Let
us first make explicit our intentions in attempting such a response opposing
allegations against the EVM-VVPAT combination
We
all were aware of the controversies relating to EVMS when they were first
introduced. Since EVMS are electronic devices and since they include a
processor like thing inside them, there was a lot of hue and cry regarding the
possibility of it being hacked.
Control unit and ballot unit, source:ECI
But
the contentions regarding hacking were based on an incorrect understanding of
what is happening inside the EVM and what it is made up of. EVMS does not
in any way work like desktop computers or even microprocessor based
devices. Once they are programmed during manufacturing process, there is
no means by which it can be reprogrammed to make it behave like we want
to. It is more like a non-programmable calculator with the very basic set
of electronics that do not in anyway resemble modern computers / programmable
devices. Moreover, EVMS and Ballot units used along with are standalone
units that are not connected to external devices to be manipulated (they cannot
be manipulated in the first place), neither do they have hardware enabling
wireless communications. Even many from the opposition parties accept
this, ensuring us that EVMS are "calculator like devices" that cannot
be hacked.
It's
such misunderstandings created by flawed arguments we wish to dispel in this
article.
This
article cannot be made an exhaustive technical analysis of the details behind
EVM or VVPAT for two reasons:
1.
It is intended for the general reader
2.
Even the ECI has not published schematics of neither EVM nor VVPAT for obvious
reasons. So we can go only by what ECI has stated in the public domain.
Now,
the main argument is against the VVPAT machine, which was added as a means for
the voter to verify if the machine has indeed cast the vote for the candidate
he had in his mind. VVPAT machine contains information about the candidate list
in the constituency, their symbols and how they've been arranged in the ballot
unit. So, by checking the printout on the VVPAT machine one can verify if the
ballot unit and the whole voting process was working the way it was intended to
be. But there are a few things the critics brings to our notice which they
thinks are major vulnerabilities of the VVPAT machine, when combined with the
EVM- Ballot Unit duo allegedly compromises the whole election process, if his
accusations are factually correct.
Configuration of CU, VVPAT and BU, source:ECI
Let's
sum up the main charges against the VVPAT and the EVM-VVPAT-Ballot Unit
trio.
1. VVPAT is a patch work into the existing system.
2. Since VVPAT sits between Ballot unit and Control unit, it can
influence what goes inside of the control unit, i.e., information about the
vote.
3. VVPAT is not a standalone device since it is connected to
external devices during symbol loading
4. Since it is not a standalone device, it is prone to get hacked.
So,
the main point against VVPAT is since it sits between the CU and the ballot
unit, anyone somehow hacking the VVPAT tampering with its "programmable
memory" can sabotage the whole election process and get the system to
register votes for whomever the intruder wants. And he states the tampering can
be done when the data containing candidate list, symbols etc. are loaded into
the VVPAT using laptops or other compatible devices, likw symbol loading
jigs.
Now
the statement that VVPAT sits between CU and BU is correct as one can see from
the diagrams provided by Election commision of India. While it was the cable
from BU connecting to the CU previously, the cable from BU now goes to the
VVPAT and a second cable from VVPAT, similar to the BU-CU cable in the old
philosophy, connects with the CU. There's nothing doubtful regarding this. Now
it's the interpretative arguments about VVPAT and the connections involved that
we wish to analyze.
Interconnections of VVPAT, CU and BU, source:ECI
To
begin with, the purpose of VVPAT was to bring in more transparency to the
voting process through electronic means. The voter, unlike before, now has a
secondary means of visual verification, a paper trail that shows the candidate
he had voted for. Now, since a certain percentage of VVPATs are verified at the
end of the election process, matching them against the votes cast on EVMs , it
is not possible by any means to tamper with the election process exactly for
these two reasons:
1.VVPATs
are verified by the voters at the time of elections
2.VVPATs
are verfied after the election is over too.
Is
essence, VVPAT has brought in more transparency and trust factor in the
election process.
