The release of new FAQs (frequently asked questions) by the Election Commission of India (ECI) on January 30 and now superseded by another version on February 7 is a very welcome step. Importantly, this is the first time ECI has released at least some technical details about the electronic voting machines (EVMs). The clarification that the trio of devices in the EVM uses RS-435 serial communication brings clarity about connections.
It is evident now that disconnecting the Voter Verified Paper Audit Trail (VVPAT) unit from the Control Unit (CU) is not a mere device rearrangement. It will need a redesign. Therefore the weakest part of the Electronic Election System (EES) ecosystem and of the election process will remain the weakest in the near future. The diagram below clearly shows how the signal flows and that the electronic vote will not reach the VVPAT from the Ballot Unit (BU) without first going to the CU, i.e. without the VVPAT-CU connection.
As I said in my article in The India Forum on January 4, the use of EVM has changed the Indian election system to be an Electronic Election System (EES). In any system, it is not sufficient to scrutinise only one part of the system, irrespective of how important that part is. The system must hold its integrity as a whole, for being trustworthy. The EES being electronic now must demonstrate electronic integrity against physical, electronic, and digital threats. We need to scrutinise the EES on the combined criteria of physical, electronic, and digital integrity.
Looking at the EES holistically, based on the material made available on their website by the Election Commission of India (ECI), the following major design deficiencies continue to exist:
1. The EVM is not entirely location agnostic: While the BU and CU are, the VVPAT is not, because it contains constituency-specific candidate data, uploaded only a few days before the polling. Location insensitivity is the first requirement for being fair and impartial. As such, the two-stage randomisation is not of much help when the computationally powerful component of the system is not location agnostic.
2. The EVM is not entirely disconnected as claimed before. When polling is ongoing, it is completely disconnected; but only a few days before polling, it connects indirectly, via the Symbol Upload Unit (SLU) and a PC, to the internet, i.e. to the ECI website, to download and store constituency-specific candidate data. (answer to Q 52)
3. The claim that candidate data is only a bitmap (picture) is not the full story. For the VVPAT to match the candidate data with the incoming numerical value of the electronic vote, the bitmap needs to be tagged with a numerical value or stored as elements of an array. It is unknown but entirely possible that the bitmap could be tagged with any additional value in either case. Such additional data can easily be used to alter the values returned by the VVPAT to the CU, and the way these responses are processed further by the CU.
4. The EVM is not a simple machine like a calculator as claimed before. While the BU and CU may be so (we must believe ECI – no details are made available as proof), the VVPAT is certainly not. The VVPAT has a program that, at a minimum, has to process incoming numerical data, match it with the stored list, pass the bitmap image associated with the matched number to the printer, print the receipt, cut it and send a confirmation back to the CU. This is a considerably more advanced set of operations than those of a mere calculator. Such a program could also easily be capable of counting the total number of votes, identifying every nth vote, providing a more “meaningful” response to the CU, etc.
5. The VVPAT is not entirely One Time Programmable (OTP) as claimed before. While a part of its memory is OTP, another part is not; ECI clearly said so in its response (answer to Q 53) in the new FAQ. Considering this revelation, the VVPAT must now be accepted as a seriously vulnerable device. It is now unbelievably difficult for any digital system expert to defend the integrity of the electronic vote in the CU with respect to the VVPAT receipt, more so because nothing is known about the program in the CU.
Let us assume that the VVPAT responds with “Done x” in response to a “Print receipt for x” command.
In a hypothetical but plausible scenario, in response to the “Print receipt for 3” command from the CU, upon printing the receipt (bitmap image of the candidate name, party name and symbol) for the candidate at position 3, the VVPAT responds “Done 3,5”. If the CU program is written to interpret the x,y part of the response as an instruction to record the vote for x as a vote for y, inaccurate registration of the vote in the CU is possible even after the receipt was printed accurately.
This is possible because:
a. The VVPAT has a program.
b. This program is written specifically to receive a number from the CU and match it with the number in the list uploaded by the SLU.
c. The SLU must upload image data acquired from a PC connected to the internet. It is easily possible to add just one special byte to a specific bitmap.
The program may be capable of executing additional functions like keeping track of the vote count, etc. It may therefore take specific action in its response to such specific counts.
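The defence against the “Done 3,5” scenario above is a CU that accepts only an exact confirmation of the position it commanded and records nothing from any other response. The following checker is an added illustration, not code from the ECI or from any EVM; the command and response strings, the candidate count and the sample exchanges are all constructed for the example.

```python
import re

# Constructed example, not ECI code: strict checking of the hypothetical
# "Print receipt for x" / "Done x" exchange on the CU side.
RESPONSE_RE = re.compile(r"^Done (\d+)$")


def check_vvpat_response(commanded: int, response: str, num_candidates: int) -> int:
    """Return the candidate position to record, or raise ValueError.

    The response must be exactly "Done x" with x equal to the commanded
    position and within the candidate list. Anything else (an extra field
    such as "3,5", trailing data, a different position) is rejected rather
    than interpreted, so a deviating VVPAT cannot steer how the vote is recorded.
    """
    if not 1 <= commanded <= num_candidates:
        raise ValueError(f"commanded position {commanded} out of range")
    match = RESPONSE_RE.match(response)
    if match is None:
        raise ValueError(f"malformed VVPAT response: {response!r}")
    confirmed = int(match.group(1))
    if confirmed != commanded:
        raise ValueError(f"VVPAT confirmed {confirmed}, CU commanded {commanded}")
    return confirmed


def tally(exchanges, num_candidates):
    """Count votes from (commanded, response) pairs; collect rejected exchanges.

    A rejected exchange is not silently dropped: it is returned so the
    presiding officer can act on it (the voter's recourse discussed in the text).
    """
    counts = {pos: 0 for pos in range(1, num_candidates + 1)}
    rejected = []
    for commanded, response in exchanges:
        try:
            counts[check_vvpat_response(commanded, response, num_candidates)] += 1
        except ValueError as err:
            rejected.append(str(err))
    return counts, rejected


if __name__ == "__main__":
    # Constructed sample exchanges: two normal, one "3,5" deviation, one mismatch.
    sample = [(3, "Done 3"), (3, "Done 3,5"), (1, "Done 1"), (2, "Done 5")]
    print(tally(sample, num_candidates=5))
```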
6. Considering the accepted vulnerability of the VVPAT, it becomes necessary to provide a recourse to every voter who complains of a VVPAT slip that does not match their choice of button press; because now with a programmable part of the VVPAT, it must be admitted that non-transparent transformation of the vote is possible even within the VVPAT.
7. VVPAT is a misnomer because it allows only view, not verification. The choice of rejection is a very crucial part of the verification process. Mere viewing is not verification. For example, when any authority verifies a document, the authority does not merely view it, it reserves the right to reject if the document is found incorrect. If a discrepancy is detected, does the voter have any agency to not just highlight the discrepancy, but mark the paper vote as incorrect, discard it and then cast a correct vote?
As per the rule cited (Rule 49), if the voter fails to demonstrate that an unintended vote is cast for the NEXT test vote, they become a culprit, liable to criminal prosecution. Besides being tyrannical, this is also entirely unscientific. It is like denying the existence of a previously connected “wrong number” on a phone because the next call connects correctly.
8. The answer to Q49 says “If a DRE produces a voter verifiable paper audit trail, it is software independent”. What is the basis for this definition? No reference is cited. The principle of “software independence” was introduced by Wack and Rivest, and according to its application to a voting system, “A voting system is software-independent if an (undetected) change or error in its software cannot cause an undetectable change or error in an election outcome.” “Software” in this definition includes both the program and its data constants. Since undetected data constants (like a * against an image or an x,y styled response as mentioned in “5” above) may be processed by the unknown program in the VVPAT and CU to cause an error in the election outcome, an undetected change can cause an undetectable change in the election outcome, and therefore the test for software independence of the VVPAT + CU fails even on theoretical grounds.
9. The answer to Question 37 talks about digital certificates and public key encryption for authentication. However, merely belonging to an authentic group is insufficient here. Unique pairing is necessary to rule out an authentic but illegitimate replacement unit being used. Authentication does not address the replacement of one unit by another; only pairing does, and there is no mention of pairing. While the entire pool of BUs, VVPATs and CUs carries electronic certificates of authentication from the time of manufacture, the individual BU, VVPAT and CU are not uniquely paired on the polling day, nor is the pairing verified on the counting day. This leaves ample scope for the CU used for polling to be replaced by another authentic CU stuffed with spurious votes.
A digital certificate is akin to an entry pass issued to the participants of a close-group meeting. The door keeper allows entry to the pass holder without knowing their identity. This allows person B to enter in place of person A so long as B carries the pass. In every high-security environment, a unique identification for every member is not just necessary, but it must be established and verified, as we experience it at the airport entry. A boarding pass is necessary but for sufficiency, we need a government-issued identifier to uniquely establish our identity. Person B cannot enter the airport using person A’s boarding pass. This simple example of routinely established security more than highlights the need for unique identification as a necessary and sufficient condition in every secure system. Only the act of pairing all three components of the EVM with a unique identifier for each passes this necessary and sufficient condition.
Considering the disconnected and dispersed nature of the EVM unit, at least one dynamic component must be a part of the unique identifier. Such a dynamic component is easily available in the form of the date and time of pairing.
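One way to turn the pairing idea above into a concrete check, as an added example that is not the ECI's design: a pairing record commits to the three serial numbers and to the date and time of pairing, and on counting day the units presented must reproduce it. The key, serial numbers and timestamp are placeholders; a real scheme would need its own key custody and signing authority.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: a pairing key held by the election authority, not by the units.
PAIRING_KEY = b"placeholder-pairing-key"


def make_pairing_record(bu_serial, vvpat_serial, cu_serial, paired_at=None):
    """Polling-day step: bind one BU, one VVPAT and one CU to each other and to
    the moment of pairing (the dynamic component of the identifier)."""
    paired_at = paired_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    fields = {"bu": bu_serial, "vvpat": vvpat_serial, "cu": cu_serial,
              "paired_at": paired_at}
    msg = json.dumps(fields, sort_keys=True).encode()
    fields["tag"] = hmac.new(PAIRING_KEY, msg, hashlib.sha256).hexdigest()
    return fields


def verify_pairing(record, bu_serial, vvpat_serial, cu_serial, polling_date=None):
    """Counting-day step: the units presented must be the ones paired on polling day.

    A swapped CU with a valid manufacturer certificate still fails here, because
    its serial is not the one bound into the record. If polling_date is given
    (YYYY-MM-DD), the record must also have been made on that day.
    """
    if polling_date and not record["paired_at"].startswith(polling_date):
        return False
    presented = {"bu": bu_serial, "vvpat": vvpat_serial, "cu": cu_serial,
                 "paired_at": record["paired_at"]}
    msg = json.dumps(presented, sort_keys=True).encode()
    expected = hmac.new(PAIRING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


if __name__ == "__main__":
    # Constructed serials and timestamp for the example.
    rec = make_pairing_record("BU-0001", "VV-0001", "CU-0001", "2024-02-07T08:00:00+00:00")
    print(verify_pairing(rec, "BU-0001", "VV-0001", "CU-0001", "2024-02-07"))  # same units
    print(verify_pairing(rec, "BU-0001", "VV-0001", "CU-0002", "2024-02-07"))  # CU swapped
```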
10. The EVM’s location is not tracked at every moment. The less harmful fall-out of this laxity in surveillance is these units being stolen by anti-social elements and their subsequent misuse in some constituencies. The more serious fall-out is possible mass-scale rigging by unfriendly countries to sabotage the entire election. This must be seen as a national threat. In a country that talks of GPS tagging every car so that toll booths are eliminated, not tagging EVMs with GPS is not just baffling; it shows total disregard for national security.
11. The entire EVM documentation (FAQ) has no disaster recovery (DR) implementation, or even a plan for one. Considering that the outcome of elections decides the fate of the nation for half a decade, and that accidents have not been too rare even in the recent past, the absence of DR is entirely unacceptable.
In addition to these immediate, major, serious, discomforting deficiencies in the EES itself, I notice that every voter now has two copies of votes: one in the form of printed paper slip via VVPAT and the other in the form of electronic vote stored in the CU. Kannan Gopinathan has been asking a fundamental question in this regard. It needs to be answered by not just the ECI, but also the Supreme Court of India. The question is: Which is the real vote? The one that the voter has seen though not actively verified or the one that is neither seen nor verified by the voter?
Considering the volume of the task of making design changes and implementing them across the EVMs, the time may be inadequate before the upcoming elections. However, looking at the real and existential possibilities of manipulation that remain open, and which the new information in the FAQ has made even more apparent, the most appropriate action for the ECI would be to adopt a “hybrid model”: use the EVM to print the slip and manually count 100% of the VVPAT receipts (like paper ballots) across the country. The manual counting effort may take a few additional days, but then those who win stay in power for five years. I am sure a three-day delay is worth the wait in the interest of Indian democracy. The solutions to the problems discussed above should be taken up as a year-long project and implemented completely.
Madhav Deshpande is a former CEO of Tulip Software and a former consultant to the Obama administration in the United States. He is one of India’s foremost experts on electronic voting machines (EVMs).