A reply to a query under the Right to Information (RTI) Act obtained from the Election Commission of India (ECI) and the EVM+VVPAT manufacturers—Bharat Electronics Ltd (BEL) and Electronics Corporation of India Ltd (ECIL), points out that the claim about EVMs being infallible is questionable. The prime reason is that the micro-controller used in the EVMs cannot be called `one-time programmable’ (OTP). They contain three kinds of memories including `FLASH’ memory (that can be electrically erased and reprogrammed), which allegedly makes it open to manipulating data. This information is posted on the website of the Netherlands-based NXP Semiconductors NV, which supplies the micro-controller chips. Also, most of the information sought on this vital public issue stands denied by all the three public authorities.
Venkatesh Nayak, RTI research scholar and programme coordinator of Commonwealth Human Rights Initiative (CHRI), who filed these RTI applications, says, “While the ECI continues to claim that the micro-controller used in the EVMs is OTP, the description of the micro-controller’s features on NXP’s website indicates that it has three kinds of memory—static random-access memory (SRAM), FLASH and electrically erasable programmable read-only memory (EEPROM or E2PROM). Experts who know enough and more about micro-controllers confirm that a computer chip, which includes FLASH memory, cannot be called OTP.” Mr Nayak, who filed the RTI application with the ECI in February 2019, sought the following information:
A clear photocopy of all reports of the technical evaluation committees received since 1990 till date regarding EVMs and VVPATs, along with annexures, if any;
A clear photocopy of the report of the forensic examination of EVMs conducted by the Central Forensic Science Laboratory (CFSL) pursuant to the direction of the Bombay High Court in EP No. 15 of 2014 along with annexures, if any; and
The complete list of manufacturers of micro-controllers used in the EVMs along with their postal addresses.
In his reply, the central public information officer (CPIO) from ECI simply stated that the file, regarding compliance with the Central Information Commission (CIC)’s recommendation to make the source code related information about EVMs public, was under submission.
The CPIO stated that the report of the forensic examination of the EVMs used in the elections to the Assembly constituency of Parvati at Pune in Maharashtra, in 2014 were submitted to the Bombay High Court in a sealed cover. The ECI’s CPIO claimed that information about suppliers of micro-controllers used in the latest generation (M3) of the EVMs and VVPATs supplied to the ECI were available exclusively with the manufacturers. Mr Nayak’s analysis of the main findings from documents obtained through the three RTI interventions shows:
The micro-controllers (computer chip) embedded in the BEL-manufactured EVMs and VVPATs used in the current elections, are manufactured by NXP—a reputable multi-billion dollar corporation based in the Netherlands with offices in over 30 countries.
ECIL refused to disclose the identity of the manufacturer of the micro-controller used in its EVMs and VVPATs citing commercial confidence under Section 8(1)(d of the RTI Act;
In 2017, some segments of the media reported that Microchip Inc, US headed by a non-resident Indian (NRI) billionaire supplied the EVM micro-controllers. Documents released under the RTI Act show, that at least BEL has not used this company’s micro-controllers in the EVMs sold to the ECI for use in the current elections;
While the ECI continues to claim that the micro-controller used in the EVMs is one-time programmable or OTP, the description of the micro-controller’s features on NXP’s website indicates that it has three kinds of memory – SRAM, FLASH and EEPROM (or E2PROM). Experts who know enough and more about micro-controllers confirm that a computer chip, which includes FLASH memory, cannot be called OTP;
The ECI has not yet made any decision on the September 2018 recommendation of the CIC to get the competent authorities to examine whether detailed information about the firmware or source code used in the EVMs can be placed in the public domain in order to create public trust in the EVM-based voting system;
Despite the passage of more than five years, the ECI does not appear to have acted on the 2013 recommendation of its own technical evaluation committee (TEC) to make the firmware or source code embedded in the micro-controller used in EVMs transparent in order to ensure that there is no Trojan or other malware in the EVMs;
ECIL replied that the firmware or source code testing was done by a third party, namely, STQC, an agency under the ministry of electronics and information technology. But the CPIO denied access to the reports on the ground that they were too voluminous. BEL denied access to this information claiming the exemption relating to commercial confidence and intellectual property rights under Section 8(1)(d) of the RTI Act;
BEL won a purchase order worth Rs2,678.13 crore to supply EVMs and VVPATs to ECI. ECIL, however, refused to disclose this information also, stating that despatch data will be supplied after the general elections are completed; and;
While BEL claimed that the battery powering its EVM could last 16 hours of non-stop voting with 4 ballot units, ECIL claimed a battery life of two years for its EVMs!