What is VVPAT, source:ECI
Next,
many from the opposition parties and
analysts makes the claim that the VVPAT machine is a very complex system
digital system that is prone to hacking. They also says it contains device
drivers such as those which would be used to actuate individual components such
as printers, photodiodes etc. In effect, they compare the whole VVPAT to a
general purpose mini computer. This is where the whole argument is erroneous.
Simple machines such as standalone printers which are not normally connected to
computers, and meant for very specific purposes such as a tocken machine or a
billing machine, runs on something called "Application Specific Integrated
Circuits(ASIC)". What it means that the IC used has been pre programmed,
much like the one time programmable EVM. ASICs are not reprogrammable in the sense
that you cannot change the code it runs on.
Malware
can affect only those systems which resemble general purpose computers, which
runs on an Operating system and has features like RAM etc. The only thing
it is designed to receive from an external device is the information about what
it should be printing. Just like a token machine can be *programmed* to alter
the content it is supposed to print by using a custom made application, VVPAT
too is most likely desgined around an Application Specific integrated circuit,
and the only thing one can change is what it prints, which is done by ECIL
engineers before the elections, using symbol loading Jigs or laptops as we have
been told by ECI. The code it runs cannot be changed since it should ideally
run on an ASIC. We can simply disregard the allegation that VVPAT is hackable
just by noting that it should ideally run on an application specific Interated
Circuit designed to carry out a specific task, here printing and acting as a
bridge between the BU and CU, and that its code cannot be accessed
changed.
This
method of loading external data is also used in setting the Real Time Clock
inside the Control Unit using time setting Jigs. Here too, the OTP(One Time
Programmable ) chip inside the Control Unit has been preprogrammed to receive
information about time and date, just as VVPAT receives the information of
candidates using symbol loading Jigs/Laptops with symbol loading application
made by ECIL. So, just connecting the EVM to an *external device* cannot change
the code it runs on. The same logic applies to VVPAT running on an application
specific IC, much like that of the EVM control Unit.
Uploading date and time in CU using Jigs, source:ECI
ECI
also mentions that newer models of EVMs are encrypted to the hardware level so
that only ECIL/BEL components can be interconnected. This further weakens the argument
that any type of tampering is possible. ECI also states these machines are not
*stand alone* in the strictest sense, but needs to be occasionally interfaced
with ECIL/BEL certified components for data upload, inspection etc.
Salient features of EVMs, especially the latest M3 model, source:ECI
Now since ECI hasn't yet released the internal schematics of both the EVM and VVPAT, our argument about VVPAT should hold just as good as that for EVM.
Just as EVM ideally runs on a One time Programmable chip which isn't hackable, VVPAT too like other special purpose printers should run on Application based integrated circuits which aren't *reprogrammable* in the strictest sense of the word, and hence not hackable like a general purpose computer which runs on an operating system and has accessories lIke RAM etc.
Critics makes another accusation that the introduction of VVPAT into the system is a patchwork which has compromised the security of the election process, because a "programmable" device is "sitting in" between Control Unit and Ballot Unit.
But this philosophy of "cascading" multiple devices has always been there in election processes, right from its introduction. For instance, when the total number of candidates in a constituency exceeds 16, the maximum number of keys in a single Ballot Unit, additional units are cascaded, i.e., connected in series. The connection is shown below.
Connection for cascading of multiple ballot units, source:ECI
So, to cast vote for, say 20th candidate, the voter has to use the second Ballot Unit, and the signal passes through the first Ballot Unit to the EVM.
Rear view of CU, showing connector compartment, source:ECI
Now since ASIC based devices are themselves not "reprogrammable/hackable", the new arrangement devised by designers, Ballot Unit-VVPAT-Control Unit, is nothing different from the old Ballot Unit-Ballot Unit-Control Unit philosophy, since we have argued that VVPAT is not hackable and the only variable inside it is the data for printing.
