Sunday, April 28, 2024

EVM Petitions - analysis of SCI Judgment of 26th April, 2024 - good part and the curious (bad) parts

 

SCI Judgment of 26th April’24 – Justices misunderstood EVM petitions; fortuitously the relief given, which petitioners never asked for, will reduce chances of hacking considerably

 

The two-judge bench of the Supreme Court of India (SCI) delivered its much delayed judgment on ADR’s petition filed a year ago (other petitions were tagged with it), on the day of the second phase polling of General Elections 2024 which had started a week earlier. This was a contest between the citizens of India and ECI and not one between any political party and ECI or the Government – none of the political parties were petitioners. The bench missed this point and gave reliefs that petitioners never asked for. The SCI gave the right to 2nd and 3rd losing contestants to demand audit of devices - EVM (comprising Voter Verifiable Paper Audit Trail – VVPAT and Control Unit – CU and Ballot Unit - BU) and SLU (Symbol Loading Unit) with the help of BEL and ECIL engineers (para#75 page 37/38 of Order signed by both Justices – Sanjiv Khanna and Dipankar Datta; separate order was signed by only JDD).

So, the good part of the order is the directions issued to ECI which will CONSIDERABLY REDUCE the chances of hacking because of the fear of getting caught during the audit, if done honestly and competently. Unless the audit process, in the hands of ECI (BEL and ECIL engineers), is subverted, the risk for hackers getting caught will be great. The order has limited the audit to a maximum of 5% of EVMs per constituency – had the losing contestants (number 2 and 3) been allowed to ask for audit of all EVMs, the hacking would have had no chance of escaping detection. The order makes it explicit that the burden of cost of audit will be on the challenger, but it does not speak about the consequences of discovery of malware in the suspected devices – will repoll be ordered around the booth where EVM was deployed, or the whole constituency, or the whole country? The order shows its magnanimity (a lofty sense of justice?) in refunding the cost defrayed by the challenger should any tampering be detected! It is strange that the order did not consider it justifiable to appoint independent auditors in resolving the audit challenge. Independent auditors could have compared the object code (access to source code is not necessary) in the suspected machines with healthy machines provided by ECI and given their verdict about the evidence of tampering, i.e. presence of illegitimate stuff (malware or any foreign software). The order unnecessarily elaborates that “microcontroller’s burnt memory” will be subject to audit – what about the flash memory of 4MB (see paragraph#22 in the order)? For the two types of hacks which the Justices didn't understand, the problematic parts of the judgment and a semi-technical note on the EVM hackability, read here.
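The object-code comparison described above can be sketched as follows. This is an added example, not code from ECI, BEL, ECIL or the order: the memory layout, region names and scaled-down sizes are assumptions, and both dumps are constructed sample data. It shows why the audit scope matters: a comparison limited to the microcontroller's memory reports nothing when the difference sits in the external flash.

```python
import hashlib

# Assumed layout (not from the page or any vendor document): region name ->
# (start offset, length) inside one concatenated memory dump. Sizes are scaled
# down; the order mentions a 4 MB flash, this sample uses 3 KiB.
REGIONS = {
    "mcu_program_memory": (0, 1024),
    "external_flash": (1024, 3072),
}
BLOCK = 256  # comparison granularity in bytes


def _digests(image, start, length):
    """SHA-256 of each BLOCK-sized slice of one region of a dump."""
    region = image[start:start + length]
    return [hashlib.sha256(region[i:i + BLOCK]).hexdigest()
            for i in range(0, length, BLOCK)]


def compare_dumps(reference, suspect, audited):
    """Compare a suspect dump against a known-good reference dump.

    Only regions named in `audited` are examined; the rest are listed as
    unaudited so the report states what the audit did NOT cover.
    """
    report = {
        "size_mismatch": len(reference) != len(suspect),
        "modified": {},   # region -> offsets of differing blocks
        "unaudited": [],  # regions outside the audit scope
    }
    for name, (start, length) in REGIONS.items():
        if name not in audited:
            report["unaudited"].append(name)
            continue
        ref = _digests(reference, start, length)
        sus = _digests(suspect, start, length)
        bad = [start + i * BLOCK
               for i, (a, b) in enumerate(zip(ref, sus)) if a != b]
        if bad:
            report["modified"][name] = bad
    return report


# Constructed sample data: a 4 KiB "healthy" dump and a copy in which ten
# bytes inside the external flash region differ.
REFERENCE = bytes(range(256)) * 16
_tmp = bytearray(REFERENCE)
_tmp[2000:2010] = b"\xff" * 10
SUSPECT = bytes(_tmp)

if __name__ == "__main__":
    print("MCU-only audit:", compare_dumps(REFERENCE, SUSPECT,
                                           {"mcu_program_memory"}))
    print("Full audit:    ", compare_dumps(REFERENCE, SUSPECT, set(REGIONS)))
```
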

Let’s now consider the curious (bad) part of the order which betrays the misunderstanding on the part of the honorable Justices – and which is worthy of a challenge in a review petition. The main petitioner’s Sr advocate, Prashant Bhushan asked for sensible reliefs which would have served to FOIL hacking of EVM System completely. He did not allege that hacking has indeed happened. This does not mean that hacking cannot happen in future because of vulnerabilities in the EVM System. He also explained all the important vulnerabilities and tried to elaborate the possibility of malware infiltrating the “programmable memory” of VVPAT but JSK cut him off multiple times – as can be read from proceedings in the court – live updates from independent websites – read here.

First relief sought was that the voter should be able to verify the correctness of the vote slip printed by the VVPAT AND assure himself/herself that it is cut and dispensed into the ballot box. Prashant Bhushan explained (or tried to) that the existing arrangement is deficient and he offered three alternatives – i) revert to paper ballot, ii) hand over the vote slip to the voter who can verify its correctness and dispense it into a ballot box and iii) keep the light inside the VVPAT behind a dark glass (why on earth this glass should not be transparent is NOT explained satisfactorily by ECI – the secrecy argument is totally specious as the voter compartment is always placed in a corner of the room) illuminated all the time so that the voter would leave the voter compartment only after full satisfaction: the correct slip is printed, cut and dispensed into the ballot box – it is not sufficient to light up the lamp for a mere seven seconds to show the slip to the voter. Amazingly, the order has explicitly denied this right to the voter – JDD elaborates in his separate order – in para#15 & 16 page#48 & 49 - that under Rule 49M(3), it is sufficient to merely show the slip to the voter! Obviously, the Judge never understood the method of hack – in which consecutive votes are stolen and cast in favour of hacker’s party WHEN THE LAMP IS SWITCHED OFF. In this method of hacking, the vote count in CU and VVPAT printed slips would match; watch one of many explanatory demos, using representative machines, of how these consecutive votes are stolen (demo of 13 min). The Justices elaborate naively in their order that never in the past have discrepancies been reported between the CU count and manual count of VVPAT printed slips, therefore, no hacking could have ever taken place! That a hack can happen even when the counts are consistent was not understood at all.
The order quite unnecessarily derides the demand for paper ballot (Godi media had also amplified the “retrograde demand of paper ballot”) and the demand for voter slip being handed over to the voter WITHOUT MENTIONING ALL THE THREE ALTERNATIVES. Based on the third alternative Prashant Bhushan offered, the Justices should have quizzed the ECI to articulate methods of satisfying the voter that the vote is correctly printed, cut and dispensed into the ballot box – ECI should have specifically answered why it has designed the complicated system of switching the light on and off and generating an audio beep signal – ECI should have been asked to explain why the simple method of illuminating the cutting operation and dispensing of the slip in the ballot box was not preferred. ECI had revealed in the court that there is a sensor which detects the falling slip and it sends out an audio beep. What if the audio beep signal is generated falsely by a hacked VVPAT? Therefore, the relief of voter verification should have been granted to foil this smart method of hacking. Post-results-audit can also detect this hack, however, the cost of foiling the hack is much smaller than the cost of recovering from the consequences of a hack after it has been allowed to happen.

 

Second relief the petitioners asked for was manual count of 100% vote slips and comparing the same with CU count (the comparison would diminish the errors of manual count – the order shows the wisdom of comparison escaped their comprehension completely). This comparison would serve to foil the simpler, though dumber, hack of voter pressing the button of one candidate and the vote in the CU being written for another party. In this hack the vote slip of the correct candidate in a manual count would not match with CU count. This hack is easy to catch, therefore, it is not likely to be preferred by a sophisticated hacker. It is a no-brainer that the hacker is not likely to be a run-of-the-mill type; the subversion of Indian elections can entangle trillions of rupees (the General Election 2024 is projected to cost 14 Billion USD) and national security. The order allows only 5% of EVMs to be tallied manually in a constituency. However, it has directed ECI to evaluate bar code printing on the vote slips for possible machine counting in future elections. The denial of this relief was not logical and was penny wise, pound foolish. According to SY Quraishi the 100% manual count of vote slips cannot be compared with the paper ballot era when the ballot papers could be the size of a newspaper. With small VVPAT printed vote slips, it is feasible to finish counting within one day – watch here. By capping the manual count to 5% of EVMs per constituency, the chances of the second type of hack still remain, however, this is not as serious a compromise as is the denial of the aforementioned relief of verification by the voter because that allows the smarter hack to still take place. In a review petition, the first relief ought to be demanded and perhaps with a bigger bench, the chances of convincing the judges will be better!

The judgment has many other technical bloopers (for e.g. para#22 the candidate data file is a bit map file – it cannot be so as the candidate name and ID apart from the symbol need to be transferred). The language used in the SCI order, in many places, seems to be that of BEL or ECIL engineers, as pointed out by Kannan Gopinathan in a recent interview to Poonam Agarwal who had helped unravel the Electoral Bond scam.

     

 

Friday, April 26, 2024

EVM VVPAT curious Judgment of SCI - good thing - it will deter hackers as they could get caught

 

The SCI judgment, of the morning of 26-Apr-24, on the EVM VVPAT petitions delivered zero justice to citizens of India and a partial consolation to political contestants in the Indian elections. No thanks to Political Parties, which never took a consistent or firm stand against the EVM usage, the heroic efforts of Jagdeep Chhokar of ADR represented by Prashant Bhushan and many other petitioners deserve a salute. This is a fight between citizens and ECI, and not between a political contestant and ECI, as the two-judge bench’s order unfortunately seems to project.

Saving grace of SCI order: 

ECI has been ordered to seal the SLU (Symbol Loading Unit – a fancy name of a pen drive which is used to transfer candidate data file into VVPAT) and EVMs after close of polling for a possible audit by engineers of BEL and ECIL. A losing contestant, either 2nd or 3rd, will be allowed to ask for audit of the memory of microcontroller of VVPAT (Voter Verifiable Paper Audit Trail) and CU (Control Unit) within 7 days of results. Bench does not seem to have realized that there is memory outside microcontroller too and the device can be compromised by malware sitting in that memory! Unfortunately, the order has capped the audit as well as manual count of vote slips to previously set limit of 5% per constituency. Regardless of these oddities, this order will deter a hacker as he will fear getting caught during the audit, unless the hacker and the auditors from BEL and ECIL, already accused of being under influence of BJP affiliated directors, are co-conspirators. SCI should have allowed independent auditors to have access to source code to enable them to do audits. However, the bench had refused to divulge the source code earlier. Finally, SCI should have asked ECI to seal the devices effective today instead of 1.5.2024, why allow hackers, if any exist, a free pass?  

The order, with directions to ECI, passed by the two-judge bench of Justices Sanjiv Khanna and Dipankar Datta is deficient on many counts and it is very likely that ADR, the lead petitioner, will file for a review by a larger bench. Indian democracy cannot be exposed to the slightest risk. The existing EVM System is easy to hack and many IIT Professors, other than those on Technical Experts Committee of ECI have confirmed this view. 7,000 eminent citizens had filed a petition before ECI but it did not even acknowledge it. General Elections of 2024 are projected to cost 14 Billion Dollars. Hackers, not the run-of-the-mill type, can entangle not only huge money but also national security. SCI must be tested to see if it pays heed to the voice of India’s citizens.

After this Judgment, the possibility of hacking could reduce considerably due to the possibility of the hacker getting caught. If the audit is done honestly and competently, the hacking would be caught surely if the right EVMs (out of 5% per constituency) are picked by the challenging contestant, otherwise he may still escape detection.
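To put numbers on how much a 5% cap leaves to chance, here is an added worked example (not part of the order or of any ECI procedure). It assumes the audited EVMs are drawn uniformly at random without replacement, which is the baseline case when the challenger has no information about which units to pick, and it uses a constructed constituency of 2,000 EVMs of which 20 are tampered.

```python
from math import comb


def detection_probability(total, tampered, audited):
    """Chance that a uniform random sample of `audited` units, drawn without
    replacement from `total`, contains at least one of `tampered` units."""
    if not (0 <= tampered <= total and 0 <= audited <= total):
        raise ValueError("tampered and audited must lie between 0 and total")
    if tampered == 0:
        return 0.0
    # comb() returns 0 when the sample is larger than the clean population,
    # so a sample that cannot avoid every tampered unit yields exactly 1.0.
    miss_all = comb(total - tampered, audited) / comb(total, audited)
    return 1.0 - miss_all


def audit_cap(total, percent=5):
    """Largest whole number of units allowed under a percentage cap."""
    return total * percent // 100


def units_needed(total, tampered, confidence):
    """Smallest sample size whose detection probability reaches `confidence`.
    Returns None when nothing is tampered (no sample can detect anything)."""
    if tampered == 0:
        return None
    for n in range(total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n
    return None


if __name__ == "__main__":
    total, tampered = 2000, 20          # constructed figures, not real data
    cap = audit_cap(total)              # 100 units under a 5% cap
    print(f"cap = {cap} units")
    print(f"P(detect) at cap    = {detection_probability(total, tampered, cap):.3f}")
    print(f"P(detect) full audit = {detection_probability(total, tampered, total):.3f}")
    print(f"units for 95% confidence = {units_needed(total, tampered, 0.95)}")
```

With these constructed figures a random 5% audit misses the tampering roughly one time in three, while auditing every unit cannot miss it; a challenger who knows which units to pick does better than the random baseline, one who guesses badly does worse.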



RELATED

EVM petitions - proceedings in the SCI

Also read previous blogs - the two methods of hacks and the two reliefs petitioners had asked for.

To reduce the hacking chances to zero, the two reliefs necessary are: 1. Voter must be able to verify her vote is correct, it is cut and it is dispensed into the ballot box before she walks out of the compartment of voting at the polling booth and 2. 100% of VVPAT printed vote slips must be manually counted and compared with the CU count - in whichever EVM there is discrepancy, recount should be automatically triggered and in case of persistent difference, the manual count should prevail (this is the existing ECI rule anyway).


Saturday, April 20, 2024

EVM VVPAT Petitions and the SCI - Voter verification even more important than 100% manual vote count (updated 27th April'24)

 The spectacular bluff of two "silos" of data of Electoral Bonds (EB) that State Bank of India (SBI), represented by top lawyers, tried to pull off was live streamed to the whole country from the Supreme Court no.1 in the month of March 2024. The two "silos" were actually two tables of data. Such data of EB buyer and EB recipient in two tables of a Database (or even Excel worksheets) would require not even three minutes to match but the lawyers of SBI, FICCI and GOI asked the five-judge bench to grant them three months. Had SBI used the word tables instead of "silos", any computer literate person could have pointed out that the matching is a trivial exercise of writing one join query in a database or "vlookup" command in an Excel worksheet.


Another more spectacular drama of EVM System hackability has been unfolding in the two-judge bench of the Supreme Court but this time it is not live streamed, as only constitutional bench proceedings are live-streamed at present. This time ECI is the culprit for obfuscations or outright lies which have left everyone confused. What could have been argued and concluded in two hours went on for three days without any order by the bench. As a result, the General Elections of 2024 have commenced from 19th April with status quo on the EVM System, which people of India rightly suspect can be gamed.

The petitioners have laboured to convince the court that EVM System has deficiencies and the possible hacks can be easily foiled by making two changes in processes: i) allow voter to verify the correctness of the printed vote slip and ii) manually count all the printed vote slips and compare with the EVM count (in case of discrepancy, as per existing ECI rules, the manual count prevails). ECI's lawyers and experts argued that there is no deficiency; ECI representatives actually lied and made self-contradictory statements (such contradictory statements also exist on ECI's website).

Firstly ECI has claimed that EVM machines are a standalone system - standalone in IT industry means, "not ever connected to Internet or any network (WAN or LAN)". Secondly, ECI claimed that EVM has only "firmware" as opposed to "software". ECI claimed that the VVPAT (Voter Verifiable Paper Audit Trail) into which Symbol Loading Unit (SLU is a "red herring" name for a pen drive, like silo was the fancy name for a data table) has only OTP (One-time-programmable) memory and that no software (or malware) can be transferred into it through the SLU or by any other means. Both these claims are contradicted by ECI's own admission - as visible on its website pages. 

Search for "standalone" and "OTP" in the linked note here and here - you will find multiple occurrences of "standalone", "laptop" and "OTP" - you can read in five minutes in context what ECI has mentioned. EVM machines (BU, CU and VVPAT) are not the whole picture - EVM System is the whole picture - it comprises a Central Server to be accessed via Internet, Laptop (in the custody of DEO/RO) and SLU. EVM System by no means is a standalone system and VVPAT has programmable memory too. This being the case, malware (software written by a hacker) can enter the system: via the central server or via the Internet into the Laptop, via the Laptop into the SLU, and finally via the SLU into the VVPAT's programmable memory. This infiltration of malware can occur with or without the knowledge of District Election Officer/Returning Officer or field engineers deployed in the over 1.2 million booths to commission the EVM during the 15 days prior to poll commencement. The malware can make the VVPAT misbehave as per multiple parameters set by the hacker, for e.g. date, time slots, constituency, the party to favour, the party to steal votes from, preceding rate of voting (i.e. misbehave only when there is rush) etc. Prashant Bhushan, ADR's Sr advocate, did try to explain some of these characteristics but the Justices cut him off frequently.

The petitioners have made very sensible and feasible demands. Will the bench grant these reliefs? Without these reliefs, the 2024 Election's system will be highly fraught and its results untrustworthy. The public, at least a large section, will lose complete faith in the ECI's and GOI's democratic credentials.

Reliefs sought:

RELIEF # 1 to defeat 1st method of "steal the same successive votes - hack": The voter should be able to pick up the VVPAT printed slip for verification and physically insert it into the ballot box; else the voter should be able to see the vote slip printed is correct and it is actually cut and dispensed into the ballot box - it is not sufficient for the voter to just see the vote slip (because it could be the previous voter's slip which has not been cut and dispensed due to a hack) - this means the light should remain on and not merely for seven seconds, as is presently the case. This is a clever hack because it cannot be caught - the stolen consecutive 2nd or 3rd or successive votes (as parameterised) - cast in favour of the hacker's party - will not be seen because their printing, cutting, dispensing into ballot box and writing into the CU will all occur only when the light is in the switched off state and in few seconds after the button for a different party's candidate is pressed by a subsequent voter or when the stealing parameter count is reached. In this hack, the vote count in CU and the manual count of VVPAT printed votes will match. Therefore, even a 100% manual vote count cannot foil this hack. This delayed printing of consecutive vote will likely be the preferred method of hack.
 
RELIEF # 2 to defeat the 2nd method of "print correct vote slip but write vote in CU for hacker's party candidate - hack": The election results should be based on a manual count of 100% slips. In case of discrepancy between the manual count and the CU count, recounts may be ordered. Ultimately, the manual count would prevail and not the CU Count. This change in process is required to foil the second method of possible hack of VVPAT printing a vote slip for one party and writing into the CU a vote of another party. Compared to the above method of hack, this one is liable to be caught and, therefore, less likely to be preferred by the hacker.
 
RELIEF # 3 for safe transport: After the Polling finishes, the CU and the Ballot Box pairs are transported to the counting station. During the journey, oversight of contestants' representatives should be allowed.
 
RELIEF #4 for enabling genuine complaints: Presently a voter who complains to the Presiding Officer (PO) in the Polling Booth that his/her vote is not properly generated, i.e. the VVPAT has printed the wrong vote - is required to prove the allegation is correct through a retest. If the error is repeated well and good but if it is not repeatable, the voter can face a fine of up to Rs.1,000 and imprisonment of up to 3 months or both. It is a matter of common knowledge that programs can be written to work with random parameters or based on parameters such that without the knowledge of source code, no one can predict if the error will repeat nor when it will repeat. The punishment under rule 49MA - Section 177, should be totally removed as it is illogical, and it works as a deterrent for genuine voter complaints - unless source code is made public, and its auditability allowed before and during elections.  
   
The RELIEF#1 and 2 are essential but the 1st one is more important. Without these changes, the results of 2024 General Elections will always be suspect.

Both ECI and SCI have treated the challenges to the EVM usage in elections with contempt and derision. Requests for a meeting of political parties, citizens councils and lawyers to ECI have been ignored, not even acknowledged.

The petitions principally focused on EVM vulnerabilities have been pending with the SCI for many months or even years. In March'24, when Kapil Sibal and Prashant Bhushan, on behalf of ADR (Association of Democratic Reforms) requested SCI for an urgent hearing since the General Elections 2024 were set to start from 19-Apr-24, they were told that there are many pending matters and their pleas will be heard and decided before the polling starts.

The bench of Justices Sanjiv Khanna and Dipankar Datta finally heard the petitioners on 16th April, 18th April and 24th April for about 2.5 days and finally reserved the order. On 24th April the bench had asked ECI to provide answers to six questions. One question was about the reprogrammability of microcontroller program in the EVM - in the VVPAT or the CU? This is a wrong question to ask. Even if the program is unalterable because it sits in the OTP memory, the device can be hacked - by malware being loaded into the programmable memory (VVPAT has both OTP and programmable memory) and intercepting the commands going into or out of the program. So the elections have started with status quo being maintained; no one knows when and what the bench will rule on the two main demands of the petitioners.

RELATED



Search for "laptop" in the proceedings - live updates from Bar & Bench here
There is a crucial fact of use of a laptop in every election cycle in every constituency, possibly every booth, where "EVM" must be commissioned within two weeks prior to polling date - this has always been obfuscated by ECI. Judge asks an incoherent but a leading and somewhat meaningless question, "software by ECI has a lock mechanism". Firstly, the software according to ECI does not exist in VVPAT - only firmware exists in VVPAT, secondly ECI itself does not have software which is kept secret by BEL and ECIL; no one knows what is meant by "lock in mechanism", ECI does not provide an answer either.
  
Excerpts (copied from Bar & Bench updates):

12:03 pm, 18 Apr 2024
Supreme Court: The SLUs are not stored to ensure that there is no tampering. etc.? Of course, very difficult.. SLU is done from the computers.. laptop etc used by returning officer.. The software by ECI has a lock in mechanism.

ECI: Yes, it is a secured software.

------------------------------------------------------------

21-Apr-24: this article in The Leaflet reproduces portions of the proceedings and highlights the relevant issues - here


Terminology primer for non-IT readers:

Any computer system or an intelligent device (e.g. VVPAT, Smartphone) works with the following components:

Hardware
Firmware - this sits in OTP (one-time-programmable) memory
Operating System - OS (or Control Program) - this sits in programmable memory
Application Program
Data (input from keypad or sensors or attached devices like pen drive)

Hacker corrupts the Operating System or the Control Program - if someone has the source code (or even the object code - from the set of stolen EVM machines - object code could be retrieved and reverse compiled - this is surely within the reach of a sophisticated hacker) then malware can be written into the programmable memory - in context of VVPAT, this can be done at the time SLU is inserted for copying the candidate data file; the SLU would likely be infected via the DEO/RO's laptop. 

Any laptop requires an OS and the OS can be infiltrated by malware knowingly or unknowingly by the user. Everyone knows when a computer is connected to Internet, virus can enter the computer - even if anti-virus program is installed on the device - this happens unknowingly - user can also download a malware knowingly, if he wants to. Everyone knows Windows OS is easy to hack, that's why antivirus programs are necessary to install. Most of the computers today run under Windows OS. We do not know which OS runs on the laptops the DEO/RO use in commissioning the EVM. ECI representative at some point mentioned in the court that PO's (Polling Officer) laptop is used in commissioning of EVM, whereas on ECI website, it says, DEO/RO's laptop is used. The SLU (pen drive) inserted into an infected laptop will carry the malware and transfer it into any other computer or intelligent device (like the VVPAT) into which it is inserted. This is not rocket science.