While Indian EVMs cannot be hacked, they can be manipulated, said the computer expert who has been advocating for voting-machine reform.
Computer Science Expert Madhav Deshpande stresses for change in design of EVMs. (South First)
In an exclusive conversation with South First, Madhav Deshpande — who has over 40 years of experience in the field of computer science and its applications — questioned the credibility of the existing Electronic Voting Machines (EVMs) and called for a change in the design.
Deshpande has also worked as a consultant to state and local governments in the US.
He has built and helped build several pathbreaking software solutions for the first time in the world, including low-level storage management on mobile phones.
He has been the CEO and CTO of several companies in India and the US.
Excerpts from the interview:
Q: Are EVMs hackable? Can they be manipulated?
A: These are two different terms. I’ve always said Indian EVMs cannot be hacked because hacking is an activity where you take control of a machine. Indian EVMs are not connected anywhere — either by Bluetooth, Wi-Fi or any other communication technology. They cannot be hacked, but manipulation is another activity.
Manipulation means you may touch the equipment and make it do some things that are not expected to be done without opening the equipment. You make it behave in a way it is not expected to behave.
Manipulation? Yes, it can be done because there are buttons and there are programs inside.
The weakest link in our EVM is the Voter Verified Paper Audit Trail (VVPAT). Indian EVMs are not a single monolithic unit. There are three units inside. I think you can see those three units independently. They are connected by wires.
One is the ballot unit (BU), where the voter presses a button of his or her choice. The other one is a VVPAT which prints the receipt.
The receipt can, of course, be seen by the voter and verified. That’s why, it is called VVPAT.
The third one is the control unit (CU), which stores this vote. A very welcome thing that has happened in the last two days is the Election Commission of India (ECI) has come out with a new set of documents, or rather, some frequently asked questions (FAQs). They have responded to some of the queries that people have been raising.
This is the first time they have discussed at least some details — technical details — of these machines, which is a very welcome change.
The whole idea of our conversations is not to take the EVMs away but to strengthen the electronic election system that the EVM has brought into India.
To that extent, the more that people know about these things, the more they can point out weaknesses so that these can be overcome. That is the whole approach.
In the new technical document, the ECI says that the EVMs use an RS-485 serial bus, which basically means that the CU is the master and the BU and the VVPAT are the slaves. The BU and VVPAT can only respond to the commands that the CU will give.
Q: Why do you point to VVPATs being the weakest link in this process?
A. There are multiple reasons for this. One is that the VVPAT has a program. The whole objective of that program is to recognise the vote and print all the details on a piece of paper so that the voter can see it. Now, the VVPAT is the only part of the EVM that is aware of the local data.
The BU and the CU are randomised by that. What that means is if there are 1 lakh BUs and CUs stored someplace, which CU or BU will go where is completely unknown. There is no local binding of this CU and BU. Tampering becomes impossible because the binding happens much earlier, and that too three times.
Two such times are when they come from the central storage unit and when they are returned to the state central storage.
These are fairly location-agnostic: The location doesn’t make a difference. However, that is not the case with the VVPAT.
After the candidate list is finalised, which is about 10-15 days before the actual polls, the data is uploaded to the VVPAT using what is known as the symbol loading unit (SLU). This SLU connects to the internet.
Now that’s another problem which we can talk about later, but the SLU connects to the website of the election commission and downloads the local data for a specific constituency.
The SLU is with only those people who are authorised by the ECI. So, any average person cannot have access to the SLU. There is that kind of physical security.
But then when it connects to the internet and downloads data and then connects to the VVPAT to upload that data, there is a definite theoretical possibility that some additional data may be uploaded. That additional data may not necessarily be for every candidate.
The CU, as the ECI says, gives the command to the BU to go into ready mode. The BU then waits for the vote to be cast: Whatever button has been pressed, that button’s value is sent to the CU.
The CU then gives that value to the VVPAT and asks it to print the receipt. The VVPAT will take that to match it in the candidates’ list; the matching name, party name, and symbol are printed.
Once the VVPAT prints the receipt, it has to confirm the action to the CU. If the CU program understands this, whenever there is a done followed by a comma and a number, that means that the vote has to be recorded in that number instead of whatever vote has been received.
The process flow is that after the CU receives the confirmation from the VVPAT, it stores the vote and gives a beep.
If, for example, the CU has received a five after the comma instead of the two that was sent to the VVPAT, it can store five.
We don’t know if this can actually happen, because nobody knows the program inside either the VVPAT or the CU. But these possibilities definitely exist.
That makes the VVPAT the weakest link because it connects to the internet via the SLU.
Moreover, in the new technical FAQs, the ECI has now said that VVPAT has two parts in its programmable memory. This is its answer to Question 53.
