New Delhi: A group of experts on elections have issued a ‘statement of rebuttal’, to the Election Commission of India’s response to the recent claim by US Director of National Intelligence Tulsi Gabbard on the susceptibility of Electronic Voting Machines (EVMs) to manipulation.

Gabbard’s statement was made in India and called for a return to paper ballots. It caused disquiet in the Indian administration which is keen to be seen to appease US president Donald Trump’s appointees and also at once shut down any criticism of the election process in India which has been rising for a few years and involves EVMs.

Gabbard is seen to have an “Indian connection” and has long been in sync with Hindutva ideals. Her saying this can be understood to have made Indian authorities uncomfortable.

‘Sources’ at the Election Commission of India (ECI) had claimed in a counter to the statement by Gabbard that Indian EVMs were “not connected to the Internet or Wi-Fi,” and hence were safe. 

The experts countering this claim by the ECI, who are part of citizen’s collectives like Citizens Commission on Elections (CCE) and Vote for Democracy (VFD), have said that it was first “shocking that the ECI responds so promptly to an official of a foreign government, even as it is obdurate and non-responsive to legitimate queries by Citizens, Experts and the Political Opposition.”

The team of experts comprises Madhav Deshpande a former Obama consultant who has four decades of experience in computer science and related applications, Harish Karnick, retired professor of computer science and engineering at IIT Kanpur, Kaushik Majumdar, professor at Indian Statistical Institute, Sarbendu Guha who is principal product engineer at the Digital Infrastructure For India. Together, they have said that they  “strongly disagree” with the ECI for three main reasons.

‘Entirely possible to push a Trojan software through the USB drive…’

They argue that manipulation of an EVM “can be effected by providing additional data to the Voter Verifiable Paper Audit Trail (VVPAT) using the Symbol Loading Unit (SLU). The SLU acquires its data when connected to the ECI website after the candidate list is finalized, which only a few days before the voting day.”

In their view, while it is very difficult to alter the programme instruction set in the one-time write-locked software, “it is entirely possible to push a Trojan software through the USB drive when it is connected to the VVPAT for purpose of uploading the candidate list. Such Trojan software will modify the firmware as if the firmware is being “updated”. The “updated” firmware will then perform manipulated malfunction to deliver manipulated results. It is important to note that ISP (In-System Programming) is an established way of updating the firmware of a microcontroller and as such is a ubiquitously accessible technique.”

In addition, they say it is possible to “supply additional data to the already burnt-in programme. The programme existing in the VVPAT must be already written to recognise the additional data and decision making branches already must exist in the programme code to deliver manipulated functionality.”

‘Never demonstrated publicly…’

The team of experts has said “that earlier version of EVMs used before 2014 Lok Sabha elections were intended to be stand-alone and therefore not open to manipulation.” The critical difference between the pre-2014 machines and now is that “this earlier EVS system did not have the VVPAT unit nor the Symbol Loading Unit (SLU) and moreover, did not need data (mapping candidate/party symbol to buttons of the Ballot Unit (BU) nor any additional instruction set to be loaded into EVM-VVPAT through a physical communication port.”

They contend that the ECI’s bald statement, without “answering concerns by Indian Computer Science experts does not inspire confidence.” 

They say in their statement that as “the ECI has never demonstrated publicly and opened any operational CU, BU, and VVPAT in public presence. The ECI has never allowed any open door controlled testing of any working EVM in presence of Indian Public. It is not certified by any third party, neutral experts committee that the EVM does not emit or receive any Radio Frequency (RF) signal.”

Reinforcing their demand “that ECI should allow the Indian citizens to conduct non-invasive and non-destructive tests on the powered-on, working EVMs at three locations in every state to satisfy themselves that EVM does not respond to or create any RF communication channel. These EVMs must not be from the spare EVMs stored, but must be from those that were actually used in the 2024 Lok Sabha elections. In addition, we demand that the ECI publishes the steps and processes followed to establish and prove data integrity across the entire Electronic Voting System or Electronic Election System.”

‘Tantamount to official propaganda bereft of scientific or rational enquiry’

They have also demanded that the ECI publish “every step taken and the process at every step to establish and prove data integrity across the BU, CU (including the procedure to establish that both copies of electronic vote stored in the CU are identical), VVPAT (the data exchange between the VVPAT and the CU) and finally the values received by the counting unit (as applicable). The ECI must publish the detailed protocol it follows on the day of voting and the day of counting to establish that none of the above data has been changed.”

They say that the ECI’s statements that Indian EVMs are not connected to internet wirelessly /wired fashion (read external radio wave or microwave communication signals) “without giving out details of the circuits is tantamount to official propaganda bereft of scientific or rational enquiry.”

The problem is there are only claims (ECI) that the EVS is not connected but there is no proof demonstrated to the public. The experts contend that “the Symbol-Loading Unit (SLU) of the VVPAT unit is connected to the ECI’s website for a brief while – after the list of candidates and their symbols are finalized and before the date of polling. All details about the final list of candidates including their symbols are downloaded from the ECI’s website on to the VVPAT unit.”

‘Trojan can be programmed to act only on a certain date…’

This they term is “an electronic security loophole here because it is possible to introduce a vote-stealing Trojan into the ECI’s website, with or without the ECI’s knowledge, and this Trojan can get downloaded into the VVPAT unit. The vote-stealing Trojan can be so programmed as to get activated after a certain number of votes (say, 200 votes) have been cast, and to convert, say, every 5th vote cast thereafter to a vote for a certain political party, when the signal is transmitted from the VVPAT unit to the Control unit. The vote-stealing Trojan can also be programmed to self-destruct, say, 6 hours after the last vote has been cast, leaving no trace of its nefarious deed. The Trojan can be programmed to act only on a certain date and that too after a certain time of the day.” 

They have further demanded that “from each constituency, at least 3 randomly selected SLUs, (selected by public), should be given to open scrutiny by a committee of experts. This scrutiny should be carried out in full public view.”

The ECI, publicly and in court, have maintained that EVMs are tamper-proof.

As per The Hindu on April 11, 2025, sources at ECI have said that India uses Electronic Voting Machines (EVM), which work like “simple, correct and accurate calculators”, and cannot be tampered with. ECI sources were also cited by the newspaper as saying that “some countries use Electronic Voting Systems which are a mix of multiple systems, machines and processes, including various private networks like Internet, but India uses very simple Electronic Voting Machines which work like correct and accurate calculators and cannot be connected to either Internet, Wi-Fi or Infrared.”