Amid Allegations of Tech-Based Voter Manipulation, EC Website’s ‘Poor’ Security Rating Deepens Doubts

While the Election Commission has said Form 7 applications cannot immediately lead to deletion from rolls, the use of software systems including ERONet and ECINet has raised questions about how these systems function in aiding the maintenance of voter lists.

New Delhi: Rahul Gandhi’s latest allegations of wrongful additions and deletions in voter lists being facilitated in a centralised way have once again raised questions about the sanctity of electoral rolls, but more crucially they have sown doubts on whether the voter lists are vulnerable to a technological breach.

In responding to Gandhi’s allegations, the Election Commission curiously spoke in two voices. While at first it called his allegations “incorrect and baseless”, a day later it provided thrust to the Congress leader’s allegations by stating that FIRs were registered in both Aland and Rajura following “suspicions of the genuineness of large numbers” of deletion and addition applications, respectively.

Around a week later, in what appeared to be a corrective measure, it then rolled out a new ‘e-sign’ feature on its ECINet portal and app, which now uses Aadhaar-linked phone numbers as verification for those applying for additions or deletions, The Indian Express reported. The Election Commission, however, did not make any mention of whether this was done to address the recent allegations of centralised systems being used to tamper with electoral rolls.

Gandhi had alleged in a press conference last week that “someone ran an automated programme”, following which about 6,018 votes in Karnataka’s Aland constituency were deleted by impersonating voters, using mobile numbers from outside the state, with software used to systematically target booths where the Congress was winning.

He claimed that software was used to file these deletion applications using the voters listed at serial number 1 in their booths.

While the Election Commission has said Form 7 applications cannot immediately lead to deletion from rolls, experts say that the use of software systems including ERONet and ECINet has raised questions about how these systems function in aiding the maintenance of voter lists, and about the conduct of the Election Commission in analysing these threats and taking action.

Can voters delete names themselves?

Under the Registration of Electors Rules, 1960, anyone who seeks to make corrections and deletions from electoral rolls can do so by filling Form 7 that can be used for “objection for proposed inclusion/deletion of name in existing roll”. 

The form can be used by electors to delete their own name, or to raise an objection against any other elector in their constituency. It can be downloaded and handed over to the BLO (booth level officer) concerned, or submitted online on the ECINet app.

“The electoral roll cannot face any such centralised attacks because the database is unapproachable. Submissions of Forms 6 (registration of new voters), 7 (objections and deletions), 8 (shifting residence, corrections) are followed by field visits, and then notices are issued, given opportunity for hearing and only then any deletion or correction is made,” said former chief election commissioner O.P. Rawat.

The Election Commission in its response to Gandhi’s allegations on September 19 too had said that “no deletion of any vote can be done online by any member of the public”, although electors can fill Form 7 to apply. 

However, the commission added that FIRs were registered in both Aland and Rajura following “suspicions of the genuineness of large numbers” of deletion and addition applications respectively. 

This has raised questions of online systems being vulnerable to misuse.

The push towards centralisation through technology

While the process laid down requires Electoral Registration Officers (EROs) to take the final call, including field visits by Booth level Officers (BLOs), the poll body has also sought to develop systems that aid the process of maintaining electoral rolls.

Since 2018, ERONet has functioned as a centralised portal for all EROs across the country. Prior to this, each state had its own system, called the ERMS (electoral roll management system).

However, earlier this year, the Election Commission launched the ECINet, a single portal and app that combined around 40 earlier apps and portals meant for voters and officials, including ERONet.

“The idea is that these software systems will act as decision support systems, they will suggest potential duplicates, people who may have shifted, who have died. These systems were initially brought in to give a certain kind of support to the EROs in taking the final call in maintaining and updating the electoral rolls. However, there is ample evidence that such systems can be manipulated,” said Srinivas Kodali, digital rights activist and researcher.

In the 2018 Telangana assembly elections, lakhs of voters in the state, mostly from Greater Hyderabad region, found their names missing from the electoral rolls and were unable to cast their votes. 

Later, an RTI revealed that voter verification undertaken as part of linking of Aadhaar with voter IDs under the National Electoral Roll Purification and Authentication Programme (NERPAP) deleted nearly 30 lakh voters from the rolls across the state using a software meant to identify duplicate and bogus voters. 

Kodali has moved the Supreme Court in the case.

He also pointed to the ERONet, developed by the Tata Consultancy Services (TCS). In its annual report 2024-25, TCS says that it collaborated with the Election Commission to develop a “flagship web-based application ERONet 2.0, that revolutionised electoral roll management in India.”

“The application managed the end-to-end life cycle of electors, and was available nationwide. ERO Net 2.0 application has a centralised database that serves as the single source of truth for the election body. A standout feature is the executive dashboard, which is updated daily and offers a 360-degree view of the life cycle of electors,” the report says.

Kodali said that even through this, the ERO essentially remains the final authority but transparency remains a concern.

