This article is part of The Wire‘s ‘India Black Boxed’ series. Read it here: Introduction | Part I | Part II | Part III | Part IV | Part V>
In the first part, I aimed to delve deeper into certain responses provided by the Election Commission of India (ECI) in its revised set of 100 FAQs (frequently asked questions) to demonstrate how unsatisfactory they are. The ECI released these updated FAQs on its website in January of this year, with the intention of addressing all doubts regarding these electoral machines.>
When compared with the information contained in publicly available official documents, the ECI’s claims about the design, and functioning of electronic voting machines (EVMs) and Voter Verifiable Paper Audit Trail (VVPAT) units, raise more suspicion instead of resolving persistent doubts.>
In this sequel, I address additional claims by ECI, considering the VVPAT patent-related documents and information revealed in response to formal requests under the Right to Information Act, 2005 (RTI Act).>
In this piece, I’ve examined the following grey areas in the ECI’s FAQs:>
- What is the correct expanded form of VVPAT?
- Do we know enough about the microcontrollers used in the EVM-VVPAT combo?
What is the correct expanded form of VVPAT?>
At FAQ #1, the ECI addresses the question, “What is an EVM?”>
It says, “EVM stands for Electronic Voting Machine. It is a device used to electronically record and count votes cast in elections. The Indian Electronic Voting Machine (EVM) system is also termed as ECI-EVM, meaning an EVM specifically designed, manufactured and used for Elections as per election procedure and rules framed by Election Commission of India and documented in manual on EVM, so as to differentiate it from EVMs used in other countries. ECI – EVM consists of Ballot Unit (BU), Control Unit (CU) and the later added Voter Verifiable Paper Audit Trail (VVPAT)…” (emphasis supplied)>
According to the ECI, VVPAT stands for “Voter Verifiable Paper Audit Trail”. The reader is expected to believe that this is the correct expansion of that abbreviation. However other official documents tell a different story.
There is no specific mention of the term ‘VVPAT’ or its expansion in the primary election laws.>
The primary law which governs the conduct of elections and voting in India is the Representation of the People Act, 1951 (RPA). The lone provision which enables the use of electronic voting in elections to parliament and the State Legislatures is Section 61A is reproduced below:
“61A – voting machines at elections – Notwithstanding anything contained in this Act or the rules made thereunder, the giving and recording of votes by voting machines in such manner as may be prescribed, may be adopted in such constituency or constituencies as the Election Commission may, having regard to the circumstances of each case, specify.”>
Here “‘voting machine’ means any machine or apparatus whether operated electronically or otherwise used for giving or recording of votes and any reference to a ballot box or ballot paper in this Act or the rules made thereunder shall, save as otherwise provided, be construed as including a reference to such voting machine wherever such voting machine is used at any election.” (This provision was inserted through an amendment in 1989.)
There is no reference to VVPATs in the above provision, nor can it be found in the Conduct of Election Rules, 1961 (CoER), which contains the details of the manner in which the provisions of the RPA will be implemented. In 2013, a proviso each to Rule 49A and 49M and two new rules – 49MA and 56D – were introduced through an amendment to the CoER, to facilitate the use of VVPATs in conjunction with EVMs. (Other relevant rules were also tweaked to incorporate reference to this change in the electronic voting and counting system). The contents of these statutory insertions are also hyperlinked to the ECI’s FAQs.>
However, what is noteworthy in these amendments is the complete absence of a reference to the term “VVPAT” or an expansion of this abbreviation. Instead, the phrase “printer for paper trail” or its derivations are used in the amendments. So, to the best of our knowledge, the nomenclature “Voter Verifiable Paper Audit Trail” has no statutory mention, either in the 1989 amendment to the RPA or in the 2013 amendments to the CoER.>
How did the ECI coin this phrase and the related abbreviation is a question which is not explained in its FAQs or the related Annexures.>
Also read: The Anatomy of an Electronic Voting Machine: What We Know and What We Don’t>
VVPAT is expanded differently in the patent-related records>
According to the ECI’s answer to FAQ #7, Bharat Electronics Limited (BEL), which comes under the Ministry of Defence, and Electronics Corporation of India Limited (ECIL), which comes under the Department of Atomic Energy, have a duopoly on the supply of EVMs and VVPATs for parliamentary and assembly elections.>
As discussed in the first part, only BEL has been officially granted a patent for the production of VVPATs in May 2022. (This was done after the completion of the 2019 Lok Sabha election).>
