Thursday, November 7, 2024

Indian EVM System vs Paper Ballot – Cars vs Bullock Carts – Common Sense vs Nonsense

 

 Summary: It would indeed be wise to switch to Paper Ballot just as it would be to demand switching to bullock carts if the Government of the day fails to recognise the prerequisites of safe journeys in cars. One of the safety requirements is that the car manufacturers obtain road worthiness certificate for every model they manufacture and sell. Car manufacturers use many components protected by patents; however, an independent agency checks the roadworthiness of the cars before granting their certification. The story of Electronic Voting Machines (EVM) in India has no parallels and, it is weird, to say the least. Government owns the manufacturers of EVMs and instead of an independent agency, the Government itself issues their fitness certificates; Election Commission of India (ECI) says the EVM’s software is protected by Intellectual Property Rights of the manufacturers, besides election security requires secrecy so, neither the EVM's technical design nor the software can be made public. The Supreme Court of India (SCI) wants citizens to believe whatever ECI says! ECI's processes are fraught and umpteen discrepancies in its own data remain unexplained and petitions in SCI kept pending for years on end. As a result, the Indian democracy suffers from exposure to i) manipulating hackable EVMs or ii) subverting what are faulty identifying, transporting and counting processes of EVMs. If we want to safe-guard Indian democracy, it is very important to make a few changes both, in their usage processes and in EVMs.  

 

1.      First let's list few smart-ass questions people have asked with regards to alleged hackability of EVM or subversion of existing processes (which are two different things) of the Indian EVM System (at this link, read descriptions and also watch demo of a hack in which VVPAT votes match with Control Unit, yet votes stolen):

1.1 EVMs have now been used in thousands of elections and counting of billions of votes. Where is the evidence of hacking? [Fact: Anomalies reported without answers from ECI; Citizen activists have consistently reported concerns - they are the bigger stakeholders; SCI should have known better than to view the tussle with EVMs as one mounted by Opposition parties]

1.2 Losers complain about EVMs but when the same party wins unexpectedly, everything seems to be kosher with EVMs! [Fact: Citizens are the main stakeholders, not Political parties - citizen activists have been consistent in expressing their concerns and asking for greater transparency and auditability; investigative journalist, Poonam Agarwal's queries to ECI regarding discrepancies in ECI's own published data remain unanswered since 2019, ADR's petitions are still not adjudicated by SCI - either they have not been heard or only interim orders passed]

1.3 If the ruling party can hack or manipulate results in one constituency, why does it lose in other constituencies? [Fact: Hacking methods may involve subverting integrity of District Election Officers/Returning Officers (DEO/RO) or Presiding Officers (PO) - therefore, risk of exposure must be limited by the hackers - they are not foolhardy to try to subvert officers across multiple constituencies]

2. Questions such as above are asked by people who may be technically qualified but are naive and certainly arrogant; though most of them are "digital illiterates" (who can't distinguish hardware from firmware from software from malware). Both sets of people are arrogant because they have not looked at demos of possible hacking (in which CU and VVPAT slips are in sync and yet votes can be stolen) and methods of subterfuge possible with utterly flimsy methods of identification of EVMs, non-disclosure of Form-17C, dark glass coupled with 7-second lamp in VVPAT, VVPAT having writable memory and EVM System not being a standalone system (most of the time ECI falsely portrays VVPAT and other EVM devices are OTP - one-time-programmable types and “EVM” is not connected to Internet but “EVM System” is - and the distinction between “EVM” and “EVM System” is not known to most people).

2.1 When technical design and software are kept secret, how can anyone (regardless of their technical competence) make a categorical statement that EVM is NOT hackable? Furthermore, when processes of identifying EVMs are flimsy, the challenge of wrong voting is fraught and conditions of testing are illogical and can invite fines and prison terms, record of counts and polling agent signatures are not revealed immediately after poll closing (in Form17-C), how can evidence of hacking or manipulations be gathered? Therefore, in the face of such odds, it is not very intelligent to ask for evidence of hacking or counter by citing the numbers of elections and votes counting that EVMs have been used for over the years!

3.      ECI in tandem with SCI have thwarted citizens’ efforts to introduce more transparency (make public hardware design and software source code) or simple measures of minor hardware modification (open VVPAT so voter can pick up vote slip and insert it into ballot box or VVPAT with transparent glass instead of tiny dark one-way view glass with an inside lamp that remains lit up for a longer period) and process changes in the existing EVM System and their usage (share Form 17-C with public). ECI has refused to reveal full details of technical design of EVM components, kept the software secret under the pretext of protecting IPR of Government owned units (actually this simple software will hardly require few weeks to develop)! Furthermore, questions raised about alarming levels of data discrepancies between votes polled and votes counted have been ignored by ECI for years on end. Seemingly curious  levels of battery charge of 99% in EVM components (the Control Unit) observed on the day of counting were only recently explained by ECI.

Ironically, while "timid or couldn't-care-less" types of Indian tech tycoons have kept mum (with the exception of Sam Pitroda), non-technical politicians and commentators have often cited non-sensical reasons for either continuing the existing EVM System or, revert to paper ballot – among the former are Yogendra Yadav, Justices Sanjiv Khanna and Dipankar Datta who asked civil rights petitioners (in their April 26th, 2024 order): Where is the evidence of hacking (?), we cannot act on mere suspicion (!) and, among the latter is Elon Musk who said, “anything could be hacked” and, in a tweet, he suggested that EVMs should be eliminated due to the risk of being hacked by humans or AI, even if the risk is small. It must be noted, not all EVMs are same, and Elon Musk was certainly not commenting about the Indian EVM System about which he likely knows nothing (In USA many States use Electronic devices and VVPATs) .

Experienced software engineers know it is possible to write malware (rogue software) which activates only when given parameter's values are in a certain range and the program can self-erase leaving no trace or evidence when certain values are reached (e.g. certain date-time or certain number of votes cast etc.).

ECI has falsely claimed that EVM is a standalone type of system even though in every election cycle, the laptop of DEO/RO is connected to ECI server via Internet to download Candidate ID, Name and Party Symbol file; this file is copied into 3 to 5 Symbol Loading Units (SLU - is a pompous name for a pen drive with flash memory) which are used to commission the EVMs in each booth of the constituency managed by the DEO/RO, by copying the file into the writable memory of VVPAT. ECI has asserted that malware cannot be infiltrated into the VVPAT via this file without revealing technical details of the devices and SCI has ruled that citizens cannot question ECI without any evidence of hacking! This is a Catch-22 situation.

3.1 It would be non-sensical for the car manufacturer to issue roadworthiness certificate to its own cars – which is exactly what ECI is doing in India – as EVMs are manufactured by Government owned companies, BEL and ECIL, and the quality certification is also done by STQC - the Standardisation Testing and Quality Certification (STQC) Directorate, which is an attached office of the Ministry of Electronics and Information Technology, Government of India. Unfortunately, in case of the Indian EVM System, these common sensical and basic democratic tenets are missing and all attempts to make the Indian EVM System trustworthy have been stalled by ECI and refused by the SCI.

3.2 SCI on its own introduced an "innocent" post-election audit option and ECI distorted it further making it a complete joke. On page#37 in para#76 the Judges had observed in their 26th April judgment: "Nevertheless, not because we have any doubt, but to only further strengthen the integrity of the election process, we are inclined to issue the following directions": ECI to allow post-election audit of EVM and SLU which was a pointless measure ab initio as no hacker would be so naive as to leave evidence of malware infiltration in EVM or SLU. The SCI should be petitioned to modify the testing methodology as mentioned below in prescription no.5.1 (the innocent SCI Judges will first need to be informed about self-erasing malware).

3.3 At stake is the Indian Democracy and the principal stakeholder is the citizen of India. To uphold the constitution of India, the ECI and SCI must respond to citizens’ demands for a safe and trustworthy EVM System.

4.      Without going into the history of petitions and pending queries with the SCI and ECI respectively, or the farcical stand of ECI to treat EVM as a black box and the SCI’s endorsement of ECI’s stand to maintain secrecy of software and hardware design and, ECI’s refusal to make public the Form 17-C data immediately after poll closing, let us consider the minimum tweaks in hardware and processes that SCI/ECI must be petitioned to accept.

5.      PRESCRIPTION: What can be done to make the existing EVM System trustworthy - assuming that ECI and SCI will not reverse their stand to keep the EVM's technical design and software secret? Petitions already filed before the SCI need to be amended or supplementary petitions added as follows. 

5.1 SIMULATED EVM TESTING ON THE DAY OF VOTING (in lieu of post-election audit option mentioned in the SCI's order of 26th April'24): This is somewhat similar to the "mock polling" that ECI has prescribed but only that it will be done separately. Presently mock polling is conducted just before polling starts in every booth, to check the performance of EVMs. Ater successful testing, the samples of mock votes are deleted from the memory of CU, and the ballot box of VVPAT is emptied out of the printed votes.

