no idea they haven't seen they haven't read about the hacks into the Indian voting machines they don't know who many of these people are so there is this disconnect and I would have to spend a lot of time trying to explain that no this is like if you want to launch a space program or if you want to build a nuclear power plant or you don't bring in an IT person or a database person to advise you on space technology likewise for election technology you need to build this expertise or at least bring in consultants or experts who can advise in this domain but the whole point was that oh no IT can fix it and then these buzzwords AI and blockchain made everything worse because oh the point of view would be oh if it can't be fixed by IT let's bring in blockchain that will definitely fix everything and that would obviously this would be very very frustrating for me for a long time only recently I've started to get over this and see it as an opportunity and but what I want to get across is that this communication gap is very genuine it is very real and people like us who are working in this domain who want to help with election technology in our respective countries our first goal should be to bridge this gap and I'll tell you how I have had some luck in bridging it and maybe that can help you as well so this is a cartoon which you've probably seen it before which is pretty much along the same lines so aircraft designers when you talk to them about airplane safety they say yeah but the chances are very low it's wonderful it's super safe and if you ask people elevators the engineers say oh yeah the elevators are perfect they're nearly incapable of falling but when you ask software engineers about computerized voting electronic voting they say oh no no that's terrifying don't ever do that and then you when you get into more details you see I don't trust voting software don't listen to anyone who tells you it's safe we are terrible at what we do everything will go wrong if you use electronic voting and then you say oh but blockchain takes care of everything I said no no no keep away from it bury it in the desert where gloves it's all wrong it's all wrong so this this gap is very very real right so I've started to see it as an opportunity if someone says if I can bank online can I vote online I asked them to sit down and then I give me five minutes of their time and then I go into what the difference between banking online and voting online is and I believe that if you can explain this properly to the other side if you can connect with them on this if you convince them of this that these are different problems then things become much easier right and then you have a real chance of impacting the mainstream consciousness and the way to do that is you talk about how banking online is different from voting online and this is how it is really different in that when you bank online or when you use an ATM machine everything is logged right everything has to be logged the moment you slide in the card that is logged your password is logged the moment you make a transaction the amount is logged the interbank mechanism the movement of the money that is logged everything is logged and it has to be logged it has to be logged so that you so that the money can be protected right so if something goes wrong you can raise a complaint you can even get your money back if your account gets hacked the funds can be traced so you have to have logging everything has to be fully recorded otherwise the system falls apart but you can't do that with elections because when you start recording things in elections you forfeit the privacy of the vote because when you cast a vote all identifying information is stripped away from the vote and this has to be because privacy is the fundamental principle the bedrock of free and fair elections it is in the UN human declaration of human rights it has been known for over a millennia the Greeks the Romans even the Indians used to have this concept of secrecy of the ballot so when you remove all identifying information from a vote this is an interesting thought experiment can you track the vote can you protect the vote you can do that in a physical setting like when you slide your ballot into a physical ballot box when you slide the paper in you effectively anonymize it and then you keep an eye you put a camera you train a camera on the ballot box and you make sure no one tampers with it right but you can't do that with a machine because a machine is technically a black box things go in, things come out you don't know what is happening inside the machine you don't this is the reason that Germany, Netherlands so many other countries, Ireland they phased out, they terminated their electronic voting deployments and other countries like Finland the UK, France etc they just chose not to jump into this they chose not to open this Pandora's box and this I believe it is easy once you put the argument like this in front of people it is easy to convince them to to get them to see what is happening and then you can build on it you can say that because you have this black box the system is actually more vulnerable to fraud than a paper based system because in a black box you can write computer code that can manipulate votes without being detected that has been done these attacks have been demonstrated in the US likewise you can have retail fraud like in paper based elections it takes a bit of effort to manipulate one vote to manipulate a thousand votes or 10,000 votes you have to do a lot of physical effort you have to set up a you have to capture a polling station you have to capture a ballot box, you have to spend all night you have to have a coffee machine running, you have to spend all night manipulating the ballots and these things can be discovered but to manipulate a thousand votes in an electronic voting machine you just have to press the single button there have been attacks which have shown that all you have to do is you just slide in you just walk up to a voting machine you slide in a USB, in one minute you take it out the votes have been manipulated that's it so this is called retail fraud like wholesale fraud in bulk you just one step, thousands of votes manipulated likewise you often go up to ATMs and you might your ATM is out of business the link might be down you walk up to another ATM you use that in the sense you might log on to your internet banking portal, the portal might be down you log on 20 minutes later the portal is up but with elections you don't have that luxury the machines have to work on election day and they have to be available if they go down that immediately casts a whole cloud of suspicion on the elections and how you recover from incidents like for instance if my banking account gets hacked there is a whole audit trail investigators can follow up and they might be able to recover my funds I can even protect myself I can get insurance against banking fraud but there is no such equivalent for elections, I can't get insurance against fraudulent election and in many cases the attackers people who hack elections the goal might not be to manipulate votes it might just be to cast suspicion on results like if we knock off a results transmission system or if we knock off the online voting website for 4 hours we can cast genuine suspicion on the elections that is in a sense an election it's not only that the election must be fair it must be seen to be fair and if it is not seen to be fair it is technically a failed election so this is very important and likewise then banks elections when you hold them so they are national infrastructure level projects they attract a whole different class of attacker, elite intelligence agencies so now you're in the domain of cyber warfare banks are not subject to cyber warfare online banking they're not but elections are and you might be aware that in 2017 the US Department of Homeland Security officially designated their election systems as critical infrastructure in the same class as dams or power grids in the sense that if you attack election systems that might be declared an act of war it might be considered an act of war and likewise these attackers have resources that we cannot even imagine unlimited resources and one for instance one capability they have is something called zero day attacks what these agencies do they look at popular software and they document certain flaws they find certain