Sunday, July 20, 2025

AI-171 Air Crash - System Malfunction most likely cause but Pilot Actions are under cloud - against Common Sense

Updated: 1-Aug-25

Synopsis: There is enough evidence to indicate that the culprit was FADEC (Full Authority Digital Engine Control system) which is a computer program coupled with sensors - it was a system failure - and not pilot(s) actions which crashed A-171. AAIB (Aircraft Accident Investigation Bureau) report is unnecessarily sketchy and ambiguous, likely intentionally. Meant to be confidential, the report's contents were leaked and a false narrative built by Western media. Common sense methods Sherlock Holmes applied can debunk the "pilot error-suicide-murder" narrative. The analysis below relies solely on data and evidence contained in AAIB's report.


AAIB
 of India released its preliminary report barely in time. The Air India's B787-8 aircraft bearing registration VT-ANB had crashed in Meghaninagar, less than 1.5 Km from the Ahmedabad Airport on 12-Jun-25. 

A preliminary report is required to be released within 30 days and AAIB released one on Saturday, 12-Jul-25 past mid-night. The 15-page report was unsigned - there was no press briefing. 

It's 14 pages contain almost useless information, lot of pictures and descriptions which were all known to everyone following the story. The article 12 has critical but truncated information, and information which is undoubtedly available with AAIB but has been withheld has created doubts about pilots' behaviour. One wonders why AAIB took the maximum time allowed to it for releasing the few facts it did in its preliminary report. Perhaps the time it took was for word-smithing and determining which time-stamps of events to hide and which to publish.  

The report seems to give a clean chit to Boeing and GE as it says, there are no recommendations to be made to these companies. Yet AAIB says, its preliminary report is not for apportioning blame (as if absolving parties of blame means something else)!

From the time plane starts rolling for takeoff it took 1Minute:34Seconds to crash. It became air-borne in 1M:02S, therefore, it was in the air for 0M:32S only. A second by second account could have been easily provided in one page with maximum of 32 lines in double space.

The following table lists the notable events after takeoff for Air India Flight AI-171, based exclusively on the AAIB preliminary report (article 12). Times are relative to the start of the takeoff roll at 08:07:37 UTC on June 12, 2025.

Time (MM:SS)

Event

00:00

Aircraft starts takeoff roll (08:07:37 UTC).

01:02

Aircraft reaches 155 knots, air/ground sensors transition to air mode, consistent with liftoff (08:08:39 UTC).

01:05

Engine 1 fuel cutoff switch transitions from RUN to CUTOFF (08:08:42 UTC).

01:06

Engine 2 fuel cutoff switch transitions from RUN to CUTOFF (08:08:43 UTC).

?

Pilot conversation: One pilot asks, “Why did you cut off?” Other responds, “I did not do so.” (No exact time specified).

?

Ram Air Turbine (RAT) deploys, indicating dual engine failure (No exact time specified).

01:15

Engine 1 fuel switch transitions from CUTOFF to RUN, initiating relight (08:08:52 UTC).

01:17

Engine 2 fuel switch transitions from CUTOFF to RUN, initiating relight (08:08:54 UTC).

01:28

MAYDAY call issued by pilots (08:09:05 UTC) - mentioned in article 10 on page 12

01:34

Flight data recorder stops, aircraft crashes (08:09:11 UTC).



In article no. 4 Aircraft Information, on page 5&6 of the AAIB's report, there is nothing that would draw any suspicion to an improper or insufficient maintenance performed or any known defect or deficiency in the particular plane. Were there any prior incidents of dual engine shutdown? AAIB failed to ask or answer this question? In this section, AAIB did cite one non-mandatory advisory issued by FAA (Federal Aviation Authority of USA): Special Airworthiness Information Bulletin (SAIB) No. NM-18-33 on December 17, 2018, regarding the potential disengagement of the fuel control switch locking feature. Air India confirmed that it did not carry out checks on fuel control switch as they were advisory in nature and not mandatory.

The above account would leave the cause of the accident to be explored in
i) the design and performance of the plane manufactured by Boeing,
ii) the design and performance of the engines made by GE and
iii) the conduct of the Air India pilots.

Performance of the plane ought to have included performance of the software or a system malfunction which can occur due to a bug or malware introduced by a saboteur. But this possibility is not cited anywhere in the AAIB report.

AAIB's report, going further, gave almost a clean chit to Boeing and GE by saying that at this time, it had no recommendations to offer to Boeing or GE. It was less equivocal with respect to the conduct of the pilots. After reading AAIB's report more people think Pilots are responsible for the crash than Boeing and hardly anyone blames GE. AAIB has been proclaiming that the preliminary report is not a final report and people should not jump to conclusions. However, AAIB's report is a dead give away of its incompetence and susceptibility to extraneus pressures.  

Captain Sumeet Sabharwal, designated as PM (Pilot Monitoring the flight) and First Officer Kunder Clive designated as PF (Pilot Flying the plane) in the context of flight AI-171 were, between them, above average pilots' crew because the former had logged flying time of 15,638:22 Hrs and the latter 3,403:12 Hrs. The former held ATPL (Airline Transport Pilot License) - which is the highest rated commercial Pilot License and he had been Air India's flight instructor too.  

Curiously, in AAIB report - many events' time stamp hidden, Pilots' conversation truncated and identity hidden, full transcript and audio alarms going off, if at all, not disclosed, simple  Question not posed to Boeing: Can the 787-8B's system CUTOFF fuel to the engines without manual operation of fuel control switches or without physical movement of fuel control switches? Most importantly, The AAIB chose not to disclose the transcripts and descriptions of voices and sounds in the 32 seconds the plane was airborne - did the two pilots work in concert or did they have disagreements in the specific actions they took after they discovered the emergency (loss of dual engines)? Other than the question one pilot asked, what other indicators of dual engine shutdown (or loss of thrust) were there and when did they occur? AAIB has given a miss to this information in its preliminary report. 

Both pilots, reportedly have adequate or above average relevant flyig experience. They have an unblemished mental health record. The chances of their acting in concert to deliberately crash the plane, in a fit of suicidal-cum-murderous frenzy, are far less than the chances of a simultaneous dual engine failure which is calculated by many as less than 1 in one billion. 

Suppose only one pilot had gone berserk and the other was in a sane state, in such a case they would not act in concert. The Cockpit Voice Recorder would have been definitely processed by the AAIB. 
If the pilots did not work in concert, there would have been an altercation between them. The chances that officers involved in the AAIB's report preparation, from foreign agencies, particularly from Boeing, would not publish any incriminating conversation between the two pilots can be certainly ruled out. After all the Boeing and GE companies are interested in clearing their name ASAP. [As per AAIB, Officers involved were: "NTSB, USA appointed an Accredited Representative and Technical Advisers from Boeing, GE and the Federal Aviation Administration (FAA) to assist in this Investigation. A team led by the NTSB Accredited Representative comprising of representatives from Boeing, GE and FAA arrived at Ahmedabad on 15.06.2025 and participated in the Investigation. A team of officials from AAIB, UK also arrived at Ahmedabad and visited the site with DG, AAIB."]  See motivations to blame pilots - short clip

Common sense indicates that this accident is not caused by one or both pilots' deliberate actions to cut off fuel supply to engines - it would be simpler or easier to just nose dive rather than cut fuel supply and then try to restore the same all the while keeping the nose of the plane up - videos show the plane's attitude as it sinks from its peak height of four-hundred and odd feet above the ground level - AAIB report also has a diagram that shows 8 degrees upward inclination at the time of crash. Likely, there was a malfunction and the dual engine failure occured for reasons other than the fuel control switch moving from RUN to CUTOFF. 