In each constituency, one day before the polling day, ten EVMs at random should be replaced from the reserved stock; this doesn’t pose a problem because ECI manual prescribes stocking of backup EVMs, to meet the contingency of replacing defective EVMs at a short notice. These ten EVMs should be taken away for simulated testing, the next day, i.e. on the date of actual polling, by contestants’ parties. 

The simulated voting should be done on the ten EVMs by casting random votes, at a natural cadence (say 1,200 votes in 10 hours) throughout the day, however, each vote that is cast will also be noted on paper or a worksheet, with the date-time stamp. At the end of the day, the poll closed button should be pressed as usual on the CU, the total votes recorded and displayed in the CU, and the vote slips printed and dispensed in the VVPAT will be compared with the manual record – i.e.  the list or the worksheet. If there is zero discrepancy, the constituency's election will be considered valid, otherwise it will be countermanded and based on the pattern of discrepancies favouring a particular candidate, a competent authority will adjudicate on the question of fraud committed. The findings could lead to disqualification of the candidate or the banning of the candidate’s party from contesting any election for six years or instituting an appropriate criminal case.

 

5.2 NEW PROCESS TO IDENTIFY EVMs: In every election cycle, new type of tamper proof stickers (which cannot be peeled off without tearing them) should be pasted on EVM components - stickers should be large with space for machine IDs, should also have space for signatures of polling agents (at least two) and PO; who must sign these at the same time they sign the Form - 17C after the poll closes. [It is curious that these machines do not have mac IDs which could have been digitally displayed].

 

5.3 NEW PROCESS TO RECORD THE STATUS UPON POLL CLOSING: Photos of signed stickers of machine IDs of CU, VVPAT, Digital display of total votes count on CU and Form-17C should be uploaded on the ECI's portal within 30 minutes of poll closing. DEO/RO must unlock the uploaded photos for public viewing within 24 hours of poll closing.

 

5.4 NEW PROCESS WILL ENSURE EVM IS NOT SUBSTITUTED: On the day of counting, the contestants' agents should be allowed to compare the signatures seen in all photos of stickers on CU and VVPAT - with those on the physical EVM devices and the total vote count reported in Form17-C must match with the total vote count and candidate wise total count displayed by the CU in the counting room - if there is a mismatch of any type - either of signatures or vote counts - the EVM should be set aside for adjudication by a competent authority - these are conditions under which, normally speaking, a repoll must be triggered.  

 

5.5 MODIFICATION IN VVPAT TO ASSURE VOTER THAT CORRECT VOTE IS PRINTED AND DELIVERED: The light inside the VVPAT gets switched off within seven seconds of the vote being cast, i.e. the button being pressed on the BU - reason ECI has offered for this curious design is preservation of secrecy of vote. As VVPAT is placed in a secluded corner within a “voting compartment”, this untenable reason ought to be rejected. And the VVPAT design should be modified to make the inside lamp remain lit constantly so the voter can see both operations – i) a new vote slip getting printed and ii) the printed vote slip getting cut and dispensed into the ballot box.

6.      Out of the above five changes, first four ( #5.1 to 5.4 ), process changes, are essential. If 5.1 to 5.4 are accepted, demand for VVPAT modification #5.5, which is desirable but not essential, could be waived; similalry, the following demands pending in petitions before the SCI, may then be safely withdrawn: i) Vote slips printed by VVPAT to manually count (100%) and use the CU count only to counter check. ii) Post-election audit option as mandated by SCI in its 26th April'24 order (and incorrectly implemented by ECI

6.1 Fall back position: If process change #5.1 of simulated tests is not accepted, then the four demands # 5.2 to 5.5 become essential along with the pending demand of "100% VVPAT count", other wise type (a) EVM hacking of delayed printing and stealing votes or type (b) EVM hacking of printing correct vote and recording another (hacker-party's) vote in CU, should either (a) or (b) perpetrated, will not be caught - as already explained, the SCI's post-election audit is useless (malware could self-erase leaving no trace or evidence so audit will never find anything amiss). 

 7.      If the essential demands described above are not met, it would make sense to agitate for reverting to paper ballot system; Bullock carts are a better option than uncertified cars operating without a sensible framework.

 

 

Wednesday, June 19, 2024

Results of General Election 2024 - the gaming of EVMs – saving future elections



General Elections 2024 (GE 2024) results were expected to produce highly divergent results depending upon who you chose to back or believe - these targeted tallies were 400+ by the ruling side versus ~300 by the opposition side. Therefore, if at all any side were to achieve their predicted tally, the other side was expected to cry foul and immediately try to seek redress through the available legal recourse – either file for Electronic Voting Machine (EVM) audit, within seven days, or else file petitions in the Supreme Court of India (SCI) or a lower Court within 45 days. According to a press report, only 10 losing contestants have demanded EVM audit, including one from Bhartiya Janta Party (BJP).

There is enough circumstantial evidence that points to a con game the BJP team led by PM Modi and HM Amit Shah pulled off and, made suckers out of Opposition. The Opposition parties could have changed their fate had they joined the petitions civil rights groups and NGOs had filed against EVM - read what M.G. Devasahayam says about the stolen mandate. It is likely, the Opposition parties will suffer the same fate of losing elections in future if they fail to force Election Commission of India (ECI), through a review petition in the Supreme Court of India (SCI), to change the process of using EVMs. 

Narrative ("400 par") - was part of a con game - cover fire for EVM hacking

The ruling BJP, led by Modi, had run an “intimidating” narrative that it would by itself win 370 out of 543 seats and together with its partners, in the National Democratic Alliance (NDA), their tally would be 400+ seats (“abki bar 400 par” : 3 min clip). Indian National Congress (INC) with mass contact yatras, led by Rahul Gandhi,  across the country - south to north and east to west, had picked up a far more accurate pulse of the voters, their leaders declared INC would win 100+ seats and together with its alliance partners in the Indian National Developmental Inclusive Alliance (INDIA) bloc, they would easily cross the majority tally of 272 seats and end Modi’s rule. Rahul Gandhi proclaimed that he would write down that Narendra Modi will not return as the PM: clip of 30 secs

The results announced on 4th June were a stunning blow to BJP (it lost 63 seats compared to its 2019 tally) and they were just a little shy of a home run for INC (it doubled its seats compared to 2019 tally despite contesting far fewer seats). BJP/NDA tally was 240/292 seats. INC/INDIA tally was 99/234. The independents and unaffiliated parties won 17 seats to make up the total of 543 seats of Lok Sabha. Both sides claimed victory, though BJP fell far short of its target. So, no losing contestant charged the winner of fraud. INDIA bloc members, particularly INC, ought to have risen in protests and charged BJP for engineering results quite contrary to its own estimates; BJP's tally was  significantly higher than sub-200 tally many independent observers and opposition party members had predicted. INDIA being 38 short of the majority tally, had missed its most important goal of dislodging BJP from power. INDIA bloc parties did not immediately accuse BJP of hacking because being 130 seats short of its target of 370, BJP seemingly had a sufficient alibi - had BJP hacked the EVM System, why would they be so short of their target? 
The expectations of INDIA bloc were cleverly tamped down through atmospherics that Modi and team created otherwise they would have likely charged the ruling side of the fraud of carrying out a fiddle with the EVM or of a conspiracy with ECI in ballot stuffing (one example: stonewalling sharing of Form 17C with public).  

Ploys of distraction and misdirection

Many believe PM, Modi & Home Minister, Amit Shah (also known as Modi-Shah duo) are masters of electoral strategies and aces in the art of distraction and misdirection. Most ground reports filed by independent journalists and observers predicted big losses for BJP. Modi-Shah duo must be getting all State agencies’ intelligence reports besides their own Party’s surveys about the mood of voters and the likely grim election outcomes. Is it possible that Modi-Shah strategized to ensure their victory through EVM hacking and provide a cover through engineered atmospherics? Let us unpack this ingenious plot. 

Door for EVM hacking is left open; Civil Rights groups and Opposition must act to close it

There should have been much more disquiet among the Opposition parties than was seen, when on 26th April, the SCI dismissed ADR’s and two other tagged petitions (none was a political party) against the manner of usage of EVMs.  The petitioners wanted two voting process changes that could satisfy the voters at a very basic level. Petitioners had explained how the EVM system was hackable; and how these hacks could be foiled by the two simple process changes they prayed for. The extant rules of secrecy ECI has defined are such that it is almost impossible to provide evidence of hacking or a demo of a possible hack with real EVMs. ECI rejected the Petitioners’ suggestions and sadly SCI, siding with the ECI, dismissed the petitions and instead issued directions for post-result audits to ECI. The audits envisaged by SCI were technically absurd and untrustworthy. The time window for losing contestants to request for EVM audits expired on 11th June. The stands ECI and SCI took, left the door open for the elections to be subverted through the gaming of EVMs – ECI and SCI imperiled India’s democracy.       

