New Delhi: Former Indian Administrative Service officer Kannan Gopinathan, who recently quit the service citing growing disillusionment particularly over the restrictions imposed on Jammu and Kashmir, has now raised serious questions about the electoral process having been compromised with the introduction of Voter Verifiable Paper Audit Trail (VVPAT) machines.

VVPATs were inducted into the process to provide an additional buffer against the manipulation of the electoral process by allowing physical tallying of votes.

The Election Commission has, in the past, maintained that its system could not be hacked into as it was not connected to the internet and as Electronic Voting Machines (EVMs) are kept in a secure environment.

But through a series of tweets today, Gopinathan gave a detailed account of how the voting process has allegedly become vulnerable and prone to hacking due to the introduction of the VVPATs. This, he said, was the case because the VVPAT, which possesses a “programmable memory”, now connects the ballot unit to the control unit, that earlier formed the EVM.

Also read: VVPAT Verification: The Supreme Court Must Defend Democracy

Drawing from his past observations on the issue while he was still in service, Gopinathan said “by introducing VVPATs, we have created so much vulnerability in an otherwise fool-proof process”. He said there was an urgent need to address this.

He began by saying that “the fact that so many VVPAT slip countings [have] tallied with EVMs does instil a lot of confidence that such a manipulation wouldn’t have happened in the past. But we cannot and should not leave elections of the largest democracy in the world to even the slightest of the chances.”

He also tweeted that no chances should be taken with the election process.

The fact that so many VVPAT slip counting has tallied with EVMs does instill a lot of confidence that such a manipulation wouldn’t have happened in the past. But we cannot & should not leave elections of the largest democracy in the world to even the slightest of the chances. pic.twitter.com/Grh64sajiQ — Kannan Gopinathan (@naukarshah) September 24, 2019

“So, you might remember my spirited defence of EVMs. I still stand by it, except that my first election with VVPAT has taken away my trust. VVPAT has created a hole in the EVM armour [and] made the process amenable to hacking,” wrote Gopinathan who also tagged former Chief Election Commissioner S.Y. Quraishi and Election Commissioner Ashok Lavasa in his tweet.

Gopinathan said all his references and photographs were from the ECI manual on EVMs and VVPATs, available for download from the ECI site.

When people responded to his tweets asking why he was raising the issue now and why he did not do so while he was in service, Gopinathan said: “I did raise it on two occasions: During the ECI training of Returning Officers at the IIIDEM, and later at the time of commissioning with ECIL.”

Ballot unit now connected to control unit through VVPAT

Gopinathan further said the crucial difference now is that it is the VVPAT which communicates with the control unit.

Unlike before, the Ballot Unit (BU) is not connected to Control Unit (CU – Memory of EVM) directly any more. It is connected through VVPAT. Means what you press on that blue button in the BU is not registering the vote in the CU anymore. But what VVPAT communicates to CU is! pic.twitter.com/08vLFE6rNB — Kannan Gopinathan (@naukarshah) September 24, 2019

He further wrote that VVPAT now controls what is shown on the paper slips and what gets registered on the control unit.

That is dangerous! For VVPAT now controls two things. 1. What is being shown to the public in the form of paper slips. Or the perception & trust factor. 2. What is actually getting registered in the Control Unit as a vote. Or the actual vote factor. 4/n pic.twitter.com/U2dIn8HLH2 — Kannan Gopinathan (@naukarshah) September 24, 2019

Gopinathan also pointed to a “design flaw in the system”.

This itself is a serious design flaw. But I guess this was done to make use of the existing CUs and BUs. Existing EVMs did not provide for VVPAT ports. So VVPAT was so designed to mimic as a CU for the BU and as a BU for the CU. I think. pic.twitter.com/Lki4PRtUMg — Kannan Gopinathan (@naukarshah) September 24, 2019

Manipulating VVPATs

He went on to state that with the new design, the “whole process can be vitiated by manipulating the VVPAT(s)”.

Gopinathan then asked: “Question now is whether VVPAT can be manipulated? If it can be, then how and when in the process. And if it is, then do we have a foolproof process check.”

He also gave out details of what VVPAT was saying, “As I understand, VVPAT is a simple processor, a memory and a printer unit. It has a memory because serial numbers, names and symbols of the candidates need to be loaded on to it before the elections, so that it gets printed in the paper slip.”

‘It can be hacked’

“So,” he added, “VVPAT has a processor, and has a programmable memory, and it is what registers vote in the control unit. And if it has a processor and a programmable memory, it can be hacked. Any malware downloaded on to it can cause the entire system to misbehave.”

Gopinathan also argued that the “strongest defence any election officer has had to the question of ‘What if the CU is already programmed/hacked before it comes to you’ was that ‘But they wouldn’t know the sequence of candidates. So whatever they may program, they wouldn’t know who is at what number!’”

Also read: BEL Refuses to Disclose EVM, VVPAT Data Even After Demanding Fees. What Does It Mean?

But now, he said, this has changed. “And that fool-proof check is what we have compromised with the introduction of VVPAT,” he added.

