NEW DELHI — The Election Commission of India has deployed teams of private contract workers, with a minimum work experience of just one year, to Maharashtra and Haryana, where they are conducting “first-level checks” on Electronic Voting Machines (EVMs) for state assembly elections scheduled for later this year, HuffPost India has learnt.
These engineers told HuffPost India they had previously been tasked with critical aspects of the voting process — including setting EVMs and loading symbols into vote verification machines called VVPATS — in the 2019 general elections.
Opposition leaders in these states told HuffPost India they were unaware that first-level checks on EVMs had begun, and that these checks were being performed by engineers who were not full-time employees of Bharat Electronics Limited (BEL) and Electronics Corporation of India Limited (ECIL), two state-owned companies that manufacture and maintain EVMs for the Election Commission.
The Election Commission has never admitted to the use of contract workers, and the commission’s own guidelines require that representatives from all political parties be present when first level checks on EVMs are conducted.
This HuffPost India report suggests that the nature of electronic voting makes it impossible for the Election Commission of India to maintain full control over all aspects of the voting process, despite its protestations to the contrary. The Commission’s submissions in Supreme Court indicate, at best, a fundamental ignorance about the nature of cybersecurity threats.
In an interview, Ashok Tanwar, Congress party leader from Haryana, stated that they did not receive any communication from the District Election Officers or Chief Election Officer. In Maharashtra too, the party did not receive any communication at its state headquarters, party leader Sanjay Nirupam said. Same was the case with NCP, MNS and CPI(M).
The Congress’s Sanjay Nirupam and the CPI(M)’s Nilotpal Basu told HuffPost India they were filing a complaint with the Election Commission in this regard.
Earlier this month, The Quint reported on ECIL’s use of contract workers through a Mumbai-based labour contractor called T&M Services Consulting Private Limited. Sheyphali Sharan, a spokesperson for the Commission, told The Quint,“No private company was engaged to provide engineers by BEL & ECIL.”
This HuffPost India report includes new information on ECIL and BEL’s use of contract workers, and the manner of their recruitment and deployment, and the fact that these workers have begun work on the Maharashtra and Haryana elections without informing the opposition.
The presence of these contractors poses a significant security risk to the sanctity of India’s election process. Yet, rather than confront these risks and proactively address possible vulnerabilities, the Election Commission has chosen to retreat behind a veil of silence and obfuscation.
BEL, ECIL, and the Election Commission did not respond to HuffPost India’s queries sent a week ago. This copy will be updated if and when they do.
Contract Work Force
In the summer of 2018, BEL announced 480 vacancies for “contract engineers to be posted across India on Contract basis for FLC of EVM & VVPATprojects for Elections of 2019 (Loksabha/State Assembly) for a period of ONE YEAR”, as per a recruitment notice reviewed by HuffPost India.
These engineers were meant to assist BEL’s regular employees in the mammoth task of conducting India’s general elections. BEL is one of two companies involved in the election. The other, as noted earlier, is ECIL.
The job, the BEL recruitment notice stated, involved “Field Testing /Operation / Repair / Maintenance and demonstration of electronic equipment”. The job would pay Rs 23,000 per month (all inclusive), and the eligibility criteria required that the candidate be less than 26 years of age on 1 June 2018, have a B.tech or Bachelor of Engineering degree and a minimum of one year of industrial experience.
Short-listed candidates were asked to provide a routine police verification certificate, from their local police station, in lieu of a background check. The Election Commission, a former Chief Election Commissioner told HuffPost India, does not perform its own background checks on these contract workers.
“Contract workers have long been used,” another former Chief Election Commissioner told HuffPost India. “But my understanding is that they only assist regular employees of BEL and ECIL, who do the sensitive work.”
However, in interviews, contract engineers for BEL told HuffPost India they were involved in all aspects of the election process including loading candidate names into EVMs and loading party symbols in VVPATS.
An unusual case from Uttarakhand indicates that contract employees involved in elections far outnumber the regular full-time workers, making it unlikely that the degree of supervision of these young, inexperienced engineers is as thorough as the Election Commission would like the public to believe.