It is reported, the two switches "transitioned" from RUN to CUTOFF after 3 seconds of takeoff with one second interval. The transition events are picked up from the Enhanced Airborne Flight Recorders (EAFR), which also record cockpit voices (there are two EAFRs one in the front and second in the rear of the aircraft). 

Let's consider two scenarios of system malfunction in which pilots are heros rather than villains:

A) It is possible that immediately after takeoff the plane suffered a dual engine loss owing to an unknown system failure and the pilots sensed it at once. They quickly decided after seeing the fuel switches in the RUN state that there was something amiss. They figured there was a need to recycle - i.e. reset. As per Boeing's manual for achieving fuel flow revival, in case of dual engine failure, requires exactly the type of recycling actions the pilots took - move the switches from RUN to CUTOFF and then back again from CUTOFF to RUN. See the videos at these links made by an experienced Captain of a Domestic Carrier - Gaurav Taneja (X reference @flyingbeast320): Part-1 Part-2 and Part-3.

B) It is possible that three seconds after takeoff, due to a system malfunction, even without anyone touching the fuel control flow switches, the fuel supply was cut off and the plane suffered a dual engine loss. The pilot who got alerted to the dual engine loss first, asked the other "Why did you cut off"?, to which the other responded, "I did not do so". In this scenario, it is possible the FADEC system shifted the switches from RUN to CUTOFF or it is possible that it did not shift the switches but CLOSED THE VALVES that shut the fuel (or drastically REDUCED the flow) to both engines and sent a signal for recording in EFAR - very likely the sensors are in the valves and not in the switches  and likely the FADEC decided to shut the valves based on incorrect inputs from sensors coupled with it.         

There was such a precedent in flight NH985 (from Tokyo to Osaka) just before touch down. KJM Today article has the details - dual engine shutdown occurred through system command, without manual operation of any switches. See also what Mary Schiavo, an Aviation Expert Lawyer has to say here (The Guardian article) and here (Mojo Video).  

Summary and Conclusion:

Revised Chronology of Events for AI-171

The table below lists the events from takeoff to crash (08:07:37 to 08:09:11 UTC, 1 minute and 34 seconds), integrating my hypothetical scenario#1 with AAIB-reported events. Times are relative to the takeoff roll start (08:07:37 UTC = 00:00), with absolute UTC times provided. Hypothetical events are marked as such, and AAIB-reported events are noted for clarity. The remarks column distinguishes the source of each event.

Time (MM:SS)EventRemarks
00:00Aircraft starts takeoff roll.AAIB-reported: Takeoff roll begins at 08:07:37 UTC.
01:02Aircraft reaches 155 knots, air/ground sensors transition to air mode, consistent with liftoff.AAIB-reported: Liftoff at 08:08:39 UTC.
01:03System malfunction reduces or cuts off fuel flow to both engines, triggering EICAS warnings and/or audible alarms (e.g., “ENGINE FAIL”). Commanding pilot (First Officer) detects dual engine thrust loss.Hypothetical: Assumes system (e.g., FADEC/TCMA) malfunction causes thrust loss one second after takeoff, as per my scenario. Alerts align with standard 787 cockpit warnings.
01:04Commanding pilot asks, “Why did you cut off?” Other pilot responds, “I didn’t.” Pilots observe fuel control switches in RUN position despite thrust loss.Hypothetical: Places CVR conversation one second after thrust loss detection, consistent with pilot confusion noted in AAIB report. AAIB confirms conversation but provides no timestamp.
01:05Engine 1 fuel cutoff switch transitions from RUN to CUTOFF.AAIB-reported: Switch movement at 08:08:42 UTC. Hypothetically, pilots deliberately move switch to reset system after noticing thrust loss with switches in RUN.
01:06Engine 2 fuel cutoff switch transitions from RUN to CUTOFF.AAIB-reported: Switch movement at 08:08:43 UTC. Hypothetically, pilots continue reset attempt.
01:07Ram Air Turbine (RAT) deploys, indicating dual engine failure and loss of primary power.AAIB-reported: RAT deployment noted but no timestamp provided. Hypothetically placed after switch movement, as thrust loss persists. CCTV confirms deployment during climb. Few experts have said that RAT would require 6+ seconds to automatically deploy after a dual engine failure
01:08–01:14Pilots notice persistent thrust loss despite switches in CUTOFF, prepare to return switches to RUN to attempt engine relight.Hypothetical: Assumes pilots assess situation and follow emergency procedures (e.g., engine restart checklist) within seconds, constrained by short timeline.
01:15Engine 1 fuel switch transitions from CUTOFF to RUN, initiating relight attempt.AAIB-reported: Switch movement (transition) at 08:08:52 UTC. Hypothetically, pilots attempt to restore fuel flow after reset fails.
01:17Engine 2 fuel switch transitions from CUTOFF to RUN, initiating relight attempt.AAIB-reported: Switch movement (transition) at 08:08:54 UTC. Hypothetically, pilots complete relight attempt for second engine.
01:18–01:27Pilots observe one engine partially relighting but insufficient thrust to maintain flight. Aircraft begins descent.Hypothetical: AAIB notes one engine regained some thrust, but not enough to prevent crash. Descent aligns with 625-foot maximum altitude and crash 1.5 km from runway.
01:28Pilots issue “MAYDAY MAYDAY MAYDAY” call.AAIB-reported: MAYDAY call at 08:09:05 UTC. Reflects pilots’ recognition of imminent crash. As seasoned pilots they follow the protocol in extreme emergencies - aviate, navigate & communicate (in that order)
01:34Flight data recorder stops, aircraft crashes.AAIB-reported: Crash at 08:09:11 UTC, 32 seconds after liftoff, into B.J. Medical College hostel.

The 787-8’s fuel system is designed to respond to both manual pilot inputs and system-generated signals, reflecting its fly-by-wire architecture.

The Boeing 787-8’s fuel flow pipeline delivers fuel from tanks to engines via boost pumps, engine-driven pumps, and valves (spar, metering, cross-feed), controlled by a combination of manual fuel control switches and automated systems (FADEC - Full Authority Digital Engine Control, IFS - Integrated Fuel System). The switches manually actuate the spar valves, while the FADEC manages pumps and metering valves using sensor inputs and software logic. The NH985 incident confirms that software (TCMA - Thrust Control Malfunction Accommodation /FADEC) can reduce fuel flow without pilot intervention, but no evidence confirms it can close spar valves or mimic switch movement to CUTOFF, as seen in AI-171. The 787’s fly-by-wire design makes a software-induced cutoff theoretically possible, supporting my AI-171 scenario, but the AAIB’s focus on switch movement and lack of inquiry into software possibilities leaves this unresolved. Software malfunction could result from a bug or malware introduced by a saboteur. The fuel system’s electrical and electronic components enable both manual and system-driven control, with redundancy to prevent unintended cutoffs, but a rare glitch could disrupt this balance, as hypothesized for AI-171. The final AAIB report (due June 2026) should clarify whether such a malfunction occurred. In the near term, the Indian Pilots ought to haul AAIB to the court on charges of deliberate obfuscation, issuing a premature clean chit to Boeing and placing the integrity of Indian pilots under a cloud. AAIB should also be charged for leaking its draft report to Western media.


