EVMs? Trust Deficit!


Gfiles - Vivek Mukherji

In 2019, when 800 million Indians vote to elect a new government, they, along with the political fraternity, will rest their faith on the controversial, malfunctioning, and hack-able voting machines. Hence, it’s time for the political parties to decide whether they knowingly wish to join the bandwagon, and trust the EVMs, or take the harsh stance to boycott the national elections. Our democratic future lies in the hands of a questionable and doubtful technology. The Election Commission can change it. A courageous piece by Vivek Mukherji

In 2019, when 800 million Indians vote to elect a new government, they, along with the political fraternity, will rest their faith on the controversial, malfunctioning, and allegedly hack-able voting machines. In 2009, the opposition (BJP) charged that the ruling regime (Congress-led UPA II) tampered with and hacked EVMs. Today, the opposition (Congress) has again levelled the same allegations against the BJP. The fact that there are uncertainties about the voting machines is deplorable in a healthy and mature democracy. Hence, it’s time for the political parties to decide whether they knowingly wish to join the bandwagon, and trust the EVMs, or take a firm stand. Is the future of the democracy going to be decided by a questionable and doubtful technology even if all the political parties decide to participate in the 2019 elections? The Election Commission needs to step in, and clear the murky air. An insightful report by

During times of universal deceit, telling the truth becomes a revolutionary act. – George Orwell.

So, what is the truth about the dark shadow of doubt that continues to linger over Indian Electronic Voting Machines (EVMs)—that they can be hacked or rigged to fix elections? The controversy acquires a fresh lease of life after every election in a country where the electoral machinery is in a state of perpetual motion. If the legislature, the executive and the judiciary are considered the limbs of a well-functioning democracy, then the sanctity and fairness of the electoral process through which India elects its legislators to give itself a government “of the people, by the people, for the people” is its lifeblood. If this lifeblood gets contaminated by toxic pathogens such as rigging, booth capturing, ballot stuffing or hacking of EVMs leading to manipulation of the votes cast, then the health of democracy is in grave peril. Therefore, it’s pertinent to ask two questions. 1. Is it possible to hack Indian Electronic Voting Machines? 2. Have they been hacked to alter the outcome of an election?

The short answer to the first question is: yes, technologically speaking, it’s possible to hack or manipulate EVMs. That’s what a number of computer scientists confirmed to gfiles, both on record and off the record. The answer to the second question, however, is a lot more complex. We don’t know whether elections have been compromised because the Election Commission of India (ECI) has continuously stonewalled all attempts by independent computer security experts to test the machines for vulnerabilities that could be exploited to manipulate votes. It has steadfastly denied critical information that would enable people to dispel or confirm the doubts that continue to persist about the integrity of the machines.

It’s for these two reasons that all political parties across the spectrum, from the left to the right, including the Bharatiya Janata Party (BJP), which is currently in power in 21 states across the country, have fanned the controversies and conspiracy theories about EVM fixing, especially after losing an election battle. In this cross-current of accusations and counter claims, the core issue of whether the EVMs are really vulnerable to manipulation tends to drift out of focus. For the moment, the people of India have to rely on the ECI’s claims that all is well and EVMs are tamper-proof, even though it has offered no demonstrable evidence or independent audit report to back up its assertions. Several of the claims made by the ECI in its latest Electronic Voting Machines in India: A status paper, have been questioned by computer scientists and security experts that gfiles spoke to.

David D. Dill is a Professor of Computer Science at Stanford University. He is acknowledged globally as an expert on computer security and electronic voting. He has worked for over 15 years in the US towards making election results trustworthy. He remains sceptical about the ECI’s claims. “I have heard presentations from the ECI at a conference in the U.S. a few years ago and found them unconvincing,” wrote Dill in an email response to a set of questions sent to him by gfiles. He goes on to offer an even stronger counter. “Claims that a machine cannot be hacked are almost always false, and often demonstrated to be false in the most embarrassing possible way,” says Dill. “People who make extraordinary claims, e.g., that a machine cannot be hacked, should be prepared to provide extraordinary evidence. Refusal to embrace independent security analysis of the machines to me is an obvious indication that the people making the claims are not as confident that those claims will hold up under scrutiny”. He goes on to add: “It is common sense to be sceptical about people who make claims that they are not willing to back up, especially when the claim is implausible according to technical experts. This is especially true since older versions of the machines were examined (against the will of the authorities) and hacks were demonstrated.” It’s worth noting that till date, the ECI has failed to provide any “extraordinary evidence” to back up its “extraordinary claim” that its EVMs can’t be hacked.

Even as India’s election body stridently refuses to entertain any request from computer security experts to test its machines, hackers at the 2017 DEFCON provided tons of demonstrable evidence that no voting machine is tamper-proof. DEFCON, established in 1993, is the world’s biggest jamboree of hackers and computer security experts that’s organised every year in Las Vegas. Last year, it drew 25,000 participants from around the world. For the first time in 2017, DEFCON set up a Voting Village with the sole purpose of allowing hackers to test the machines for security flaws and vulnerabilities that could be exploited to manipulate votes. The Voting Village put up 25 different types of voting machines, including networked and non-networked stand-alone Direct Recording Electronics (DRE) devices—similar, but not identical, to what is used in India—for security analysis by some of the sharpest minds in the world. These machines were legally sourced either from their respective manufacturers or from the open market. On July 27, 2017, when the gates of the Voting Village were opened, complete mayhem ensued as hackers started tearing apart the hardware and the software of the voting machines. It took less than 90 minutes for the hackers to reveal some of the security flaws in the machines. Victor Gevers, a white hat hacker and founder of GDI Foundation, who has 5,392 responsible vulnerability disclosures to his credit, reported from the scene on his Twitter timeline (@0xDUDE): “You should visit the voting machine hacking village @defcon. It’s actually a horror show if you start looking at these machines up close.”

After three days of the horror show, the faith of senior officials of the Department of Homeland Security and the Department of Justice in the infallibility of the machines was firmly shaken and shattered. The extent of damage and manipulation that could be carried out was summed up in an 18-page report titled DEFCON 25 Voting Machine Hacking Village, co-authored by Matt Blaze (University of Pennsylvania), Jake Braun (University of Chicago), Harri Hursti (Nordic Innovation Labs), Joseph Lorenzo Hall (Centre for Democracy & Technology), Margaret MacAlpine (Nordic Innovation Labs) and Jeff Moss (founder of DEFCON). Though the report focused exclusively on machines used in the US, it provides enough evidence that’s equally valid to counter the claims that the ECI has routinely trotted out in defence of its machines. “The results were sobering. By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems,” says the report. “Moreover, a closer physical examination of the machines found, as expected, multiple cases of foreign-manufactured internal parts (including hardware developed in China), highlighting the serious possibility of supply chain vulnerabilities.” The report further states that such supply chain vulnerabilities can be exploited by anyone with malicious intent.

“This discovery means that a hacker’s point-of-entry into an entire make or model of voting machine could happen well before that voting machine rolls off the production line. With an ability to infiltrate voting infrastructure at any point in the supply chain process, then the ability to synchronise and inflict large-scale damage becomes a real possibility.”

While Indian EVMs, assembled by the Electronics Corporation of India Limited (ECIL) under the Department of Atomic Energy and Bharat Electronics Limited (BEL) under the Ministry of Defence, don’t use Chinese components, they do, however, use the most important component, the microchip (also called microcontroller), manufactured by Renesas Electronics, Japan, and Microchip Technology Inc., USA. Various other critical components that go into the manufacturing of EVMs are also supplied by third-party vendors, exposing them to the same supply chain vulnerabilities that the DEFCON report highlights.

Interestingly, the Indian media, barring a few tech websites, completely missed or buried the important story of EVM hacking at DEFCON, which has implications here. Even more puzzling are the reactions of celebrity editors and star journalists and anchors, often bordering on ridicule, every time allegations of EVM rigging surfaced, without offering a shred of evidence to the contrary. A few tweets by two of India’s most well-known journalists are enough to underline the cavalier attitude that pervades the Indian mediascape towards an issue of such vital importance. “On your knees guys who’ve demonised EVMs and EC. A collective apology is needed. Whatever the result, this is no fixed election. Wonderful truth: no poll ever is in India (sic),” tweeted Shekhar Gupta (@shekhargupta), editor-in-chief of The Print, on the morning of December 18, 2017—the day the results of the Gujarat assembly elections were declared. Earlier, on December 9, he tweeted, “EVMs are the loser’s fake excuse. Everybody screaming about them wasn’t complaining when they won. And they won’t when they win again. (sic)”

Similarly, on March 3, the day the results of the Meghalaya, Manipur and Nagaland assembly elections were declared, Barkha Dutt (@BDUTT) wrote on her Twitter timeline: “Always said EVM whining is the sign of a sore loser. Just like those channels who say ratings are rigged... except in the rare weeks they do well.” On May 28, the day of the Kairana parliamentary byelections, when news came in that Rashtriya Lok Dal chief, Ajit Singh, and Ram Gopal Yadav of the Samajwadi Party sought a meeting with the Chief Election Commissioner over reports of large-scale EVM malfunctioning throughout the constituency, she attempted a mild walk back, “Have always scoffed at rigged EVM theories but today’s complaints on malfunctioning machines seem far too many to be ignored.” In their eagerness to pin the accusations of EVM rigging on the sore-loser complex, both Gupta and Dutt, like many other journalists, inadvertently point the finger at the elephant in the room that started it all and reaped substantial political capital from it.

Background: Rewind to 2009, a book, a hack and silence

Before delving deeper, it would be worthwhile to cast our attention towards the genesis of this pesky shadow that refuses to fade away despite the best claims made by the ECI. The seed of this controversy was sown into the fertile soil of India’s electoral politics on May 17, 2009. It’s a significant date as the election results to the 15th Lok Sabha were declared on that day. It was a day on which the United Progressive Alliance (UPA) retained power by winning 262 seats in the lower house of the parliament with the Congress emerging as the single largest party with 206 seats, improving upon its tally of 145 seats in the 2004 general elections. It meant that the hopes of India’s eternal PM-in-waiting, LK Advani, of becoming the Prime Minister were permanently dashed. By the time the tide turned in 2014, with the BJP sweeping to power, the Modi-Shah duo consigned the party patriarch to its version of the Last Chance Saloon called the Margdarshak Mandal (guidance committee), which hasn’t met even once since its formation, but that’s a different story best left for another day.

Enter GVL Narasimha Rao, a graduate from the Institute of Rural Management in Anand, Gujarat. He joined the BJP in early 2009. At that time, he was the party’s in-house psephologist. At present, he is a Rajya Sabha MP from Uttar Pradesh and is one of the national spokespersons of the party and a regular face on television debates. Even as the BJP was grappling with the electoral loss, Rao, under the banner of an NGO called Citizens for Verifiability, Transparency & Accountability in Elections (VeTA), decided to take a closer look at whether EVMs had any role to play in helping the UPA to retain power. In other words, Rao suspected that the UPA won the 2009 general elections with the help of rigged EVMs. Rao, with the backing of the BJP’s top brass, Chandrababu Naidu and the likes of India’s PIL-in-chief, Subramanian Swamy, VV Rao and a team of technical experts headed by one Hari K Prasad, managing director of NetIndia Pvt Ltd, a firm specialising in cyber security and surveillance, according to its website, embarked upon an investigation through the summer and winter of 2009.

Rao put together an extremely well-structured campaign that operated at multiple levels. Swamy and VV Rao fronted the legal battle by filing petitions in various courts, Prasad and his team developed a “lookalike” EVM with which he went around the country giving demonstrations of how the voting machines could be hacked, while Rao himself marshalled support from various international and Indian experts, attended international conferences and made presentations to add intellectual heft to the case that he was making against the ECI. He compiled his efforts in a 246-page book (including seven annexures) titled Democracy At Risk: Can we trust our Electronic Voting Machines, with the blurb on the cover that reads, “Shocking exposé of the Election Commission’s failure to assure integrity of India’s electronic voting system.” The book’s foreword was written by LK Advani, endorsing the claims made by Rao. It also carried two messages: one by Chandrababu Naidu and the other by Prof. David D Dill, who has been quoted earlier in this story. When gfiles asked Dill if he still stands by what he had written in 2010, given that the BJP’s current stand on EVM rigging has changed, he said: “I wrote the preface to Mr Rao’s book because I agreed with his arguments and because I wanted the voters of India to be able to trust their election results. I was a little cautious about that, because I did not want to appear to be endorsing Mr Rao’s politics.”

The book was launched in Delhi on February 12, 2010, by the then president of the BJP, Nitin Gadkari, in the presence of senior leaders of the party. “On the one hand, we say voting percentage should be increased and voting should be made mandatory and on the other hand, people cannot vote (due to tampering of EVMs). This is not a problem of voting alone but a problem related to Indian democracy,” said Gadkari at the launch event.

In his book, Rao makes several startling claims, but none more than the claim that during election season “fixers” with “authorised access” to the EVMs approach politicians with offers to rig machines in favour of a candidate or a party for money. The figure quoted in the book, Rs. 5 crore per candidate, is mentioned in the chapter titled Election Fixers Demand Hefty Sums. “The ex-MP’s son stood for the Maharashtra assembly elections recently. The ex-MP told me that they were approached by some “authorised” engineers (apparently representing one of the EVM manufacturers or their agents) who offered to manipulate election results in 50 per cent of the polling stations of his assembly constituency for the princely sum of Rs. 5 Crore. The engineers said that the candidate could choose whichever polling stations he wanted manipulated,” writes Rao, quoting one retired IAS officer, Omesh Saigal, who is described as a whistleblower. He then goes on to suggest how Hari Prasad was approached by a political party to rig EVMs. “Today, some representatives of a prominent regional party came to meet us in Hyderabad. They said that they were aware that some techies from Hyderabad or Bangalore are “fixing” elections in favour of parties and candidates. Can you do this for us?” writes Rao, quoting Prasad.

Rao also describes in detail how in September 2009, ECI officials developed cold feet after inviting VeTA representatives including VV Rao, Swamy and Prasad to Nirvachan Sadan to demonstrate that actual EVMs could be hacked in their presence. “At a tamperability demonstration organised in Nirvachan Sadan, the headquarters of the Election Commission, referred to in chapter 8, the Commission representatives prematurely aborted an ethical hacking effort. This incident took place on September 3, 2009 when the Commission invited the petitioners of the public interest litigation in the Supreme Court to demonstrate vulnerability of EVMs. I was present at this meeting and witnessed these developments personally,” writes Rao.

On the technical side, to validate the claims of EVM hacking, Rao leaned heavily on the work done by Prasad and his team. They publicly demonstrated two hacks on an actual Generation 2 machine obtained from an anonymous source that was stolen from a storage facility in Mumbai under the charge of the District Election Officer. The team that hacked the EVM included Prasad, Alex J Halderman and Dutch hacker Rop Gonggrijp. They documented the hacking process in detail in an academic paper titled Security Analysis of India’s Electronic Voting Machines that was presented at the 17th ACM Conference on Computer and Communication Security in Chicago, Illinois on October 4, 2010. Halderman is Professor of Computer Science & Engineering at the University of Michigan and a renowned figure in the world of computer security. He submitted a sworn affidavit in 2016 to the Senate Intelligence Committee investigating the Russian cyber attack on the servers of the Democratic National Committee in the run-up to the US elections. Gonggrijp was the founder of a Dutch hacking magazine called Hack-Tic, where he described his role as hoofdverdacht (prime suspect). He was also instrumental in the release of a 39-minute documentary film called Collateral Murder in collaboration with WikiLeaks that showed an attack by a US Apache helicopter on a group of unarmed people in New Baghdad in which two Reuters journalists were killed.

Laying out the scope of their work, Prasad’s team noted: “In this paper, we analyse the security of India’s EVMs and related procedural safeguards. We show that while the machines’ simplicity makes them less susceptible to some of the threats faced by DREs studied in prior work, it also subjects them to a different set of highly dangerous attacks. We demonstrate two attacks that involve physically tampering with the EVMs’ hardware. First, we show how dishonest election insiders or other criminals could alter election results by replacing parts of the machines with malicious look-alike components. Such attacks are made far simpler and cheaper by the EVMs’ minimalist design, and they could be accomplished without the involvement of any field-level poll officials. Second, we show how attackers could use portable hardware devices to extract and alter the vote records stored in the machines’ memory, allowing them to change election outcomes and violate ballot secrecy.”

According to computer security experts, the two possible lines of attack described in the paper can be deployed to manipulate votes even in the current Generation 3 M3 machines that have been used since 2013. The experts also pointed out that the malicious display attack that the paper outlines in detail can still be used in the Generation 3 M3 machines. It involves replacing the original 7-segment LED display on the Controller Unit (CU) with a look-alike display that has a tiny microprocessor, a very small chip antenna and a Bluetooth module during routine servicing and maintenance before the EVMs are deployed in the field. Prasad and his team demonstrated how easy it is to conceal these components in the dishonest display. The low-cost components needed to assemble a dishonest display are freely available in the open market.

Explaining how the dishonest display method can be used to steal votes, the authors write: “We also developed a more robust signalling method based on the Bluetooth RFCOMM (Radio Frequency Communication) protocol, which provides a reliable stream of communication similar to TCP. Our prototype implementation consists of an application running on an Android phone. It sends a short message to the dishonest display via RFCOMM indicating the favoured candidate and the proportion of votes to grant that candidate. The application verifies success by waiting for an acknowledgment from the dishonest display. Our application does not use any special Android features, so it could be ported to any smartphone platform that supports RFCOMM, such as the iPhone or Windows Mobile.” The vote stealing algorithm ensures that votes are not stolen from a candidate below a certain threshold that’s determined by the software, without altering the overall total number of votes stored in the CU. “For each non-favoured candidate, it calculates the maximum votes that can be stolen given the overall vote total, the totals outputted so far, and the need to reserve a certain number of votes for the remaining candidates to prevent them from falling below the minimum vote threshold,” the authors wrote in the paper. Experts consulted by gfiles say that this is a very effective line of attack because it can be deployed at the counting stage instead of on polling day.

Prasad and his team demonstrated another method through which votes can be stolen, using a clip-on memory manipulator that can be attached to the Electrically Erasable Programmable Read Only Memory (EEPROM) that stores the polling data. Though this device is equally effective in stealing votes from one candidate for another, it’s easier to detect due to its size. Therefore, experts believe that this method is unlikely to be used to steal votes.

In April 2010, Prasad demonstrated both the hacking methods on Telugu television channel TV9. After keeping quiet for months, the ECI finally filed an FIR through its Mumbai District Election Officer that led to the arrest of Prasad on August 24, 2010, for unauthorised possession of an EVM. But five days later, on August 29, he was granted bail by a Metropolitan court. “No offence was disclosed with Hari Prasad’s arrest and even if it was assumed that EVM was stolen it appears that there was no dishonest intention on his part....he was trying to show how EVM machines can be tampered with,” observed Metropolitan Magistrate, VB Srikhande. Two days later, Prasad was on his way to Chicago to present the paper.

Curiously, since his release, and more so after the 2014 elections that brought the BJP to power, all the main protagonists involved with the campaign have either kept a very low profile or maintained stony silence on the issue. There was no response to the questionnaires sent by gfiles to Rao, Prasad and Halderman, asking them if they still backed the claims made in the book or the findings published in the paper, apart from other related questions (see box). The emails to Rao and Halderman were followed up by phone calls and messages on WhatsApp and Telegram but did not elicit any response from any one of them. Only Dill responded to the email.

Fast forward: Of VVPATs and Codes

In the more recent past, two incidents—vote switching in one polling station in the Buldhana local body elections and large-scale failure of EVMs and VVPAT machines in the Kairana byelections—probably played a role in hardening the opposition’s demand for going back to ballot paper for the 2019 general elections (see box for details). On May 29, the ECI issued one of the most bizarre press releases regarding the Kairana incident, which did not cover it in any glory. “During the bye-elections to 2-Kairana and 11-Bhandara-Gondiya parliamentary constituencies on 28th May 2018 malfunctioning of a few VVPAT machines was reported during mock poll and actual poll....The preliminary fact finding reports submitted to the Commission, have indicated that there were two major technical reasons for malfunction as follows: 1. Failure of contrast sensor (error 2.2) 2. Failure of length sensor (error 2.4). The above errors are mainly caused by excessive exposure to illumination in polling stations. (sic)”

The ECI’s press release is troubling on many counts. What it termed as a “few VVPAT machines” actually turned out to be 384 VVPAT machines out of the approximately 1,483 deployed across the constituency, according to a Daily O spot report. Also, the release was conspicuously silent about EVM failures. Experts have questioned the “excessive exposure to illumination” theory because polling booths are usually set up inside government buildings and schools, which are known to be poorly lit. Anyway, we have no idea how much illumination can be termed as excessive illumination according to the ECI’s standards.

In October 2013, the Supreme Court passed an order after hearing two petitions – Civil Appeal No. 9093 of 2013 and WP (C) No. 406 of 2012, the latter filed by VV Rao—that made 100 per cent implementation of VVPAT mandatory. “The confidence of the voters in the EVMs can be achieved only with the introduction of the “paper trail”. EVMs with VVPAT system ensure the accuracy of the voting system,” observed the apex court. Bound by the court order, the 2019 general elections have to be conducted with 100 per cent VVPAT coverage. But a news report carried in the July 25 edition of the Indian Express, based on information accessed under RTI, shows that the ECIL and BEL are lagging way behind on the delivery schedule of VVPATs. As of June 17, the two public sector undertakings had delivered just 3.48 lakh units against a total order of 16.15 lakh units that would be required for countrywide deployment ahead of the September deadline. Since the publication of the report, the Commission has extended the deadline to November 2018 (See table: ECI Inventory).

A top computer security expert who has worked on a number of sensitive government projects and does not wish to be named said, “After seeing the ECI response to the latest RTI and observing its pattern of obscurantism to attempts of scrutinising the EVMs independently, it’s clear that somewhere deep down they don’t have confidence in their machines.”

However, the way the Commission uses VVPAT to audit EVM votes is itself bothersome. At present it audits the paper trail in just one polling station in each assembly constituency. Statistically speaking, this is against all established and accepted norms of random sampling. As pointed out in a petition filed by former IAS officer turned activist, MG Devasahayam, through an NGO called Forum for Electoral Integrity (published in the May issue of gfiles), this mandatory count of VVPAT slips in just one polling station per assembly constituency turned out to be a mere 0.4 per cent in the Gujarat and 0.9 per cent in the Himachal Pradesh assembly elections. This fails to pass even the most basic test of random sampling that can be statistically validated and defeats the very purpose of implementing VVPAT. In the petition submitted to the CEC, OP Rawat, on April 10, 2018, the forum demanded “that VVPAT slips must be counted for a sample size of at least 25 per cent of polling stations in an assembly constituency with the sample drawn randomly from the different strata and verified with the electronic count.”
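The sampling argument above can be checked numerically. The following is an added example, not code from the article, the petition or the ECI: it computes the chance that a random VVPAT slip audit includes at least one polling station whose electronic total disagrees with its paper slips. The 250-station constituency follows from the 0.4 per cent Gujarat figure (one station audited); the five altered stations, the vote counts and the seed are constructed assumptions.

```python
"""Added example: how likely a VVPAT slip audit is to catch altered EVM counts."""
import random
from math import ceil, comb

# Assumptions (not from the article): a constituency of 250 polling stations,
# chosen so that auditing one station equals the 0.4 per cent Gujarat figure,
# and 5 stations whose electronic totals disagree with the paper slips.
STATIONS = 250
ALTERED = 5


def detection_probability(total, tampered, sampled):
    """Chance that a simple random sample of `sampled` stations (drawn
    without replacement) contains at least one of the `tampered` stations."""
    if not (0 <= tampered <= total and 0 <= sampled <= total):
        raise ValueError("need 0 <= tampered <= total and 0 <= sampled <= total")
    # Hypergeometric miss probability: every sampled station is a clean one.
    miss = comb(total - tampered, sampled) / comb(total, sampled)
    return 1.0 - miss


def min_sample_for_confidence(total, tampered, confidence):
    """Smallest sample size that reaches `confidence`, or None if none does."""
    for n in range(total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n
    return None


def draw_audit_sample(seed, station_ids, sampled):
    """Select stations reproducibly from a seed announced in public.

    Assumption: the seed is generated openly (for example by dice rolls)
    after the electronic totals are published, so the audited stations
    cannot be known in advance and anyone can re-run the selection.
    """
    rng = random.Random(str(seed))
    return sorted(rng.sample(sorted(station_ids), sampled))


def find_mismatches(evm_totals, slip_totals, sample):
    """Stations in the sample whose hand-counted slips differ from the EVM."""
    return [sid for sid in sample if evm_totals[sid] != slip_totals[sid]]


def build_constructed_counts():
    """Constructed data: totals agree everywhere except ALTERED stations."""
    slips = {sid: {"A": 300, "B": 280} for sid in range(1, STATIONS + 1)}
    evm = {sid: dict(counts) for sid, counts in slips.items()}
    for sid in (17, 58, 101, 164, 230):      # constructed altered stations
        evm[sid] = {"A": 270, "B": 310}      # same total of 580, shifted split
    return evm, slips


if __name__ == "__main__":
    quarter = ceil(0.25 * STATIONS)          # the 25 per cent the petition asks for
    for n in (1, quarter):
        p = detection_probability(STATIONS, ALTERED, n)
        print(f"audit {n:3d} of {STATIONS} stations -> detection chance {p:.3f}")
    needed = min_sample_for_confidence(STATIONS, ALTERED, 0.95)
    print(f"stations needed for 95 per cent detection: {needed}")

    evm, slips = build_constructed_counts()
    sample = draw_audit_sample("public-seed-placeholder", evm, quarter)
    print("mismatching stations found:", find_mismatches(evm, slips, sample))
```

Under these assumptions, auditing one station finds a discrepancy 2 per cent of the time, auditing 25 per cent of stations about 77 per cent of the time, and 112 stations are needed to reach 95 per cent.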

That’s not all. The cornerstone of ECI’s defence of its machines is its faith in the source code and the machine code that is compiled from it. In the status paper, the Commission claims that the source code has been developed by a small group of engineers working for the two PSUs. It says that ECIL and BEL exercise complete control over it and that the Commission itself doesn’t have access to the original source code. This was confirmed by the ECI in response to a set of 11 questions submitted by Mumbai-based businessman turned RTI activist Sunil Ahya. His request included: the checksum of the executable binary file (machine code) that is burnt into each programmable device, a copy of the firmware source code, and a copy of the procedure whereby the checksum of the executable binary file which has been burnt into each programmable device (integrated circuit) used in both the units can be audited (verified) at random at any given point in time on any of the field-deployed units. The ECI’s response to these questions was, “This information is not available in the Commission (sic).”

The ECI’s defence rests on the grossly misplaced assumption that the source code cannot be decompiled from the machine code that has been burnt into the One Time Programmable Read Only Memory (OTP ROM). In fact, this is a completely misleading claim. To prove that this claim is misleading we need to refer to a judgement that was delivered by the United States Court of Appeals, Ninth Circuit, in the case of Syntek Semiconductor Co., Limited (Taiwan) versus Microchip Technology Inc. (USA) in April 2002. In the lawsuit, Syntek challenged the copyright held by Microchip for the machine code that was written in the widely used microprocessor PIC 16C5x that was manufactured by the US company, because the Taiwanese company was also manufacturing a similar chip. Microchip Inc. is the same company that supplies the microcontroller that is used in Indian EVMs. The US court upheld the challenge of Syntek. And the reason why the court ruled in favour of the Taiwanese manufacturers is buried in the eighth paragraph of its order. “Microchip did not have in its possession the original PIC 16C5x source code when it registered its program with the Copyright Office; so Microchip deposited source code that it had decompiled from the object code embedded in the PIC 16C5x computer chip. Microchip informed the Copyright Office of the nature of its deposit, stating that ‘[t]he source code listing provided is a listing which was regenerated from the object code of the work because Applicant could not, after a reasonable search, find a listing of the source code of the work,’” says the order (emphasis added).

Therefore, there is no truth in ECI’s claim that the source code cannot be illegally obtained from the machine code by an insider either working for any of the two Indian public sector undertakings or working for the chipmakers in Japan and the US. For this reason, Ahya’s request for the checksum of the binary code that is hard-coded into the microcontrollers assumes significance. Simply put, a checksum is a sort of unique digital signature for a single piece of data, code or a programme. It is generated by running an algorithm called a cryptographic hash function. By comparing the checksum of the code that’s burnt into a microprocessor with the checksum of the original binary code (machine code), one can determine the integrity of the software running on the device.

In response to Ahya’s request for the checksum, the Public Information Officers of BEL and ECIL took recourse to Section 8 (1) (d) of the RTI Act, which allows exemption from divulging information on account of commercial implications. In other words, the two PSUs felt that divulging the checksum of their machine code could lead to commercial loss. Ahya challenged this during a hearing of his appeal conducted by the Chief Information Commissioner (CIC) on June 27, by saying that both BEL and ECIL can patent their codes and release the checksums. The CIC upheld Ahya’s challenge and posted the matter for further hearing in September, but not before observing that, “the commission is of the view that the defense taken by the respondents that the information is exempted under Section 8 (1)(d) has not been justified by them keeping in view that they are the only manufacturers of EVMs.” It further noted that, “the CPIOs of BEL and ECIL are directed to submit their written submission elaborating that how their competitive position will be affected if the information is disclosed. The reply should have the concurrence of CMD of the concerned public authority.”

The vote stealing algorithm ensures that votes are not stolen from a candidate below a certain critical limit that’s determined by the software. ‘For each nonfavoured candidate, it calculates the maximum votes that can be stolen given the overall vote total, the totals outputted so far, and the need to reserve a certain number of votes for the remaining candidates to prevent them from falling below the minimum vote threshold’

A top computer security expert who has worked on a number of sensitive government projects and does not wish to be named said, “After seeing the ECI response to the latest RTI and observing its pattern of obscurantism to attempts of scrutinising the EVMs independently, it’s clear that somewhere deep down they don’t have confidence in their machines. If they are so confident about their unhackability then they should send a machine to DEFCON for testing.”

Last year, the ECI issued a much-hyped EVM challenge inviting representatives of political parties to demonstrate the hacks. But the conditions that they attached caused much amusement in the computer security community. “They were laughable. For example, one of the terms was attempting to hack using a combination of five buttons out of the 16 on the ballot unit. The total time given was four hours. Now a simple calculation would show that using a combination of five buttons works out to 10,48,576 combinations! It would take a few months to work out those combinations. It’s clear that they have no idea how computer security or hacking works,” says the expert.

From the month-long research that gfiles undertook for this story, a few things are clear: That the EVMs are hackable. As long as the ECI doesn’t embrace independent computer security experts drawn from outside the PSUs, doubts will continue to persist about the integrity of the machines. VVPAT can erase some doubts about EVM rigging, but for that at least 25 per cent of electronic votes should be tallied against the paper trail for each assembly constituency. Going back to paper ballot is not an option because of our past experiences of ballot box stuffing and booth capturing.

Unlike other Indian media houses, gfiles will be staying on this story in the months ahead and will report as and when there are any further developments.

RTI Response by Election Commission

RTI Response by Bharat Electronics Ltd

RTI Response by Electronics Corporation of India Ltd