Discrepancies in votes cast, as published on ECI’s website, were not acknowledged by ECI - neither in the past nor in the GE 2024 (also watch herehere and here). In view of the foregoing, it is imperative that opposition parties as well as civil society unite and mount a concerted challenge in the SCI to upturn the 26th April Judgement of the two-judge bench. SCI had delayed hearing the petitions so much that there was no time left to file a review petition, however, now this must be done, and opposition parties must boycott the usage of EVM unless the two process changes demanded earlier are accepted and implemented by ECI.

“400 par” was a distraction and Stock Market and Exit Poll “scam” a misdirection?

There was a low voter turn-out right from the first phase, in the 7-phase election, which was another indicator. Therefore, it is safe to assume that the narrative of 400 seats Modi flogged till the end was false and set with an ulterior motive.

This false narrative of “400 par” required to be reinforced. This was done through two methods - scripted multiple Exit Polls and hyping the imminent boom in Stock Market.

On 1st June when polling concluded, all Exit Polls made unanimous predictions of a land-slide victory for BJP. All pollsters projected BJP tally of 350 to 400. It is highly improbable that multiple pollsters make the same mistake at the same time. It became strikingly obvious the Exit Polls were scripted by a central source.

In the weeks preceding the election results, the PM, HM, Finance Minister and External Affairs Minister, gave unsolicited (and illegal) advice to investors. All four top leaders of BJP gave public advice, which was none of their business (only Securities Exchange Board of India  [SEBI] licensed advisers can do so), to buy stocks before 4th June. They misled the retail investors by telling them the stock prices will sharply go up. The tip shared with the entities of interest to Modi or BJP donors was opposite in nature (based on truth about the expected results). The retail investors followed Modi and his team’s advice and lost money whereas the favoured entities followed the honest advice and booked profits. When sub-par results are declared, the market crash was predictable and that is exactly what happened; in one day Rs.30 lac crores (Rs. 30 trillion) market cap meltdown occurred on 4th-5th June. This is a classic example of insider trading which is a criminal offense. Rahul Gandhi has asked for the appointment of Joint Parliamentary Committee (JPC) to investigate this “Exit Poll scam. A petition has been filed in SCI asking that Government and SEBI be ordered to investigate the charge of insider trading and fix the responsibility. Praveen Chakravarty of INC in an interview with Karan Thapar on The Wire explained the curious stocks transactions and Exit Poll timings. It is possible that Modi-Shah used the Stock Market hype to make money for BJP in conspiracy with some known entities, but the primary purpose must have been to create atmospherics in which BJP’s victory would appear to be sub-par to the Opposition and, therefore, acceptable.

Motivations for the plot of EVM hack  

Having come thus far, it is time to explain the motivations underlying the above plot Modi-Shah likely enacted. For them losing was not an option because the adversaries they had created over the ten-year rule at the Centre would be a source of serious discomfort for them if at all they got to form the Government. Either BJP would need to hack certain numbers of EVMs to ensure victory or risk losing too many constituencies then resort to EVM audits and generate false positives through subterfuge to establish hacking has happened when none has happened. Modi-Shah could easily get ECI to countermand the elections – in the constituencies or even the entire 2024 General Election.
Now it is known that Modi-Shah did not choose the audit route to stay in power, instead the EVM hacking route was chosen. The constraints in EVM hacking were the capacity to safely subvert either the ECI or District Election Officers/Returning Officers in charge of target constituencies and the method used for hacking. According to certain political observers, without EVM manipulations, BJP would have likely won 180-200 seats only. Assuming this to be also the input received by Modi-Shah,  BJP’s hacking would be required in about 100 constituencies, however, due to capacity constraints, it was likely planned / done only in 30 – 60 constituencies. Since Modi-Shah were still not sure of hitting the target of 272, they pulled out all stoppers and Modi conducted a campaign that was unprecedented in vitriol and intensity - Modi gave 80 scripted interviews to media houses, conducted 206 public rallies and road shows, his campaign ran over 76 days, he traveled across the country and gave hate speeches and told lies about INC's manifesto unfettered by the Model Code of Conduct as ECI played along.
The only explanation for Modi's over the top and shrill speeches, of the type a man gone berserk would make (Modi claimed he is non-biological, he told voters in rallies that INC intends to steal your wealth, buffaloes and "mangal sutra" to give away to Muslims), is that Modi was thrown off balance with the inputs he must have received of the worst case scenario of winning only 180 seats and also the inputs from his hacking partners of the maximum number of EVMs that could be gamed safely and, still not reaching the required tally of 272. For making up the deficit, BJP needed to swing additional voters but Modi's vicious campaign, though fueled with unlimited funds, backfired. Hindus saw through the charade and Muslims were undoubtedly spooked. The real issues came to the fore, and Modi Government's track record and Modi guarantees could not sway the voters, especially in States that mattered most. 

Securing the future of Indian democracy - it is essential to change few processes and rules - it is not necessary to discard EVMs

PM Modi mocked the Opposition parties’ silence over EVM, post 4th June results – his jibe was whether opposition thought EVM was dead or alive, he expressed hope that at least for the next five years no one will oppose EVMs. This was his finesse (aka Masterstroke) in concluding the saga of EVMs which Modi-Shah will continue to exploit unless, as already mentioned, Opposition parties join the efforts of civil rights groups and NGOs to save subversion of electoral democracy.

Opposition parties and citizens must make SCI upturn the April 26th Judgment and also the May 24th Judgment (interim order) refusing the petition ADR had filed praying for ECI to publish Form 17C-Part I which the Presiding Officer and Polling Agents file from each booth, on its website soon after polling closed in each constituency.

It is unfortunate that despite India having an excellent Digital Public Infrastructure, no one is talking about introducing a hybrid-online system; in the meanwhile we are stuck with a totally obsolete and hackable EVM system which has been hyped up as invincible and the "Gold Standard".

Tuesday, May 28, 2024

Whither Indian Democracy – SCI Judgement of 26th April and impossibility of EVM Audit

 The dismissal of EVM petitions was a disaster and deserves to be challenged before a larger bench; the Directions to ECI are amateurish and likely to turn into a spectacular charade – of false negatives and false positives; either way elections can get subverted; Post June 4th, with ECI of a diminished stature, India should ready itself for a chaos of charges and counter charges

 

Both the Election Commission of India (ECI) and Supreme Court of India (SCI) have fallen short, and they have imperiled the Indian democracy. The Electronic Voting Machine (EVM), created by ECI, being a “gold standard” and its existing processes being “fool-proof” are a myth SCI bought into, despite these being questioned by experts, members of civil society and multiple petitioners. ADR (Association of Democratic Reforms), the lead petitioner, was ignored for a year. Ultimately, the two-judge bench of SCI which seemed in no hurry to deliver its judgment, started hearing the ADR’s and two more tagged petitions, on 16th April, two days before 2024 General Elections commenced, and after ten days, it delivered its judgment on 26th April 2024!

The proceedings, in the court of Justices Sanjiv Khanna and Dipankar Datta were indicative of what was coming. The SCI’s two-bench order dismissed all petitions and instead offered an “EVM audit” option for the losing contestants! The “EVM audit” conditions mentioned in the order make a strange reading – the conditions render the audit technically absurd and due to the composition of audit team, quite untrustworthy. Before understanding the “EVM audit” as SCI envisages, let’s consider the much better alternatives that would have assured the integrity of elections, but were rejected.

The reliefs petitioners had sought were:

i) voter must get to satisfy himself/herself that Voter Verifiable Paper Audit Trail (VVPAT) machine has printed the correct vote slip, cut it, and dispensed it into the ballot box – such a basic assurance is NOT provided by the existing system because the vote slip viewing window with a dark glass is back lit by a lamp for merely 7 seconds during which the slip printing, cutting and dropping operations cannot be seen – only the slip is getting displayed (the limited-time-lighting of 7 seconds enables hacking by method#1 mentioned in notes which includes a demo link).

ii) 100% of the vote slips dispensed in the ballot box must be counted – as voter has no clue of the vote record that gets written into the Control Unit (CU). 

ADR’s lawyer, Prashant Bhushan cited experts, explanatory demonstrations, and reasons how hacks can happen and how it could be thwarted through the reliefs sought. But the judges on the SCI bench did not bother to ask ECI how relief (i) can be provided? The petitioner had offered multiple solutions – the simplest one was to keep the light, in the VVPAT, on until the voter could see the vote slip printed, displayed, cut AND dropped in the ballot box – at present voter can only see the slip displayed (as explained in hack method#1 in the linked notes, it could be the previous voter’s slip that gets displayed).  Nor did the judges ask ECI what were their estimates of time and cost of complying with the relief (ii)? A reasonable answer from ECI, which it ought to have volunteered, would have revealed – one or two day(s) and Rs.20 crores extra – in percentage terms: a mere 4.27% more-time and a mere 0.2% more cost (computations here).