References:

1. My Q&A with ChatGPT on premature clean chit AAIB gave to Boeing and what is Boeing design and training related to fuel flow cutoff and relighting engines. Link

This chat reveals a critical design flaw - in an emergency FADEC should NOT overrule manual FULL THRUST COMMAND; possibly (unless there were other factors at play) pilots could have pulled up their plane even at the last moment but for this flawed design - FADEC was the boss as the Fuel Control Switches were in the RUN state and it disregarded pilots by design and merrily regulated the fuel flow "efficiently", at its own pace!! Should the Pilots not be given a button sequence or a pass code to tell the FADEC to yield?

2. Here is another software engineer pointing out how FADEC could have crashed the plane while Pilot's got overruled by the system - he describes the sequence of components failing after a lithium battery got into a thermal runaway:

Ranjit John, Founder Hawkai Data, has a great analysis and a scenario he constructs like Sherlock Holmes. His article dated 16-Jul-25 in LinkedIn reveals what likely happened and why it happened - his analysis is an example of smart sleuthing for finding the root cause. For those who prefer interviews - Barkha Dutt & Dr Ranjit John - 24-Jul-25 video of 45 min

3. 30-Jul-25 Geofrey Thomas Video - he reaches exactly the same conclusion I did - the RAT deployed 1 second after takeoff- BEFORE the switches reportedly transitioned, dual engine failure had occurred. He points out more inconsistency in the speeds Vr V1 V2 Vmax given the weight, temperature and pressure readings. Points to perplexing report of AAIB and its incompetence. Video 17 min

Saturday, January 4, 2025

India’s Digital Public Infrastructure – achievements and possibilities soon?

India has a great digital infrastructure stack with its unique Aadhaar foundation. This is mostly owned and sustained by Government, therefore, it is referred as Digital Public Infrastructure. There are already many successful applications that have reached the remotest and poorest habitats in rural and forest areas. After introduction of Low Earth Orbit Satellites communication networks, India can opt for developing and implementing many new exciting services which make for 100% inclusion and help create a more responsive democracy. Before we start discussing those, lets become aware of few facts and possibilities from 2025 onwards.


Today India has among the best, if not the best, Digital Public Infrastructure (DPI) of all major countries of the world. Other countries that have a great Digital Infrastructure have private players owning most of it; this is not so in India where ownership is significantly that of the Government or Government subsidised services constitute most of the DPI (China may be an exception).

In India the number of people who make online transactions as a proportion of literate people will likely be the highest in the world. The DPI provides great quality and reliable services free of cost and private players have built applications on top of it. Even the not-so-literate street vendors display a QR Code of their UPI (Universal Payment Interface) account mapped to their bank accounts or Paytm wallet accounts and people make payments into their account from their bank accounts or electronic wallets. India's top payment wallet players are listed at the end of the article.

The DPI has three pillars – what PM, Modi, the acronyms making champion, calls the JAM trinity. Jan-Dhan Bank account, Aadhaar ID system and Mobiles. In 2013 digital transactions as well as DBT (Direct Benefits Transfer) by the Government were already taking place among those who had bank accounts.  

On August 28, 2014, Prime Minister Narendra Modi launched the Pradhan Mantri Jan Dhan Yojana (PMJDY) with the goal of promoting financial inclusion by opening bank accounts for the unbanked. Banks were encouraged to open many accounts quickly, and reports claim that over 18 million accounts were opened in just one week as part of this initiative. PM forced RBI to drop the onerous requirement of KYC (Know-Your-Customer) paperwork and allow banks to open accounts for any Indian citizen above 10 years of age and having an ID proof. With this initiative, the financial inclusion, contemplated by Nilekani under the UPA regime, was scaled up rapidly. Today there are over 500 million Jan-Dhan active bank accounts, 56% belong to women and 67% are in rural and semi-urban areas.

The foundation of the DPI stack was laid in 2009 by the launch of Aadhaar project. Prime Minister Manmohan Singh recruited Nandan Nilekani who had proposed a biometric based ID System for every resident Indian. Nilekani had described his vision of an online ID System and its potential benefits, in his book, “Imagining India: Ideas for the New Century”. The project faced opposition from most of the people in positions of power – political leaders and bureaucrats – at the Centre and State Governments. As the Chairman of the Unique Identification Authority of India (UIDAI) in the rank of a Cabinet Minister, Nandan Nilekani did a stellar job of convincing almost all CMs and Cabinet Ministers, and conceptualizing, designing, developing and deploying Aadhaar ID System across the country. Nilekani was easily one of the best IT Managers in the world, a billionaire entrepreneur and one who was highly articulate. Time magazine had chosen him the Businessman of the Year in 2003. Nilekani joined Indian National Congress in March 2014. He contested from the Bangalore South constituency. Contrary to all expectations, he lost by 228,575 votes to BJP candidate Ananth Kumar in the 2014 Lok Sabha election. Modi had actively canvassed against him calling the Aadhaar project a big scam and one which deserved to be buried ASAP. Though Nilekani chose to retire from politics, he sought a meeting with the victor, Narendra Modi and convinced him about the utility of Aadhaar. After the meeting, Modi changed his stance and asked his government to aggressively continue issuing Aadhaar to all Indian residents. Today 99.8% of Indian residents have Aadhaar number.

By 2013, Aadhaar had been linked to 600 million Voter Cards (EPIC – Electoral Photo Identity Card). Had this exercise been continued with legislative support, India today would have had the biggest online voting system, far more reliable than the existing EVM System, in the world.
Unfortunately, Modi made the mistake of Passing the Aadhaar as a Money Bill. The Aadhaar Act, 2016 was passed by the Lok Sabha on March 11, 2016. The Act was introduced as a money bill, and certain provisions came into force on July 12, 2016. Money bill requires majority vote only in Lok Sabha. As BJP was not sure of securing +50% votes in Rajya Sabha, it did not propose Aadhaar as a General-Purpose ID System bill. As a result, Aadhaar cannot be legally mandated or used in applications which are not monetary in nature. Furthermore, SCI (Supreme Court of India) has ruled that even if one does not have Aadhaar, Government cannot refuse the monetary or other entitlements of that person.

If Aadhaar is passed as a security or General-Purpose ID System bill by both houses of the Parliament and extended in scope to the presently excluded territories of Assam, Jammu & Kashmir and Meghalaya, India can have a very robust security system besides online voting system and the world's most inclusive financial system.  

Here are some statistics, to console ourselves, that indicate how the investment in India’s DPI has paid off.

YearNumber of digital transactions per   dayValue of digital transactions per   day
20155.7 millionRs.25,205 crores
202024.2 millionRs.1.2 lac crores
2025284 millionRs.6.3 lac crores
 

Today the Government makes over 9 million DBT (Direct Benefits Tranfer) transactions daily of the value of Rs. 1,726 crores. The annual value of DBT in 2023-24 was Rs.6.9 lac crores. Approximately Rs. 2.2 lac crores have been saved due to avoidance of corruption and leakages through intermediaries. In future, DBT could be made "coupon linked money", in which the redemption of money could be made for specific purchases only - for e.g. school fees, food grains not just at PDS Ration shops but any shop! As of June 30, 2023, there were around 545,000 Fair Price Shops (FPSs) in India. These shops are the backbone of the country's Public Distribution System (PDS) and are responsible for distributing subsidized food grains to millions of citizens.