The Uttarakhand Case
In 2017, a dispute over the outcome of the Uttarakhand state assembly election results sparked a surprising disclosure.
A man called Raju Binjola, said to be a close aide of Bharatiya Janata Party candidate Munna Singh Chauhan, posted a detailed booth wise “prediction” of the poll results of that particular constituency on his Facebook wall a week before the results were formally announced. Congress candidate Nav Prabhat, Binjola predicted, would get 32,572 votes. When the results were out, Nav Prabhat had 32,477 votes.
“In some booths like Dhalipur, Bhimwala and Kata Pathar, the numbers predicted by Binjola were right on the mark for both BJP and Congress. At Dhalipur, for instance he had predicted 750 votes for Congress and the party got exactly that many,” the Times of India reported on April 27, 2017. “Similarly, in Badwa, he predicted 260 votes for BJP, and the party got 287. At Nawabgarh, the prediction for BJP was 1,200 votes and the party got 1235 votes.”
This startling coincidence prompted a flurry of legal action from losing candidates, who insisted that the poll had been rigged. The legal process that followed resulted in the disclosure — through the Right To Information — that ECIL had deployed 52 contract workers from Mumbai-based T&M Services Consulting Limited and only 8 of its own regular staff in the election. T&M Services declined to answer HuffPost India’s questions, explaining it had a non-disclosure agreement with its clients.
The case is still being heard in the Uttarakhand High Court, but marks a concrete instance of a contested result, and of contract engineers handling EVMs.
The Election Commission of India has long maintained that it retains full control over the sanctity of the voting process from start to finish.
On 29 March 2019, the Election Commission of India submitted an affidavit to the Supreme Court stating there was “no credible or concrete proof to even remotely suggest that the EVMs of ECI were handled / accessed by private persons without getting the necessary security clearance from the Election Commission of India.”
In the same affidavit, the Commission stated, “The administrative safeguard put forth by ECI leaves nothing to chance, whether in manufacturing, storage, transportation, or during use in election thereby, ensuring that the EVMs of ECI are not tampered with in any manner or accessed by unauthorized persons.”
The Commission, understandably, appears to be focused on ensuring that no one political party can game EVMs. Yet, it appears not to have considered that possibility that the threat to the process could come from a more sophisticated adversary.
For instance, in the same affidavit before the Supreme Court, the Commission also submitted that “as per section 61A of the Representation of the People Act, 1951, the design specification of the ECI EVMs used in the elections in India is approved by the ECI (based on the advice of the Technical Expert Committee). The Election Commission of India has directed BEL and ECIL that the design of EVMs and VVPATs used by the ECI shall not be shared with anyone.”
Yet these technical details have been published by the manufacturers themselves over a period of time. When BEL applied for the patent of their EVM design in 2002, theysubmitted these details and drawings which have been online ever since. ECIL, for instance, has published diagrams of components of VVPAT machines on their website as part of a global tender for components of these machines.
A tender, released in January 2018, lays out the internal cable harness used in VVPATs, while another tender, for the thermal printer that generates the VVPAT’s paper trail, includes details on EVM connectors, and also details on how the printer shall interact with the VVPAT. These might appear innocuous details but offer potential adversaries an opportunity to study these machines and think of how to infiltrate the system.
In interviews, contract engineers told HuffPost India their list of tasks included running checks, changing of broken parts like buttons in the Ballot Units, and loading party symbols into VVPAT machines, using customised laptop-like rigs provided by BEL and ECIL. This disclosure, coupled with the knowledge that the machines that decide the fate of Indian democracy are handled by short-term contract employees, barely four years out of engineering college, opens up frightening possibilities.
A young engineer, with barely a few months of training on the job, could through unwitting negligence expose this critical infrastructure to potential attack.
Election Commission officials have long dismissed such scenarios by explaining how hacks would make it very hard to help one particular party or candidate win. But as the alleged Russian interference in the 2016 US elections shows, a sophisticated adversary might simply want to sow confusion about the results, rather than help one particular party or candidate.
HuffPost India has written to ECIL and BEL, and will update this copy when they respond.