Kannan Gopinathan’s letter to the Chief Election Commissioner on the vulnerability of the election process
Pictured: Control Unit, EVM and VVPAT
Since the 2018 assembly elections in the states of Madhya Pradesh and Rajasthan, concerns that Electronic Voting Machines (EVMs) can be hacked or tampered with have steadily gained ground. Such reports and concerns are often confined to the realm of conspiracy theories, even though there have been many questions left unanswered in India’s experience with EVMs. India’s Election Commission has steadfastly denied any possible vulnerability of EVMs. Even so, during the 2019 Lok Sabha polls, EVMs were reported to have malfunctioned, but the functionaries of the Election Commission were swift to remove the offending machines and replace them. Also, in the same election, independent data analysts demonstrated how the numbers of votes polled and votes counted did not tally in several constituencies. This finding was again swiftly rubbished by the Election Commission who blamed the mismatches on human error.
During the Lok Sabha polls in 2019 and the recently concluded assembly elections in Maharashtra once again doubts were raised about the reliability of EVMs. In one case, an EVM recorded votes for the ruling BJP independent of whatever button was pressed on that machine. The machine was replaced. Several such incidents were also reported by voters in other places during the 2019 Lok Sabha polls. However, with every such incident, arguments are made for states to revert to paper ballots. In May 2019, Frontline reported that about 20,00,000 EVMs were “missing” between 1989-1990 and 2014-2017, based on information sourced through the Right to Information.
If elections in a democracy are not widely seen as free and fair, there is a huge breach of trust by the government and its electoral institutions against its citizens. The problem in India is that current assessments of whether an election is free and fair are benchmarked against the days of booth capturing and ballot stuffing, and as against this backdrop EVMs are seen as a positive development that actually advance democracy. This thinking that techno-solutionism can automatically advance democratic rights and democracy are found across the board even in assessments made by prominent think tanks. Unfortunately, at this point, there are enough and more reasons to interrogate and investigate the vulnerability of those machines that are supposed to uphold the democratic voice of 900 million voters. Many concerns about the vulnerability of the democratic process and EVMs have been raised not only by concerned citizens but also by respected bureaucrats, politicians and political commentators. It is time that these concerns be taken seriously and openly debated in India.
Kannan Gopinathan, a former bureaucrat, has previously discussed how the Voter Verified Paper Audit Trail (VVPAT) makes the EVM system vulnerable to tampering in this interview. Earlier this month, he wrote a formal letter to Mr. Sunil Arora, the Chief Election Commissioner of India, expressing his concerns about the EVM-VVPAT process and interactions, pointing to how these interactions actually do lead EVMs open to tampering/hacking. We think this is a letter that every concerned citizen should read. Therefore, we are publishing the letter in the public interest in its entirety below.
Mumbai 2nd Oct 2019
Shri Sunil Arora, IAS
Chief Election Commissioner,
Election Commission of India
Nirvachan Sadan, New Delhi
Subject: Concerns about the vulnerability of Election Process (due to the introduction of VVPATs) and the potential threats to national security – Regarding.
As a responsible citizen of this country who has also been involved in the actual conduct of election processes in the official capacity of District Election Officer/Returning Officer, I am writing this letter to apprise you of my concerns about serious loopholes and vulnerabilities in the use of VVPAT machines making EVMs susceptible to potential hacking. It is feared that these vulnerabilities could be explored by forces inimical to the country to influence elections to the largest democratic country in the world.
In this regard, I would like to bring to your kind notice the following observations.
- The pre-VVPAT EVMs were candidate agnostic, meaning the EVMs were not electronically aware as to which candidate or party is in which position in the candidate sequence. However, post the introduction of VVPATs, the EVM as a whole is now electronically aware of which candidate and which party is at which serial number. This is due to the fact that serial numbers, names and symbols are electronically loaded on to the VVPAT memory after the candidate sequence is finalized and Form 7A is published. This is highly undesirable as this opens the EVMs to pre-programmed hacking even at the stage of manufacturing of the VVPATs. A program which can be hacked/installed into VVPAT en-mass can then learn the candidate sequence in each constituency by accessing VVPAT memories and doing a pattern match to identify candidates and the symbols and then use this information to alter the input to the control unit, thus affecting the election result. Thus potentially, a smart hack/program can manipulate EVM behavior in large scale using this exposure.