Over 1.2 billion mobile connections are active in India today. As of October 2024, there were 941 million broadband subscribers of which 896 million were wireless.

Over 99% of Indian families have at least one member with a bank account in India.

The above are statistics which must be sobered down a bit by the following statistics, which show India has long way to go in terms of user education and digitalisation, i.e. digital literacy and digital usage.
• Account Ownership: As of 2021, about 77% of Indians above 15 years owned a bank account.

• Digital Payments: The total transaction value in the digital payments market is projected to reach $1,892 billion by 2025 (China will reach a value of $4,240 billion).

• Online Banking: Approximately 51% of Indians use online banking channels (China's figure is 80%) .

While Direct Benefit Transfers (DBT) have helped in bringing more people into the banking system, true financial inclusion also involves regular usage of financial services, access to credit, insurance, and financial literacy.

Going forward, the following applications will deliver great efficiencies to users, thanks to India's DPI:

  1. Account Aggregator (AA) network was introduced as a financial data-sharing system by Reserve Bank of India (RBI) when it issued the Master Direction viz Non-Banking Financial Company (NBFC) - Account Aggregator (Reserve Bank) Directions, dated September 02,2016.

  2. DigiLocker is a key initiative under Digital India program. Aimed at providing paperless governance to the citizen. Citizens can log into DigiLocker account to securely access and manage their digital documents, e.g. Aadhaar, Driving License, PAN, EPIC, Ration Card, Ayushman Card etc. provided by various government departments.

  3. National Digital Health Mission envisages a secure online platform for storing and exchanging health related data of citizens. The Ayushman Bharat Digital Mission aims to create a connected digital health ecosystem in India. It intends to enhance accessibility and equity of healthcare services by ensuring continuity of care with citizens being the owners of their health data. This mission will link the digital health solutions of hospitals across the country.

  4. After introducing Aadhar linked EPIC, India can not only have online voting for elections, it can introduce online Referendum voting - making Indian democracy truly responsive. Furthermore, India can easily introduce Two-Round System (TRS) in place of First Past The Post (FPTP) system. In FPTP the winning party can have much below the 50% Vote share but much above the 50% Seats share! Not so in TRS, the winner will always be the one having over 50% Vote share. FPTP distorts democracy in a multi party country like India much more than it can in a two-party country like USA.

  5. After introduction of Coupon linked DBT, Government can remove all subsidised prices which distort the markets. Examples are - PDS prices at Ration Shops will be changed to market prices, Fertiliser prices will be made market prices, Electricity will be made market prices - because targeted beneficiaries will be given Coupon linked DBT for specific purposes. Going forward we will discover true cost of Subsidies AND we will be able to introduce market efficiencies - as consumers will have freedom of choice - she can buy rice from any shop not just PDS shop etc. Going sill further, we can remove all subsidies or coupon linked DBT and introduce DBT for targeted Basic Income (modified UBI - Universal Basic Income meant for all the poor people - i.e. BPL people).
 
List of top ten payment wallets in India:
Bajaj Finserv App: offers a wide range of services including bill payments, UPI transfers, and financial products. 
Paytm: A comprehensive app for UPI payments, bill payments, ticket booking, and shopping.
Amazon Pay: Provides a seamless payment experience with Amazon-specific offers.
WhatsApp Pay: Facilitates UPI transactions directly from WhatsApp chats.
Mobikwik: Combines digital wallet features with UPI payments, offering bill payments, mobile recharges, and credit line options.
BHIM: A UPI app developed by the National Payments Corporation of India (NPCI) for simple and secure transactions.
Freecharge: Offers UPI payments, bill payments, and recharges with cashback options.
JioMoney: Provides UPI payments, bill payments, and recharges, integrated with Jio services

Thursday, November 7, 2024

Indian EVM System vs Paper Ballot – Cars vs Bullock Carts – Common Sense vs Nonsense

 

 Summary: It would indeed be wise to switch to Paper Ballot just as it would be to demand switching to bullock carts if the Government of the day fails to recognise the prerequisites of safe journeys in cars. One of the safety requirements is that the car manufacturers obtain road worthiness certificate for every model they manufacture and sell. Car manufacturers use many components protected by patents; however, an independent agency checks the roadworthiness of the cars before granting their certification. The story of Electronic Voting Machines (EVM) in India has no parallels and, it is weird, to say the least. Government owns the manufacturers of EVMs and instead of an independent agency, the Government itself issues their fitness certificates; Election Commission of India (ECI) says the EVM’s software is protected by Intellectual Property Rights of the manufacturers, besides election security requires secrecy so, neither the EVM's technical design nor the software can be made public. The Supreme Court of India (SCI) wants citizens to believe whatever ECI says! ECI's processes are fraught and umpteen discrepancies in its own data remain unexplained and petitions in SCI kept pending for years on end. As a result, the Indian democracy suffers from exposure to i) manipulating hackable EVMs or ii) subverting what are faulty identifying, transporting and counting processes of EVMs. If we want to safe-guard Indian democracy, it is very important to make a few changes both, in their usage processes and in EVMs.  

 

1.      First let's list few smart-ass questions people have asked with regards to alleged hackability of EVM or subversion of existing processes (which are two different things) of the Indian EVM System (at this link, read descriptions and also watch demo of a hack in which VVPAT votes match with Control Unit, yet votes stolen):

1.1 EVMs have now been used in thousands of elections and counting of billions of votes. Where is the evidence of hacking? [Fact: Anomalies reported without answers from ECI; Citizen activists have consistently reported concerns - they are the bigger stakeholders; SCI should have known better than to view the tussle with EVMs as one mounted by Opposition parties]

1.2 Losers complain about EVMs but when the same party wins unexpectedly, everything seems to be kosher with EVMs! [Fact: Citizens are the main stakeholders, not Political parties - citizen activists have been consistent in expressing their concerns and asking for greater transparency and auditability; investigative journalist, Poonam Agarwal's queries to ECI regarding discrepancies in ECI's own published data remain unanswered since 2019, ADR's petitions are still not adjudicated by SCI - either they have not been heard or only interim orders passed]

1.3 If the ruling party can hack or manipulate results in one constituency, why does it lose in other constituencies? [Fact: Hacking methods may involve subverting integrity of District Election Officers/Returning Officers (DEO/RO) or Presiding Officers (PO) - therefore, risk of exposure must be limited by the hackers - they are not foolhardy to try to subvert officers across multiple constituencies]

2. Questions such as above are asked by people who may be technically qualified but are naive and certainly arrogant; though most of them are "digital illiterates" (who can't distinguish hardware from firmware from software from malware). Both sets of people are arrogant because they have not looked at demos of possible hacking (in which CU and VVPAT slips are in sync and yet votes can be stolen) and methods of subterfuge possible with utterly flimsy methods of identification of EVMs, non-disclosure of Form-17C, dark glass coupled with 7-second lamp in VVPAT, VVPAT having writable memory and EVM System not being a standalone system (most of the time ECI falsely portrays VVPAT and other EVM devices are OTP - one-time-programmable types and “EVM” is not connected to Internet but “EVM System” is - and the distinction between “EVM” and “EVM System” is not known to most people).