ECIL’s patent application for a VVPAT machine is not available on this database, so it may be presumed that there is some working arrangement between the two CPSUs for manufacturing the VVPAT machines.>
A copy of the order granting the patent to BEL by the Controller General of Patents, Designs, Trademarks, and Geographical Indications mentions the expansion of VVPAT as “Voter Verified Paper Audit Trail” and not “Voter Verifiable Paper Audit Trail”.>
Images of the patent order and its communication to BEL by the Chennai Patents Office testify to this fact (see images 1 and 2 below).>
>
>
The phrase “Voter Verified Paper Audit Trail” is also recorded on the patent certificate granted to BEL as part of the decision-making procedure (see image 3 below). In case readers begin to speculate, the Patents Office may have made an error in the name due to bureaucratic procedures, it’s worth noting that this is precisely how BEL named the VVPAT in the complete specifications submitted along with the patent application (see image 4 below).>
Why is this significant?>
Readers might call this nitpicking. “Verifiable” or “verified” – what difference does it make as long as the VVPAT machine does what it is required to do?>
The last question I raised before the concluding segment of the first part, which concerned the vote that must be counted, is at the heart of this semantic debate.>
The term “verifiable” only refers to the potential of the machine – to show a slip recording the name, symbol, and serial number in whose favour the voter clicked on the Ballot Unit (BU) so that he or she may be satisfied with it and nothing more. The term “verified”, on the other hand, indicates a certainty of the fact that the slip has been verified by the voter before it cuts and falls down into the Drop Box in the VVPAT unit.>
So, is it not the VVPAT slip that must be counted as the “vote”, which the voter verifies as a correct record of his or her choice, instead of the electronic tally recorded in the control unit (CU)? This is why use of the correct nomenclature becomes important.>
ECI’s longwinded answers to FAQs #62 and 63 based on its defensive claims of scientific sampling of five VVPAT Units, for the purpose of tallying those slips with the candidate totals from the CU, are simply unconvincing.>
Do we know enough about the microcontrollers used in the EVM-VVPAT combo?>
Microcontrollers form the nerve centre of the EVM-VVPAT combo. Extracts from the ECI’s FAQs, which explain what the microcontrollers do, are reproduced below:>
FAQ #42 says, “The ECI says an EVM can be programmed only once, making hacking unlikely. However, there are reports that it can be programmed several times. There are other reports saying that EVM machines can be manipulated by connecting it to cell phones, Bluetooth devices, replacing parts of it and other forms of manipulation, apart from physical replacement of it by other EVMs.”>
This query is explained as, “The ECI-EVM use secure controllers which can disable further programming after a step known as one-time-programming (OTP). The technical information about the micro controllers is available in public domain and can be accessed on the website of micro controller manufacturers…” (emphasis supplied)>
FAQ #46 says, “It is claimed that EVM machines can be manipulated by connecting it to cell phones, Bluetooth devices, replacing parts of it and other forms of manipulation, apart from physical replacement of it by other EVMs.”>
This query is explained as, “The claim is baseless and unscientific claim. The technical information about the microcontrollers is available in public domain and can be accessed on the website of microcontroller manufacturers. The EVMs / VVPATs use controllers which are One Time Programmable (OTP). This feature is activated by a code /command, fed via a software program, and in the first time run at power ‘on’ sets an internal register to shut off any re-programmability capability. The code / command and procedure are also available in public domain in the datasheets/ application notes on use of these microcontrollers….” (emphasis supplied)>
FAQ #48 says, “Can the details of the EVM microcontrollers be explained along with the OTP features?>
This is explained as, “Both BEL and ECIL use standard microcontrollers available off the shelf and hence all information on the microcontrollers is available in the public domain via manufacturers’ data sheets/ application notes and user manuals. The One Time Programmable (OTP) feature is not activated by any hardware or pin-based signal/command at external pins of the microcontrollers, rather this code/ command is fed via a software programme and in the first time “run” at power on sets an internal register to shut off any re-programmability. Once this is done the programme cannot be changed. The procedure is available in public domain in the datasheets / user manuals on use of the microcontrollers.” (emphasis supplied)>