- Moreover, with the current design for M2, the original question that the VVPAT set to resolve, of how a voter can know at the time of voting what is getting registered in the control unit remains unanswered even after the introduction of VVPAT. This is because of the design configuration wherein VVPAT comes in between the CU and BU. With this while a voter can verify what is printed in the VVPAT and what she pressed in the BU, but there is no way she can verify what has actually been registered in the CU. So what VVPAT set out to solve has been left as it is, unless a one to one match matching is done during the counting time. Further, with the current design for M2 machines, it appears that the VVPAT is the one actually casting vote to the Control Unit rather than Ballot Unit directly. Such a configuration has thus also introduced an added vulnerability of manipulation of actual voting by the VVPAT irrespective of what is pressed in the Ballot Unit. Since it is what is getting registered in the Control Unit that gets counted, having a VVPAT in the middle effectively de-couples the actual event of pressing the button in ballot unit and actual registration/casting of vote in the control unit. Thus, it is a possibility that VVPAT could potentially print whatever is being pressed in the BU for satisfaction of the voter while sending some other input, casting vote to some other candidate in the control unit.
- As can be seen from the functionalities, VVPAT seems to be a much more sophisticated device than the rudimentary one-time programmable control unit which was the backbone of pre-VVPAT election process. So now not only is the VVPAT the master-mind in the entire election process, it is also now a capable system. Though authentic internal circuit schematics of VVPAT is not available in the public domain, it can be safely assumed to have a processor, a driver, a programmable memory, a sensor, a printing unit, I/O ports etc. With such a comprehensive system, it goes without saying that it will be amenable to hacking if and when a connection to an external device is made to it. This also shows the need of putting the design details in public so that its resilience to hacking can be publicly studied and verified.
- Question then comes to whether any external device is connected to VVPAT during the election process and if yes, when and by who. Yes, VVPATs are physically connected to external devices, either laptop/PC/Jigs for symbol loading. And this is done after the candidate sequence is finalized and Form 7A is published. This symbol loading is done by engineers, often outsourced by ECIL/BEL or taken on short-term contracts. This is a fatal blow to both the process and physical security which was the key aspect of earlier EVM based election process. These external devices are brought inside the secure and protected commissioning rooms by ECIL/BEL staff for loading candidate serial number, name and symbols on to the VVPAT so that VVPAT can print the actual symbol and candidate name at the time of polling. If any malware gets loaded on to the VVPAT through the Jig or the computers, it is practically impossible for the district election machinery to know at the time of symbol-loading as it is an opaque electronic process. Further, since this is happening after the candidate sequence is finalized, it opens up the possibility of targeted constituency-wise hacking wherein VVPATs send pre-programmed inputs to CU as per the hack.
- The question then arises whether to install such a hack, does it require the collusion of ECI officials or ECIL/BEL engineers. In fact, with the provision of connection to external devices such as laptop/Jigs etc. all a serious hacker needs to do is to hack that laptop or the Jig without the knowledge of any of the officials. And the fact that so many short-term contract staffs are used for such a key process in the election further opens up the vulnerability of the process. Such a hack can happen either when there is a physical access to the laptop to the hacker or when such laptops are connected to a network. It can even be done through the symbol loading software which is used to download symbols on to the VVPATs.
- Assuming it was/can be hacked, we would be relieved if we had fool-proof process checks to verify if it was indeed hacked subsequently to the symbol loading process. The process of randomization is rendered completely ineffective here as symbol loading happens after constituency is assigned and it really does not matter whether the EVM is going to one booth or the other as long as the candidates and the candidate sequence remain the same.