flaws but they don't announce them publicly they hoard them and then when they have enough they put together an attack using those flaws and they launch that attack and the effect is devastating because technically the person who is attacked the party that is attacked has zero days to recover from the flaw because they have no idea this flaw even existed so when the Iranian nuclear reactors were attacked that attack had four zero day flaws it was unprecedented and it set the nuclear program back by a few years and in 2015 researchers demonstrated zero day attacks on New South Wales eye vote voting system so this is we have the proof of concept these attacks are very real so if this argument is followed you do manage to have common ground with you make some progress on overcoming the cognitive dissonance that exists between the technology community and the general stakeholders the politicians, the media the general public, the watchdog bodies civil society so this is something that I've had a lot of luck with and I'm going to conclude now because I think I'm out of time so the conclusion here is this is a very positive thing which I've discovered only in the last year as well that when you try to generally connect with the stakeholders, when you meet them on their own terms, when you engage with them with their dialogue that itself, that leads to visible results, visible progress and apparently the literature suggests, the research suggests that this actually is also good it leads to more fruitful outcomes using election technology as well so this is the again, this is a very nice paper, one of my favourite papers from this domain, digital dilemmas it's a study of election technology deployments in African countries and they looked at what failed and what worked and a lot of things failed and they found that unsurprisingly, the greatest gains from digitization come from countries where the quality of democracy is higher and the election commission is more independent because when people, when the stakeholders when they genuinely understand technology and they have the means to discuss it and debate it, then they come up with solutions which make more sense, which are more transparent and they also take ownership of those solutions so what happens also as well is that in the event of a mishap, there is less finger pointing and there is more movement towards the solution so we don't, people who are working in this domain, people like myself we don't just have to push forward the right technology, we should try to inculcate a democratic culture we should go about it in a democratic manner which means that we should sit down with the stakeholders we should look them in the eye, we should respect their integrity as individuals and we should engage with them honestly we should try to change their minds but we should be open to the possibility of our own minds being changed as well and so this is what I have to say and this is what I'm going to be trying at our, what I have been trying for for a while now and what I'll be trying at our meeting so I hope you enjoyed this talk and I'm sorry I'm not here to answer questions and thank you for your time and I'll hopefully see you again so thank you that was Dr. Taha Ali very fascinating story that he had to tell us and a very passionate delivery because he's obviously very passionate about what he does although he's not here and therefore cannot take the questions right now any questions or concerns that are put in the chat will be shared with him and perhaps we can get him back on our project page as this impression has suggested let me take just a few minutes, maybe two minutes or three minutes of your time to share what I heard the speakers say starting with who had fabulous stories and raised very far-provoking questions about the complexity of the election whether we understand it fully or not before we attempt to change anything and the important point he made was that you know we should not have a false objective whether speed or lower cost are the considerations we cannot have those considerations we can have only one consideration otherwise subsidiary objectives will take over and in his words making the election fair and more democratic if that is the objective that's a good objective and technology and all other efforts should be aligned in that direction and in no other because the other objectives should not be allowed to subvert the main task that we have with the elections however even if we select the right objective we cannot be lax we have to evaluate the risk we mentioned a lot of that loss of secrecy analytics and targeting the people the problem of bias which is probably so obvious in technology and the problem of trust all these problems will have to be examined even if we design a system to deliver on the objective that we are looking for so first is what is the most important thing when we do that and even then we should not give up due diligence as it is he shared that when he saw Facebook become big he thought it will reduce the cost for the political parties but it actually increased the cost as he does it is very difficult to predict where it will take us and therefore no amount of diligence is actually raised Dr. Subodh Verma provided a theoretical framework for judging the suitability of voting systems and he walked us through details of some of those systems very illustrative and worth going into all those systems in detail because the importance of thinking through and each of those systems help us think through individual problems that they are designed to solve none of them can solve all the problems Dr. Subishi's energy of course is always very clear in his presentation and he helped us see the system we follow currently and what we could do to improve it he shared the recommendations of the success commission and the insights that went into the formulation of the recommendations so that was very useful of course and then finally we had Dr. Taha with the story of the pools and pressures that every institution in this country had to deal with in holding and preserving an election and he shared how big the gaps were between what the elections were supposed to do and what the reality was found to be and in that situation it's not unreasonable for people to look towards technology for solutions now whether technology can actually solve those problems is far from what P.S. has pointed out and that is why the evaluation of the technology and all the approaches is needed he mentioned about overseas voter being allowed to vote on the internet which by itself is problematic as as many have pointed out I mean it can be done in small numbers for a few people but it cannot be a large-scale thing at all and other problems that he mentioned of course were related to technology processes and can actually solve but you know whatever the architecture is whatever the code is it has to be open and that means all the code including what is part of the firm so I think there is no getting away from evaluating this and doing the homework I think for me is that we have to choose the right reasons we cannot let the name objective which is to conduct a fair election be subverted by other considerations and we have to have the right process you know which is consultative and collaborative and everybody who can contribute to solving the problem is encouraged to come together is welcomed and their contributions are integrated and then we see if we can improve our system or whether we should leave it alone but technology tends to move forward and we cannot really ignore it and therefore we need to do an evaluation and all the hard work that is mentioned by so thanks a lot, thank you very much thanks to the organizers for letting me share my thoughts here and for inviting me to this conversation and I would like to thank them for the very important work that they are doing on behalf of all of us thank you very much thank you before we all wrap up I just want to point out that we will continue to organize more of these conversations as we lead up to a conference that is coming up in January please do register and subscribe to the project page to receive the updates these the talks of today from today would be uploaded to the YouTube channel and we will be taking some time to summarize and extract some of the key points and also post to our project page thank you for staying with us thank you thanks a lot