The ECI asserts, not once but thrice, that information about microcontrollers used in the EVM is available in the public domain. It also says that BEL and ECIL purchase them off the shelf. That may be so and I do not have any reason to dispute that claim. But do we know from which manufacturer’s shelf these companies buy the microcontrollers? Neither the ECI nor the two companies have publicly disclosed the names of the microcontroller manufacturers/suppliers on their own. The only time we officially got to know of the identity of one such manufacturer/supplier was from BEL’s reply to one of my RTI applications.>
Also read: BEL Refuses to Disclose EVM, VVPAT Data Even After Demanding Fees. What Does It Mean?>
In April 2019, identical RTI applications were filed with BEL, seeking the complete list of manufacturers of microcontrollers used in the latest generation (M3) EVMs, along with their postal addresses.>
In response, BEL’s Central Public Information Officer (CPIO) replied with the model number of the microcontroller used in the EVMs (see image 5 below). ECIL’s CPIO denied access to the same information, saying it was ‘classified’, and invoked the national security exemption under Section 8(1)(a) of the RTI Act. (See image 6 below)>
ECIL’s denial and BEL’s rejection of other RTI queries were challenged all the way up to the Central Information Commission (CIC).>
In July 2021, the CIC strangely remanded the matter back to the respective first appellate authorities (FAAs) to decide the matter afresh, without examining the correctness of their decisions on its own, as it ought to have done.>
ECIL’s FAA directed its CPIO to provide a “proper explanation/justification” for claiming exemption against revealing the microcontroller-related information (amongst others) because I had shown that BEL had already provided this information (see image 7 below). This time, the CPIO invoked third-party interests and denied the names of the microcontroller manufacturers/suppliers by invoking Section 8(1)(d) of the RTI Act (see image 8 below).>
Given these prolonged RTI interventions, the ECI cannot claim with a straight face that information about the microcontrollers is available in the public domain. Even if it were, voters can only access it if the names of the manufacturers/suppliers are made public. Otherwise, this information remains trapped in a black box.>
Also read: Election Commission’s FAQs on EVMs Don’t Really Address Major Design Deficiencies>
Are microcontrollers, used by BEL and ECIL, only one-time-programmable (OTP)? >
As this was my initial foray into the world of EVMs, the query was negligently drafted, leaving out a reference to VVPAT in the RTI query relating to microcontrollers. I ended up asking only about EVM microcontrollers, as I had not read the relevant patent documents about VVPATs.>
As discussed in the first part, we know for a fact that both BEL and ECIL were granted patents for the EVMs in 2006. Both companies disclosed the presence of microcontrollers in the CUs of their EVMs to the Patents Controller, but there is no need under the patents law to mention the names of manufacturers of any component of the machine sought to be patented.>
However, while BEL claimed that the microcontroller it was using was one-time-programmable (OTP), ECIL staked no such claim (see images 9 and 10 below).>
I was a complete believer in their infallibility.>
Image 9 is an extract from the complete specifications of the EVM, which BEL submitted to the Patents Controller, where the microcontroller is described as OTP type. Image 10 is an extract from the complete specifications of the EVM, which ECIL submitted to the Patents Controller, where the microcontroller is not described as OTP type. Further, ECIL’s description of what the CU can do with its microcontroller – “collect, record, store, count and display the votes when called for” – completely obviates any possibility that it is one-time-programmable.>
As EVM machines are intended for repeated use across multiple elections, it is logical to assume that the microcontroller utilised by ECIL must be rewriteable. Therefore, the Election Commission’s assertion that the microcontrollers employed by both companies are of the OTP type does not appear very convincing. Unless ECIL has since altered the design of its CU to mirror the OTP-type microcontroller used by BEL, there is hardly any information available in the public domain regarding such changes.>
How many microcontrollers are used in the EVM-VVPAT combo?>
It is confirmed from the patent-related documents discussed above that there is indeed a microcontroller within the CU of the EVMs manufactured by both companies. BEL’s patent application documents further disclose that its VVPAT machine also contains at least one microcontroller and suggest the potential existence of multiple such microcontrollers (see images 11 and 12 below).>
At paragraph no. 0053 of the complete specifications submitted to the Patents Controller while applying for a patent, BEL states as follows:>
“[0053] In an aspect, the sensitive hardware may be one or more artefacts such as but not limited to one-time programmable microcontroller, associated storage comprising of computational program, sensitive data and configuration information among other things.” (emphasis supplied)>