 

Affirming their own faith in ECI and the EVM, the Justices issued directions to ECI for post-result audit of EVMs – petitioners had prayed for none of this!

SCI Judgment on EVM audits may appear to be brilliant but is highly amateurish and flawed

Post declaration of results on June 4th, following predictions can be made based on possible scenarios – INDIA loses, or BJP/NDA loses (lose means win less than 272 seats). Both scenarios will trigger massive requests for EVM audits. Since audits will be a technical absurdity and auditors untrustworthy, a maelstrom is going to hit ECI.

Directions to ECI are in para#76 on page# 37; Extracts in italics below:

a) On completion of the symbol loading process in the VVPATs undertaken on or after 01.05.2024, the symbol loading units shall be sealed and secured in a container… They shall be opened, examined and dealt with as in the case of EVMs. (b) The burnt memory/microcontroller in 5% of the EVMs, that is, the control unit, ballot unit and the VVPAT, per assembly constituency/assembly segment of a parliamentary constituency shall be checked and verified by the team of engineers from the manufacturers of the EVMs, post the announcement of the results, for any tampering or modification, on a written request made by candidates who are at SI.No.2 or Sl.No.3, behind the highest polled candidate.

At present ECI has not published any document describing details of the audit process it will follow. However, the very proposition of a post-result audit of EVM and Symbol Loading Units (SLU) in context of EVM system is a non-sequitur – you can only audit a device that is currently in the state of being hacked and not one which was hacked and sanitized before being presented for audit.

It must be assumed that hacking of EVM System will not be attempted by a run-of-the-mill hacker. At stake is national security or an election that costs Rs.1.2 trillion -even both can get entangled.

A high-level hack leaves no smoking gun behind. The way field staff commission 1.2 million EVMs (one per booth) by using SLUs over a two-week period by using 2-5 SLUs in each constituency  (which are handed over to them by the District Election Officer/Returning Officer who connects his/her laptop via Internet to ECI Central server to download the candidate data file that is then copied into SLUs), it is eminently possible to infiltrate VVPATs (Voter Verifiable Paper Audit Trail) with a self-destructive malware and then remove the malware payload from SLUs (therefore, only sanitized SLUs with the legitimate candidate data file will be sealed after poll closing in each constituency). A self-destructive malware is one which erases itself from the device’s memory upon receiving a trigger, for e.g. when “Close Polling” button is pressed by the Polling Officer on his Control Unit (CU) – the malware on the connected VVPAT will self-destruct. Therefore, after poll closing, the EVMs and SLUs sealed for the audit envisaged by SCI will all be sanitized with no evidence of any malware/hack. 

SCI’s directions have more absurdities.

Firstly, the audit should be done of the full device and not just the “burnt memory/microcontroller” because a device like VVPAT has additional programable memory. A malware can sit in the additional memory and make the machine misbehave, leaving the “burnt memory/microcontroller” intact.

Secondly, there was no compelling reason for the Justices to require the audit team to come from the manufacturers of EVMs which happen to be ECIL and BEL, enterprises which are owned by the Government. One of them has BJP members on its board. Audit could have been done by independent engineers who could have been provided healthy set of EVMs – because then they could have compared the object code running on them with the suspected EVMs and detected tampering; it was not necessary to part with source code. Any sophisticated hacker can reverse compile the object code from stolen EVMs (a RTI query had revealed that between ECI, BEL and ECIL 1.9 million EVMs are missing) and write malware to make EVM misbehave. Malware could work with multiple parameters – Constituency, Party to steal votes from, Party to favour, date, time, rate of voting etc. The misbehaviour, therefore, cannot be predicted without the knowledge of program logic and parameters used.

Read about the three types of hacks and audits necessary to catch them - here. The ballot stuffing method requires audit of time stamp of vote record in CU versus the time stamp in the printed vote slip – they must match, and they must be spaced apart by at least 15 seconds – as per ECI submissions, the maximum rate of voting designed for is 4 votes per minute.

The SCI’s directions to ECI for sealing of EVMs and SLUs commence from 1st May. So, what will happen to contestants whose constituencies’ polling finished in April?

As the SLUs do not have device IDs probably, these are not mentioned in Form17C Part I. At the close of poll, Form 17C Part I has to be filled in, duly signed by the Presiding Officer, the Polling Officer, all present Polling Agents of contestants. This form mentions all three EVM Machine IDs but there is no mention of SLU ID. If Form 17C Part I is not placed in public domain before the devices are sealed and moved, it would leave the door open for manipulation – vote count inflation, even switching the EVMs. Poonam Agarwal, an investigative journalist has interviewed polling agents who did not sign Form 17C and no one asked them to! It is confounding to find that ECI does not require the Presiding Officer to sign the Form 17C using his/her Digital Signing Certificate (DSC).

SCI directions to ECI do not mention this: The audit must include examination of signatures on Form 17C Part I and matching with machine IDs, the Total Voters – registered and votes cast. ECI portal should host a table with the columns of Constituency Name, Booth ID and Scanned Form 17C Part I duly signed by PO and DEO/RO. Form 17C Part I total vote count must match the CU total vote count. Is ECI innocent about the importance of Form 17C Part I being signed and shared with the citizens of India or there is more than meets the eye?

What would it take for ECI to share Form 17C data? Essentially zero additional manpower would be required and not more than 500GB storage space – the program to manage the data table could be written in one day, read here.

Other troubling questions:

The auditors without integrity can allow malware to be copied into SLUs and then report tampering in that constituency to please the challenger (a losing contestant). Since SLU is utilized across the constituency, will ECI declare a repoll in that constituency?

Can the ruling party with control over the auditors countermand an entire election by the simple subterfuge of arranging copying malware into a few dozen SLUs?

An abridged version of this blog was published on 24th May, 2024 in The Wire

Sunday, April 28, 2024

EVM Petitions - analysis of SCI Judgment of 26th April, 2024 - good part and the curious (bad) parts

 

SCI Judgment of 26th April’24 – Justices misunderstood EVM petitions; fortuitously the relief given, which petitioners never asked for, will reduce chances of hacking considerably

 

The two-judge bench of the Supreme Court of India (SCI) delivered its much delayed judgment on ADR’s petition filed a year ago (other petitions were tagged with it), on the day of the second phase polling of General Elections 2024 which had started a week earlier. This was a contest between the citizens of India and ECI and not one between any political party and ECI or the Government – none of the political parties were petitioners. The bench missed this point and gave reliefs that petitioners never asked for. The SCI gave the right to 2nd and 3rd losing contestants to demand audit of devices - EVM (comprising Voter Verifiable Paper Audit Trail – VVPAT and Control Unit – CU and Ballot Unit - BU) and SLU (Symbol Loading Unit) with the help of BEL and ECIL engineers (para#75 page 37/38 of Order signed by both Justices – Sanjiv Khanna and Dipankar Datta; separate order was signed by only JDD).

So, the good part of the order is the directions issued to ECI which will CONSIDERABLY REDUCE the chances of hacking because of the fear of getting caught during the audit, if done honestly and competently. Unless the audit process, in the hands of ECI (BEL and ECIL engineers), is subverted, the risk for hackers getting caught will be great. The order has limited the audit to maximum of 5% of EVMs per constituency – had the losing contestants (number 2 and 3) been allowed to ask for audit of all EVMs, the hacking would have had no chance of escaping detection. The order makes it explicit that the burden of cost of audit will be on the challenger, but it does not speak about the consequences of discovery of malware in the suspected devices – will repoll be ordered around the booth where EVM was deployed, or the whole constituency, or the whole country? The order shows its magnanimity (a lofty sense of justice?) in refunding the cost defrayed by the challenger should any tampering be detected! It is strange that the order did not consider it justifiable to appoint independent auditors in resolving the audit challenge. Independent auditors could have compared the object code (access to source code is not necessary) in the suspected machines with healthy machines provided by ECI and given their verdict about the evidence of tampering, i.e. presence of illegitimate stuff (malware or any foreign software). The order unnecessarily elaborates that “microcontroller’s burnt memory” will be subject to audit – what about the flash memory of 4MB (see paragraph#22 in the order)? For the two types hacks which the Justices didn't understand, the problematic parts of the judgment and a semi-technical note on the EVM hackability read here.

Let’s now consider the curious (bad) part of the order which betrays the misunderstanding on part of the honorable Justices – and which is worthy of a challenge in a review petition. The main petitioner’s Sr advocate, Prashant Bhushan asked for sensible reliefs which would have served to FOIL hacking of EVM System completely. He did not allege that hacking has indeed happened. This does not mean that hacking cannot happen in future becasue of vulnerabilities in the EVM System. He also explained all the important vulnerabilities and tried to elaborate the possibility of malware infiltrating the “programmable memory” of VVPAT but JSK cut him off multiple times – as can be read from proceedings in the court – live updates from independent websites – read here.  

