So, you might remember my spirited defense of EVMs. I still stand by it, except that my first election with VVPAT has taken away my trust. VVPAT has created a hole in the EVM armor & made the process amenable to hacking @DrSYQuraishi @AshokLavasa @ECISVEEP
https://twitter.com/naukarshah/status/842027913029414917?s=20
@DrSYQuraishi @AshokLavasa @ECISVEEP Just to state the source, all my references and pics are from the ECI manual on EVMs and VVPAT available for download from the ECI site. eci.gov.in/files/file/923… In case of any doubt one may download it and go through in detail. 2/n
@DrSYQuraishi @AshokLavasa @ECISVEEP On why now & why not while being in the service?
I did raise it on two occasions. During the ECI training of Returning Officers at the IIIDEM, and later at the time of commissioning with ECIL.
So now without attributing any malafide, I would like to put my concerns out. 3/n
I did raise it on two occasions. During the ECI training of Returning Officers at the IIIDEM, and later at the time of commissioning with ECIL.
So now without attributing any malafide, I would like to put my concerns out. 3/n
@DrSYQuraishi @AshokLavasa @ECISVEEP Unlike before, the Ballot Unit (BU) is not connected to Control Unit (CU - Memory of EVM) directly any more.
It is connected through VVPAT.
Means what you press on that blue button in the BU is not registering the vote in the CU anymore.
But what VVPAT communicates to CU is!
It is connected through VVPAT.
Means what you press on that blue button in the BU is not registering the vote in the CU anymore.
But what VVPAT communicates to CU is!
@DrSYQuraishi @AshokLavasa @ECISVEEP That is dangerous!
For VVPAT now controls two things.
1. What is being shown to the public in the form of paper slips. Or the perception & trust factor.
2. What is actually getting registered in the Control Unit as a vote. Or the actual vote factor. 4/n
For VVPAT now controls two things.
1. What is being shown to the public in the form of paper slips. Or the perception & trust factor.
2. What is actually getting registered in the Control Unit as a vote. Or the actual vote factor. 4/n
@DrSYQuraishi @AshokLavasa @ECISVEEP This itself is a serious design flaw.
But I guess this was done to make use of the existing CUs and BUs.
Existing EVMs did not provide for VVPAT ports.
So VVPAT was so designed to mimic as a CU for the BU and as a BU for the CU. I think.
But I guess this was done to make use of the existing CUs and BUs.
Existing EVMs did not provide for VVPAT ports.
So VVPAT was so designed to mimic as a CU for the BU and as a BU for the CU. I think.
@DrSYQuraishi @AshokLavasa @ECISVEEP With the kind of design, it is clear that the whole process can be vitiated by manipulating the VVPAT.
Question now is whether VVPAT can be manipulated?
If it can be, then how & when in the process.
And if it is, then do we have a fool proof process check.
Question now is whether VVPAT can be manipulated?
If it can be, then how & when in the process.
And if it is, then do we have a fool proof process check.
@DrSYQuraishi @AshokLavasa @ECISVEEP As I understand, VVPAT is a simple processor, a memory and a printer unit.
It has a memory because serial numbers, names & symbols of the candidates need to be loaded on to it before the elections, so that it gets printed in the paper slip.
Note: This pic from internet.
It has a memory because serial numbers, names & symbols of the candidates need to be loaded on to it before the elections, so that it gets printed in the paper slip.
Note: This pic from internet.
@DrSYQuraishi @AshokLavasa @ECISVEEP So VVPAT has a processor, and has a programmable memory, and it is what registers vote in the control unit.
And if it has a processor and a programmable memory, it can be hacked. Any malware downloaded on to it can cause the entire system to misbehave
But now on to when & how?
And if it has a processor and a programmable memory, it can be hacked. Any malware downloaded on to it can cause the entire system to misbehave
But now on to when & how?
@DrSYQuraishi @AshokLavasa @ECISVEEP The strongest defense any election officer has had to the question of
'What if the CU is already programmed/hacked before it comes to you'
was that
'But they wouldn't know the sequence of candidates. So whatever they may program, they wouldn't know who is at what number!'
'What if the CU is already programmed/hacked before it comes to you'
was that
'But they wouldn't know the sequence of candidates. So whatever they may program, they wouldn't know who is at what number!'
@DrSYQuraishi @AshokLavasa @ECISVEEP And that fool-proof check is what we have compromised with the introduction of VVPAT.
For symbols are loaded on to the VVPAT by the engineers from their Laptops/Jigs after the candidates are finalized.
VVPATs are connected to external devices after candidate sequence is known!!
For symbols are loaded on to the VVPAT by the engineers from their Laptops/Jigs after the candidates are finalized.
VVPATs are connected to external devices after candidate sequence is known!!
@DrSYQuraishi @AshokLavasa @ECISVEEP When one can access the VVPAT after the candidate sequence is known, and can connect a laptop/computer/Symbol Loading Jig, is precisely when one can load a malware also into the VVPAT.
This access should not have been provided.
That answers the when question. Now to the how.
This access should not have been provided.
That answers the when question. Now to the how.
@DrSYQuraishi @AshokLavasa @ECISVEEP I forgot to add the other defense we had. That no-one had physical access to the EVMs once candidates are set.
By allowing external devices to be brought to the commissioning room, and allowing it to be connected to VVPAT, we have foregone this defense too.