Further, at paragraph no. 00136 of the same document, BEL states as follows, in the context of a detailed description of the drawings of the VVPAT machine submitted to the Patents Controller:>
“[00136] In another aspect, various software for control and operation of the proposed system can be held in appropriately configured one or more controllers in absolutely secure formats so that such software may not be tampered with, without errors being triggered. Microcontrollers used in the proposed system can be of one time programmable type and used to store firmware that cannot be changed or modified once fused.” (emphasis supplied)>
A combined reading of the two claims made by BEL indicates the use of at least one more OTP-type microcontroller in its VVPAT machine, which is in addition to the microcontroller used in the CU of the EVM. That is not all, in the same document, BEL claims that there is another associated storage component which will contain a “computational program”.>
Obviously, this will be the ‘artefact into which the candidate names, symbols and serial numbers are loaded during every election. So, this artefact (not being a hardware or software engineer, I hesitate to call them a ‘microcontroller’) cannot possibly be OTP-type. Who is supplying this artefact/device is a mystery hidden inside a black box.>
Also read: The Term ‘EVM’ No Longer Serves Us. We Need to Understand ‘Electronic Voting Systems’>
What kind of memory does NXP microcontroller have?>
As mentioned earlier, BEL’s CPIO wittingly or unwittingly disclosed the model number of the microcontroller in response to the 2019 RTI application. The webpage of the company NXP, from which BEL purchased the microcontroller, explains that the model type, NXP-MK61FX512VMD12, features not just one, but three types of memory. Among these, one is OTP type, and another is rewriteable, akin to the memory found in commonly used pen/flash drives (see images 13 and 14 below).>
Before I made this information public in 2019, and the media covered it widely, the Election Commission always labelled the microcontroller as an OTP-type. It is quite a relief to see the Commission acknowledging this fact in its FAQ #53 reproduced below:>
“FAQ53. Does the VVPAT have a programmable memory? If yes, then at what stages in the election process is it accessed by an external device? If no, then where are the names and symbols of the candidates stored in the VVPAT for it to print the same in theVVPAT slip later?>
Answer: A VVPAT has two different memories. One, where the program instructions are kept for the microcontrollers, is One Time Programmed (OTP). The VVPAT firmware is stored in the One Time Programmed memory. After the firmware is ported in the microcontroller at the manufacturers’ site, no changes in the program are possible subsequently.The other memory is for storing graphical images containing serial number, name, and symbol of the candidates as data. This is done with the help of a symbol loading unit, during the commissioning of VVPATs before each election. Live display of the symbols being loaded into the VVPAT is done during the Commissioning process in presence of candidates/their representatives to make the process more transparent.” (emphasis supplied)>
But what the ECI does not tell us is whether the same NXP-manufactured microcontroller is used in the CU of the EVM and also the VVPAT (for two types of uses – one for programme instructions and another for storing the candidate-related information and images?>
Is only one of the NXP chips one-time programmed while the others are rewriteable? Or do BEL and ECIL use other brands of rewriteable microcontrollers? Is the pattern of microcontroller usage similar in both BEL- and ECIL-manufactured machines? ECIL did not claim in its EVM patent documents that the microcontroller it uses are OTP type. Has that changed now? The ECI’s FAQs are silent about these matters.>
Conclusion>
A matter of grave concern is the November 2023 media revelation that NXP was the victim of an espionage attack between 2017 and 2020. Despite this, the company reportedly neglected to inform its customers individually about these developments. It is confirmed that at least BEL, if not ECIL, procured microcontrollers from NXP during this period. The extent to which this may have affected the EVM-VVPAT units produced by BEL, which serves as the Election Commission’s supplier year after year, remains unknown.>
This poses a significant national security concern that both the Election Commission and the companies utilising NXP microcontrollers must address to all voters before the next round of elections. When crucial information is withheld within a black box, suspicions will only continue to linger. These elections belong to us, the EVM-VVPAT units are machines funded and utilized by us, the people. Hence, WE THE PEOPLE have the right to demand more transparency than what the ECI has disclosed thus far.>
Venkatesh Nayak is director, Commonwealth Human Rights Initiative, New Delhi. All facts narrated above are in the public domain. Views expressed are personal.>