First relief sought was that the voter should be able to verify the correctness of the vote slip printed by the VVPAT AND assure himself/herself that it is cut and dispensed into the ballot box. Prashant Bhushan explained (or tried to) that the existing arrangement is deficient and he offered three alternatives – i) revert to paper ballot, ii) hand over the vote slip to the voter who can verify its correctness and dispense it into a ballot box and iii) keep the light inside the VVPAT behind a dark glass (why on earth this glass should not be transparent is NOT explained satisfactorily by ECI – the secrecy argument is totally specious as the voter compartment is always placed in a corner of the room) illuminated all the time so that the voter would leave the voter compartment only after full satisfaction: the correct slip is printed, cut and dispensed into the ballot box – it is not sufficient to light up the lamp for a mere seven seconds to show the slip to the voter. Amazingly, the order has explicitly denied this right to the voter – JDD elaborates in his separate order – in para#15 & 16 page#48 & 49 - that under Rule 49M(3), it is sufficient to merely show the slip to the voter! Obviously, the Judge never understood the method of hack – in which consecutive votes are stolen and cast in favour of hacker’s party WHEN THE LAMP IS SWITCHED OFF. In this method of hacking, the vote count in CU and VVPAT printed slips would match; watch one of many explanatory demos, using representative machines, how this consecutive votes are stolen demo of 13 min. The Justices elaborate naively in their order that never in the past have discrepancies been reported between the CU count and manual count of VVPAT printed slips, therefore, no hacking could have ever taken place! That hack can happen even when the counts are consistent was not understood at all. The order quite unnecessarily derides the demand for paper ballot (Godi media had also amplified the “retrograde demand of paper ballot”) and the demand for voter slip being handed over to the voter WITHOUT MENTIONING ALL THE THREE ALTERNATIVES. Based the third alternative Prashant Bhushan offered, the Justices should have quizzed the ECI to articulate methods of satisfying the voter that the vote is correctly printed, cut and dispensed into the ballot box – ECI should have specifically answered why it has designed the complicated system of switching light on off and generating an audio beep signal – ECI should have been asked to explain why the simple method of illuminating the cutting operation and dispensing of the slip in the ballot box was not preferred. ECI had revealed in the court that there is a sensor which detects the falling slip and it sends out an audio beep. What if the audio beep signal is generated falsely by a hacked VVPAT? Therefore, the relief of voter verification should have been granted to foil this smart method of hacking. Post-results-audit can also detect this hack, however, the cost of foiling the hack is much smaller than the cost of recovering from the consequences of a hack after it has been allowed to happen.

 

Second relief the petitioners asked for was manual count of 100% vote slips and comparing the same with CU count (the comparison would diminish the errors of manual count – the order shows the wisdom of comparison escaped their comprehension completely). This comparison would serve to foil the simpler, though a dumber, hack of voter pressing the button of one candidate and the vote in the CU being written of another party. In this hack the vote slip of the correct candidate in a manual count would not match with CU count. This hack is easy to catch, therefore, it is not likely to be preferred by a sophisticated hacker. It is a no-brainer that the hacker is not likely to be a run-of-the-mill type; the subversion of Indian elections can entangle trillions of rupees (the General Election 2024 is projected to cost 14 Billion USD) and national security. The order allows only 5% of EVMs to be tallied manually in a constituency. However, it has directed ECI to evaluate bar code printing on the vote slips for possible machine counting in future elections. The denial of this relief was not logical and pennywise pound foolish. According to SY Quraishi the 100% manual count of vote slips cannot be compared with the paper ballot era when the ballot papers could be the size of a newspaper. With small VVPAT printed vote slips, it is feasible to finish counting within one day – watch here. By capping the manual count to 5% of EVMs per constituency, the chances of the second type of hack still remain, however, this is not as much a serious compromise as is the denial of the aforementioned relief of verification by the voter because that allows the smarter hack to still take place. In a review petition, the first relief ought to be demanded and perhaps with a bigger bench, the chances of convincing the judges will be better!

The judgment has many other technical bloopers (for e.g. para#22 the candidate data file is a bit map file – it cannot be so as the candidate name and ID apart from the symbol needs to the transferred). The language used in the SCI order, in many places, seems to be that of BEL or ECIL engineers, as pointed out by Kannan Gopinathan in a recent interview to Poonam Agarwal who had helped unravel the Electoral Bond scam.

     

 

Friday, April 26, 2024

EVM VVPAT curious Judgment of SCI - good thing - it will deter hackers as they could get caught

 

The SCI judgment, of the morning of 26-Apr-24, on the EVM VVPAT petitions delivered zero justice to citizens of India and a partial consolation to political contestants in the Indian elections. No thanks to Political Parties, which never took a consistent or firm stand against the EVM usage, the heroic efforts of Jagdeep Chhokar of ADR represented by Prashant Bhushan and many other petitioners deserve a salute. This is a fight between citizens and ECI, and not between a political contestant and ECI, as the two-judge bench’s order unfortunately seems to project.

Saving grace of SCI order: 

ECI has been ordered to seal the SLU (Symbol Loading Unit – a fancy name of a pen drive which is used to transfer candidate data file into VVPAT) and EVMs after close of polling for a possible audit by engineers of BEL and ECIL. A losing contestant, either 2nd or 3rd, will be allowed to ask for audit of the memory of microcontroller of VVPAT (Voter Verifiable Paper Audit Trail) and CU (Control Unit) within 7 days of results. Bench does not seem to have realized that there is memory outside microcontroller too and the device can be compromised by malware sitting in that memory! Unfortunately, the order has capped the audit as well as manual count of vote slips to previously set limit of 5% per constituency. Regardless of these oddities, this order will deter a hacker as he will fear getting caught during the audit, unless the hacker and the auditors from BEL and ECIL, already accused of being under influence of BJP affiliated directors, are co-conspirators. SCI should have allowed independent auditors to have access to source code to enable them to do audits. However, the bench had refused to divulge the source code earlier. Finally, SCI should have asked ECI to seal the devices effective today instead of 1.5.2024, why allow hackers, if any exist, a free pass?  

The order, with directions to ECI, passed by the two-judge bench of Justices Sanjiv Khanna and Dipankar Datta is deficient on many counts and it is very likely that ADR, the lead petitioner, will file for a review by a larger bench. Indian democracy cannot be exposed to the slightest risk. The existing EVM System is easy to hack and many IIT Professors, other than those on Technical Experts Committee of ECI have confirmed this view. 7,000 eminent citizens had filed a petition before ECI but it did not even acknowledge it. General Elections of 2024 are projected to cost 14 Billion Dollars. Hackers, not the run-of-the-mill type, can entangle not only huge money but also national security. SCI must be tested to see if it pays heed to the voice of India’s citizens.

After this Judgment, the possibility of hacking could reduce considerably due to the possibility of the hacker getting caught. If the audit is done honestly and competently, the hacking would be caught surely if the right EVMs (out of 5% per constituency) are picked by the challenging contestant, otherwise he may still escape detection



RELATED

EVM petitions - proceedings in the SCI

Also read previous blogs - the two methods of hacks and the two reliefs petitioners had asked for.

To reduce the hacking chances to zero, the two reliefs necessary are: 1. Voter must be able to verfify her vote is correct, it is cut and it is dispensed into the ballot box before she walks out of the compartment of voting at the polling booth and 2. 100% of VVPAT printed vote slips must be manually counted and compared with the CU count - in whichever EVM there is discrepancy, recount should be automatically trigerred and in case of persistent difference, the manual count should prevail (this is the existing ECI rule anyway).

  Link

Saturday, April 20, 2024

EVM VVPAT Petitions and the SCI - Voter verification even more important than 100% manual vote count (updated 27th April'24)

 The spectacular bluff of two "silos" of data of Electoral Bonds (EB) that State Bank of India (SBI), represented by top lawyers, tried to pull off was live streamed to the whole country from the Supreme Court no.1 in the month of March 2024. The two "silos" were actually two tables of data. Such data of EB buyer and EB recipient in two tables of a Database (or even Excel worksheets) would require not even three minutes to match but the lawyers of SBI, FICCI and GOI asked the five-judge bench to grant them three months. Had SBI used the word tables instead of "silos", any computer literate person could have pointed out that the matching is a trivial exercise of writing one join query in a database or "vlookup" command in an Excel worksheet.


Another more spectacular drama of EVM System hackability has been unfolding in the two-judge bench of the Supreme Court but this time it is not live streamed; as only constitutional bench proceedings are live-streamed at present. This time ECI is the culprit for obfusctions or outright lies which have left everyone confused. What could have been argued and concluded in two hours went on for three days without any order by the bench. As a result the General Elections of 2024 which have commenced from 19th April with status quo on the EVM System which people of India rightly suspect can be gamed.

The petitioners have laboured to convince the court that EVM System has deficiencies and the possible hacks can be easily foiled by making two changes in processes: i) allow voter to verify the correctness of the printed vote slip and ii) manually count all the printed vote slips and compare with the EVM count (in case of discrepancy, as per existing ECI rules, the manual count prevails). ECI's lawyers and experts argued that there is no deficiency; ECI representatives actually lied and made self-contradictory statements (such contradictory statements also exist on ECI's website).