Cascading of ballot units, source:ECI
Based on this too , we can conceptually dispel the allegation that the signal given out by Ballot Unit is prone to manipulation by the processor inside VVPAT. For one thing, you cannot change the code of an ASIC based machine. Second, such a transfer of data, like that already employed in the cascading of Ballot Units, can be employed by a simple timed latch, another non programmable component.
Now, coming to the uploading of symbols. What the critics say is in concordance with what the Election Commision of India has to tell- that symbols and other information are uploaded via laptops or other symbol loading machines. Now since the ASIC on which our VVPAT should ideally run, like any other ASIC, will treat this just as data and not as code, because they are non-reprogrammable in the first place.
Which means the worst one can do to a ASIC based VVPAT is to get it print something crazy. But this is an explicit error and can be noted by the voters Now such types of attacks on printers have occured in the recent past, like
these, where printers whose ports were open to the internet have been tricked into printing random stuff.
A recent malware attack on printers
So the only kind of printers that are hackable atleast to this level are hobby based ones such as given below, which runs of programmable micro controller based platforms. But it would be naive to think any serious designer would go for it.
Above all of these, as said in the beginning, the Control Unit of an EVM attaches a time stamp for each and every vote cast using a Real Time Clock (RTC). The presiding officer registers the sequence of voting too. The voting process is monitored by CCTV surveillance as well. So, during VVPAT matching, any discrepancy that crept in due to a possible hacking can be found out. This verification of VVPAT itself debunks the argument that the election process can be rigged by employing a malware. In fact, VVPAT has provided more transparency in the voting process and has elevated the trust factor common people would ascribe to elections through electronic means.
Time stamping in EVMs, source:ECI
So, the arguments by critics about VVPAT philosophy is both counter intuitive and wrong.
VVPAT has brought in more transparency to the election process, since votes cast are now verifiable. Use of VVPAT itself knocks off the argument that these machine can be hacked without anyone noticing, since the voting process uses time- stamping and video surveillance.
VVPAT like printers are not complex digital machines like programmable general purpose computers in the strictest sense of the word. They run on Application Specific Integrated Circuits the code of which is unalterable.
It needn't contain executables like device drivers you would see in Operating System bases platforms, but the code has been pre programmed into it.
Since ASIC based machines like VVPAT printers does not contain an operating system and RAM, you cannot manipulate it using any kind of malware.
The Ballot Unit - VVPAT - Control Unit philosophy is essentially the same as the Ballot Unit - Ballot Unit - Control Unit cascading philosophy used in elections.
Here we may prove the equivalency of CU-BU-BU cascading and CU-VVPAT-BU cascading since both VVPAT and EVM+BU are not reprogrammable/hackable
Equivalency of CU-VVPAT-BU and CU-BU-BU connections
Even the data uploading in VVPAT is in agreement with what is done in the Control unit, for example, setting of time using Jigs.
Printers can only be hacked to the extent of being tricked into printing something esle it was not intended to, which would become obvious to the eyes. Such cases have been reported worldwide, and happens mainly because their input ports were being continuously exposed to the Internet, or a hacked computer.
In essence, these arguments apply only to either general purpose desktop computers, or hobby designs such as described above. (Hobby designs use custom programmable microprocessor based platforms, like an Arduino Uno or Raspberry pi).
We would also like to point out that VVPAT machine is similar to the control unit of EVM in all respects, considering the arguments given above.
That the statement VVPAT being a "patchwork" on the existing system is far from logically correct even by considering the basic intentions behind incorporating VVPAT machine into the existing system. VVPAT was meant to function as a verification process in the existing scheme of things, and not as a correction to the old system. So, even going by an elementary level of reasoning, it doesn't look like the designers would have compromised an otherwise perfect methodology just to incorporate a verification mechanism. If adding something like a printer into it might dislodge its safety features, would such eminent designers have even gone for it. Now this defense is by no means fool proof, for only a reasonable technical examination of the arguments like that given above would vindicate it.
