EVM-VVPAT Vulnerable to Manipulation – Public Unaware & EC Silent

EVMs and VVPAT machines are vulnerable to manipulation during polls due to a major technical glitch, say experts.

4 min read

Video editor: Purnendu Pritam


The voter-verified paper audit trail or VVPAT machine was included in the election process by the Supreme Court in 2013 to assure voters that their vote has been correctly registered by the electronic voting machine (EVM). The Supreme Court, in its order, had said:

“The paper trail system will supplement the voting procedure. After recording a VOTE in the EVM, a printout from the VVPAT will confirm for the voter that [their] VOTE has been rightly registered.”

But since then, has the VVPAT made our election process foolproof?


Can the EVM-VVPAT combination be MANIPULATED?

The ANSWER, unfortunately, is YES.

When you voted during the 2019 Lok Sabha elections, you must have noticed the VVPAT placed next to the Ballot Unit (BU) of EVM, on which you pressed a button to cast your vote.

While the Election Commission of India (EC) did follow the Supreme Court’s order and included VVPAT machines in the election process, there was a major technical glitch that defeated its entire purpose.

To explain this in simple words – think of the EVM as a computer, think of its ballot unit as a keyboard, and its control unit as the computer’s hard drive. And think of the VVPAT machine as a printer connected to the computer.


EVM-VVPAT Combo Has a Major Technical Glitch

Each time a vote is punched in the ballot unit, it should get stored in the memory of the EVM’s control unit.

And then, a printout from the VVPAT machine should confirm that the vote has been cast as per the button pressed by the voter on the EVM.

The information should go from the ballot unit to the control unit to the VVPAT machine.

The Quint, however, has found out that this is not how the EVMs and VVPATs are connected.

In the current process, a VVPAT machine is placed between the ballot unit and the control unit.

So, the ballot unit transmits the vote first to the VVPAT machine, which gives a printout of the vote, and then that information is electronically recorded in the memory of the control unit.


Vote Registered First By the VVPAT and Then By the EVM’s Control Unit

Now, you may ask, WHY IS THIS SIGNIFICANT?

Well, in earlier elections, before the VVPAT was introduced, the EVM only recorded the information of which button was pressed on its ballot unit. It did not know which party that button stood for. However, for the VVPAT machine to do its job, it has to be told which party and candidate each button on the ballot unit stands for.

Now, the software containing the party symbol and the candidate name is uploaded via laptops into the VVPAT machines. This is done by engineers working for EVM manufacturing companies, like BEL and ECIL, over a period of two weeks before the polling dates.

If someone wanted to manipulate the election result, they could introduce a malware through an external device, ie laptop, into the VVPAT machines, while this sensitive information is uploaded into them.

Malware Can Dictate the Vote Which is Recorded in EVM’s Control Unit: Expert

The Quint spoke to former IAS officer Kannan Gopinathan, who was an election officer in the 2019 Lok Sabha elections and has a BTech in Electrical Engineering. He explained to us how malware can manipulate EVM votes:

“A VVPAT is connected to an external device, and this is where the malware gets into the picture. Now let’s assume whatever you are pressing on the ballot units is also showing on the VVPAT. So when the voter sees it, [they are] satisfied and happy – ‘Okay, I pressed candidate one, the symbol and the candidate number 1 has been printed.’ But we do not know what’s going from the VPPAT to the control unit. Let’s assume that the malware has the potential to send something else into the control unit. So now the voter has pressed number 1 or number 2 candidate, but VVPAT shares some other signal with the control unit through this malware. Let’s say, the voter has pressed candidate 1 and the VVPAT prints candidate 1, but shares the signal of candidate 2 with the control unit. An intelligent manipulation is possible. At that point of time, the voter has no way to find out what has been recorded in the control unit.”

Now, Why is This Fear Real?

Because, as a story published by The Quint has already shown, the engineers who upload this sensitive information into VVPAT machines are from private companies. In fact, the private company that provided engineers to the Election Commission for elections during 2017-18 was not even empanelled with the EVM manufacturing company ECIL.

Can we still consider our election process to be safe and secure? The answer is a clear NO.

Another defence offered by the EC is that of randomisation – that nobody knows which EVM-VVPAT is headed to which constituency, so they can’t be manipulated.

BUT, this argument now falls flat! WHY?

Because for the VVPAT machine to do its job, it has to be given the candidate and party names specific to each constituency, which means, this data can only be uploaded into a VVPAT machine after it is decided WHICH constituency it is being sent to.

We have asked the Election Commission these key questions:

Why does the VVPAT machine control the information reaching the control unit?

Why isn’t it the other way around?

And doesn’t this flaw make the VVPAT-EVM combination vulnerable to manipulation?

The Election Commission has not answered any of these questions yet.

As a voter, each one of us has the right to know that our election process is safe and our democracy is not at risk. We wonder why the EC is silent.

(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)

Speaking truth to power requires allies like you.
Become a Member
Read More