Firstly ECI has claimed that EVM machines are a standalone system - standalone in IT industry means, "not ever connected to Internet or any network (WAN or LAN)". Secondly, ECI claimed that EVM has only "firmware" as opposed to "software". ECI claimed that the VVPAT (Voter Verifiable Paper Audit Trail) into which Symbol Loading Unit (SLU is a "red herring" name for a pen drive, like silo was the fancy name for a data table) has only OTP (One-time-programmable) memory and that no software (or malware) can be transferred into it through the SLU or by any other means. Both these claims are contradicted by ECI's own admission - as visible on its website pages. 

Search for "standalone" and "OTP" in the linked note here and here - you will find multiple occurrences of "standalone", "laptop" and "OTP" - you can read in five minutes in context what ECI has mentioned. EVM machines (BU, CU and VVPAT) are not the whole picture - EVM System is the whole picture - it comprises of a Central Server to be accessed via Internet, Laptop (in the custody of DEO/RO) and SLU. EVM System by no means is a standalone system and VVPAT has programmable memory too. This being the case, malware (software written by a hacker) can enter the system: via the central server or via the Internet into the Laptop, via the Laptop into the SLU, and finally via the SLU into the VVPAT's programmable memory. This infiltration of malware can occur with or without the knowledge of District Election Officer/Returning Officer or field engineers deployed in the over 1.2 million booths to commission the EVM during the 15 days prior to poll commencement. The malware can make the VVPAT misbehave as per multiple parameters set by the hacker, for e.g. date, time slots, constituency, the party to favour, the party to steal votes from, preceding rate of voting (i.e. misbehave only when there is rush) etc. Prashant Bhushan, ADR's Sr advocate, did try to explain some of these characteristics but the Justices cut him off frequently. 

The petitioners have made very sensible and feasible demands. Will the bench grant these reliefs? Without these reliefs, the 2024 Election's system will be highly fraught and its results untrustworthy. The public, at least a large section, will lose complete faith in the ECI's and GOI's democratic credentials.

Reliefs sought:

RELIEF # 1 to defeat 1st method of "steal the same successive votes - hack": The voter should be able to pick up the VVPAT printed slip for verification and physically insert it into the ballot box; else the voter should be able to see the vote slip printed is correct and it is actually cut and dispensed into the ballot box - it is not sufficient for the voter to just see the vote slip (because it could be the previous voter's slip which has not been cut and dispensed due to a hack) - this means the light should remain on and not merely for seven seconds, as is presently the case. This is a clever hack because it cannot be caught - the stolen consecutive 2nd or 3rd or successive votes (as parameterised) - cast in favour of the hacker's party - will not be seen because their printing, cutting, dispensing into ballot box and writing into the CU will all occur only when the light is in the switched off state and in few seconds after the button for a different party's candidate is pressed by a subsequent voter or when the stealing parameter count is reached. In this hack, the vote count in CU and the manual count of VVPAT printed votes will match. Therefore, even a 100% manual vote count cannot foil this hack. This delayed printing of consecutive vote will likely be the preferred method of hack.
 
RELIEF # 2 to defeat the 2nd method of "print correct vote slip but write vote in CU for hacker's party candidate - hack": The election results should be based on a manual count of 100% slips. In case of discrepancy between the manual count and the CU count, recounts may be ordered. Ultimately, the manual count would prevail and not the CU Count. This change in process is required to foil the second method of possible hack of VVPAT printing a vote slip for one party and writing into the CU a vote of another party. Compared to the above method of hack, this one is laible to be caught and, therefore, less likely to be preferred by the hacker.
 
RELIEF # 3 for safe transport: After the Polling finishes, the CU and the Ballot Box pairs are transported to the counting station. During the journey, oversight of contestants' representatives should be allowed.
 
RELIEF #4 for enabling genuine complaints: Presently a voter who complains to the Presiding Officer (PO) in the Polling Booth that his/her vote is not properly generated, i.e. the VVPAT has printed the wrong vote - is required to prove the allegation is correct through a retest. If the error is repeated well and good but if it is not repeatable, the voter can face a fine of up to Rs.1,000 and imprisonment of up to 3 months or both. It is a matter of common knowledge that programs can be written to work with random parameters or based on parameters such that without the knowledge of source code, no one can predict if the error will repeat nor when it will repeat. The punishment under rule 49MA - Section 177, should be totally removed as it is illogical, and it works as a deterrent for genuine voter complaints - unless source code is made public, and its auditability allowed before and during elections.  
   
The RELIEF#1 and 2 are essential but the 1st one is more important. Without these changes, the results of 2024 General Elections will always be suspect.

Both ECI and SCI have treated the challenges to the EVM usage in elections with contempt and derision. Requests for a meeting of political parties, citizens councils and lawyers to ECI have been ignored, not even acknowledged.

The petitions principally focused on EVM vulnerabilities have been pending with the SCI for many months or even years. In March'24, when Kapil Sibal and Prashant Bhushan, on behalf of ADR (Association of Democratic Reforms) requested SCI for an urgent hearing since the General Elections 2024 were set to start from 19-Apr-24, they were told that there are many pending matters and their pleas will be heard and decided before the polling starts.

The bench of Justices Sanjiv Khanna and Dipankar Datta finally heard the petitioners on 16th April, 18th April and 24th April for about 2.5 days and finally reserved the order. On 24th April the bench had asked ECI to provide answers to six questions. One question was about the repgrammability of microcontroller program in the EVM - in the VVPAT or the CU? This is a wrong question to ask. Even if the program is unalterable because it sits in the OTP memory, the device can be hacked - by malware being loaded into the programmable memory (VVPAT has both OTP and programmable memory) and intercepting the commands going into or out of the program. So the elections have started with status quo being maintained, no one knows when and what the bench will rule on the two main demands of the petitioners.

RELATED



Search for "laptop" in the proceedings - live updates from Bar & Bench here
There is a crucial fact of use of a laptop in every election cycle in every constituency, possibly every booth, where "EVM" must be commissioned within two weeks prior to polling date - this has always been obfuscated by ECI. Judge asks an incoherent but a leading and somewhat meaningless question, "software by ECI has a lock mechanism". Firstly, the software according to ECI does not exist in VVPAT - only firmware exists in VVPAT, secondly ECI itself does not have software which is kept secret by BEL and ECIL; no one knows what is meant by "lock in mechanism", ECI does not provide an answer either.
  
Excerpts (copied from Bar & Bench updates):

12:03 pm, 18 Apr 2024
  •   
  •  
Supreme Court: The SLUs are not stored to ensure that there is no tampering. etc.? Of course, very difficult.. SLU is done from the computers.. laptop etc used by returning officer.. The software by ECI has a lock in mechanism.

ECI: Yes, it is a secured software.

------------------------------------------------------------

21-Apr-24 The Leaflet this article reproduces portions of the proceedings and highlights the relevant issues here


Terminology primer for non-IT readers:

Any computer system or an intelligent device (e.g. VVPAT, Smartphone) works with the following components:

Hardware
Firmware - this sits in OTP (one-time-programmable) memory
Operating System - OS (or Control Program) - this sits in programmable memory
Application Program
Data (input from keypad or sensors or attached devices like pen drive)

Hacker corrupts the Operating System or the Control Program - if someone has the source code (or even the object code - from the set of stolen EVM machines - object code could be retrieved and reverse compiled - this is surely within the reach of a sophisticated hacker) then malware can be written into the programmable memory - in context of VVPAT, this can be done at the time SLU is inserted for copying the candidate data file; the SLU would likely be infected via the DEO/RO's laptop. 

Any laptop requires an OS and the OS can be infiltrated by malware knowingly or unknowingly by the user. Everyone knows when a computer is connected to Internet, virus can enter the computer - even if anti-virus program is installed on the device - this happens unknowingly - user can also download a malware knowingly, if he wants to. Everyone knows Windows OS is easy to hack, that's why antivirus programs are necessary to instal. Most of the computers today run under Windows OS. We donot know which OS runs on the laptops the DEO/RO use in commissioning the EVM. ECI representative at some point mentioned in the court that PO's (Polling Officer) laptop is used in commissioning of EVM, whereas on ECI website, it says, DEO/RO's laptop is used. The SLU (pen drive) inserted into an infected laptop will carry the malware and transfer it into any other computer or intelligent device (like the VVPAT) into which it is inserted. This is not rocket science.


Saturday, March 23, 2024

Election Reforms for India - EVM and Political funding - immediate fixes required to save democracy

This blog is not a plea for junking the EVM System, rather about making two process changes and junking few rules that thwart legitimate challenges. This will make the EVM System safe to use - the citizens will be saved from hacking that any party or anyone (a hostile country) with resources can EASILY execute in the existing system. 