While ECIL claimed that the firmware and source code audit related information was 'classified' and could not be disclosed under Section 8(1)(a) of the RTI Act which protects national security interests, BEL claimed commercial confidence and intellectual property rights-related exemption under Section 8(1)(d) to deny access to the same information.
The controversial story of India’s EVMs
Senior leader of BJP, GVL Narsimha’s book, Democracy At Risk! Can We Trust Our Electronic Voting Machines? states:
The most important among the "insiders" are the manufacturers of India's electronic voting machines namely, Bharat Electronics Limited (BEL) and Electronics Corporation of India Ltd. (ECIL). Both are wholly government owned Central public sector undertakings under the administrative control of the government of India.
In implementing the electronic voting machine regime, BEL and ECIL have in turn engaged the services of many others including foreign companies manufacturing microcontrollers (commonly referred to as chips) and private players and outsourcing agencies (some of which allegedly having political connections) for carrying out checking and maintenance of electronic voting machines during elections. They all are a source of potential hazard.
Another group that has a major role in maintaining the integrity of the voting machines is district administration in whose custody the EVMs are stored throughout their life cycle. As the same voting machines are commonly used in the same district over several elections, there are concerns regarding the security of the voting machines often stored in a decentralised manner in several locations in a district.
"Secret" Software Revealed to Foreign Companies:
Shockingly, the EVM manufacturers, namely BEL and ECIL have shared the "top secret" software programming code used in the electronic voting machines with foreign manufacturers (Microchip, USA and Renesas, Japan) to have it fused (copied) onto the microprocessors. These chips are then delivered to BEL and ECIL through their local vendors as 'masked' microchips (in case of ECIL) or 'One Time Programmable Read Only Memory (OTP-ROM)' microchips (in case of BEL).
As the microchips delivered to the manufacturers are 'masked' or 'OTP-ROM', when the microchips are delivered, the EVM manufacturers have no facility to read back the contents in the microchips to establish whether the microchips supplied to them have the original software or not. Manufacturers of EVMs, BEL and ECIL can only carry out functionality tests on the electronic voting machines to check whether they are working properly or not. They cannot detect if the microchips supplied to them have malicious programming. To say the least, this is shocking.
If the microchips in the electronic voting machines contain malicious software (commonly referred to as Trojan), elections results can be manipulated easily.
Malicious programming can remain dormant during normal testing processes, but get activated later at the time of elections. This would result in an election fraud that can neither be detected before elections nor proved after elections.
Curiously, BEL and ECIL could have done the 'fusing' of the software onto microcontrollers in their own premises in a secure manner. That being the case, why did they prefer to do this in a foreign country? At whose instance was this decision taken and what were the compelling reasons for taking the decision? Was the Election Commission responsible for taking this decision? If no, did it approve of the decision by the manufacturers? And, was it at least aware of it?
Despite repeated queries, there are no answers forthcoming from the Election Commission to any of these questions.
According to the RTI replies given by the Election Commission, the software program (referred to as source code) in the EVMs is not available with it. The expert committee of the Election Commission, headed by Prof PV Indiresan, which approved the EVMs currently in use in elections, has done "black box testing". This means that the committee did not examine and certify the software program in the EVMs. It is the software in the EVMs that drives all its functions. By apparently not examining the software and merely relying on functionality tests, the Expert Committee has left a gaping hole in the security of the EVMs. This is horrifying.
(Vinita Deshmukh is consulting editor of Moneylife, an RTI activist and convener of the Pune Metro Jagruti Abhiyaan. She is the recipient of prestigious awards like the Statesman Award for Rural Reporting which she won twice in 1998 and 2005 and the Chameli Devi Jain award for outstanding media person for her investigation series on Dow Chemicals. She co-authored the book “To The Last Bullet - The Inspiring Story of A Braveheart - Ashok Kamte” with Vinita Kamte and is the author of “The Mighty Fall”.)