- The other process checks that we have are mock-polls. There are two mock-polls that are mandated after the commissioning of the EVMs (Wherein symbols are loaded and BU-CU-VVPAT pairs are established).
a.A 1000 vote mock-poll on randomly selected 5% of the EVMs. While this could have been an effective check, the fact that any mal-functioning EVM is just set-aside and another functioning EVM selected to complete the 5% target, makes this a search exercise for 5% functioning EVMs rather than a check through random sampling of EVMs. Moreover, if the tampering/hacking is done only in one or two EVMs the chances of it getting caught in the process is also statistically less. But if there are, say, 8 assembly constituencies (AC) in a parliamentary constituency (PC), manipulating even one EVM per AC could mean a potential manipulation of close to 10,000 votes in the PC.
b. A 50 votes mock-poll on all EVMs at the polling station on the day of poll: As per the ECI mandate, a mock-poll of 50 votes have to be conducted in the presence of polling agents on the poll day in all polling stations. This was a crucial check that ensured sanctity of EVMs to the satisfaction of polling agents of candidates. However, this mock-poll check is now rendered completely ineffective as the hacker knows that the first 50 votes will be tallied on the day of poll and can accordingly program it to correctly cast the first 50 or 100 votes and start with the manipulation only after that.
The Election Commission has repeatedly asserted that a mix of technological measures and administrative and security procedures make India’s EVMs absolutely non-tamperable. These included:
- The software source code remains only with authorized staff of the public-sector Bharat Electronics and Electronics Corporation of India,
- The machine is not networked to the Internet or any computer and has no communication device for it to receive wireless signals from any external device such as a mobile phone or a computer,
- EVMs are randomized by computer software, once for allocation to constituencies and second to polling stations in the presence of candidates’ representatives before they are distributed to individual polling stations,
- The sequence of names of candidates – alphabetical order, first national, then state parties, then independents – effectively precludes the possibility of any pre-determined manipulation of software for rigging votes,
- A mock poll of 1,000 votes in 5 per cent of randomly picked EVMs, are performed while preparing the EVMs in the presence of political parties’ representatives.
- On the day of the poll, the complete EVM set made up of the control unit, the balloting unit, and the VVPAT is tested at each booth. At least 50 votes are cast equally spread across all candidates. In case of error, the relevant component is replaced. Mock poll on the replaced machine is done with only 1 vote per candidate if control unit is replaced, and no mock polls if balloting unit or VVPAT are replaced
With the introduction of VVPAT into the process and outsourcing/hiring on a short term contract of engineers for the election process, if we take a re-look at these claims,
- The software source code remains only with authorised staff of the public-sector Bharat Electronics and Electronics Corporation of India: – A lot more staff, who are on ECIL or BEL payroll only for a short period of time are now privy and have access to the election related materials, symbol loading software.
- The machine is not networked to the Internet or any computer and has no communication device for it to receive wireless signals from any external device such as a mobile phone or a computer: – The machine is now networked and is physically connected to a Jig or a laptop after candidate sequence is known and constituency is assigned.
- EVMs are randomised by computer software, once for allocation to constituencies and second to polling stations in the presence of candidates’ representatives before they are distributed to individual polling stations: — The machine is now networked and is physically connected to a Jig or a laptop after candidate sequence is known and constituency is assigned after randomization.
- The sequence of names of candidates – alphabetical order, first national, then state parties, then independents – effectively precludes the possibility of any pre-determined manipulation of software for rigging votes: The machine is now networked and is physically connected to a Jig or a laptop after candidate sequence is known and constituency is assigned after randomization.
- A mock poll of 1,000 votes in 5 per cent of randomly picked EVMs, are performed while preparing the EVMs in the presence of political parties’ representatives: This is effectively a search for 5% functioning machines, and with real possibility of a hacking through VVPATs is nowhere close to a fool-proof check.
- On the day of the poll, the complete EVM set made up of the control unit, the balloting unit, and the VVPAT is tested at each booth. At least 50 votes are cast equally spread across all candidates. In case of error, the relevant component is replaced. Mock poll on the replaced machine is done with only 1 vote per candidate if control unit is replaced, and no mock polls if balloting unit or VVPAT are replaced: – This check has been made completely ineffective as any smart program that can correctly print first 50 votes can overcome this. Further no mock-poll if only VVPAT is replaced!!