[Reference links given at the bottom. If you want to cut to chase, the link related to challenges to EVM copied here: Challenges to EVM and reaction of authorities ]

 

In a democracy, it is said, the people get the government they deserve. But what if the election process gets or can get compromised (hacked)? What if only one side gets all the resources to campaign and fight elections by tilting "the level playing field"? Both these problems have become manifest in India, and it is unlikely they can be resolved without the intervention of the Supreme Court of India. With what India has now begun to be called a "Electoral Autocracy", will very soon turn into a "Sham Democracy" or a "Total Dictatorship"; very far from "Mother of Democracy" boast of PM Modi.

Election Commission of India (ECI), an "independent constitutional authority", has announced India’s 18th Parliamentary Elections in seven phases 19th April through 1st June 2024 (a record duration of 44 days) with results scheduled to be announced three days later. ECI will setup 1.2 million polling booths across 543 Parliamentary Constituencies in which 960 million eligible voters could exercise their franchise. In the 2019 General Elections, 669 Political Parties and 3,469 independent candidates contested, and each one was allotted a unique symbol by the ECI.
ECI uses the Electronic Voting Machine System which has been hyped as the “Gold Standard”. Using the EVM System, the results can be announced within three days or else with manual counting, it may take about a week. The reality is that EVM System uses obsolete technology coupled with Internet and millions of staff to conduct the elections whereas India has the necessary Digital Public Infrastructure to conduct online elections in a fraction of the time and cost.
The 2019 General Elections involved an expense estimated at $ 8 Billion and the 2024 General Elections are projected to cost $ 14 Billion making them the costliest in the world. BJP (Bhartiya Janta Party) the ruling party, is estimated to have outspent ALL other parties put together in 2019. The skew will likely become greater in 2024. This is apparent from the partial disclosure of “white money” BJP mobilised through Electoral Bonds (white money is mobilised via banking channels and black money outside it). The black money every party mobilises and spends in elections is estimated to be 10x times the white money. There is little or no transparency in political funding – it was always fraught with quid pro quo but now it has emerged that extortion by the ruling party is routinely being used. SCI recently ruled EB to be illegal and forced State Bank of India and ECI to publish all details of bonds purchased and encashed by all political parties in the interest of transparency and curbing extortion and quid pro quo.    
With the above background information, let us consider the two problems and fixes one by one.

First, the EVM System which can upend the election results - what are the fixes:

After many curious results in 2019 elections, there have been multiple petitions filed in the Courts including, the Supreme Court of India (SCI) as ECI has either refused meetings sought by Opposition leaders or summarily dismissed all challenges. SCI has either turned down appeals for many of the reforms sought or dismissed them. However, in the past few months, particularly after statistical improbabilities of certain results were highlighted in a research paper, entitled “Democratic Backsliding in the World’s Largest Democracy” by Sabyasachi Das (who resigned afterwards from Ashoka University due to backlash) and also technical repudiations of claims ECI has made - (a) EVM is NOT a standalone system and (b) the VVPAT is NOT an One-Time-Programmable (OTP) device - by Kannan Gopinathan, who had work experience as an engineer with Motorola, as an ex-IAS Government officer and as an ex-Returning Officer (RO is in charge of conducting elections in a district) - the question of hackability has been closely examined and confirmed by many technical and industry experts. Furthermore, demos have shown how the EVM System can be gamed. The opposition to the manner of EVM usage has now picked up steam. ECI itself contradicts both its claims (those repudiated by Kannan Gopinathan) in its presentation and FAQ pages on its website. CCE (Citizens Commission on Elections) and ADR (Association of Democratic Reforms) and others have filed multiple petitions against use of EVMs and SCI has finally agreed to hear these before the end of March’24. Over 7K eminent citizens have signed petitions - these include retired Supreme Court Judges, retired Secretaries of GOI, Lawyers, Activists and Computer Science Professors.  
Just so that we are clear of the terminology, let’s understand what “EVM” is versus “EVM System” - the graphics below are copied from ECI website - red colour annotations are added. In the ECI website pages revised in Feb’24, the “EVM” consists of these three machines (CU, VVPAT and BU):
 



 
To commission the above three machines, the following devices are also employed (not disclosed by ECI in any public document), and most importantly, it is nowhere mentioned by ECI that Laptop needs to be connected via Internet to a central server (presumably belonging to ECI) which has the data of contestants (candidate names, ID, and symbol):
 




It is important to note that within 15 days before polling commences, the “commissioning” must be done: Symbol Loading Unit (SLU) is connected to a laptop for downloading the symbols of candidates from the central server accessible via Internet, then it is inserted into the VVPAT for uploading the same – it is at this moment, a rogue program can infiltrate the VVPAT AND EVM SYSTEM COMPROMISED. The hacker needs to subvert only few field staff – only in those booths which matter to his side. The hackers’ planners undoubtedly have booth level voters’ list – available in public domain; they know which are “sensitive” booths – which can swing the results. As there are over a million EVM Systems to be commissioned, within 15 days, there is an army of field staff hired by ECIL and BEL. Electronic Corporation of India and Bharat Electronics are the two public sector units which supply EVM hardware, firmware, and software. News has emerged that BEL’s board includes 3-4 BJP officers. To say the least, the EVM commissioning process in million plus booths should be a security nightmare for any System Designer. Why ECI has not discussed – the process in which Internet access via a laptop becomes necessary - in either its FAQ or Presentation pages – is a question begging to be asked.
 
It is also ironical that none of the well-known IT tycoons of India has spoken out about the obsolete design and vulnerabilities of the "EVM System". In the meanwhile, ECI is flogging the “invincible EVM” assessments of few IIT Professors (all on Government's payroll) of whom 2 or 3 on their expert committee, hold patents over the VVPAT design. The conflict of interest, as well as the fact that none of these professors are security experts, does not bother the ECI; nor the fact that the software source code is not divulged by ECIL and BEL to ECI. The ECI presentations do not distinguish the "EVM" (three animals) and "EVM System" (six animals with Internet connectivity). One would wonder if ECI is innocent, or it is obfuscating terminologies and hiding the details of commissioning process, which makes the EVM System easily hackable, on purpose.
 
Just as the rewards or stakes of hacking India's elections bear no comparison with hacking of an organisation's or an individual's account, so also the calibre and organisational wherewithal of the former are expected to be many magnitudes higher than the latter. Motivation for subversion of India’s elections can entangle not just trillions of rupees but national security too.
 
 



 
 
 
In the existing process (graphic copied from ECI website), this is what happens (or can happen):
 
  1. An elector (voter) walks into the Polling Station (PS) with an ID proof. S/he walks up to the row of Polling Agents of Political parties, and they tick off the name after verifying his/her name on the voters list. If name is not found, the voter is not allowed to vote. [It is alleged that many voter names are deleted by ECI due to system deficiencies or mala fide designs of the ruling party.]
  2. Indelible ink is smeared with a thin swab on one finger of the eligible voter. [ECI is not sure if the same voter is listed multiple times in different locations (booths) as there is no citizen ID in India at present.]
  3. The voter walks up to the Voting Compartment and waits to press a button on the BU to register his/her vote. The BU has the names of contestants and election symbols adjacent to buttons. Max 16 names per BU - they can be daisy-chained.
  4. The Polling Officer with the CU presses a key to enable the BU to register a vote.
  5. After hearing the audio beep that tells everyone in the room that BU is enabled to accept one vote, the voter pushes a button on the BU to register his/her vote.
  6. A tiny window with one way mirror glass on the VVPAT lights up for 7 seconds during which the voter can see the voting slip with the name of the candidate and symbol! Voter must assume that this slip is not of the previous voter - though there is no telling it could well be of the previous voter who voted for the same candidate - a hacked VVPAT could behave in this manner. If the visible slip is NOT as per the vote cast, then the Voter can complain to the Presiding Officer, and fill out a form to nullify the "wrong vote". There is an intimidating process to rectify the error - which includes actions to "prove" that the machines are misbehaving! Failure to prove the misbehaviour attracts a penalty of Rs.1,000 and imprisonment of three months! VVPAT is supposed to write a record of the vote in the CU; a hacked VVPAT could well write a vote in favour of a candidate of hacker's choice.
  7. The voter having cast his/her vote, walks out trusting the vote is recorded correctly in the CU and that the slip s/he saw in the VVPAT has been indeed dispensed in ballot box. It could well be that the slip has NOT been dispensed in the ballot box nor recorded in the CU. A hacked VVPAT could behave like this - hold all consecutive votes of an adversary party (adversary of the hacker's party) until a vote is cast of a different party - upon that happening, the hacked VVPAT could print and dispense all the votes it had held back, in favour of the hacker's party candidate, and record the votes in the CU consistent with the printed slips!     
CJI recently said, "The great stabilizing force in the country is the purity of the election process". As ECI is clearly aligned with the Government, it is only the SCI that can provide a solution.
What exactly is the fix for the EVM System that will foil the above hacks and is feasible to implement before the polling starts on 19th April 2024? It is really a very easy fix that SCI can order:  
 
CHANGE # 1 The voter should be able to pick up the VVPAT printed slip for verification and physically insert it into the ballot box.
 
