SC Refuses to Hear Plea Seeking Audit into Source Code of Software Used in EVMs

A three-judge Bench, headed by Chief Justice D.Y. Chandrachud, disallowed the petition on the grounds that making the source code public would make the machines vulnerable to hacking.

New Delhi: The Supreme Court on Friday, September 22, refused to entertain a public interest litigation (PIL) that sought an audit into the source code of the software used in electronic voting machines (EVMs).

A three-judge Bench headed by Chief Justice D.Y. Chandrachud disallowed the petition on the ground that making the source code public would make the machines vulnerable to hacking.

“If we start putting out the source code in the public domain, you know who will be able to hack that,” the Bench told the petitioner.

Source code is a human-readable set of written software commands that instructs the hardware of an electronic device on how to function; in other words, it is the brain of the machine. If the source code is public, the presumption is that it will be hard to manipulate the software being used.

The petitioner, Mumbai-based lawyer Sunil Ahya, told the court that IEEE 1028 is the international standard for audit of source code, but whether this or any other standard is being used by the Election Commission of India (ECI) is not known. The last time he approached the court on the same subject in 2018 (which came up for hearing in 2019), it was clubbed with another PIL and his plea was not entertained. However, during that hearing, the ECI had told the court that a technical evaluation committee (TEC) of the ECI audits the code and any information is available with the TEC.

The TEC coincidentally also designs the machine and is overall responsible for all technical specifications of EVMs and voter verifiable paper audit trails (VVPATs). Ahya told The Wire, “How can an agency that designs and writes the software for the machines also do an audit of its own work? This has to be done by an independent agency.”

So while the ECI says the audit is done by TEC, the TEC says it is done by the Ministry of Electronics and Information Technology’s (MEITY’s) audit cell called the Standardisation Testing and Quality Certification (STQC). Ahya says when he filed a right to information (RTI) appeal with STQC, their response was this information is in the domain of the Election Commission.

Significantly, the RTI was transferred to the ECI under Rule 6(3) of the RTI Act, which says that if information is not available with a particular arm of the government, the appeal should be transferred to the one that has the information. Since the ECI and MEITY have stonewalled his appeals, he said he was forced to approach the court once again.

The court, however, said, “On such a policy issue, we are not inclined to issue directions which have been sought by the petitioner. There is no material before this court to indicate that the Election Commission is not taking suitable steps to fulfill its mandate.”

The court also said, “Be rest assured these standard guidelines are being followed. The moment it is put out in the public domain, there is a danger that it will be subject to misuse. We are not inclined to entertain the petition.”

Former Indian Institute of Technology (IIT) professor of Computer Science Subhashis Banerjee says, “It is known since the time of Julius Caesar that security by obfuscation does not work.”

Banerjee, who now teaches at Ashoka University, says elsewhere in the world source codes are published in newspapers. “No one keeps source codes secret. The machines should be secure even after the source code is made public amongst other things. In fact, it is the responsibility of the Election Commission to prove that the machines are secure against a threat model including insider attacks. The protocol should be secure because the assumption should be that EVMs by design are rigg-able.”