Are VVPAT machines really hackable? Response to allegations made by ex-IAS Kannan Gopinathan
Let us first make explicit our intention in responding to the allegations against the EVM-VVPAT combination.
We were all aware of the controversies relating to EVMs when they were first introduced. Since EVMs are electronic devices, and since they include a processor-like component inside them, there was a lot of hue and cry regarding the possibility of their being hacked.
It is such misunderstandings, created by flawed arguments, that we wish to dispel in this article.
This article cannot be an exhaustive technical analysis of the details behind the EVM or VVPAT, for two reasons:
1. It is intended for the general reader.
2. The ECI has not published schematics of either the EVM or the VVPAT, for obvious reasons. So we can go only by what the ECI has stated in the public domain.
Now, the main argument is against the VVPAT machine, which was added as a means for the voter to verify that the machine has indeed cast the vote for the candidate he had in mind. The VVPAT machine contains information about the candidate list in the constituency, their symbols and how they have been arranged on the ballot unit. So, by checking the printout on the VVPAT machine, one can verify whether the ballot unit and the whole voting process are working the way they were intended to. But there are a few things the critics bring to our notice which they think are major vulnerabilities of the VVPAT machine and which, when it is combined with the EVM-Ballot Unit duo, allegedly compromise the whole election process, if the accusations are factually correct.
Let's sum up the main charges against the VVPAT and the EVM-VVPAT-Ballot Unit trio.
1. VVPAT is a patchwork added to the existing system.
2. Since VVPAT sits between the Ballot Unit and the Control Unit, it can influence what goes into the Control Unit, i.e., information about the vote.
3. VVPAT is not a standalone device, since it is connected to external devices during symbol loading.
4. Since it is not a standalone device, it is prone to being hacked.
So, the main point against VVPAT is that, since it sits between the CU and the ballot unit, anyone who somehow hacks the VVPAT and tampers with its "programmable memory" can sabotage the whole election process and get the system to register votes for whomever the intruder wants. The allegation further states that the tampering can be done when the data containing the candidate list, symbols etc. are loaded into the VVPAT using laptops or other compatible devices, like symbol loading jigs.
Now, the statement that VVPAT sits between the CU and BU is correct, as one can see from the diagrams provided by the Election Commission of India. While previously the cable from the BU connected to the CU, the cable from the BU now goes to the VVPAT, and a second cable from the VVPAT, similar to the BU-CU cable in the old design, connects with the CU. There is nothing doubtful regarding this. It is the interpretative arguments about VVPAT and the connections involved that we wish to analyze.
To begin with, the purpose of VVPAT was to bring more transparency to the voting process through electronic means. The voter, unlike before, now has a secondary means of visual verification: a paper trail that shows the candidate he has voted for. Now, since a certain percentage of VVPATs are verified at the end of the election process, matching them against the votes cast on EVMs, it is not possible by any means to tamper with the election process, exactly for these two reasons:
1. VVPATs are verified by the voters at the time of elections.
2. VVPATs are verified after the election is over too.
In essence, VVPAT has brought more transparency and trust to the election process.
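The post-election check described above can be sketched in code. This is an added example, not ECI's procedure or software: the machine IDs, counts, sample size and seed are constructed, and the function names are hypothetical. It reconciles Control Unit totals against hand-counted slips for a random sample of machines, and computes the chance that a sample of a given size includes at least one discrepant machine.

```python
import random
from math import comb

# Constructed sample data: per-machine Control Unit totals and hand-counted
# VVPAT slips. Machine IDs and counts are made up for illustration.
MACHINES = {
    "M1": {"cu": {"A": 310, "B": 275}, "slips": {"A": 310, "B": 275}},
    "M2": {"cu": {"A": 198, "B": 402}, "slips": {"A": 198, "B": 402}},
    "M3": {"cu": {"A": 350, "B": 240}, "slips": {"A": 340, "B": 250}},  # mismatch
    "M4": {"cu": {"A": 121, "B": 133}, "slips": {"A": 121, "B": 133}},
    "M5": {"cu": {"A": 287, "B": 290}, "slips": {"A": 287, "B": 290}},
}

def reconcile(cu, slips):
    """Return {candidate: (cu_count, slip_count)} for every count that differs."""
    return {c: (cu.get(c, 0), slips.get(c, 0))
            for c in sorted(set(cu) | set(slips))
            if cu.get(c, 0) != slips.get(c, 0)}

def audit(machines, sample_size, seed):
    """Draw sample_size machines at random and reconcile each one.
    The seed stands in for a public random draw (an assumption)."""
    chosen = random.Random(seed).sample(sorted(machines), sample_size)
    findings = {}
    for mid in chosen:
        diff = reconcile(machines[mid]["cu"], machines[mid]["slips"])
        if diff:
            findings[mid] = diff
    return findings

def detection_probability(total, discrepant, sample_size):
    """Chance that a random sample holds at least one discrepant machine
    (hypergeometric: 1 - C(total - discrepant, n) / C(total, n))."""
    return 1 - comb(total - discrepant, sample_size) / comb(total, sample_size)

if __name__ == "__main__":
    print(audit(MACHINES, sample_size=5, seed=2024))
    print(detection_probability(total=10, discrepant=1, sample_size=5))
```
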
Next, many from the opposition parties and many analysts make the claim that the VVPAT machine is a very complex digital system that is prone to hacking. They also say it contains device drivers, such as those used to actuate individual components like printers, photodiodes etc. In effect, they compare the whole VVPAT to a general-purpose minicomputer. This is where the whole argument is erroneous. Simple machines such as standalone printers, which are not normally connected to computers and are meant for very specific purposes, such as a token machine or a billing machine, run on something called an "Application Specific Integrated Circuit" (ASIC). What this means is that the IC used has been pre-programmed, much like the one-time programmable EVM. ASICs are not reprogrammable, in the sense that you cannot change the code they run.
Malware can affect only those systems which resemble general-purpose computers, which run an operating system and have features like RAM etc. The only thing the VVPAT is designed to receive from an external device is the information about what it should be printing. Just as a token machine can be *programmed* to alter the content it is supposed to print by using a custom-made application, VVPAT too is most likely designed around an Application Specific Integrated Circuit, and the only thing one can change is what it prints, which is done by ECIL engineers before the elections, using symbol loading jigs or laptops, as we have been told by the ECI. The code it runs cannot be changed, since it should ideally run on an ASIC. We can simply disregard the allegation that VVPAT is hackable just by noting that it should ideally run on an Application Specific Integrated Circuit designed to carry out a specific task, here printing and acting as a bridge between the BU and CU, and that its code cannot be accessed or changed.
This method of loading external data is also used in setting the Real Time Clock inside the Control Unit using time setting jigs. Here too, the OTP (One Time Programmable) chip inside the Control Unit has been pre-programmed to receive information about time and date, just as VVPAT receives the information about candidates using symbol loading jigs or laptops with the symbol loading application made by ECIL. So, just connecting the EVM to an *external device* cannot change the code it runs. The same logic applies to VVPAT running on an application-specific IC, much like that of the EVM Control Unit.
The ECI also mentions that newer models of EVMs are encrypted down to the hardware level, so that only ECIL/BEL components can be interconnected. This further weakens the argument that any type of tampering is possible. The ECI also states that these machines are not *stand alone* in the strictest sense, but need to be occasionally interfaced with ECIL/BEL certified components for data upload, inspection etc.