“All the parts of the electoral rolls should be very transparent, but it’s rarely transparent. We really don’t know what the software is suggesting and what the ERO is doing. It is the network, not just the ERO. It is the ERO, BLOs and the ECI – all forming a system,” he said.

Incidents of misuse of electoral data have come up recently including when Kodali himself filed a complaint with the Chief Electoral Officer of Telangana that the Telangana government under Bharat Rashtra Samithi (BRS) allegedly misused electoral roll photos for facial recognition to provide government services online. 

In 2022, The News Minute had reported that a private NGO, Chilume Educational Cultural and Rural Development Institute, covertly collected personal information from thousands of voters in Bengaluru by making their field agents pose as government officials, enabled by a Government Order that allowed the NGO to “create awareness” about voter rights and revision of electoral rolls. 

“So, at the end of the day, a software is a front, it helps to target people as it provides a lot of information in a centralised manner to make deletions, and all this is not happening in isolation in that there is also underground political profiling taking place by parties. And there is evidence of information sharing,” said Kodali.

Security concerns

The security of Election Commission websites has also been flagged recently. In December 2021, Sai Krishna Kothapalli, founder/chief executive officer of Hackrew, a Hyderabad-based cybersecurity firm, came across a critical vulnerability in the National Voters Service Portal (NVSP) that allowed access to unredacted, registered phone numbers of voters in a constituency and then alerted the Computer Emergency Response Team (CERT). 

On Wednesday, former IAS officer Kannan Gopinathan, who before resigning served as a secretary in Dadra and Nagar Haveli, and had been the returning officer in the 2019 Lok Sabha elections, said on X that when he ran a security review of the Election Commission’s VHA app, it received just a 15/100 score on Mozilla’s HTTP Observatory site.

“With several voter services including the submission of Forms 6, 7, 8 moving online, the process is eased but it also allows for a lot more mass coordinated kind of applications to be submitted,” said Gopinathan to The Wire.

Gopinathan also said that the Election Commission’s acknowledgment of “suspicious” large number of additions and deletions in Aland and Rajura and registering FIRs is not enough.

“If there is a shooting at your house and there is little to no damage, do you say nothing has happened so let’s move on or would you like to find the shooters, what their network is, who funded them and is it an organised racket?” he asked.

He said that the Election Commission should look to provide answers to what has been done since.

“Have we seen an increase in such kinds of online-based attempts happening in other constituencies? If it has, where have they happened, what is the deletion or success rate of such attempts, there is a need to verify this. You generally see one anomaly and then you try to use it to understand whether this is just a one off incident or if this is part of a larger syndicate operation,” he said.

“When we know such incidents are happening, accountability should also come with that. That these incidents are taking place, is enough to rehaul the whole process because this is not just an attempt at disenfranchising in an election but influencing the election itself,” he added.

Questions of trust

While the Election Commission has acknowledged that suspicious attempts were found around such deletions and additions, questions of trust remain in its conduct. 

In recent months, the poll body, when Gandhi first raised allegations of inconsistencies in the voter rolls in Karnataka’s Mahadevapura, sought an affidavit from him to probe his claims. Over a month on, the poll body has yet to initiate a probe into his allegations. 

In its response to Gandhi last week, it first termed them “incorrect and baseless” and then provided a note acknowledging several of his claims while maintaining that deletions cannot be made by members of the public.

“It’s a larger question of trust, so it needs to be addressed by multiple actions that need to be taken by the election commission,” said Apar Gupta, advocate and founder, Internet Freedom Foundation.

“First, a technical audit which needs to be conducted transparently by verified third parties who do not have relationships, which can improve the outcome of audit processes into the technical systems across the various layers of how voter lists are prepared. This needs to be done periodically over a period of time, in addition with public disclosure of who is being engaged, how they are being engaged, what are their findings, what are the deficiencies.

“It is important for the Election Commission to proactively coordinate with CERT-In, and also notify them of attempts at any kind of cyber vulnerabilities, attacks, data breaches, and also publicly disclose them. And finally it does need to pursue legal action. Because an attempt to tamper with the electoral roll using any technical software is not only a breach of electoral laws, it’s also criminal action or forgery or alteration of digital records which falls within the scope of criminal prosecution both under the Information Technology Act as well as the BNSS,” he said.

Meanwhile, former chief election commissioner N. Gopalaswami said that the Election Commission in 2004 in Tamil Nadu had allowed political parties to file bulk applications to ease individual voters. 

“We stopped the facility later because it was found that there were a large number of bogus applications being filed. In this case too, if the Election Commission finds that the online mode of filing applications is being misused they will close that door. But that’s a call for the deciding authority,” he said.

On the other hand, O.P. Rawat said that the way forward is to immediately inquire.

“The Election Commission has the government machinery and the wherewithal to investigate. For instance the C-vigil app invites complaints against any violations and the Election Commission is meant to investigate them within 100 minutes and give feedback. Here the only way forward is to immediately inquire and put the facts in the public domain,” he said.

This article went live on September 26, 2025, at 8:00 am.