Gopinathan, who recently resigned from IAS, then explained how the entire system has now become vulnerable. He said “symbols are loaded on to the VVPAT by the engineers from their laptops/ jigs after the candidates are finalised. VVPATs are connected to external devices after candidate sequence is known!”

Therefore, he reasoned, “When one can access the VVPAT after the candidate sequence is known, and can connect a laptop/ computer/ Symbol Loading Jig, is precisely when one can load a malware also into the VVPAT.”. Therefore, he said, “this access should not have been provided.”

Stating that this answers when the system can be hacked.

‘Access to EVMs also compromised’

I forgot to add the other defense we had. That no-one had physical access to the EVMs once candidates are set. By allowing external devices to be brought to the commissioning room, and allowing it to be connected to VVPAT, we have foregone this defense too. — Kannan Gopinathan (@naukarshah) September 24, 2019

But, he reasoned, that “by allowing external devices to be brought to the commissioning room, and allowing it to be connected to VVPAT, we have foregone this defence too.”

Gopinathan also raised the issue of how the system can be hacked. He explained in detail the possibility.

On to the how part: Since VVPAT controls both the trust factor & the vote factor, a possible method could be, VVPAT prints what is pressed in the BU. So voter sees that paper trail tallies with his pressing of the button. #TheTrust Sends something else to the CU. #TheVote — Kannan Gopinathan (@naukarshah) September 24, 2019



But, he asked, what if VVPAT “sends something else to the CU”.

While we have a provision for if a voter complaints that the VVPAT paper trail does not match with the button he pressed, there is no way he can know if the VVPAT has send the same input to the CU. So the wrong printing can be caught, but not right printing and wrong registering pic.twitter.com/56D4WuteR6 — Kannan Gopinathan (@naukarshah) September 24, 2019



Is there a foolproof check?

Coming to the question of is there a foolproof check, Gopinathan wrote: “Ideally, since such a new device has been inserted in between two devices, the verification and tallying should be done at both the ends for every vote.”

While citizen has verified the BU & VVPAT end, that what he saw is what he pressed, the CU & VVPAT verification needs to be done through tallying paper trails with vote count in the CU. But as it takes time, we only do such verification for a selected few per constituency. — Kannan Gopinathan (@naukarshah) September 24, 2019



Therefore, he said, “even if we find an inconsistency, current procedure simply says go as per the VVPAT count for that particular EVM. So if one is to manipulate only a few EVMs and not all through VVPATs, the chances of getting caught are less, and even if caught, it will be seen as a one-off error.”

‘Mock polls can act as check’

Gopinathan said randomisation would be “completely ineffective here as the access of VVPAT to external devices is given after it is allotted to the constituency. So it doesn’t matter which EVM is going to which PS after randomisation.”

As for the other check of mock polls, he said, there are two of them following commissioning of EVMs or after candidates sequence is loaded.

In one of these, he said, mock-poll of 1000 votes on random 5% of EVM is done at the time of commissioning, and in the other a mock-poll of 50 votes at the polling station (PS) is performed on the day of voting.

With the 1000 vote poll, he said it is not fool proof because “if one is attempting to manipulate only a few EVMs, the chances of it getting caught are less. And even if caught, it is seen as a malfunction and the EVM is set aside.”

As for the 50 vote poll done on the day of poll, Gopinathan insisted that it is “not a check at all”.

On the reasons for the apprehension, he said: “If it is known that in every EVM first 50 votes will be tallied on the spot, you write your code such that it starts manipulating only after say a 100 votes.”

In such a scenario, he said, there would be “no chance of getting caught there.”

The Election Commission spokesperson in response to a query around concerns raised by Gopinathan said on the panel’s WhatApp group that “inputs” in the matter were awaited.

Commenting on the development, former chief election commissioner S.Y. Quraishi told The Wire, “If so many concerns and doubts are being raised around EVMs and VVPATs from so many quarters, the Election Commission should dispel them promptly, as it has always done in the past.”

EC’s response

Responding to the article, Election Commission ADG Sheyphali Sharan said:

“Mr Kannan Gopinathan, IAS (2012) who resigned recently was District Election Officer (DEO) and Returning Officer (RO) in Dadra & Nagar Haveli Parliamentary Constituency which has 304 polling stations. It would be recalled that the number of polling stations in 2019 Lok Sabha elections pan-India were around 10.36 lakh.

There was no document available where he has at any point of time sent any written analysis on the issue which he is now raising immediately post his resignation.

In answer to something to this effect in his tweets he said that he raised the issue in some internal meeting.

In meetings taken by CEOs several issues are mentioned, as they should be, by the DEOs and ROs. However, there is a difference between anecdotal mentioning of an issue and the mentioning backed by a written report raising any kind of doubts as the issue that he is now suddenly raising immediately after resigning.

Nonetheless a more rigorous scrutiny even of this is being got done.

It would be recalled that 1.25 crore VVPAT slips that were counted and matched with the EVM count not a single case of transfer of vote from one candidate to another has been found.”

Note: This article was updated with the EC spokesperson’s response at 8 am on September 26.