Sunny Nehra’s assessment of the EVM’s security features is echoed by various independent studies and audits conducted by reputable organizations.
India’s electoral process is secured by a robust system of Electronic Voting Machines (EVMs) that are designed with multiple technical safeguards and administrative protocols to ensure the integrity of elections. Sunny Nehra, India’s top ethical hacker, underscores the significance of these measures, emphasizing their role in maintaining the security and reliability of the electoral process. “When it comes to security of the EVM Machines, it’s not just about the tech level security features, but also about the procedures followed while conducting elections.” Sunny Nehra highlights.
This article will help in removing several myths that are prevalent related to the EVM machines. After a thorough discussion with Sunny Nehra, the complete procedure of securely conducting the elections along with technical security of EVMs is explained as below.
Standalone machines with no connectivity with external world
The journey of the EVM’s security begins at the manufacturing stage. These machines are produced by two state-owned companies, Bharat Electronics Limited (BEL) and Electronics Corporation of India Limited (ECIL), under the strict supervision of the Election Commission of India (ECI). The EVM’s core strength lies in its standalone, non-networked architecture. Sunny Nehra, India’s explains, “The EVM is a completely isolated system that has no connectivity with the external world making it immune to remote hacking. There is a general myth around that it has Bluetooth, and other sort of signals which isn’t the case in reality.”
Manufacturers can’t manipulate it in any party’s favour
It’s important to note that the sequence of the candidates on the Ballot Unit (EVM) is not predetermined. The names are set in alphabetic order in three groups – Recognized Parties, Unrecognized Registered Parties, and Independent candidates – only after the finalization of the list of candidates. So, to make it clear, no symbol is pre-fed into the EVM machines, and the chronology of the symbols depends on the name of the candidate, which would vary from constituency to constituency.
The machines have been manufactured in various years starting from 2006. Following manufacture, they are distributed to states and districts. It’s impossible for manufacturers to predict candidate details or ballot sequencing for individual constituencies years ahead of elections. Which machine will go to which constituency is also not predetermined at manufacturing stage, the allocation is random, in fact at two different levels a transparent randomization protocol is followed.
Technical Safeguards:
Sunny Nehra highlights that the newer M3 EVMs produced after 2013 are equipped with an Unauthorized Access Detection Module (UADM) that permanently disables the EVM if any attempt is made to access its microcontroller or memory. Additionally, EVMs have self-diagnostic capabilities that thoroughly check the machine each time it is switched on, ensuring only authorized devices can interact with it. Encryption techniques secure the communication between the Control Unit (CU), Ballot Unit (BU), and Voter Verifiable Paper Audit Trail (VVPAT) units, making it impossible to decode the signals. Nehra also points out the importance of dynamic coding, where the coding of key presses is dynamically changed, preventing any possibility of decoding the voter’s choice.
The software used in the EVM is burned into a One Time Programmable (OTP) chip, making it impossible to alter or tamper with. “Even the manufacturers cannot change the code once it’s programmed into the chip,” Nehra adds. To further safeguard the system, the EVM is equipped with a Secure Access Module (SAM) that acts as a gatekeeper, preventing any unauthorized access to the machine’s microcontroller. “The SAM is designed to detect any tampering, and if it senses any intrusion, it puts the EVM in a non-functional mode, rendering it useless,” Nehra explains.
Dynamic coding of key presses
The EVM features dynamic coding of key presses, making it virtually impossible for anyone to decode the signals between the Control Unit and the Ballot Unit. “Every keystroke is encrypted in a real-time, dynamic way, so even if someone tries to intercept the communication, they won’t be able to make sense of the data,” Nehra says. Moreover, the EVM has a real-time clock that logs every authorized and unauthorized key press with a timestamp. “This feature ensures that any malpractice or tampering can be easily detected and traced back to the culprit,” Nehra adds.
Administrative Protocols:
The manufacturing of EVMs is tightly controlled by trusted Public Sector Undertakings (PSUs) like Bharat Electronics Limited (BEL) and Electronics Corporation of India Limited (ECIL), which implement stringent security protocols under the strict supervision of the Election Commission of India (ECI). The software used in EVMs is developed in-house, vetted by the Technical Evaluation Committee (TEC), and undergoes rigorous testing and certification by the Directorate of Standardisation Testing and Quality Certification (STQC). EVMs and VVPATs are randomized twice using the cloud-based EVM Management System (EMS 2.0) to prevent any predetermined allocation of machines to polling stations. The process of setting up candidates in the EVMs, called “Commissioning,” is done securely, and the machines are sealed with threads, address tags, and seals to prevent tampering. Mock polls are conducted at various stages, and the electronic results in the CU are tallied with the VVPAT slip count. Candidates and their representatives are allowed to select machines randomly and conduct mock polls themselves. EVMs are stored in secure strong rooms with robust security measures, including armed guards, CCTV monitoring, and restricted access. Sealed EVMs are transported to counting centers under police escort, with candidates or their agents allowed to follow the vehicles and place their seals. Vehicles transporting EVMs are equipped with GPS for tracking purposes, ensuring that their movement is monitored and secure. Political parties and candidates are informed in advance and can participate in crucial EVM management steps, such as opening and sealing warehouses, transport, first-level checking, randomization, candidate setting, and the counting process.