2.1 When technical design and software are kept secret, how can anyone (regardless of their technical competence) make a categorical statement that EVM is NOT hackable? Furthermore, when processes of identifying EVMs are flimsy, the challenge of wrong voting is fraught and conditions of testing are illogical and can invite fines and prison terms, record of counts and polling agent signatures are not revealed immediately after poll closing (in Form17-C), how can evidence of hacking or manipulations be gathered? Therefore, in the face of such odds, it is not very intelligent to ask for evidence of hacking or counter by citing the numbers of elections and votes counting that EVMs have been used for over the years!

3.      ECI in tandem with SCI have thwarted citizens’ efforts to introduce more transparency (make public hardware design and software source code) or simple measures of minor hardware modification (open VVPAT so voter can pick up vote slip and insert it into ballot box or VVPAT with transparent glass instead of tiny dark one-way view glass with an inside lamp that remains lit up for a longer period) and process changes in the existing EVM System and their usage (share Form 17-C with public). ECI has refused to reveal full details of technical design of EVM components, kept the software secret under the pretext of protecting IPR of Government owned units (actually this simple software will hardly require few weeks to develop)! Furthermore, questions raised about alarming levels of data discrepancies between votes polled and votes counted have been ignored by ECI for years on end. Seemingly curious  levels of battery charge of 99% in EVM components (the Control Unit) observed on the day of counting were only recently explained by ECI.

Ironically, while "timid or couldn't-care-less" types of Indian tech tycoons have kept mum (with the exception of Sam Pitroda), non-technical politicians and commentators have often cited non-sensical reasons for either continuing the existing EVM System or, revert to paper ballot – among the former are Yogendra Yadav, Justices Sanjiv Khanna and Dipankar Datta who asked civil rights petitioners (in their April 26th, 2024 order): Where is the evidence of hacking (?), we cannot act on mere suspicion (!) and, among the latter is Elon Musk who said, “anything could be hacked” and, in a tweet, he suggested that EVMs should be eliminated due to the risk of being hacked by humans or AI, even if the risk is small. It must be noted, not all EVMs are same, and Elon Musk was certainly not commenting about the Indian EVM System about which he likely knows nothing (In USA many States use Electronic devices and VVPATs) .

Experienced software engineers know it is possible to write malware (rogue software) which activates only when given parameter's values are in a certain range and the program can self-erase leaving no trace or evidence when certain values are reached (e.g. certain date-time or certain number of votes cast etc.).

ECI has falsely claimed that EVM is a standalone type of system even though in every election cycle, the laptop of DEO/RO is connected to ECI server via Internet to download Candidate ID, Name and Party Symbol file; this file is copied into 3 to 5 Symbol Loading Units (SLU - is a pompous name for a pen drive with flash memory) which are used to commission the EVMs in each booth of the constituency managed by the DEO/RO, by copying the file into the writable memory of VVPAT. ECI has asserted that malware cannot be infiltrated into the VVPAT via this file without revealing technical details of the devices and SCI has ruled that citizens cannot question ECI without any evidence of hacking! This is a Catch-22 situation.

3.1 It would be non-sensical for the car manufacturer to issue roadworthiness certificate to its own cars – which is exactly what ECI is doing in India – as EVMs are manufactured by Government owned companies, BEL and ECIL, and the quality certification is also done by STQC - the Standardisation Testing and Quality Certification (STQC) Directorate, which is an attached office of the Ministry of Electronics and Information Technology, Government of India. Unfortunately, in case of the Indian EVM System, these commonsensical and basic democratic tenets are missing and all attempts to make the Indian EVM System trustworthy have been stalled by ECI and refused by the SCI.

3.2 SCI on its own introduced an "innocent" post-election audit option and ECI distorted it further making it a complete joke. On page#37 in para#76 the Judges had observed in their 26th April judgment: "Nevertheless, not because we have any doubt, but to only further strengthen the integrity of the election process, we are inclined to issue the following directions": ECI to allow post-election audit of EVM and SLU which was a pointless measure ab initio as no hacker would be so naive as to leave evidence of malware infiltration in EVM or SLU. The SCI should be petitioned to modify the testing methodology as mentioned below in prescription no.5.1 (the innocent SCI Judges will first need to be informed about self-erasing malware).

3.3 At stake is the Indian Democracy and the principal stakeholder is the citizen of India. To uphold the constitution of India, the ECI and SCI must respond to citizens’ demands for a safe and trustworthy EVM System.

4.      Without going into the history of petitions and pending queries with the SCI and ECI respectively, or the farcical stand of ECI to treat EVM as a black box and the SCI’s endorsement of ECI’s stand to maintain secrecy of software and hardware design and, ECI’s refusal to make public the Form 17-C data immediately after poll closing, let us consider the minimum tweaks in hardware and processes that SCI/ECI must be petitioned to accept.

5.      PRESCRIPTION: What can be done to make the existing EVM System trustworthy - assuming that ECI and SCI will not reverse their stand to keep the EVM's technical design and software secret? Petitions already filed before the SCI need to be amended or supplementary petitions added as follows. 

5.1 SIMULATED (BLACK BOX) EVM TESTING ON THE DAY OF VOTING (in lieu of post-election audit option mentioned in the SCI's order of 26th April'24): This is somewhat similar to the "mock polling" that ECI has prescribed but only that it will be done separately. Presently mock polling is conducted just before polling starts in every booth, to check the performance of EVMs. After successful testing, the samples of mock votes are deleted from the memory of CU, and the ballot box of VVPAT is emptied out of the printed votes.

In each constituency, one day before the polling day, ten EVMs at random should be replaced from the reserved stock; this doesn’t pose a problem because ECI manual prescribes stocking of backup EVMs, to meet the contingency of replacing defective EVMs at a short notice. These ten EVMs should be taken away for simulated testing, the next day, i.e. on the date of actual polling, by contestants’ parties. 

The simulated voting should be done on the ten EVMs by casting random votes, at a natural cadence (say 1,200 votes in 10 hours) throughout the day, however, each vote that is cast will also be noted on paper or a worksheet, with the date-time stamp. At the end of the day, the poll closed button should be pressed as usual on the CU, the total votes recorded and displayed in the CU, and the vote slips printed and dispensed in the VVPAT will be compared with the manual record – i.e.  the list or the worksheet. If there is zero discrepancy, the constituency's election will be considered valid, otherwise it will be countermanded and based on the pattern of discrepancies favouring a particular candidate, a competent authority will adjudicate on the question of fraud committed. The findings could lead to disqualification of the candidate or the banning of the candidate’s party from contesting any election for six years or instituting an appropriate criminal case.

 

5.2 NEW PROCESS TO IDENTIFY EVMs: In every election cycle, new type of tamper proof stickers (which cannot be peeled off without tearing them) should be pasted on EVM components - stickers should be large with space for machine IDs, should also have space for signatures of polling agents (at least two) and PO; who must sign these at the same time they sign the Form - 17C after the poll closes. [It is curious that these machines do not have mac IDs which could have been digitally displayed].

 

5.3 NEW PROCESS TO RECORD THE STATUS UPON POLL CLOSING: Photos of signed stickers of machine IDs of CU, VVPAT, Digital display of total votes count on CU and Form-17C should be uploaded on the ECI's portal within 30 minutes of poll closing. DEO/RO must unlock the uploaded photos for public viewing within 24 hours of poll closing. Form-17C Part 1 itself should be reduced to the size of a small sticker with the number of votes polled information (i.e. CU count, test votes count etc. and the net total of votes polled count) - this form has identification numbers of EVM component machines, i.e BU, CU and VVPAT; it also carries signatures of the PO and polling agents. This modified Form-17C sticker should be pasted on VVPAT and also photographed along with the CU display of votes count - then there is no need of a separate Form-17C Part 1.

