Monday, 30th October 2017

E- paper

Paper machine chink in EVM: Officer

VVPAT machines may be the most susceptible to tampering: IAS officer Kannan Gopinathan

  • Published 25.09.19, 4:40 AM
  • Updated 25.09.19, 4:40 AM
  • 4 mins read
  •  
A woman casts her vote on a demo electronic voting machines and checks on Voter Verifiable Paper Audit Trail or VVPAT during an election awareness drive by district administration ahead of the general elections. (PTI file picture)

IAS officer Kannan Gopinathan, who resigned last month to be able to regain “my voice”, on Tuesday claimed that paper trail machines had made electronic voting machines (EVMs) vulnerable to tampering.

Voter-verified paper audit trail machines have been used with all EVMs since the 2017 Goa Assembly polls. Under court orders, the Election Commission (EC) tallied five VVPAT counts with the respective EVM in every Assembly segment during the Lok Sabha polls earlier this year.

Although a mismatch was detected in eight machines, the difference in votes was too small to impact the results in any parliamentary contest. Almost all main Opposition parties have demanded a tally of at least half of all VVPATs used.

However, Gopinathan’s claims suggest that VVPAT machines may be the most susceptible to tampering. The EC is yet to respond to Gopinathan’s allegations.

Gopinathan, who was the returning officer of Dadra and Nagar Haveli in the general election, tweeted quoting from the latest edition of the “Manual on Electronic Voting Machine And VVPAT” published by the EC in February 2019.

He tweeted: “So, you might remember my spirited defence of EVMs. I still stand by it, except that my first election with VVPAT has taken away my trust. VVPAT has created a hole in the EVM armour & made the process amenable to hacking…

“On why now & why not while being in the service? I did raise it on two occasions. During the ECI training of Returning Officers at the IIIDEM, and later at the time of commissioning with ECIL. So now without attributing any malafide, I would like to put my concerns out.”

“Commissioning” refers to the checks done on the machines by engineers sent by the PSUs that make them. The checks are done in the presence of the returning officer before the machines are sent to polling stations. The IIIDEM is the India International Institute of Democracy & Election Management, the EC’s training wing in New Delhi.

“Unlike before, the Ballot Unit (BU) is not connected to Control Unit (CU — Memory of EVM) directly any more. It is connected through VVPAT. Means what you press on that blue button in the BU is not registering the vote in the CU anymore. But what VVPAT communicates to CU is!” Gopinathan tweeted.

“That is dangerous! For VVPAT now controls two things. 1. What is being shown to the public in the form of paper slips. Or the perception & trust factor. 2. What is actually getting registered in the Control Unit as a vote. Or the actual vote factor,” Gopinathan explained.

He added: “As I understand, VVPAT is a simple processor, a memory and a printer unit. It has a memory because serial numbers, names & symbols of the candidates need to be loaded on to it before the elections, so that it gets printed in the paper slip…

“The strongest defence any election officer has had to the question of ‘What if the CU is already programmed/hacked before it comes to you’ was that ‘But they wouldn’t know the sequence of candidates. So whatever they may program, they wouldn’t know who is at what number!’

“And that fool-proof check is what we have compromised with the introduction of VVPAT. For symbols are loaded on to the VVPAT by the engineers from their Laptops/Jigs after the candidates are finalised.

“When one can access the VVPAT after the candidate sequence is known, and can connect a laptop/computer/Symbol Loading Jig, is precisely when one can load a malware also into the VVPAT. This access should not have been provided. That answers the when question. Now to the how. VVPATs are connected to external devices after candidate sequence is known!!

“I forgot to add the other defence we had. That no one had physical access to the EVMs once candidates are set. By allowing external devices to be brought to the commissioning room, and allowing it to be connected to VVPAT, we have foregone this defence too.”

Gopinathan proceeded to explain how an EVM can be hacked: “On to the how part: Since VVPAT controls both the trust factor & the vote factor, a possible method could be, VVPAT prints what is pressed in the BU. So voter sees that paper trail tallies with his pressing of the button. #TheTrust Sends something else to the CU. #TheVote

“While we have a provision for if a voter complaints that the VVPAT paper trail does not match with the button he pressed, there is no way he can know if the VVPAT has sent the same input to the CU. So the wrong printing can be caught, but not right printing and wrong registering.”

Gopinathan further explained how the checking is not foolproof.

He tweeted: “While citizen has verified the BU & VVPAT end, that what he saw is what he pressed, the CU & VVPAT verification needs to be done through tallying paper trails with vote count in the CU. But as it takes time, we only do such verification for a selected few per constituency.

“Even if we find an inconsistency, current procedure simply says go as per the VVPAT count for that particular EVM. So if one is to manipulate only a few EVMs & not all through VVPATs, 1. Chances of getting caught are less. 2. Even if caught, it will be seen as a one-off error…. Randomisation is completely ineffective here as the access of VVPAT to external devices is given after it is allotted to the constituency. So it doesn’t matter which EVM is going to which PS after randomisation.”

Gopinathan also explained how mock polls are ineffective in detecting any tampering. “…There are two mock-polls after the commissioning of EVMs (When candidates sequence is loaded). 1. Mock poll of 1000 votes on random 5% of EVM at the time of commissioning. 2. Mock poll of 50 votes at the polling station (PS) on the day of poll

“The mock poll of 1000 votes on 5% random EVMs could act as a check. But not a fool-proof check. If one is attempting to manipulate only a few EVMs, the chances of it getting caught are less. And even if caught, it is seen as a malfunction and the EVM is set aside. Nothing else!

“However, the other mock poll of 50 votes on the day of poll is not a check at all. If it is known that in every EVM first 50 votes will be tallied on the spot, you write your code such that it starts manipulating only after say a 100 votes. No chance of getting caught there.”

While several parties have hinged their hopes of fair play on VVPAT machines, Gopinathan said: “So, by introducing VVPATs, we have created so much vulnerability to an otherwise fool-proof process, while not adding adequate checks, either in the process or during the counting…”