Once voting concludes, trucks equipped with GPS and sealed for security transport Electronic Voting Machines (EVMs) to the Reception Centre, accompanied by police escort. There, the machines are securely stored in strong rooms designated for each constituency. The security system is structured in three layers: the Central Armed Police Force (CAPF) is positioned closest to the EVMs, followed by state armed reserve forces in the middle, and civil police positioned outside. Candidates and their representatives are allowed to track the vehicles, affix their seals on the storage units, and can also set up camp outside the strong rooms. Designated officials are required to access the storage area (up to the inner perimeter only) twice a day, in the morning and evening, to review the logbook and monitor video footage.
VVPATs
The introduction of the Voter Verifiable Paper Audit Trail (VVPAT) has further strengthened the integrity of the electoral process. The VVPAT provides a physical record of the voter’s choice, which can be cross-checked in case of any discrepancy. “The VVPAT is a completely separate system from the EVM, and it operates on a different power source. This ensures that any tampering with the EVM will not affect the VVPAT, and vice versa,” Nehra explains.
Cross Checking of 5% randomly selected polling stations of each constituency
Furthermore, the Supreme Court has directed the Election Commission to conduct a mandatory verification of VVPAT slips of randomly selected 5% of polling stations per assembly constituency/segment. This additional layer of verification ensures the accuracy and integrity of the electoral process. During the commissioning process, an additional higher mock poll of 1000 votes is done in 5% randomly selected EVMs and VVPATs, and the electronic result of the EVM is tallied with the VVPAT slips count. Candidates and their representatives are allowed to pick 5% of the EVMs and VVPATs randomly and also to do mock poll.
Strong rooms with 3 layer security
The security of the strong rooms housing the Electronic Voting Machines (EVMs) is also multi-layered. The strong rooms are typically located in secure government buildings and are guarded 24/7 by multiple layers of security personnel, including paramilitary forces. The strong rooms are under constant CCTV surveillance, with the footage being monitored by security personnel. The strong rooms are sealed and locked with multiple locks, with keys held by different authorities. Regular inspections are conducted by security personnel to ensure the integrity of the EVMs and the security of the strong room. Access to the strong room is strictly controlled, with only authorized personnel allowed entry. Notably, the “shoot at sight” order is implemented in high-security areas, including strong rooms. This order empowers security personnel to use lethal force against anyone attempting to breach the security of the strong room.
Security and checks during non-election period
During the non-election period, the EVMs and VVPATs are stored in secure district-level warehouses under the custody of the District Election Officer. These warehouses have a double-lock system, CCTV coverage, and armed security to ensure the machine’s safety. Before every election, the EVMs and VVPATs undergo a First Level Checking (FLC) process, where the machines are thoroughly tested and verified in the presence of representatives from national and state-recognized political parties. This process includes functionality checks, mock polls, and the loading of dummy symbols in the VVPATs.
Measures on the polling day
The EVMs and VVPATs are then randomly allocated to assembly constituencies and polling stations through a transparent randomization process, further ensuring the integrity of the system. On the day of the election, the EVMs and VVPATs are transported to the polling stations under the watchful eye of the candidates and their representatives. At the polling stations, mandatory mock polls are conducted in the presence of the polling agents to verify the functioning of the machines. After the polling is completed, the EVMs and VVPATs are sealed and transported to secure strong rooms, where they are stored under the vigilance of the candidates and their representatives until the day of counting.
Measures on the counting day
On the counting day, the strong rooms are opened in the presence of the candidates and their representatives, and the votes are tallied. Additionally, a mandatory verification of the VVPAT slips of randomly selected polling stations is conducted to ensure the accuracy of the EVM results.
Conclusion
Sunny Nehra’s assessment of the EVM’s security features is echoed by various independent studies and audits conducted by reputable organizations. The Election Commission of India has also consistently maintained that the EVMs are tamper-proof and secure. As India’s top ethical hacker, Sunny Nehra’s endorsement of the EVM’s security carries significant weight. He believes that the robust security measures implemented in the EVM make it a far better choice over paper ballot method, and ensure the integrity of the electoral process in the world’s largest democracy.