One is one-time programmable (OTP), which cannot be changed, and the other part can be changed.
The earlier claim was that this whole unit was OTP. This answer goes contrary to that claim. It opens up a lot of possibilities.
Yes, we understand that some memory needs to be there to store local data. The answer to this vulnerability is simple: Disconnect the VVPAT from the control unit.
If it was not a master-slave relationship, if all units were equal and one could talk to the other, then this could have been easily implemented.
Keep the ballot at the centre: When the voter presses a button, the signal goes simultaneously to the VVPAT and the CU.
The VVPAT prints it, the voter sees it and verifies it, but the VVPAT does not give any confirmation back to the CU.
The CU gets the data and stores it, and then it becomes easier. But now, with the master-slave relationship, the problem is even more complicated. A vulnerability still exists.
Q. How technically sound are our EVMs?
A. Anything that is sound today may not be sound tomorrow. That is the actual problem with this whole system. The problem is that the system was designed in 1977 when there was no electronic advancement and no widespread internet access, and computer science was in its nascent stages.
This was a pure-electronic device like a calculator, as they said, and the enforcement and the security-thinking were around the same lines as ballot boxes.
In the last 46 years to be precise, things have changed dramatically. Now, you have mobile phones with gigabytes of memory.
What was adequate and that time sufficient is not so any more. That is why the strengths that we saw at that time have now become weaknesses because there are possibilities of doing things in a better way. Before the polling starts, they should be addressed.
A separation has to happen between the VVPAT and the CU. That will be the only authentic, only legitimate pair. Before the counting starts, this pair should be verified so that the CU doesn’t get replaced.
Today, a CU can be replaced by some other CU. But not one that is legitimate. The pairing has to happen. We are not doing that.
That becomes another inadequacy. This was not there earlier because we were not talking of cables, communication, and protocol because they were very elementary in 1977.
You might have heard of a Fiat car. It was considered a better car than most. But the moment Maruti and other companies came, made improvements, and added features, the Fiat was deemed inadequate.
Similar improvements should have been made to these EVMs. I always say 20 years ago, we were already 20 years late. We should be doing it right in the interest of Indian democracy.
Q. How has the ECI responded to the concerns raised by experts and citizens regarding transparency and accountability?
A. The development from four days ago was extremely welcome. It was a definite step forward.
If this is the approach that the ECI is taking, it gives me a lot of hope.
A lot of things need improving. That may not happen immediately — let’s say in the next two to four months. You will have to find other ways to address the problems.
Then there are possibilities that technical problems might happen next year and a half. But if this is the approach to make it more open, as the ECI has done in the new FAQs, then yes, it is on the right track.
Q. Is there any possibility for the ECI to implement changes to EVMs in the next two to three months to ensure fairness and transparency in the Lok Sabha elections?
A. As I see it, no. There are about 13 lakh units that the ECI ordered. The fundamental change in the architecture of master and slave cannot be made in two months.
And it’s not just about making the change. You have to make sure that the EVMs are tested properly.
It is impossible to do that for 13 lakh units in two months. Even if you take 12 lakh units for 60 days, how many units are we talking about per day? 20,000 units in a day. Can you imagine? It is unrealistic to expect that also.
As of now, there is no electronic evidence that has been given that this vote and this vote match, which every voter can see. We have a basic problem there. This question is very relevant.
Kannan Gopinath has been asking this. We have to clarify which vote is genuine.
As per the court orders, in case of variation between the VVPAT and the CU, the count of the VVPAT takes primacy. It should be taken into account when announcing the results.
If we have these serious weaknesses, the EVM is no more OTP.
Nobody has seen the program in the CU. That is the reason even a person like me, who is looking at it only technically, is saying that this design has to change.
Trust happens when there is transparency. Transparency is what brings trust. Everybody is Indian, and all of us are working to make India stronger. Let us do it collectively and we can do it.
Q. What other steps can be taken by the ECI to instil confidence in voters that their votes are accurately recorded, beyond relying on this printed ballot paper?
A. I am no policymaker. I am nobody in the administration or politics. My views are strictly as an ordinary citizen of India.
I think the easiest way that comes to my mind is making it a total VVPAT counting. That doesn’t mean abandoning the CU, though.
Also, use this opportunity to establish that every time you count VVPATs, whatever the result VVPAT gives you —let’s say A has 20 votes, B has 30 votes, C has 40 votes, whatever it is — the same result comes from the CU.
If you can do that across the nation, then people will automatically start trusting it.
May 14, 2024
May 14, 2024
May 13, 2024
May 13, 2024
May 13, 2024
May 13, 2024
