Before every election, various political parties, specifically, the non-NDA parties, start raising questions on EVMs used by the Election Commission of India. Such doubts on EVMs go up if BJP or other NDA parties win the elections, as the non-NDA parties accuse them of winning the elections by manipulating the EVMs. But when non-NDA parties win the elections, the questions on EVMs disappear completely.
The latest example of the same is the recently concluded assembly elections. Other than Assam, where BJP’s win was certain, and small union territory Puducherry, non-NDA parties have come to power in West Bengal, Tamil Nadu and Kerala. And as a result, no opposition leader is questioning the EVMs, until the next elections. Ahead of the assembly elections,. Mamata Banerjee and other leaders in TMC had raised EVM rigging allegations, but once the TMC govt returned to power, such allegations have disappeared.
The controversies relating to EVMS had started when they were first introduced. Since EVMS are electronic devices and since they include a processor like device inside them, there was a lot of hue and cry regarding the possibility of it being hacked.
But the contentions regarding hacking were based on an incorrect understanding of what is happening inside the EVM and what it is made up of. EVMS does not in any way work like desktop computers or even microprocessor based devices. Once they are programmed during manufacturing process, there is no means by which it can be reprogrammed to make it behave like we want to. It is more like a non-programmable calculator with a very basic set of electronics that do not in anyway resemble modern computers / programmable devices. Moreover, EVMS and Ballot units used along with are standalone units that are not connected to external devices to be manipulated (they cannot be manipulated in the first place), neither do they have hardware enabling wireless communications. Even many from the opposition parties accept this, ensuring us that EVMS are “calculator like devices” that cannot be hacked.
It’s such misunderstandings created by flawed arguments we wish to dispel in this article.
Now, the main argument is against the VVPAT machine, which was added as a means for the voter to verify if the machine has indeed cast the vote for the candidate he had in his mind. VVPAT machine contains information about the candidate list in the constituency, their symbols and how they’ve been arranged in the ballot unit. So, by checking the printout on the VVPAT machine one can verify if the ballot unit and the whole voting process was working the way it was intended to be. But there are a few things the critics bring to our notice which they think are major vulnerabilities of the VVPAT machine, when combined with the EVM-Ballot Unit duo allegedly compromises the whole election process, if such accusations are factually correct.
Let’s sum up the main charges against the VVPAT and the EVM-VVPAT-Ballot Unit trio.
- VVPAT is a patch work into the existing system.
- Since VVPAT sits between Ballot unit and Control unit, it can influence what goes inside of the control unit, i.e., information about the vote.
- VVPAT is not a standalone device since it is connected to external devices during symbol loading.
- Since it is not a standalone device, it is prone to get hacked.
So, the main point against VVPAT is since it sits between the Control unit and the ballot unit, anyone somehow hacking the VVPAT tampering with its “programmable memory” can sabotage the whole election process and get the system to register votes for whomever the intruder wants. And it is alleged the tampering can be done when the data containing candidate list, symbols etc. are loaded into the VVPAT using laptops or other compatible devices.
Now the statement that VVPAT sits between CU and BU is correct as one can see from the diagrams provided by Election Commission of India. While without the VVPAT, the cable from BU connects the CU directlu, the cable from BU now goes to the VVPAT and a second cable from VVPAT, similar to the BU-CU cable in the old system, connects with the CU. There’s nothing doubtful regarding this. Now it’s the interpretative arguments about VVPAT and the connections involved that we wish to analyse.
To begin with, the purpose of VVPAT was to bring in more transparency to the voting process through electronic means. The voter, unlike before, now has a secondary means of visual verification, a paper trail that shows the candidate he had voted for. Now, since a certain percentage of VVPATs are verified at the end of the election process, matching them against the votes cast on EVMs, it is not possible by any means to tamper with the election process exactly for these two reasons:
1.VVPATs are verified by the voters at the time of elections
2.VVPATs are verified after the election is over too.
Is essence, VVPAT has brought in more transparency and trust factor in the election process.
Next, many from the opposition parties and analysts make the claim that the VVPAT machine is a very complex system digital system that is prone to hacking. They also say it contains device drivers such as those which would be used to actuate individual components such as printers, photodiodes etc. In effect, they compare the whole VVPAT to a general purpose mini computer. This is where the whole argument is erroneous.
Simple machines such as standalone printers which are not normally connected to computers, and meant for very specific purposes such as a token machine or a billing machine, runs on something called “Application Specific Integrated Circuits (ASIC)”. What it means that the IC used has been pre-programmed, much like the one-time programmable EVM. ASICs are not reprogrammable in the sense that you cannot change the code it runs on.
Malware can affect only those systems which actually resemble general purpose computers, which runs on an Operating system and has features like RAM etc. The only thing it is designed to receive from an external device is the information about what it should be printing. Just like a token machine can be programmed to alter the content it is supposed to print by using a custom-made application, VVPAT too is most likely desgined around an Application Specific integrated circuit, and the only thing one can change is what it prints, which is done by ECIL engineers before the elections, using symbol loading Jigs or laptops as we have been told by ECI.
The code it runs cannot be changed since it should ideally run on an ASIC. We can simply disregard the allegation that VVPAT is hackable just by noting that it should ideally run on an application specific Integrated Circuit designed to carry out a specific task, here printing and acting as a bridge between the BU and CU, and that its code cannot be accessed or changed.
This method of loading external data is also used in setting the Real Time Clock inside the Control Unit using time setting Jigs. Here too, the OTP (One Time Programmable) chip inside the Control Unit has been preprogramed to receive information about time and date, just as VVPAT receives the information of candidates using symbol loading Jigs/Laptops with symbol loading application made by ECIL. So, just connecting the EVM to an *external device* cannot change the code it runs on. The same logic applies to VVPAT running on an application specific IC, much like that of the EVM control Unit.