 

5.4 NEW PROCESS WILL ENSURE EVM IS NOT SUBSTITUTED: On the day of counting, the contestants' agents should be allowed to compare the signatures seen in all photos of stickers on CU and VVPAT - with those on the physical EVM devices and the total vote count reported in Form-17C must match with the total vote count and candidate wise total count displayed by the CU in the counting room - if there is a mismatch of any type - either of signatures or vote counts - the EVM should be set aside for adjudication by a competent authority - these are conditions under which, normally speaking, a repoll must be triggered.  

 

5.5 MODIFICATION IN VVPAT TO ASSURE VOTER THAT CORRECT VOTE IS PRINTED AND DELIVERED: The light inside the VVPAT gets switched off within seven seconds of the vote being cast, i.e. the button being pressed on the BU - reason ECI has offered for this curious design is preservation of secrecy of vote. As VVPAT is placed in a secluded corner within a “voting compartment”, this untenable reason ought to be rejected. And the VVPAT design should be modified to make the inside lamp remain lit constantly so the voter can see both operations – i) a new vote slip getting printed and ii) the printed vote slip getting cut and dispensed into the ballot box.

6.      Out of the above five changes, first four ( #5.1 to 5.4 ), process changes, are essential. If 5.1 to 5.4 are accepted, demand for VVPAT modification #5.5, which is desirable but not essential, could be waived; similalry, the following demands pending in petitions before the SCI, may then be safely withdrawn: i) Vote slips printed by VVPAT to manually count (100%) and use the CU count only to counter check. ii) Post-election audit option as mandated by SCI in its 26th April'24 order (and incorrectly implemented by ECI

6.1 Fall back position: If process change #5.1 of simulated tests is not accepted, then the four demands # 5.2 to 5.5 become essential along with the pending demand of "100% VVPAT count", other wise type (a) EVM hacking of delayed printing and stealing votes or type (b) EVM hacking of printing correct vote and recording another (hacker-party's) vote in CU, should either (a) or (b) perpetrated, will not be caught - as already explained, the SCI's post-election audit is useless (malware could self-erase leaving no trace or evidence so audit will never find anything amiss). 

 7.      If the essential demands described above are not met, it would make sense to agitate for reverting to paper ballot system; Bullock carts are a better option than uncertified cars operating without a sensible framework.

 References and notes

EVM: petitions and legal challenges - only Civil Rights activists seem to be fighting - political parties mostly passive. Notes

Mar'24 (written before GE2024): The most urgent reforms India needs - election processes; political funding and changing FPTP to TRS or Proportional Representation System Blog

 

Wednesday, June 19, 2024

Results of General Election 2024 - the gaming of EVMs – saving future elections



General Elections 2024 (GE 2024) results were expected to produce highly divergent results depending upon who you chose to back or believe - these targeted tallies were 400+ by the ruling side versus ~300 by the opposition side. Therefore, if at all any side were to achieve their predicted tally, the other side was expected to cry foul and immediately try to seek redress through the available legal recourse – either file for Electronic Voting Machine (EVM) audit, within seven days, or else file petitions in the Supreme Court of India (SCI) or a lower Court within 45 days. According to a press report, only 10 losing contestants have demanded EVM audit, including one from Bhartiya Janta Party (BJP).

There is enough circumstantial evidence that points to a con game the BJP team led by PM Modi and HM Amit Shah pulled off and, made suckers out of Opposition. The Opposition parties could have changed their fate had they joined the petitions civil rights groups and NGOs had filed against EVM - read what M.G. Devasahayam says about the stolen mandate. It is likely, the Opposition parties will suffer the same fate of losing elections in future if they fail to force Election Commission of India (ECI), through a review petition in the Supreme Court of India (SCI), to change the process of using EVMs. 

Narrative ("400 par") - was part of a con game - cover fire for EVM hacking

The ruling BJP, led by Modi, had run an “intimidating” narrative that it would by itself win 370 out of 543 seats and together with its partners, in the National Democratic Alliance (NDA), their tally would be 400+ seats (“abki bar 400 par” : 3 min clip). Indian National Congress (INC) with mass contact yatras, led by Rahul Gandhi,  across the country - south to north and east to west, had picked up a far more accurate pulse of the voters, their leaders declared INC would win 100+ seats and together with its alliance partners in the Indian National Developmental Inclusive Alliance (INDIA) bloc, they would easily cross the majority tally of 272 seats and end Modi’s rule. Rahul Gandhi proclaimed that he would write down that Narendra Modi will not return as the PM: clip of 30 secs

The results announced on 4th June were a stunning blow to BJP (it lost 63 seats compared to its 2019 tally) and they were just a little shy of a home run for INC (it doubled its seats compared to 2019 tally despite contesting far fewer seats). BJP/NDA tally was 240/292 seats. INC/INDIA tally was 99/234. The independents and unaffiliated parties won 17 seats to make up the total of 543 seats of Lok Sabha. Both sides claimed victory, though BJP fell far short of its target. So, no losing contestant charged the winner of fraud. INDIA bloc members, particularly INC, ought to have risen in protests and charged BJP for engineering results quite contrary to its own estimates; BJP's tally was  significantly higher than sub-200 tally many independent observers and opposition party members had predicted. INDIA being 38 short of the majority tally, had missed its most important goal of dislodging BJP from power. INDIA bloc parties did not immediately accuse BJP of hacking because being 130 seats short of its target of 370, BJP seemingly had a sufficient alibi - had BJP hacked the EVM System, why would they be so short of their target? 
The expectations of INDIA bloc were cleverly tamped down through atmospherics that Modi and team created otherwise they would have likely charged the ruling side of the fraud of carrying out a fiddle with the EVM or of a conspiracy with ECI in ballot stuffing (one example: stonewalling sharing of Form 17C with public).  

Ploys of distraction and misdirection

Many believe PM, Modi & Home Minister, Amit Shah (also known as Modi-Shah duo) are masters of electoral strategies and aces in the art of distraction and misdirection. Most ground reports filed by independent journalists and observers predicted big losses for BJP. Modi-Shah duo must be getting all State agencies’ intelligence reports besides their own Party’s surveys about the mood of voters and the likely grim election outcomes. Is it possible that Modi-Shah strategized to ensure their victory through EVM hacking and provide a cover through engineered atmospherics? Let us unpack this ingenious plot. 

Door for EVM hacking is left open; Civil Rights groups and Opposition must act to close it

There should have been much more disquiet among the Opposition parties than was seen, when on 26th April, the SCI dismissed ADR’s and two other tagged petitions (none was a political party) against the manner of usage of EVMs.  The petitioners wanted two voting process changes that could satisfy the voters at a very basic level. Petitioners had explained how the EVM system was hackable; and how these hacks could be foiled by the two simple process changes they prayed for. The extant rules of secrecy ECI has defined are such that it is almost impossible to provide evidence of hacking or a demo of a possible hack with real EVMs. ECI rejected the Petitioners’ suggestions and sadly SCI, siding with the ECI, dismissed the petitions and instead issued directions for post-result audits to ECI. The audits envisaged by SCI were technically absurd and untrustworthy. The time window for losing contestants to request for EVM audits expired on 11th June. The stands ECI and SCI took, left the door open for the elections to be subverted through the gaming of EVMs – ECI and SCI imperiled India’s democracy.       

