If EC’s EVM-VVPAT Machines Are Secure, Why the ‘Cloak of Secrecy’?

Developed countries have stopped using EVM-VVPAT, while in India the cloak of secrecy around it is dangerous: expert

Poonam Agarwal
EVM-VVPAT machines are assembled by ECIL & BEL. Both refused to share information on the components of EVM-VVPAT machines via RTI, citing “national security”. But experts say “national security is an excuse. Security by obscurity doesn’t work.”
(Image: Erum Gour/The Quint)


Video Editor: Vivek Gupta

If I tell you that a particular gadget cannot be hacked, manipulated or tampered with, would you just believe me?

NO. You would either try to check it out yourself or bring in an expert.

So, why doesn’t the Election Commission follow this logic when it comes to EVM (Electronic Voting Machine) and VVPAT (Voter Verifiable Paper Audit Trail) machines?

Why are we, as citizens and voters, compelled to accept that EVM-VVPAT machines cannot be manipulated, just because EC says so?

Why is there a cloak of secrecy over this crucial issue in the name of national security?

The Quint filed an RTI with the Electronics Corporation of India (ECIL) and with Bharat Electronics Limited (BEL) seeking information on the components used in EVM-VVPAT machines, along with the names of the component suppliers.

Please note that ECIL and BEL merely assemble EVM-VVPAT machines after importing the components from various suppliers.

Both BEL and ECIL refused to share the information, saying: “Classified information. The disclosure of which would affect India’s strategic, scientific or economic interest, and would also harm the competitive position of a third party.”

But experts disagree.

Here’s what IIT Kanpur’s cyber security expert, Prof Sandeep Shukla, says:

“If the EVM-VVPAT design is secure then why is EC afraid to publish it? National security is an excuse. Security by obscurity doesn’t work. Transparent external testing is the best way to find vulnerabilities and improve the design security of EVM-VVPAT machines.”

Many Developed Countries Have Stopped Using EVMs

The fact is that many developed countries have stopped using electronic voting machines after identifying their vulnerabilities.

For instance, Holland stopped using EVMs in 2007. Civil society there engaged with computer experts and found that memory chips in EVM machines could be easily replaced in less than five minutes, allowing for manipulation.

They also found that simple radio receivers placed outside polling stations could observe variations in the electromagnetic signals of the EVMs, making it possible to detect who each voter was voting for.

One of The Quint’s RTI questions to ECIL and BEL was:

“What is the name of the micro-chip used in the EVM?” We also asked for the name and address of the supplier.

While our query wasn’t answered, we found that BEL had shared this information under RTI in May 2019:

The microchips for our EVMs are supplied by NXP, a reputed American firm.

But the more crucial RTI revelation was this: while the Election Commission has always claimed that the EVM microchip is one-time programmable only, experts went to the NXP website and found that its microchips have flash memory, which is not just one-time programmable.

Meaning, if accessed, they can be re-programmed, opening the EVM to manipulation.

Electronic Voting Is Vulnerable to Manipulation: US Study

Moving on, here’s another potential weakness of the EVMs that the EC is not being transparent about – the original source code embedded in the micro-chip of the EVM.

The Election Commission claims that,

“The original source code for the EVM is stored by ECIL and BEL under controlled conditions at all times and is not accessible to anyone.” The EC says this secret source code makes the EVM-VVPAT machines tamper-proof and has refused to make it public.

But a study on electronic voting done by the International Foundation for Electoral Systems and the National Democratic Institute, based in the US, shows that allowing external stakeholders to inspect the source code would allow errors to be identified and corrected.

The study mentions how this was done in the US in 2004, when a group of four scientists identified several flaws after the US government published the source code of their EVMs online.

The question is –

  • Why don’t we do this in India? Why this secrecy about our EVM-VVPAT technology?
  • Why not open up the design, source codes, and components to transparent expert scrutiny?
  • Won’t this improve and make our EVM-VVPAT machines more secure?
  • Does the EC fear the embarrassment that may follow if the weaknesses of our EVM-VVPAT machines are made public?
  • By not being transparent and not letting experts audit our EVM-VVPAT technology, aren’t we jeopardising India’s election process and our democracy?
