Saturday, May 14, 2011

EVM -- What an awful machine to trust


Omesh Saigal’s letter to PM on EVM hacking

----- Forwarded Message -----
From: Omesh Saigal <omesh2omesh@yahoo.co.in>
To: pmindia@nic.in
Cc: Omesh Saigal <omesh2omesh@yahoo.co.in>
Sent: Fri, 27 August, 2010 4:29:36 PM
Subject:
Omesh Saigal, IAS (retd)
Ex-Chief Secretary, Delhi &
Ex-Secretary to Govt of India
N-130B, Panchshila Park
New Delhi 110017
Dated Aug 27, 2010
Mobile: 9873000685
Sub: News reports about intel enquiries into suspected foreign hand in EVM matters
My dear Prime Minister,
It is reported in today’s papers that the government suspects a ‘foreign hand’ in the tampering of an allegedly stolen EVM by three foreign professors and has ordered an enquiry by RAW and IB. This is good, but my request is that these agencies should also be asked to enquire into the role of two of its own agencies (BEL and ECIL), who got the ‘program code’, which really controls the functioning of the machine, written onto the chips in the USA by foreign private companies! The fact of the program having been written on these chips abroad has, reluctantly though, been admitted by both BEL and the EC in replies to my RTI queries. Since both these companies are also engaged in making highly sensitive defense equipment, the fact that chips are programmed in foreign countries does not augur well for the country’s external security as well.
That these machines are tamperable there is no doubt, and no one knows this better than your Minister of State who is also Minister in charge of both these agencies. He was a Director in a NOIDA company which designed an EVM with which the IIT Delhi alumni association conducts its election and, because of doubts on such machines, it has provision for a paper trail as an important safeguard against tampering.
I took up the issue of possible tampering of EVMs with the former CEC on June 30, 2009 and I was invited vide their letter of July 16, 2009 for a hearing and to conduct a mock poll, which was already done before several former Secretaries to the Government of India. In this meeting, even a member of the EC’s advisory council conceded that an audit of these machines, especially of the foreign-programmed chip, was a must to ensure its reliability and non-tamperability. This audit will also help to restore the credibility of the elections conducted since the introduction of the electronic machine.
A bucket of water needs only one leak to empty; the attached Flow Chart (Annexure A) discloses several leaks. This examines dispassionately each one of the safeguards introduced by the EC, as disclosed in its various manuals, statements and websites.
With respectful regards,
(Omesh Saigal)
Enclosure: as above
To,
Hon’ble Prime Minister of India
New Delhi
ANNEXURE A: FLOW CHART
(Columns of the original chart: Activity; Examination of present position / safeguards; Are these adequate?)
1. Transparency as a concept in election management has always been there, not just in India but in all democratic countries.
The Constitution of India calls for India to be a SOVEREIGN SOCIALIST SECULAR DEMOCRATIC REPUBLIC. The German Federal Constitutional Court recently held that ‘the fundamental decisions of constitutional law in favor of democracy… prescribes that all essential steps of an election are subjected to the possibility of public scrutiny….’ It says that this results from the ‘principle of public nature of elections’. In the Returning Officers Manual, ECI mandates that ‘the election management should be transparent…’.
It is clear that ‘possibility of public scrutiny’ and the ‘principle of public nature of elections’ should guide every action connected with the management of the election process. This is the same as when the ECI talks of ‘transparency’ visiting all actions connected with the management of elections. The question of adequacy has to be judged in this light.
2. By Act 1 of 1989 (w.e.f. 15-3-1989), Parliament amends the Representation of the People Act, 1951 to enable use of voting machines
Section 61A provides that ‘the giving and recording of votes by voting machines, in such manner as may be prescribed, may be adopted in such constituency or constituencies as the Election Commission may, having regard to the circumstances of each case, specify.’ It is further explained that ‘“voting machine” means any machine or apparatus whether operated electronically or otherwise used for giving or recording of votes ….’
Two points are clear here: one, that voting machines are not necessarily electronic voting machines and two, the legislative mandate is for constituency-wise use of such machines and not their use in all constituencies.
It is a moot point if the decision of the ECI to use EVMs in all constituencies in 2009 will stand judicial scrutiny.
3. Decision of ECI to have Electronic Voting Machines
It is not clear if ECI examined other voting machines or apparatus, other than the electronic version, before going in for EVMs. We do know that the EVM was first tried in a constituency in 1992. The present EVM merely records and totals the votes polled because of software loaded onto it. Because of the high possibility of tampering in such systems, a whole lot of cumbersome and expensive safeguards have to be introduced. A mechanical machine would have been less cumbersome and less amenable to tampering. And far cheaper.
Disturbing possibilities: one, EVMs favoured because of prejudices of the Scientific Adviser of ECI; two, pressure from commercial interests who were experimenting with EVMs at that time. It is a known fact that a student of the Sr Adviser to the ECI was the Director of a commercial concern which was at that time in the forefront of EVM development. Another Director in this company, by the way, is now an important Minister in the Central Government.
4. Electronics Corporation of India and Bharat Electronics Ltd appointed advisers and manufacturers of the EVMs
Just having a government-owned company to design these machines is not an adequate safeguard against malpractices and tampering. The Minister’s control over the staff of these companies makes their role even more dubious, especially when even during an election there is no provision for placing them under the control of the ECI, while at the same time the maintenance and upkeep of these machines may have to be given to them.
Section 28A of the RP Act provides for the Returning Officer, Presiding Officer, etc., to be deemed to be on deputation to the Election Commission, but there is no similar provision for the staff of the Public Sector Undertakings. In fact, apart from Government servants on duty, none is allowed in the booths or counting centres.
5. Source code to be prepared by BEL/ECIL engineers
It would have been better if the agency that prepares the source code were different from the one that also manufactures the machine.
Since these are commercial undertakings, the sanctity of the source code can be held ransom to their commercial interests. Moreover, being under the control of Ministers, they cannot be trusted in election matters unless there is adequate control by the ECI.
6. Source code sent to Quality Assurance Group (for BEL)
Not an independent check because QAG is part of BEL only.
7. EVM evaluated and cleared by the Technical Expert Group of the ECI and sent back to BEL
It is not clear if ECI approval was taken. Under 19A, functions of the ECI can ‘be performed also by a Deputy Election Commissioner or by the Secretary to the Election Commission’ and none else. The Technical Expert Group has no such authority. It is also not clear if the ‘source code’ was also cleared by this Group or if this group has anyone who is competent enough in IT.
A more meaningful approval of the EVM would have been for a Dy Election Commissioner with IT qualifications to be appointed and empowered in this behalf. Or another agency of the government, like NIC, to have been involved.
8. Software frozen
Not clear what happens now and where the ‘frozen’ software is kept for reference checking later. It is clear that it is not with the ECI.
Not keeping the frozen software exclusively with the ECI is a major security breach. Having it with commercial organizations, which can hold it ransom for commercial interests, is also not desirable. This point is amply proved when they take recourse to these interests in denying information to the public under the RTI Act.
9. Source code converted to object code by BEL engineers (ECIL presumably does the same; in the meeting in ECI, it was described as hex code by them.)
A major step, since it is at this stage that the code that is written in a language that is intelligible to us gets converted to machine language. The code is now in a form that it can be fused onto the chip/microprocessor.
A very important breach of security is that the object code/hex code was not sent back to the ECI or its advisory technical expert group at this stage. It may not be difficult for a corrupt BEL/ECIL engineer to add ‘trojan’ software at this stage. Second-stage approval by the ECI would have prevented this from happening.
10. M/S Microchip, USA and Renesas, Japan selected by BEL and ECIL respectively for the microcontroller chip
It is not clear at all why foreign companies were selected for this task and whether any security clearance was taken for them. A Task Force of the Defense Science Board of the USA (Feb 2005) suggested that “…shift….to foreign manufacture endangers the security of classified embedded in chip designs; additionally, it opens the possibility that ‘Trojan horses’ and other unauthorized design inclusions may appear in unclassified integrated circuits…”
It is noteworthy here that the chip is the heart of the electronic machine and any tampering at this stage can affect the entire functioning of the machine.
It is noteworthy that tampering is really altering the code or adding a virus (Trojan) which will give control of the machine to the one who has tampered. He can now activate the Trojan as and when he likes, and in whichever election he chooses, without any danger of detection.
11. The object code conveyed to them in USA/Japan
Even if these foreign companies had to be selected, why could the chip not have been imported and the object code fused under the supervision of Indian engineers and under the guidance and control of the technical group of the ECI?
There must be some method by which the object code was conveyed to the company in USA/Japan. Whichever method is employed, it increases the chances of foul play of tampering with the object code.
12. Object code fused into chip during manufacturing process
This is the most dangerous decision taken by the concerned persons; it essentially makes it a masked chip, making it impossible to detect any manipulation that may have been done at the time of manufacture. If a ‘trojan’ program is added at this stage, there will be no way to detect it. Since the ‘trojan’ can be activated in many possible ways, including through a wireless device, it gives the one tampering an open and safe way of rigging the poll in whichever way he likes without any possibility of being caught.
It is not that experts advising the ECI are unaware of this possibility. In para 4.3 of his report of 2006, Prof Indiresan states that the program is ‘permanently fused and hence cannot be read’. In para 4.7 he recognizes that the ‘EVM is an embedded and factory masked…’. This makes these machines absolutely impossible to be ‘subjected to the possibility of public scrutiny….’, thus failing an essential test of transparency. That the program once fused cannot be read by anyone including the manufacturer is admitted by BEL on its website. It says: ‘Program codes once written and fused in this OTPROM (One Time Programmable Read Only Memory) cannot be read back or altered by anyone including the manufacturer’.
13. The chip is sent back for being fixed onto the Printed Circuit Board of the EVM
Raises many questions, especially about the possibility of the chips being replaced while being shipped, or at the time of clearing, or by the clearing agents, and so on.
None have been satisfactorily answered.
Needless to say, if the masked chips are replaced with others made by the same manufacturer or a similar product with tampered software, the chances of detection are almost nil.
14. ECIL/BEL claim that they have elaborate electronic methods to check the software fused onto these masked chips
The Task Force of the US Defense Department has this to say about this checking:
“Trust cannot be added to integrated circuits after fabrication; electrical testing and reverse engineering cannot be relied upon to detect undesired alterations in military integrated circuits.”
It is clear that the trustworthiness of these chips, and of the subsequent EVMs in whose PCBs there will be solder, has been seriously jeopardized. Apart from the fact that these EVMs and the chips inside cannot be ‘subjected to public scrutiny’, there is this further point that they are not ‘trustworthy’. This is exactly what the German Federal Court too recognized when they said in their judgement holding use of EVMs in elections unconstitutional:
“…programming errors in the software or deliberate electoral fraud committed by manipulating the software of EVMs can be recognised only with difficulty”.
15. Orders placed on suppliers for material for the Printed Circuit Board of the EVMs
The refusal of both BEL and ECIL to disclose details of these suppliers raises deep suspicion and points to a total lack of transparency as far as matters concerning the PCB are concerned.
There needs to be public scrutiny of the companies who have supplied parts for the most important part of the EVM, i.e. the PCB. Non-disclosure of the details makes that impossible. It is not clear that this information has even been made available to the ECI.
16. Manufacture of the EVM with the PCB
Again the same lack of transparency and secrecy by the two companies. It is obvious from their website that some important information which can be used later to detect tampering lies in the factory where these machines were manufactured.
It is not clear how this information has been preserved in the factories and with what level of security. One thing is clear: this is not with the ECI.
The following facts are in the factory:
1. Unique serial numbers captured on the PCB
2. Manufacturer’s ID number
3. Details of the soldering device with which the Micro-controller IC and Non-Volatile memory are soldered onto the PCB
These facts are essential for a public audit but are being kept back not only from the public but also from the ECI. The records are claimed to be in the factory, but even the names and addresses of the factories are being kept back from the public in the name of ‘commercial interests’. Whether they are properly secured in the factories is a moot point.
17. Quality Assurance Certificate is issued and machines are ready for delivery
This is only a ‘functionability’ certificate and does not (obviously cannot) certify that the program in the chip is the same as was approved by the ECI technical committee.
If there is a ‘trojan’ in the software, the functionality certificate will not detect it because the ‘trojan’ only becomes active when the person who has put it in so desires.
18. Delivery is made to States and District Election authorities
Not being in the picture till now, since all earlier negotiations took place at the level of the ECI, state and district authorities have to accept it on the basis of the functionality certificate supplied by the two companies. They can perform a ‘mock poll’ to check the functionality, and that they must have done.
This cannot be taken as an independent check as would be required by the principle of ‘public scrutiny’, nor as a safeguard against any manipulation that may have taken place with the software. A mock poll cannot by itself check the software. Functionality checks alone cannot detect tampering in the software, as stated earlier.
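Items 8, 12, 17 and 18 above turn on one point: a mock poll exercises only the keys on the ballot, so it can certify function but never that the fused code equals the frozen, approved software. The following Python script is an added illustration of that gap; it is not code from the letter, from BEL/ECIL or from any real EVM. The two-byte instruction set, the four-candidate ballot and the two firmware images are all constructed for the example. It runs both images through a mock poll and through a digest comparison against a reference digest of the frozen image, the kind of record item 8 says the ECI should hold itself.

```python
import hashlib

# Constructed toy instruction set for a control-unit "firmware" image (not the
# real EVM code): each instruction is two bytes, opcode then argument.
#   KEY c : if the pressed key is not c, skip the next instruction
#   ADD c : add one vote to candidate c's counter
#   END   : stop processing this key press
KEY, ADD, END = 0x01, 0x02, 0x03


def assemble(program):
    """Serialise (opcode, arg) pairs into the byte image that would be fused."""
    return bytes(b for op, arg in program for b in (op, arg))


def run_image(image, key_presses, n_candidates):
    """Interpret the image once per key press; return per-candidate totals."""
    totals = [0] * n_candidates
    for key in key_presses:
        pc = 0
        while pc + 1 < len(image):
            op, arg = image[pc], image[pc + 1]
            pc += 2
            if op == KEY and key != arg:
                pc += 2  # condition false: skip the following instruction
            elif op == ADD:
                totals[arg] += 1
            elif op == END:
                break
    return totals


def mock_poll(image, n_candidates, presses_per_candidate=3):
    """Functional check only: press every key on the ballot a few times and
    require exact totals. This exercises nothing beyond the visible keys."""
    presses = [c for c in range(n_candidates) for _ in range(presses_per_candidate)]
    expected = [presses_per_candidate] * n_candidates
    return run_image(image, presses, n_candidates) == expected


def image_digest(image):
    """Digest the ECI could keep alongside the frozen software (item 8)."""
    return hashlib.sha256(image).hexdigest()


def integrity_check(image, frozen_digest):
    """Byte-for-byte comparison against the frozen reference. This needs the
    fused image to be read back, which an OTP masked chip (item 12) prevents."""
    return image_digest(image) == frozen_digest


N_CANDIDATES = 4  # constructed ballot: keys 0..3

# Approved program: for each candidate key, add one vote to that candidate.
APPROVED_PROGRAM = [ins for c in range(N_CANDIDATES)
                    for ins in ((KEY, c), (ADD, c))] + [(END, 0)]
APPROVED_IMAGE = assemble(APPROVED_PROGRAM)
FROZEN_DIGEST = image_digest(APPROVED_IMAGE)  # the escrowed reference value

# Divergent image (constructed): identical behaviour on every key the mock poll
# can press, plus one extra instruction pair that reacts to key 9, a key that
# does not exist on the ballot and so is never pressed during a mock poll.
DIVERGENT_PROGRAM = APPROVED_PROGRAM[:-1] + [(KEY, 9), (ADD, 0), (END, 0)]
DIVERGENT_IMAGE = assemble(DIVERGENT_PROGRAM)


def certify(image):
    """Return (functional certificate, integrity certificate) for an image."""
    return mock_poll(image, N_CANDIDATES), integrity_check(image, FROZEN_DIGEST)


if __name__ == "__main__":
    for name, image in (("approved", APPROVED_IMAGE), ("divergent", DIVERGENT_IMAGE)):
        functional, integrity = certify(image)
        print(f"{name:9s} mock poll passes={functional}  matches frozen digest={integrity}")
```

Running the script shows both images passing the mock poll while only the approved one matches the frozen digest. The digest comparison is the check the letter wants in the ECI’s own hands, and it is only possible when the image can be read back from the chip; the OTPROM described in item 12 rules that out, so for those parts the comparison cannot even be attempted.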
19. Stored in sealed rooms
Adequate precautions are prescribed to prevent any tampering at the time of storage, but they cannot account for deficiencies and tampering that may already have taken place.
Useful to prevent anyone in the state and district from tampering with the machine in any way, but Trojans already there in the software cannot be detected.
20. Pre-election check (5% mock poll); political parties invited
This check is made by engineers of ECIL/BEL. In a national election hundreds of engineers would be needed for this job, since the EVMs lie scattered all over the country. It is apparent that this job is outsourced to private companies and/or to temporary staff recruited for the purpose. The antecedents of this staff are not verified, as is routinely done for all government servants at the time of their recruitment.
It is not clear why the same companies who supplied the EVMs are called for this check. Companies other than these two, or even engineers directly under the control of the ECI (drawn from various technical departments of the government), could ensure an independent check. They could do this on the basis of manuals already provided by the manufacturers. Since the crucial records which are there for checking tampering (unique serial numbers, Manufacturer’s ID and details of the special soldering device used) are known to them, they can easily tamper with the machines without any fear of detection. It is clear that about 6 lac machines were got manufactured after 2006; these are called the ‘new machines’. ECI needs to explain why all these machines were sent to opposition-ruled states and were not distributed randomly.
Randomisation could at least have allayed public fears of possible manipulation in these machines as opposed to the earlier ones.
21. 1st level randomization, mock poll, political parties invited
Since the EVMs are in sealed rooms, the tampering could only have been done at the time of manufacture or at the time of the pre-election check. Randomisation would at best be a preventive against someone who is trying to selectively tamper with EVMs for some booths and/or constituencies.
It is not understood why BEL/ECIL engineers (or the ones to whom the work has been outsourced) are present at this time. If they have been privy to any tampering earlier, their presence here would only help them prevent detection.
22. 2nd level randomization and mock poll in presence of candidates
This is touted as one of the best safety devices adopted by the ECI to ensure EVMs’ non-tamperability. It is only at this stage that the order in which the candidates will appear comes onto the ballot unit; if anyone at an earlier stage is trying to help some particular candidate, he cannot do it because he will not know his position on the ballot unit. Randomisation here is a further safeguard introduced by the ECI.
This will help only if someone has been able to replace the PCB or change the chip in some machines at or after the pre-election stage. This will not prevent tamperability of the EVM if a Trojan is already sitting in the fused software at the time of manufacture or if it has been planted subsequently. Suspicion of the latter happening increases because at this stage too the BEL/ECIL deputed engineers have access to the machines. Why they are there is again a mystery. Technical personnel drawn from departments of the Government could have performed any role that is expected from engineers deputed by these two companies.
23. Storage with sealing with signatures of candidates
Adequate so far as it goes.
24. Polling in presence of candidates and Observers; mock poll
The mock poll is merely an eyewash to convince the candidates about the non-tamperability of the machines if a Trojan is already sitting in the fused chip. It is said that in the new machines a new date-time function has been added that will record any key pressed, including keys that are pressed to activate the Trojan. Since these are stand-alone machines, even if there is a Trojan it would need to be activated in all the 12 lac odd booths in the country. A large number of people will therefore have to be part of a conspiracy, not very likely in a ‘loud’ democracy like ours.
Remember, Trojans can be activated at any stage by one who has the code. It could be done by a voter as he comes to vote or, if the chip has been appropriately dressed, even by a wireless device. The position in the new machines is even worse because for the activation of the date-time function either a new chip has been fitted to the ballot unit or the control unit has been appropriately programmed. In the former, a Trojan in the ballot unit chip can foil the plans; and in the latter the Trojan program just has to be modified to ensure that the ‘riggers’ key presses are not recorded. That the new machines were only given to states ruled by the opposition (apart from a few very small states) adds a new dimension. It needs to be noted that we don’t need to rig all the 12 lac booths; a study has shown that 7000 booths all over the country, selectively chosen, could make all the difference between victory and defeat for a party.
25. Sealing, moving to Counting Centres and stored
Safe as far as it goes.
26. Counting Centres in front of candidates and political parties
The totalling key is pressed and the result can be seen by all and recorded. Here too BEL/ECIL deputed engineers are there to help if anything goes wrong.
The presence of BEL/ECIL deputed engineers here is highly unnecessary and raises reasonable suspicions of doubtful intent. This is the stage when it is easiest to activate Trojans. One or two people can activate Trojans in most if not all the machines. The RP Act does not permit anyone but poll personnel and government servants on duty to enter the Counting Centres. How these non-government employees enter these centres is a matter which needs serious investigation and by itself raises a serious question mark on the entire voting process.
27. After counting, the machines are again stored in sealed rooms
It is not clear if any post-election check is made. It is not clear if any check is made of the soldering device, serial no. and so on to check if they are the same as per factory records. It is also not clear with what security the factory records are being kept and why these have not been handed over to the ECI.
Before any claim is made of the trustfulness of these machines, a proper post-election audit of these machines, especially of the PCB, must be made by an independent authority directly under the control of the ECI.
At the very least, what should the ECI do to restore some trustfulness to EVMs?
The most potent leaks are the ones above from items 14-18 and items 20-26. In the former, the maximum danger is because the chip is sent to a foreign company; in the latter, because ECIL/BEL engineers handle these machines at the time of the polls. This is a clear breach of security and leads to questions on the trustworthiness of EVMs.
Short term:
1. Change the chip in the existing machines and replace them with another processing chip fused in India under direct control of ECIL/BEL engineers. This should be an embedded one-time programmable (OTP) non-volatile memory on the processing chip. Thereafter, ECI should get a third company (maybe NIC) to write a ‘sentry’ program and fuse that into the chip as well before soldering them onto PCBs. Parties and candidates should be enabled to check the sentry software through an open standard specification. This will fulfill essential conditions of ‘public scrutiny of elections’.
2. In the stages from 20-26, ECIL/BEL engineers should not be allowed, and ECI should deploy experts and engineers from other departments of the government, like NIC. They should directly report to ECI.
Long term: The time for simplistic solutions is over. A more comprehensive study is needed to incorporate the data bank on National ID, Voters ID, and security and safety measures before the EVM of the future can be devised.
