Thursday, February 8, 2024

EVM System usage in 2024 General Elections - minimum demands necessary to place before SCI and ECI

IN A DEMOCRACY PEOPLE GET THE GOVERNMENT THEY DESERVE - BUT WHAT IF THE ELECTION PROCESS IS COMPROMISED?

Anything can be made more complex than it really is. However, the looming threat due to the existing EVM System usage process, coupled with the attitude of ECI and SCI, is so serious and complex that political party leaders, technical experts, lawyers and activists must collaborate. Without collaboration and a unified approach, it will be tough to mount a credible campaign to counter the threat to "purity of the election process".


This note has references to old notes and one new note on an online solution - all links (in orange colour) are provided below. Just so that we are clear on the terminology, copied below is the existing EVM usage (graphics copied from the ECI website - however, the red colour annotations are added):


IT IS IMPORTANT TO NOTE THAT WITHIN 15 DAYS BEFORE POLLING COMMENCES, THE SLU IS CONNECTED TO A LAPTOP FOR DOWNLOADING THE CANDIDATES + SYMBOLS DATA FROM THE CENTRAL SERVER AND THEN IT IS INSERTED INTO THE VVPAT FOR UPLOADING THE SAME - IT IS AT THIS MOMENT THAT A ROGUE PROGRAM CAN INFILTRATE THE VVPAT AND THE EVM SYSTEM CAN BE COMPROMISED. A HACKER NEEDS TO SUBVERT ONLY A FEW FIELD STAFF IN THOSE BOOTHS WHICH MATTER MOST TO THE HACKER'S MASTER. AS THERE ARE OVER A MILLION EVMS TO BE COMMISSIONED WITHIN 15 DAYS, THERE HAS GOT TO BE AN ARMY OF FIELD STAFF HIRED BY ECIL AND BEL. TO SAY THE LEAST, THIS SHOULD BE A SECURITY NIGHTMARE FOR ANY SYSTEM DESIGNER. WHY ECI HAS NOT DISCUSSED THE RISKS IN THIS SORT OF OPERATION IS A QUESTION BEGGING TO BE ASKED. It is also ironic that none of the well-known IT tycoons of India has spoken out about the obsolete design of the "EVM System" and its hackability; instead ECI is flogging the assessments of IIT Professors (on Government's payroll) about the "non-hackability" of the "EVM" (do they even know the difference between the "EVM" and the "EVM System", one ought to ask). Just as the rewards or stakes of hacking India's elections bear no comparison with ordinary hacking of an organisation's or an individual's account, expectedly the calibre and organisational wherewithal of the two sets of hacker groups are non-comparable. [Read in the RELATED links below, the story of the Stuxnet virus and the ECI presentations and FAQ anomalies and lies]





In the existing process, this is what happens (or can happen):

  1. An elector (voter) walks into the Polling Station (PS) with an ID proof. S/he walks up to the row of Polling Agents of Political parties and they tick off the name after verifying his/her name on the voters list. If name is not found, the voter is not allowed to vote; s/he is asked to exit the booth.
  2. Indelible ink is smeared on one finger of the eligible voter.
  3. The voter walks up to the Voting Compartment and waits to press a button on the BU to register his/her vote. The BU has the names of contestants and election symbols adjacent to buttons. Max 16 names per BU - they can be daisy-chained.
  4. The Polling Officer with the CU presses a key to enable the BU to register a vote.
  5. The voter pushes a button to register his/her vote after hearing the audio beep that tells everyone that BU is enabled to accept one vote.
  6. VVPAT lights up for 7 seconds during which the voter can see the voting slip with the name of the candidate and symbol. The voter must assume that this slip is not that of the previous voter - though there is no telling; it could well be that of the previous voter - a hacked VVPAT could behave in this manner. If the visible slip is NOT as per the vote cast then the voter can complain and fill out a form to nullify the "wrong vote". There is an intimidating process to rectify the error - which includes actions to "prove" that the machines are misbehaving! VVPAT is supposed to write a record of the vote in the CU; a hacked VVPAT could well write a vote in favour of a candidate of the hacker's choice.
  7. The voter, having cast his/her vote, walks out trusting that the vote is recorded correctly in the CU and that the slip s/he saw in the VVPAT has indeed been dispensed into the ballot box. It could well be that the slip has NOT been dispensed into the ballot box nor recorded in the CU. A hacked VVPAT could behave like this - hold all consecutive votes of an adversary party (adversary of the hacker's party) until a vote is cast for a different party - upon that happening, the hacked VVPAT could print and dispense all the votes it had held back, in favour of the hacker's party candidate, and also record the votes in the CU consistent with the printed slips!
 
This note is prepared with the intention to sensitise a few more influencers and politicians who can mobilise public opinion against the continuance of the EVM usage in the present form. Regarding the pitch to be made before the ECI/SCI - what exactly should be the demand that is feasible to implement within weeks - to mitigate the risks of hijacking of the 2024 General Elections? We all believe that the outcome of the upcoming General Election will be pivotal for the future (secular and democratic) character of the country.

  1. CJI recently said, "The great stabilizing force in the country is the purity of the election process". Ironically, the existing EVM usage process is DEMONSTRABLY HACKABLE - what makes it doubly fraught is that existing rules PREVENT AUDITABILITY and ECI is not prepared to engage with the citizens who have sought a meeting. To repeat - the present processes and rules allow a certain type of hacking to be done and the hack is not provable - this is a mockery of democracy and we should jettison such a set of processes and rules. As ECI is clearly aligned with the Government, it is only the SCI that can provide a solution. If SCI does not grant the following demands, the opposition ought to boycott all elections.

1.1 DEMAND#1 THE VOTER SHOULD BE ABLE TO PICK UP THE SLIP TO VERIFY ITS CORRECTNESS AND THEN PHYSICALLY INSERT IT INTO THE BALLOT BOX. Or else the voter should be assured that the vote slip coming out of VVPAT, after the vote is cast (by pressing the button on the BU), has the right candidate name and symbol AND it is dispensed into the ballot box. At present the slip is illuminated for 7 seconds behind a one way mirror in the VVPAT and the voter CANNOT EASILY recognise the candidate name or the symbol AND FURTHERMORE, THE VOTER CANNOT FIND OUT IF THE SLIP IS ACTUALLY DISPENSED INTO THE BALLOT BOX. THEREFORE, THE VVPAT SHOULD BE RECONFIGURED (OPENED UP) FOR ENABLING EASY RECOGNITION OF CANDIDATE'S NAME & SYMBOL ON THE SLIP AND ITS DISPENSATION INTO THE BALLOT BOX.

1.2 DEMAND#2 The results should not be based on the count read off from the memory of the Control Unit (CU) rather it should be based on a MANUAL COUNT of 100% SLIPS or RECOUNT IN CASE OF DISCREPANCY BETWEEN THE MANUAL COUNT AND THE CU COUNT. To further reduce the chances of errors of the manual count, TWO RECOUNTS MAY BE ORDERED, IF NECESSARY. 

1.3 DEMAND#3 After the Polling finishes, the CU and the Ballot Box pairs are supposed to be transported to the counting station and en route they have to be stored for many hours or even days. ECI has prescribed an elaborate and secure process for transportation and storage but it precludes presence or oversight of contestants' representatives. Fraud can be committed by replacing the sets of the pair of CU and Ballot Box. To mitigate risks - i) CU and Ballot Box pairs should NOT be transported and stored together and ii) Oversight of contestants' representatives should be allowed.

1.4 DEMAND#4 Presently a voter who complains to the Presiding Officer in the Polling Booth that his/her vote is not properly generated, i.e. the VVPAT has printed the wrong vote - is required to prove the allegation is correct through a retest - if the error is repeated well and good but if it is not repeatable, the voter can face a fine of up to Rs.1,000 and imprisonment of up to 6 months or both. It is a matter of common knowledge that hacked programs can be made to misbehave erratically or based on parameters such that without the knowledge of source code, no one can predict if the error will repeat or when it will repeat. The punishment under rule 49MA - Section 177, should be totally removed as it is illogical, and it works as a deterrent for genuine voter complaints - unless source code is made public and its auditability allowed before and during elections.


  2. Anything more than the above demands may not be feasible to implement in the short time available before the elections. Anything less will not eliminate the threat of the election results getting hijacked. By getting bar coded slips, the counting process can be hastened by a few hours. However, again the hacked VVPAT could print a bar code different from the correct candidate id / symbol printed on the slip. So a further sample audit will be needed and this is avoidable complexity. It is also doubtful if 1 million+ bar code printers can be procured and fitted up in VVPAT in the available time. The demand of junking EVMs and switching over to paper ballot is neither feasible in the short time available nor necessary. There are many advantages of continuing to use the existing infrastructure and processes in which millions of people are trained. The demands listed here are entirely feasible to make and will ensure a FAIR and SAFE process.

  3. Manual count in 100% of polling stations may add one or two days, which is trivial considering the elections are conducted for a period longer than a month. The 2019 General Elections were scheduled from 11-Apr-2019 to 19-May-2019. ECI website shows that over one million polling stations were set up. Each BU can accommodate only 16 names; with a greater number of contestants more BUs would be required. Each CU has a capacity to record a max of 2K votes.

  4. In summary, the demand for software auditability will encompass disclosure of software and its revisions, setting up an auditors' panel, process of audit challenge by contestants and its resolution - for all of these both SCI ruling and ECI cooperation will be required, which may be difficult to obtain. ECI will likely not cooperate with this demand as it is perfectly aligned with GOI. Therefore, absent the software auditability, there is no alternative to the demands formulated above. At least the first two must be acquiesced to - if only one is granted it is not sufficient. Remember the VVPAT hack can be of two types -

    4.1 the vote slip dispensed and the vote recorded in CU are consistent but NOT according to the actual vote cast (hence demand#1 is made)

    4.2 the vote slip dispensed is consistent with the actual vote cast but the vote recorded in CU is NOT (hence demand#2 is made)

    4.3 The possibility of a fraud of replacing the CU and Ballot Box pairs is non-trivial because a RTI based PIL had revealed that whereabouts of 1.9 Million EVM Systems are not known to ECI.
    4.4 The punishment should be totally removed as it is based on an illogical premise of predictability of hacked programs and it deters genuine complaints of voters. If source code is made public, independent auditors can confirm if VVPAT, BU and CU are working as per the original program; this will allow citizens to prove hacking, else it is NOT provable. Therefore, no fines or punishment should be inflicted on a complainant without the option of auditability of the source code.
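
The reasoning in 4.1 and 4.2 can be checked with a small reconciliation model that shows which safeguard raises an alarm for each type of discrepancy. This is an added example, not part of the original note or of any ECI software; the candidate labels, the sample records and the assumption that every voter checks the slip reliably are constructed for illustration.

```python
from collections import Counter

# Each record is (vote cast by the voter, candidate on the printed slip,
# candidate recorded in the CU). All data is constructed; "A", "B", "C"
# are placeholder candidates.
HONEST = [("A", "A", "A"), ("B", "B", "B"), ("A", "A", "A"), ("C", "C", "C")]
# Type 4.1: slip and CU agree with each other but not with the vote cast.
TYPE_4_1 = [("A", "B", "B"), ("B", "B", "B"), ("A", "B", "B"), ("C", "C", "C")]
# Type 4.2: slip matches the vote cast, the CU record does not.
TYPE_4_2 = [("A", "A", "B"), ("B", "B", "B"), ("A", "A", "B"), ("C", "C", "C")]


def audit(records):
    """Report what each safeguard observes for one polling station."""
    cast = Counter(v for v, _, _ in records)
    slips = Counter(s for _, s, _ in records)
    cu = Counter(c for _, _, c in records)
    return {
        # Demand #2: manual count of 100% of slips compared with the CU count.
        "slip_count_differs_from_cu": slips != cu,
        # Demand #1: the voter handles the slip and objects if it is wrong.
        # Assumption: every voter checks the slip reliably.
        "slips_rejected_by_voters": sum(1 for v, s, _ in records if v != s),
        # Ground truth, which no counting-station audit can see directly.
        "cu_result_correct": cu == cast,
        "slip_result_correct": slips == cast,
    }


def coverage():
    """Map each scenario to the safeguards that raise an alarm."""
    out = {}
    for name, recs in [("honest", HONEST), ("4.1", TYPE_4_1), ("4.2", TYPE_4_2)]:
        a = audit(recs)
        alarms = []
        if a["slips_rejected_by_voters"]:
            alarms.append("demand#1")
        if a["slip_count_differs_from_cu"]:
            alarms.append("demand#2")
        out[name] = alarms
    return out


if __name__ == "__main__":
    for name, alarms in coverage().items():
        print(name, alarms or "no alarm")
```

In the 4.1 scenario the slip count and the CU count agree, so only the voter's own check of the slip exposes the discrepancy; in the 4.2 scenario the voter sees nothing wrong and only the manual count does.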

  

To dig deeper, refer to other notes for which links are copied below.  


RELATED REFERENCES:

Read the "Stuxnet" virus story - how Iran Nuclear fuel processing centrifuges were knocked out by CIA even though Iran's engineers had claimed the plant had "stand alone" systems - just like ECI is claiming their devices are in a "stand alone" state - they allow connecting a SLU before commissioning the system - this is sufficient to infiltrate a rogue program into VVPAT. The hacking can be done selectively - in certain systems only - as all the machines have unique IDs. The rogue program can behave according to a date - time - number of votes cast - schedule - thus defeating the FLC which ECI pompously claims is sufficient proof of proper functioning of the EVM system. They are fooling the public or they are ignorant.

EVM System - updated website - new revelations and questions (ECI has updated its website pages; new FAQ on 7-Feb-24, Presentation too is changed; probably in response to recent protests and demos of hacking; it has now changed the definition of EVM - earlier it used to mean BU and CU but now it includes VVPAT; so, EVM now cannot be claimed to be OTP device as VVPAT has programmable memory; furthermore EVM System, is more than EVM but ECI is silent on it). 





Read about the two hack demos. Recently hacks of the EVM System were demonstrated and videos shown on 4pm News Network. In these hacks the VVPAT votes differently from the actual votes cast - the slips printed and the vote recorded in the CU were consistent. Therefore, the manual count of slips and the count from the CU would match. This type of fraud can only be prevented if Demand#1 is met, else it would require a software audit but that is not possible as ECI and SCI have said that the software is secret. SCI on the one hand encourages Open Source - but on the other hand, in this particular instance, it protects the IPR of a ridiculously simple program - GOI can easily get the same software developed in Open Source or buy the IPR for a cost which is not likely to exceed a few million rupees! Another intriguing thing to read about is that 1.9 Million EVM Systems have gone missing - The Wire article of 22-May-19 linked.