CHANGE # 2 The election results should be based on a manual count of 100% slips. In case of discrepancy between the manual count and the CU count, up to two recounts may be ordered. Ultimately, the manual count would prevail and not the CU Count. 
 
CHANGE # 3 After the Polling finishes, the CU and the Ballot Box pairs are transported to the counting station. During the journey:
i) CU and Ballot Box pairs should NOT be transported and stored together and
ii) Oversight of contestants' representatives should be allowed.
 
CHANGE #4 Presently a voter who complains to the Presiding Officer (PO) in the Polling Booth that his/her vote is not properly generated, i.e. the VVPAT has printed the wrong vote - is required to prove the allegation is correct through a retest. If the error is repeated well and good but if it is not repeatable, the voter can face a fine of up to Rs.1,000 and imprisonment of up to 3 months or both. It is a matter of common knowledge that programs can be written to work with random parameters or based on parameters such that without the knowledge of source code, no one can predict if the error will repeat nor when it will repeat. The punishment under rule 49MA - Section 177, should be totally removed as it is illogical, and it works as a deterrent for genuine voter complaints - unless source code is made public, and its auditability allowed before and during elections.  
 
Anything more than above demands in petitions pending in the SCI, may not be feasible to implement in the short time available before the elections. Anything less will not eliminate the threat of the election results getting hijacked.
Manual count in 100% of polling stations may take one week at most for counting which is trivial considering the current schedule which is of 47 days: 44 days for polling + 3 days for counting.

Summary:
Remember the VVPAT hack can be of two types -

  • The vote slip dispensed, and the vote recorded in CU are consistent but NOT according to the vote cast on the BU, therefore, Change # 1 of verification by voter is required
  • The vote slip dispensed is consistent with the actual vote cast, but the vote recorded in CU is NOT, therefore, Change # 2 of rule of manual count compared with CU count and manual count to prevail, is required
  • The possibility of a fraud of replacing the CU and Ballot Box pairs is non-trivial because a RTI based PIL had revealed that whereabouts of many EVM Systems are not known to ECI. Therefore, Change # 3 of rule of transportation is required
  • The punishment should be totally removed as it is based on an illogical premise of predictability of hacked programs, and it deters genuine complaints of voters. If source code is made public, independent auditors can confirm if VVPAT, BU and CU are working as per original program; this will allow citizens to prove hacking else it is NOT provable. Therefore, Change #4 of rule of fines or punishment should be removed or else the source code should be made public and the option of auditability of the source code should be provided
 

Second, the pernicious political funding system which reduces chances of honest and smart candidates winning elections - fixes required

Funding reforms that can be done immediately


  • ECI should mandate 100% disclosure of all funds mobilised by every contestant and every political party. In todays world this is easy and the name of the donor, his identifier, the amount of donation and date should be the minimum data included in the list to be published on the website of the party or individual or ECI provided platform. At present donations below Rs.2,000 need not be disclosed. This loop hole is exploited by parties - one party had claimed that its entire funding was of smaller donations, therefore, not a single name was disclosed!
  • The elections expense caps which apply to contestants should be totally removed. The expense caps are so low that virtually all contestants are forced to tell lies because they spend much more money than is legally allowed. Those who do not have unaccounted (black) money, tend to lose out. The existing system reduces the chances of honest and smart candidates winning elections and it rewards those who have lot of black money and who can manipulate the system and get others to spend on their behalf (with quid pro quo of course). 
  • The State should provide free airtime on its TV channels – national and regional - to all contestants. It should also arrange leading three or four contestants to debate so that voters are better informed before they vote. The moderators can be selected by the candidates themselves. The recorded debates and statements of objects should be made available on ECI's portal.    
 
The above election reforms related to political funding will improve the transparency and reduce costs candidates incur in fighting elections. At the same time the citizens will make more informed decisions and the candidates become more accountable because their statements can be recalled by voters, and their accomplishments, can be compared with their promises or objects.
The reforms that can be done in the next five years (2024 – 2029) – before the General Elections of April-June 2029
In the previous Elections of 2019, of those 900 million eligible voters, 67% voted. The largest share of votes was polled by BJP. With 37.4% vote-share, BJP bagged 303 seats; they can thank India’s First Past The Post (FPTP) system for the disproportionate seat-share of 55.8% (absolute majority) they got. The NDA (National Democratic Alliance) of which BJP was the main partner, polled 45% of the votes and won 353 seats which amounts to 65% seat-share in the 543-member lower house of the Indian Parliament – Lok Sabha (LS).
The Two Round System (TRS) followed by France ensures the winner has at least obtained 50% votes. India uses TRS for President and Vice-President elections but not for legislators in LS or State Assemblies (Vidhan Sabha). With TRS, the Opposition parties with similar ideologies (aka “secular” ideologies), or the types which conflict with the right-wing Sangh Parivar ideology (aka Hindu Supremacist ideology), would have fared better because their votes which get splintered in the first round would likely coalesce in the second round in a one-on-one contest; in TRS, if in the first round no candidate wins over 50% votes, the top two candidates in the first round, get to contest in the second round. Therefore, in TRS, Opposition parties and not BJP would have obtained the majority of seats in the Parliament. The election reform of replacing FPTP system with TRS could ensure a far more representative democracy in India as India has multiple parties and often coalition governments, unlike in USA which has two dominant parties. Even without a pre-poll alliance, the Opposition parties would have defeated the BJP in 2019 – a completely different outcome would have been assured – one which would better reflect the preference of the majority (62.6%) of the voters. The irony is that Modi is pushing forward the reform of “One-Nation-One-Poll” (ONOP) whereas the Opposition has no interest in advocating alternative systems – one wonders if they have any clue about the importance of the TRS in context of INDIA grouping they are trying to create before the 2024 elections?  ONOP, it is argued will save costs and time whereas an online voting system can save far more cost and time. Even while continuing the FPTP system, an online system can easily replace the obsolete EVM System and assure greater security – reliability and cost savings.
 
 
RELATED REFERENCES:
 
Challenges updated - on 1-Apr-24 SCI has issued notice to ECI in the petition against EVM processes

how Iran Nuclear fuel processing centrifuges were knocked out by CIA even though Iran's engineers had claimed the plant had "stand alone" systems - just like ECI is claiming their devices are in a "stand alone" state - they allow connecting a SLU before commissioning the system - this is sufficient to infiltrate a rogue program into VVPAT. The hacking can be done selectively - in certain systems only - as all the machines have unique IDs. The rogue program can behave according to a date - time - number of votes cast - schedule - thus defeating the FLC which ECI pompously claims is sufficient proof of proper functioning of the EVM system. They are fooling the public or they are ignorant.

 

EVM System - updated website - new revelations and questions 

(ECI has updated its website pages; new FAQ on 7-Feb-24, Presentation too is changed; probably in response to recent protests and demos of hacking; it has now changed the definition of EVM - earlier it used to mean BU and CU but now it includes VVPAT; so, EVM now cannot be claimed to be OTP device as VVPAT has programmable memory; furthermore EVM System, is more than EVM but ECI is silent on it). 

 

ECI presentation on EVMs - false claims and misrepresentations discussed in this note

 

Are EVM System components OTP type devices? No clear answer from ECI/GOI

 

The hardware in EVM System of today can be easily replaced by Smartphones running a secure App - within weeks

 

Kannan Gopinath's interview on EVM system hackability

Read about the two hack demos. Recently hacks of EVM System were demonstrated and videos shown on 4pm News Network. In these hacks the VVPAT votes differently from the actual votes cast - the slips printed and vote recorded in the CU were consistent. Therefore, the manual count of slips and the count from the CU would match. This type of fraud can only be prevented if Demand#1 is met, else it would require software audit but that is not possible as ECI and SCI have said that software is secret. SCI on the one hand ecourages Open Source - but on the other hand, in this particular instance, it protects the IPR of a ridiculously simple program - GOI can easily get the same software developed in Open Source or buy the IPR for cost which is not likely to exceed few million rupees! Another intriguing thing to read about is that 1.9 Million EVM Systems have gone missing - The Wire article of 22-May-19.

 The Wire article series on multiple issues including EVMs "India Black Boxed":

4-Jan-24 MK Venu

24-Feb-24 Venkatesh Nayak


EVM Opposition - by senior leaders - call for reforms - urgency ignored by ECI and SCI - 2024 General Elections become fraught

 

Political funding existing in India today is recognised as the fountainhead of corruption: Notes

 

SBI stonewalling SCI - is it perjury and contempt? SCI's honour was at stake - partially redeemed

 

How BJP raises its funds - white (5% to 10%) and black (90% to 95%) - world's biggest and most corrupt party

 

On-line voting and political funding India requires: Blog