By allowing external devices to be brought to the commissioning room, and allowing it to be connected to VVPAT, we have foregone this defense too.
@DrSYQuraishi @AshokLavasa @ECISVEEP On to the how part: Since VVPAT controls both the trust factor & the vote factor, a possible method could be,
VVPAT prints what is pressed in the BU. So voter sees that paper trail tallies with his pressing of the button. #TheTrust
Sends something else to the CU. #TheVote
VVPAT prints what is pressed in the BU. So voter sees that paper trail tallies with his pressing of the button. #TheTrust
Sends something else to the CU. #TheVote
@DrSYQuraishi @AshokLavasa @ECISVEEP While we have a provision for if a voter complaints that the VVPAT paper trail does not match with the button he pressed, there is no way he can know if the VVPAT has send the same input to the CU.
So the wrong printing can be caught, but not right printing and wrong registering
So the wrong printing can be caught, but not right printing and wrong registering
@DrSYQuraishi @AshokLavasa @ECISVEEP For me, that answers the question of how.
Now on to the question of do we have a fool-proof process check against this.
Ideally, since such a new device has been inserted in between two devices, the verification and tallying should be done at both the ends for every vote.
Now on to the question of do we have a fool-proof process check against this.
Ideally, since such a new device has been inserted in between two devices, the verification and tallying should be done at both the ends for every vote.
@DrSYQuraishi @AshokLavasa @ECISVEEP While citizen has verified the BU & VVPAT end, that what he saw is what he pressed, the CU & VVPAT verification needs to be done through tallying paper trails with vote count in the CU.
But as it takes time, we only do such verification for a selected few per constituency.
But as it takes time, we only do such verification for a selected few per constituency.
@DrSYQuraishi @AshokLavasa @ECISVEEP Even if we find an inconsistency, current procedure simply says go as per the VVPAT count for that particular EVM.
So if one is to manipulate only a few EVMs & not all through VVPATs,
1. Chances of getting caught are less.
2. Even if caught, it will be seen as a one-off error.
So if one is to manipulate only a few EVMs & not all through VVPATs,
1. Chances of getting caught are less.
2. Even if caught, it will be seen as a one-off error.
@DrSYQuraishi @AshokLavasa @ECISVEEP Now on to the process checks of randomization & mock-polls.
Randomization is completely ineffective here as the access of VVPAT to external devices is given after it is allotted to the constituency.
So it doesn't matter which EVM is going to which PS after randomization.
Randomization is completely ineffective here as the access of VVPAT to external devices is given after it is allotted to the constituency.
So it doesn't matter which EVM is going to which PS after randomization.
@DrSYQuraishi @AshokLavasa @ECISVEEP The other check is of mock-polls. There are two mock-polls after the commissioning of EVMs (When candidates sequence is loaded).
1. Mock-poll of 1000 votes on random 5% of EVM at the time of commissioning.
2. Mock-poll of 50 votes at the polling station (PS) on the day of poll
1. Mock-poll of 1000 votes on random 5% of EVM at the time of commissioning.
2. Mock-poll of 50 votes at the polling station (PS) on the day of poll
@DrSYQuraishi @AshokLavasa @ECISVEEP The mock-poll of 1000 votes on 5% random EVMs could act as a check. But not a fool-proof check.
If one is attempting to manipulate only a few EVMs, the chances of it getting caught are less. And even if caught, it is seen as a malfunction and the EVM is set aside.
Nothing else!
If one is attempting to manipulate only a few EVMs, the chances of it getting caught are less. And even if caught, it is seen as a malfunction and the EVM is set aside.
Nothing else!
@DrSYQuraishi @AshokLavasa @ECISVEEP However, the other mock-poll of 50 votes on the day of poll is not a check at all.
If it is known that in every EVM first 50 votes will be tallied on the spot, you write your code such that it starts manipulating only after say a 100 votes.
No chance of getting caught there.
If it is known that in every EVM first 50 votes will be tallied on the spot, you write your code such that it starts manipulating only after say a 100 votes.
No chance of getting caught there.
@DrSYQuraishi @AshokLavasa @ECISVEEP So, by introducing VVPATs, we have created so much vulnerability to an otherwise fool-proof process, while not adding adequate checks, either in the process or during the counting.
I feel there is an urgent need to address this so that the process become more robust.
I feel there is an urgent need to address this so that the process become more robust.
@DrSYQuraishi @AshokLavasa @ECISVEEP The fact that so many VVPAT slip counting has tallied with EVMs does instill a lot of confidence that such a manipulation wouldn't have happened in the past.
But we cannot & should not leave elections of the largest democracy in the world to even the slightest of the chances.
But we cannot & should not leave elections of the largest democracy in the world to even the slightest of the chances.
@DrSYQuraishi @AshokLavasa @ECISVEEP Phew!
A load off the chest.
Wanted to write it before I forget all these details. 😬
Also so that there is an informed discussion on the role of VVPAT in EVMs.
Hope I am wrong about my concerns. n/n
A load off the chest.
Wanted to write it before I forget all these details. 😬
Also so that there is an informed discussion on the role of VVPAT in EVMs.
Hope I am wrong about my concerns. n/n
@threadreaderapp unroll
• • •
Missing some Tweet in this thread? You can try to
force a refresh