ECI also mentions that newer models of EVMs are encrypted to the hardware level so that only ECIL/BEL components can be interconnected. This further weakens the argument that any type of tampering is possible. ECI also states these machines are not stand alone in the strictest sense, but needs to be occasionally interfaced with ECIL/BEL certified components for data upload, inspection etc.
Now since ECI hasn’t yet released the internal schematics of both the EVM and VVPAT, our argument about VVPAT should hold just as good as that for EVM.
Just as EVM ideally runs on a One-time Programmable chip which isn’t hackable, VVPAT too like other special purpose printers should run on Application based integrated circuits which aren’t reprogrammable in the strictest sense of the word, and hence not-hackable like a general-purpose computer which runs on an operating system and has accessories like RAM etc.
Critics make another accusation that the introduction of VVPAT into the system is a patchwork which has compromised the security of the election process, because a “programmable” device is “sitting in” between Control Unit and Ballot Unit.
But this philosophy of “cascading” multiple devices has always been there in election processes, right from its introduction. For instance, when the total number of candidates in a constituency exceeds 16, the maximum number of keys in a single Ballot Unit, additional units are cascaded, i.e., connected in series. The connection is shown below.
So, to cast vote for, say 20th candidate, the voter has to use the second Ballot Unit, and the signal passes through the first Ballot Unit to the EVM.
Now since ASIC based devices are themselves not “reprogrammable/hackable”, the new arrangement devised by designers, Ballot Unit-VVPAT-Control Unit, is nothing different from the old Ballot Unit-Ballot Unit-Control Unit philosophy, since we have argued that VVPAT is not hackable and the only variable inside it is the data for printing.
Based on this too, we can conceptually dispel the allegation that the signal given out by Ballot Unit is prone to manipulation by the processor inside VVPAT. For one thing, you cannot change the code of an ASIC based machine. Second, such a transfer of data, like that already employed in the cascading of Ballot Units, can be employed by a simple timed latch, another non programmable component.
Now, coming to the uploading of symbols. What the critics say is in concordance with what the Election Commission of India has to tell- symbols and other information are uploaded via laptops or other symbol loading machines. Now since the ASIC on which the VVPAT should ideally run, like any other ASIC, will treat this just as data and not as code, because they are non-reprogrammable in the first place.
Which means the worst one can do to an ASIC based VVPAT is to get it print something crazy. But this is an explicit error and can be noted by the voters. Now, such types of attacks on printers have occurred in the recent past, like when printers whose ports were open to the internet have been tricked into printing random stuff.
So, the only kind of printers that are hackable at least to this level are hobby based ones such as given below, which runs of programmable micro controller based platforms. But it would be naive to think any serious designer would go for it.
Above all of these, as said in the beginning, the Control Unit of an EVM attaches a time stamp for each and every vote cast using a Real Time Clock (RTC). The presiding officer registers the sequence of voting too. The voting process is monitored by CCTV surveillance as well. So, during VVPAT matching, any discrepancy that crept in due to a possible hacking can be found out. This verification of VVPAT itself debunks the argument that the election process can be rigged by employing a malware. In fact, VVPAT has provided more transparency in the voting process and has elevated the trust factor common people would ascribe to elections through electronic means.
So, the arguments by critics about VVPAT philosophy is both counter intuitive and wrong.
VVPAT has brought in more transparency to the election process, since votes cast are now verifiable. Use of VVPAT itself knocks off the argument that these machines can be hacked without anyone noticing, since the voting process uses time-stamping and video surveillance.
VVPAT machines, like printers, are not complex digital machines like programmable general purpose computers in the strictest sense of the word. They run on Application Specific Integrated Circuits the code of which is unalterable.
It needn’t contain executables like device drivers you would see in Operating System based platforms, but the code has been pre-programmed into it.
Since ASIC based machines like VVPAT printers does not contain an operating system and RAM, you cannot manipulate it using any kind of malware.
The Ballot Unit – VVPAT – Control Unit philosophy is essentially the same as the Ballot Unit – Ballot Unit – Control Unit cascading philosophy used in elections.
Here we may prove the equivalency of CU-BU-BU cascading and CU-VVPAT-BU cascading since both VVPAT and EVM+BU are not reprogrammable/hackable.
Even the data uploading in VVPAT is in agreement with what is done in the Control unit, for example, setting of time using Jigs.
Printers can only be hacked to the extent of being tricked into printing something esle it was not intended to, which would become obvious to the eyes. Such cases have been reported worldwide, and happens mainly because their input ports were being continuously exposed to the Internet, or a hacked computer.
In essence, these arguments apply only to either general purpose desktop computers, or hobby designs such as described above. (Hobby designs use custom programmable microprocessor-based platforms, like an Arduino Uno or Raspberry pi).
That the statement VVPAT being a “patchwork” on the existing system is far from logically correct even by considering the basic intentions behind incorporating VVPAT machine into the existing system. VVPAT was meant to function as a verification process in the existing scheme of things, and not as a correction to the old system. So, even going by an elementary level of reasoning, it doesn’t look like the designers would have compromised an otherwise perfect methodology just to incorporate a verification mechanism. If adding something like a printer into it might dislodge its safety features, would such eminent designers have even gone for it. Now this defence is by no means fool proof, for only a reasonable technical examination of the arguments like that given above would vindicate it.
Author: Sooraj R
(This article was originally published on author’s website)