- When this matter was raised through twitter, tagging Shri Ashok Lavasa sir, Shri SY Qureshi sir, and ECISVEEP official handle, the following reply was given as a comment by the ECI to newspapers and also got circulated in various IAS groups. Unfortunately, and rather uncharacteristic of an institution of the repute of Election Commission, the response was more on when and where I raised it and why am I raising it now, rather than addressing the genuine concerns raised to make the system robust and resilient. I am quoting the reply as available here.
“Mr Kannan Gopinathan, IAS (2012), who resigned recently was district election officer and returning officer in Dadra & Nagar Haveli constituency which has 304 polling stations. It would be recalled that the number of polling stations in 2019 Lok Sabha elections pan-India were around 10.36 lakh. There was no document available where he has at any point of time sent any written analysis on the issue which he is now raising immediately post his resignation.
In answer to something to this effect in his tweets he said that he raised the issue in some internal meeting. In meetings taken by CEOs several issues are mentioned, as they should be, by the DEOs and ROs. However, there is a difference between anecdotal mentioning of an issue and the mentioning backed by a written report raising any kind of doubts as the issue that he is now suddenly raising immediately after resigning
Nonetheless, a more rigorous scrutiny even of this is being got done. It would be recalled that 1.25 crore VVPAT slips that were counted and matched with the EVM count, not a single case of transfer of vote from one candidate to another has been found”
I would like to clarify that the issue was raised during the RO training conducted by ECI at IIIDEM before the 2019 Loksabha elections and the response was not encouraging. I find the repeated insinuation to why am I raising this issue immediately after resigning or whether I was a returning officer of a constituency with 304 polling stations or 1200 polling stations rather ‘shooting the messenger’. What is important is that the issue is made aware to all concerned and that a serious formal study that is both transparent and with stake-holder partnership is undertaken at the earliest to remove the lacunae in the process.
On the VVPAT tallying, while contention that 1.25 crores VVPAT slips were counted and matched is reassuring, it is in no way an affirmation that the process is not hackable. Further, as per the reports available through newspaper reports, there were mismatches between VVPAT counting and CU count in at least 8 polling stations. Considering that the matching was done only in around 2% of the total number of polling stations, even 1 mismatch should be a cause of serious worry. These mismatches also question as to how is that we are claiming not a single case of transfer of vote from one candidate to another has been found. It cannot be the case that finding a plausible explanation for the mismatch is a fool-proof confirmation on non-tamper-ability of the VVPAT.
Further, a tampering attempt at one EVM per AC in a critical PC could well be left undetected in the 5 EVM tallying per AC exercise. Or assume a by-poll to a Parliamentary Constituency. All the statistical probabilistic exercise will come to naught when it is reduced to small sample size. Chances of that 1 tampered EVM not being selected for those random 5 checks in a 100 or 200 PS Assembly Constituency is so high that it effectively does not remain a check anymore. The statistical study done at the national level can in no way ensure a fool-proof check at the constituency level? Especially with known vulnerabilities in the process as we are aware now.
Thus, the current process does not enable the Returning Officers to claim with 100% confidence that not even one EVM in his constituency was tampered with. And that raises serious doubts on the process. Further, what if an external force or a country inimical to us uses these loop-holes to smartly influence the election process? Wouldn’t this have serious national security implications for the country?
Therefore, in the interest of the integrity of the election process and in the larger interest of the nation, it is earnestly requested that an immediate transparent study be conducted, with stake-holder consultation with all relevant parties, interested citizens, technological institutes etc. and recommendations for rectifying the flaws be implemented at the earliest. I would also like to humbly submit that this letter is written in good faith with the understanding of the process and design I have with my experience as a returning officer and also as an electrical engineer with experience in VLSI/Semiconductor design industry. Further, this letter in no way is intended to insinuate any sort of malpractices in the past, but to raise the concern of a potential vulnerability in the process and the immediate need to address it in the national interest.
No Voter To Be Left Behind
No Vote To Be Tampered With