SC Warns Against Publicising EVM Source Code. But What Does It Mean?

That disclosing the source code will make the machines vulnerable to hacking is an argument the Supreme Court has put forward time and again.

New Delhi: The Supreme Court has said that making the source code of the software of EVMs public could result in its misuse. Seeking a clarification Wednesday (April 24) on a clutch of petitions regarding EVMs, Justice Sanjiv Khanna said, “The source code should never be disclosed. If it is disclosed, it will be misused.”

While the judge did not clarify the nature of the misuse or whether it is the software or the machines that are prone to misuse, the remark has muddied the water further. The judgement has been reserved.

This stand is contradictory to what the Election Commission of India has been saying time and again that the machines are 100% tamper-proof and cannot be hacked. Experts are pointing to what appears to be two seemingly contradictory stands.

“[The] Supreme Court of India acknowledges EVMs can be manipulated if the source code is made public. What protections/methods does it propose to detect if the source code got leaked somehow and manipulation is already happening?” activist Srinivas Kodali pointed out.

“Integrity of the code can be detected without having to make it public. There needs to be a verifiable, auditable mechanism for source code,” he told The Wire.

That disclosing the source code will make the machines vulnerable to hacking is an argument the Supreme Court has put forward time and again.

In September last year, a three-judge bench headed by Chief Justice D.Y. Chandrachud had disallowed a petition for an audit of the source code public, saying this would make the machines vulnerable to hacking. “If we start putting out the source code in the public domain, you know who will be able to hack that,” the bench had told the petitioner.

Last year, The Wire had reported that the source code of the software used for the EVMs has never been audited by any public authority.

Written by handpicked employees of Bharat Electronics Limited, the source code of the software used in the EVMs has never been shared with the Technical Evaluation Committee (TEC) mandated to audit the software or the Ministry of Electronics and Information Technology’s Standardisation Testing and Quality Certification cell, the third party that cross-verifies the TEC’s audit.

It has definitely also never been shared with the ECI – the body tasked with conducting elections.

The source code is a set of human-readable instructions that tells the machine what to do. If altered, the source code can change the outcome of an election.

While the Supreme Court has clubbed a bunch of petitions on various aspects of EVMs, a petition on the source code is yet to be listed. Lawyer and petitioner in the source code case, Sunil Ahya, has asked the court to get the source code audited by any standard, such as the BIS recognised by the Centre. Ahya says it is not his case to make the code public like the Supreme Court is suggesting.

For the record, Australian EVMs use Linux, an open-source software for operating the machines. Venezuela audits its source code before every election. The US keeps its source codes and hashes in a public repository and Germany and several other countries have got rid of electronic voting machines.

The Supreme Court also told the advocate for petitioners that the court has to rely on the technical data given by the ECI. At one point, the bench asked the petitioner, “Can we issue a mandamus on the basis of suspicion?” The court also said, “We cannot control the elections,” and added that conduct of the elections is the purview of the executive.

Lawyer Prashant Bhushan unsuccessfully tried to convince the court that the micro-controllers or chips in the machines are not one-time programmable as the ECI said it was. Some of the chips, as per RTI data, have a ‘Flash’ memory and are imported from a Dutch semiconductor company in the Netherlands, NXP. The court said this chip, located in the VVPAT machine, only has the candidate’s “symbol and no other software”.

One of the interveners tried to point out unsuccessfully that the Election Commission has very little control over the conduct of the elections, including the manufacture of the hardware and software of the machines, which is in clear violation of Article 324 (i) of the Constitution. The court did not entertain this plea either.