Discrepancies in votes cast, as published on ECI’s website, were not acknowledged by ECI - neither in the past nor in the GE 2024 (also watch herehere and here). In view of the foregoing, it is imperative that opposition parties as well as civil society unite and mount a concerted challenge in the SCI to upturn the 26th April Judgement of the two-judge bench. SCI had delayed hearing the petitions so much that there was no time left to file a review petition, however, now this must be done, and opposition parties must boycott the usage of EVM unless the two process changes demanded earlier are accepted and implemented by ECI.

“400 par” was a distraction and Stock Market and Exit Poll “scam” a misdirection?

There was a low voter turn-out right from the first phase, in the 7-phase election, which was another indicator. Therefore, it is safe to assume that the narrative of 400 seats Modi flogged till the end was false and set with an ulterior motive.

This false narrative of “400 par” required to be reinforced. This was done through two methods - scripted multiple Exit Polls and hyping the imminent boom in Stock Market.

On 1st June when polling concluded, all Exit Polls made unanimous predictions of a land-slide victory for BJP. All pollsters projected BJP tally of 350 to 400. It is highly improbable that multiple pollsters make the same mistake at the same time. It became strikingly obvious the Exit Polls were scripted by a central source.

In the weeks preceding the election results, the PM, HM, Finance Minister and External Affairs Minister, gave unsolicited (and illegal) advice to investors. All four top leaders of BJP gave public advice, which was none of their business (only Securities Exchange Board of India  [SEBI] licensed advisers can do so), to buy stocks before 4th June. They misled the retail investors by telling them the stock prices will sharply go up. The tip shared with the entities of interest to Modi or BJP donors was opposite in nature (based on truth about the expected results). The retail investors followed Modi and his team’s advice and lost money whereas the favoured entities followed the honest advice and booked profits. When sub-par results are declared, the market crash was predictable and that is exactly what happened; in one day Rs.30 lac crores (Rs. 30 trillion) market cap meltdown occurred on 4th-5th June. This is a classic example of insider trading which is a criminal offense. Rahul Gandhi has asked for the appointment of Joint Parliamentary Committee (JPC) to investigate this “Exit Poll scam. A petition has been filed in SCI asking that Government and SEBI be ordered to investigate the charge of insider trading and fix the responsibility. Praveen Chakravarty of INC in an interview with Karan Thapar on The Wire explained the curious stocks transactions and Exit Poll timings. It is possible that Modi-Shah used the Stock Market hype to make money for BJP in conspiracy with some known entities, but the primary purpose must have been to create atmospherics in which BJP’s victory would appear to be sub-par to the Opposition and, therefore, acceptable.

Motivations for the plot of EVM hack  

Having come thus far, it is time to explain the motivations underlying the above plot Modi-Shah likely enacted. For them losing was not an option because the adversaries they had created over the ten-year rule at the Centre would be a source of serious discomfort for them if at all they got to form the Government. Either BJP would need to hack certain numbers of EVMs to ensure victory or risk losing too many constituencies then resort to EVM audits and generate false positives through subterfuge to establish hacking has happened when none has happened. Modi-Shah could easily get ECI to countermand the elections – in the constituencies or even the entire 2024 General Election.
Now it is known that Modi-Shah did not choose the audit route to stay in power, instead the EVM hacking route was chosen. The constraints in EVM hacking were the capacity to safely subvert either the ECI or District Election Officers/Returning Officers in charge of target constituencies and the method used for hacking. According to certain political observers, without EVM manipulations, BJP would have likely won 180-200 seats only. Assuming this to be also the input received by Modi-Shah,  BJP’s hacking would be required in about 100 constituencies, however, due to capacity constraints, it was likely planned / done only in 30 – 60 constituencies. Since Modi-Shah were still not sure of hitting the target of 272, they pulled out all stoppers and Modi conducted a campaign that was unprecedented in vitriol and intensity - Modi gave 80 scripted interviews to media houses, conducted 206 public rallies and road shows, his campaign ran over 76 days, he traveled across the country and gave hate speeches and told lies about INC's manifesto unfettered by the Model Code of Conduct as ECI played along.
The only explanation for Modi's over the top and shrill speeches, of the type a man gone berserk would make (Modi claimed he is non-biological, he told voters in rallies that INC intends to steal your wealth, buffaloes and "mangal sutra" to give away to Muslims), is that Modi was thrown off balance with the inputs he must have received of the worst case scenario of winning only 180 seats and also the inputs from his hacking partners of the maximum number of EVMs that could be gamed safely and, still not reaching the required tally of 272. For making up the deficit, BJP needed to swing additional voters but Modi's vicious campaign, though fueled with unlimited funds, backfired. Hindus saw through the charade and Muslims were undoubtedly spooked. The real issues came to the fore, and Modi Government's track record and Modi guarantees could not sway the voters, especially in States that mattered most. 

Securing the future of Indian democracy - it is essential to change few processes and rules - it is not necessary to discard EVMs

PM Modi mocked the Opposition parties’ silence over EVM, post 4th June results – his jibe was whether opposition thought EVM was dead or alive, he expressed hope that at least for the next five years no one will oppose EVMs. This was his finesse (aka Masterstroke) in concluding the saga of EVMs which Modi-Shah will continue to exploit unless, as already mentioned, Opposition parties join the efforts of civil rights groups and NGOs to save subversion of electoral democracy.

Opposition parties and citizens must make SCI upturn the April 26th Judgment and also the May 24th Judgment (interim order) refusing the petition ADR had filed praying for ECI to publish Form 17C-Part I which the Presiding Officer and Polling Agents file from each booth, on its website soon after polling closed in each constituency.

It is unfortunate that despite India having an excellent Digital Public Infrastructure, no one is talking about introducing a hybrid-online system; in the meanwhile we are stuck with a totally obsolete and hackable EVM system which has been hyped up as invincible and the "Gold Standard".

Tuesday, May 28, 2024

Whither Indian Democracy – SCI Judgement of 26th April and impossibility of EVM Audit

 The dismissal of EVM petitions was a disaster and deserves to be challenged before a larger bench; the Directions to ECI are amateurish and likely to turn into a spectacular charade – of false negatives and false positives; either way elections can get subverted; Post June 4th, with ECI of a diminished stature, India should ready itself for a chaos of charges and counter charges

 

Both the Election Commission of India (ECI) and Supreme Court of India (SCI) have fallen short, and they have imperiled the Indian democracy. The Electronic Voting Machine (EVM), created by ECI, being a “gold standard” and its existing processes being “fool-proof” are a myth SCI bought into, despite these being questioned by experts, members of civil society and multiple petitioners. ADR (Association of Democratic Reforms), the lead petitioner, was ignored for a year. Ultimately, the two-judge bench of SCI which seemed in no hurry to deliver its judgment, started hearing the ADR’s and two more tagged petitions, on 16th April, two days before 2024 General Elections commenced, and after ten days, it delivered its judgment on 26th April 2024!

The proceedings, in the court of Justices Sanjiv Khanna and Dipankar Datta were indicative of what was coming. The SCI’s two-bench order dismissed all petitions and instead offered an “EVM audit” option for the losing contestants! The “EVM audit” conditions mentioned in the order make a strange reading – the conditions render the audit technically absurd and due to the composition of audit team, quite untrustworthy. Before understanding the “EVM audit” as SCI envisages, let’s consider the much better alternatives that would have assured the integrity of elections, but were rejected.

The reliefs petitioners had sought were:

i) voter must get to satisfy himself/herself that Voter Verifiable Paper Audit Trail (VVPAT) machine has printed the correct vote slip, cut it, and dispensed it into the ballot box – such a basic assurance is NOT provided by the existing system because the vote slip viewing window with a dark glass is back lit by a lamp for merely 7 seconds during which the slip printing, cutting and dropping operations cannot be seen – only the slip is getting displayed (the limited-time-lighting of 7 seconds enables hacking by method#1 mentioned in notes which includes a demo link).

ii) 100% of the vote slips dispensed in the ballot box must be counted – as voter has no clue of the vote record that gets written into the Control Unit (CU). 

ADR’s lawyer, Prashant Bhushan cited experts, explanatory demonstrations, and reasons how hacks can happen and how it could be thwarted through the reliefs sought. But the judges on the SCI bench did not bother to ask ECI how relief (i) can be provided? The petitioner had offered multiple solutions – the simplest one was to keep the light, in the VVPAT, on until the voter could see the vote slip printed, displayed, cut AND dropped in the ballot box – at present voter can only see the slip displayed (as explained in hack method#1 in the linked notes, it could be the previous voter’s slip that gets displayed).  Nor did the judges ask ECI what were their estimates of time and cost of complying with the relief (ii)? A reasonable answer from ECI, which it ought to have volunteered, would have revealed – one or two day(s) and Rs.20 crores extra – in percentage terms: a mere 4.27% more-time and a mere 0.2% more cost (computations here).

 

Affirming their own faith in ECI and the EVM, the Justices issued directions to ECI for post-result audit of EVMs – petitioners had prayed for none of this!

SCI Judgment on EVM audits may appear to be brilliant but is highly amateurish and flawed

Post declaration of results on June 4th, following predictions can be made based on possible scenarios – INDIA loses, or BJP/NDA loses (lose means win less than 272 seats). Both scenarios will trigger massive requests for EVM audits. Since audits will be a technical absurdity and auditors untrustworthy, a maelstrom is going to hit ECI.

Directions to ECI are in para#76 on page# 37; Extracts in italics below:

a) On completion of the symbol loading process in the VVPATs undertaken on or after 01.05.2024, the symbol loading units shall be sealed and secured in a container… They shall be opened, examined and dealt with as in the case of EVMs. (b) The burnt memory/microcontroller in 5% of the EVMs, that is, the control unit, ballot unit and the VVPAT, per assembly constituency/assembly segment of a parliamentary constituency shall be checked and verified by the team of engineers from the manufacturers of the EVMs, post the announcement of the results, for any tampering or modification, on a written request made by candidates who are at SI.No.2 or Sl.No.3, behind the highest polled candidate.

At present ECI has not published any document describing details of the audit process it will follow. However, the very proposition of a post-result audit of EVM and Symbol Loading Units (SLU) in context of EVM system is a non-sequitur – you can only audit a device that is currently in the state of being hacked and not one which was hacked and sanitized before being presented for audit.

It must be assumed that hacking of EVM System will not be attempted by a run-of-the-mill hacker. At stake is national security or an election that costs Rs.1.2 trillion -even both can get entangled.

A high-level hack leaves no smoking gun behind. The way field staff commission 1.2 million EVMs (one per booth) by using SLUs over a two-week period by using 2-5 SLUs in each constituency  (which are handed over to them by the District Election Officer/Returning Officer who connects his/her laptop via Internet to ECI Central server to download the candidate data file that is then copied into SLUs), it is eminently possible to infiltrate VVPATs (Voter Verifiable Paper Audit Trail) with a self-destructive malware and then remove the malware payload from SLUs (therefore, only sanitized SLUs with the legitimate candidate data file will be sealed after poll closing in each constituency). A self-destructive malware is one which erases itself from the device’s memory upon receiving a trigger, for e.g. when “Close Polling” button is pressed by the Polling Officer on his Control Unit (CU) – the malware on the connected VVPAT will self-destruct. Therefore, after poll closing, the EVMs and SLUs sealed for the audit envisaged by SCI will all be sanitized with no evidence of any malware/hack. 

SCI’s directions have more absurdities.

Firstly, the audit should be done of the full device and not just the “burnt memory/microcontroller” because a device like VVPAT has additional programable memory. A malware can sit in the additional memory and make the machine misbehave, leaving the “burnt memory/microcontroller” intact.

Secondly, there was no compelling reason for the Justices to require the audit team to come from the manufacturers of EVMs which happen to be ECIL and BEL, enterprises which are owned by the Government. One of them has BJP members on its board. Audit could have been done by independent engineers who could have been provided healthy set of EVMs – because then they could have compared the object code running on them with the suspected EVMs and detected tampering; it was not necessary to part with source code. Any sophisticated hacker can reverse compile the object code from stolen EVMs (a RTI query had revealed that between ECI, BEL and ECIL 1.9 million EVMs are missing) and write malware to make EVM misbehave. Malware could work with multiple parameters – Constituency, Party to steal votes from, Party to favour, date, time, rate of voting etc. The misbehaviour, therefore, cannot be predicted without the knowledge of program logic and parameters used.

Read about the three types of hacks and audits necessary to catch them - here. The ballot stuffing method requires audit of time stamp of vote record in CU versus the time stamp in the printed vote slip – they must match, and they must be spaced apart by at least 15 seconds – as per ECI submissions, the maximum rate of voting designed for is 4 votes per minute.

The SCI’s directions to ECI for sealing of EVMs and SLUs commence from 1st May. So, what will happen to contestants whose constituencies’ polling finished in April?

As the SLUs do not have device IDs probably, these are not mentioned in Form17C Part I. At the close of poll, Form 17C Part I has to be filled in, duly signed by the Presiding Officer, the Polling Officer, all present Polling Agents of contestants. This form mentions all three EVM Machine IDs but there is no mention of SLU ID. If Form 17C Part I is not placed in public domain before the devices are sealed and moved, it would leave the door open for manipulation – vote count inflation, even switching the EVMs. Poonam Agarwal, an investigative journalist has interviewed polling agents who did not sign Form 17C and no one asked them to! It is confounding to find that ECI does not require the Presiding Officer to sign the Form 17C using his/her Digital Signing Certificate (DSC).

SCI directions to ECI do not mention this: The audit must include examination of signatures on Form 17C Part I and matching with machine IDs, the Total Voters – registered and votes cast. ECI portal should host a table with the columns of Constituency Name, Booth ID and Scanned Form 17C Part I duly signed by PO and DEO/RO. Form 17C Part I total vote count must match the CU total vote count. Is ECI innocent about the importance of Form 17C Part I being signed and shared with the citizens of India or there is more than meets the eye?

What would it take for ECI to share Form 17C data? Essentially zero additional manpower would be required and not more than 500GB storage space – the program to manage the data table could be written in one day, read here.

Other troubling questions:

The auditors without integrity can allow malware to be copied into SLUs and then report tampering in that constituency to please the challenger (a losing contestant). Since SLU is utilized across the constituency, will ECI declare a repoll in that constituency?

Can the ruling party with control over the auditors countermand an entire election by the simple subterfuge of arranging copying malware into a few dozen SLUs?

An abridged version of this blog was published on 24th May, 2024 in The Wire