India’s electoral rolls are the bedrock of our democracy. Their integrity is not a partisan aspiration but a constitutional necessity. Recent events—particularly the revelations around mass online applications for deletions from voter lists in Karnataka’s Aland constituency—have surfaced legitimate anxieties about the security of the Election Commission of India’s (ECI) digital workflows. At the same time, they risk being framed in absolutist terms that obscure the actual problem and the path forward.
The truth sits somewhere careful and precise: it is not evident that the previous online system was universally porous or “waiting to be exploited” in every respect. Rather, there was a specific, front-end identity-verification weakness that made impersonation at the filing stage too easy. That weakness appears to have been exploited at scale. The subsequent introduction of an Aadhaar-based e-sign requirement is, therefore, an important corrective step that deserves acknowledgement. But it has come—let us be honest—after extended public criticism, repeated red flags, and at least one high-profile case that forced the issue into the open. Appreciation is due; complacency is not.
What actually went wrong
Under the earlier online workflow, a person could initiate an application—particularly Form-7 for objections/deletions—after linking a mobile number to a voter’s EPIC (voter ID) on the portal/app. The system did not reliably establish that the mobile used actually belonged to the elector whose EPIC was being referenced. In effect, the “front door” identity check was a soft target. The law’s substantive safeguards remained intact—no deletion could occur without notice, hearing, and field verification by the Electoral Registration Officer and the Booth Level Officer—but the filing stage was susceptible to misuse, as the Aland episode appears to demonstrate.
Rahul Gandhi’s intervention brought political and public attention to the scale of the attempted misuse. On the public record, what is firmly established is the existence of a coordinated effort to file thousands of dubious deletion requests. What is not established is that mass wrongful deletions actually occurred; the legal process reportedly rejected the overwhelming majority of those applications. Politically, that distinction may be unsatisfying. Institutionally, it matters. It tells us the legal “locks” eventually worked—but the “latch” at the front door was too loose, enabling large-scale nuisance and creating scope for intimidation, confusion, and mistrust.
A welcome fix—arriving late
The ECI’s new e-sign requirement, routed through a government-grade service and tied to the Aadhaar-linked mobile number, is a long-overdue safeguard. By making impersonation at the filing stage far harder, it squarely targets the precise abuse we witnessed—no one can now casually use a random phone number to initiate deletions in another person’s name. This deserves recognition. But recognition must come with a caveat: the fix arrives only after years of warnings from civil society and repeated red flags from former officers—including Kannan Gopinathan, who had resigned from the IAS in protest—were brushed aside. Those concerns about the fragility of identity checks were not acted upon when they should have been. In that light, this change is welcome but belated: the right fix, but forced by exposure rather than foresight.

Nor should anyone pretend that e-sign is a silver bullet. Any OTP-based system inherits risks—SIM-swap frauds, compromised Aadhaar-mobile linkages, and the exclusion of voters without Aadhaar-linked phones. The fix closes a major exploit; it does not end the need for vigilance, layered controls, and robust offline alternatives.
Accountability must run to its logical conclusion
The first information report (FIR) arising from the Aland affair should proceed to its logical conclusion. This is non-negotiable. If bad actors attempted to weaponise the filing process, they ought to face legal consequences—not simply to punish wrongdoing, but to deter future attempts. Here, the ECI’s role as a constitutional authority is important. It must be visibly and proactively cooperative with the Karnataka Police and any Special Investigation Team: preserving and producing logs, IP trails, OTP metadata, device fingerprints, and administrator action histories; explaining system changes and access controls; and certifying chain-of-custody for digital evidence. Any perception of opacity will only compound mistrust and politicise what should be a technical and forensic exercise.
A concrete improvement plan
The conversation must now move from blame to design. Below is a compact, actionable programme to make the system better—more secure, more resilient, and more citizen-centred—without sacrificing access:
Layered authentication (“step-up” security). Keep e-sign for sensitive actions (deletions, address changes, bulk submissions), but allow multiple strong options beyond Aadhaar where feasible: DigiLocker-based KYC, passport-grade e-KYC, or in-person verification codes collected from BLOs. Do not bind security to a single ID rail.
Real-time elector notifications. For any Form-7 filed against an elector, send an immediate SMS/e-mail/IVR alert to the mobile/e-mail on record and, where unavailable, a physical postcard. Include a secure link and helpline to contest or confirm. This converts every voter into a sensor against impersonation.
Cooling-off window for effect. Introduce a mandatory 72-hour “hold” between filing and any administrative action, except where the elector affirmatively confirms. This reduces the risk of coordinated blitz filings creating panic before hearings.
Risk scoring and anomaly detection. Flag spikes by geography, device, IP, ASN, or account age. Rate-limit high-risk patterns and auto-escalate outliers to manual review. Machine-assisted triage should be standard for bulk or suspicious activity.
Hardened audit trails with immutability. Write critical events (login, linkage, submission, approval/rejection) to an append-only log with cryptographic integrity checks. Maintain retention consistent with evidence needs. Document and publish the log schema.
Penetration testing and red-teaming. Commission independent pentests before major rollouts; publish executive summaries and remediation timelines. Run periodic red-team exercises simulating coordinated abuse of public portals.
Bug-bounty programme. Invite responsible disclosure with time-bound commitments to triage and fix. The best defence against unknown unknowns is an empowered community of testers.
Public change logs and service transparency. Maintain a dated, human-readable change log for the portal and apps: what changed, why, and when. It builds trust and provides investigators with context.
Clear SOPs for police assistance. Codify a standard operating procedure for law-enforcement requests—fields available, lawful bases, turnaround times, and privacy protections—so cooperation is timely and consistent across States.
Offline parity and inclusion. Preserve a robust offline route for citizens without Aadhaar-linked mobiles or stable connectivity. Strengthen BLO capacity: training, checklists, and templated speaking orders to ensure due process at the last mile.
Data minimisation and privacy. Store only what is necessary for authentication and audit; encrypt at rest and in transit; rotate keys; and adopt strict retention schedules. Publish a privacy notice and conduct periodic data-protection impact assessments.
Citizen remedies and dashboards. Provide a simple interface to track one’s pending applications, lodge objections, and appeal outcomes. Publish aggregate dashboards (by State and district) on filings, acceptance/rejection rates, and flags raised by anomaly detection.
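The "risk scoring and anomaly detection" point above can be made concrete with a small scorer for Form-7 filings. This is an added illustration, not ECI code; the field names, thresholds, weights and sample records are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Filing:                      # field names are assumptions, not the ECI schema
    ts: datetime
    filer_id: str                  # portal account that initiated the Form-7
    ip: str
    account_age_days: int
    target_epic: str               # elector the deletion request is filed against

WINDOW = timedelta(hours=24)       # look-back window (assumed)
LIMITS = {"filer_id": (3, 50), "ip": (5, 30)}   # key -> (max distinct EPICs, weight)
NEW_ACCOUNT_DAYS, NEW_ACCOUNT_WEIGHT = 7, 20

def score_filings(filings):
    """Score filings in time order; returns a list of (score, action) per input index."""
    seen = {k: defaultdict(list) for k in LIMITS}
    out = [None] * len(filings)
    for i, f in sorted(enumerate(filings), key=lambda p: p[1].ts):
        score = NEW_ACCOUNT_WEIGHT if f.account_age_days < NEW_ACCOUNT_DAYS else 0
        for key, (limit, weight) in LIMITS.items():
            hist = seen[key][getattr(f, key)]
            hist[:] = [(t, e) for t, e in hist if f.ts - t <= WINDOW]  # expire old entries
            hist.append((f.ts, f.target_epic))
            if len({e for _, e in hist}) > limit:   # one source, many different electors
                score += weight
        action = "manual_review" if score >= 50 else "rate_limit" if score >= 20 else "accept"
        out[i] = (score, action)
    return out

def sample_filings():
    """Constructed data: one ordinary filer, one bulk filer, one new account."""
    t0 = datetime(2025, 1, 1, 9, 0)
    rows = [Filing(t0, "acct-a", "198.51.100.7", 400, "EPIC-0001")]
    rows += [Filing(t0 + timedelta(minutes=60 + m), "acct-bulk", "203.0.113.9", 2,
                    f"EPIC-1{m:03d}") for m in range(6)]
    rows.append(Filing(t0 + timedelta(hours=3), "acct-b", "192.0.2.44", 1, "EPIC-0002"))
    return rows

if __name__ == "__main__":
    for f, (score, action) in zip(sample_filings(), score_filings(sample_filings())):
        print(f.filer_id, f.target_epic, score, action)
```

The signal that matters is the number of distinct electors targeted from one account or address, not the raw request count, so an elector correcting their own record repeatedly is not escalated.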
This programme recognises the dual reality: technology can increase both efficiency and the attack surface. Security, therefore, has to be layered—procedural, technical, and human.
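For the "hardened audit trails" point in the plan, the following added sketch (not the Commission's implementation) chains each log entry to the previous one with an HMAC, so that edits, deletions and reordering are detectable. The event fields, key and sample entries are constructed assumptions.

```python
import hashlib, hmac, json

GENESIS = "0" * 64   # fixed value that the first entry chains from

class AuditLog:
    def __init__(self, key: bytes):
        self._key = key          # assumption: key is held outside the portal's database
        self.entries = []

    def _mac(self, prev, body):
        # MAC covers the previous entry's MAC plus a canonical encoding of this entry
        msg = prev.encode() + json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, event, actor, detail):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "event": event, "actor": actor, "detail": detail}
        self.entries.append({**body, "prev": prev, "mac": self._mac(prev, body)})
        return self.entries[-1]["mac"]   # head value to anchor externally

    def verify(self, expected_head=None):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("seq", "event", "actor", "detail")}
            ok = (e["seq"] == i and e["prev"] == prev
                  and hmac.compare_digest(e["mac"], self._mac(prev, body)))
            if not ok:
                return i
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)     # entries were removed from the tail
        return None

def build_sample(key=b"constructed-demo-key"):
    """Constructed events covering login, linkage, submission and rejection."""
    log = AuditLog(key)
    log.append("login", "acct-bulk", {"ip": "203.0.113.9"})
    log.append("linkage", "acct-bulk", {"epic": "EPIC-1000"})
    log.append("submission", "acct-bulk", {"form": "Form-7", "epic": "EPIC-1000"})
    head = log.append("rejection", "ero-01", {"form": "Form-7", "epic": "EPIC-1000"})
    return log, head
```

A chain on its own cannot show that the newest entries were dropped, which is why `verify` accepts a head value recorded somewhere the log's administrators cannot rewrite.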
(Photo: CEC Sh. Gyanesh Kumar, in the presence of ECs Dr. Sukhbir Singh Sandhu and Dr. Vivek Joshi, inaugurates a two-day conference of CEOs at IIIDEM, New Delhi, on 23rd May, 2025.)
A balanced verdict on the competing claims
How should citizens read the competing political narratives? First, it is accurate to say the earlier system contained a serious identity-verification weakness at the point of online filing. Second, it is equally accurate to say the law’s downstream checks prevented those filings from automatically becoming deletions; the system did not, by default, erase voters without notice or hearing. Third, the ECI has now introduced a targeted fix that should meaningfully reduce the risk of impersonation. Fourth, investigations into the attempted misuse must be completed, with full cooperation from the Commission, to ensure accountability and deterrence.
In that sense, Rahul Gandhi’s highlighting of the attempted misuse has served the public interest by catalysing a necessary change. At the same time, sweeping claims of mass wrongful deletions are, as of today, not sustained by the public record. The right response is not triumphalism from any side, but a renewed commitment to institutional hardening and transparent investigation.
Beyond one State, beyond one episode
This is not about one constituency or one State; the upgraded workflow will be used across the Republic. In a country of our scale, even low-probability vulnerabilities can translate into high-impact incidents. Electoral rolls must meet an especially high bar of integrity because they are upstream of every other democratic safeguard. If we get the rolls wrong, everything downstream can be contested.
The ECI deserves credit for moving to an e-sign gate and for consolidating its sprawling application landscape into a more coherent platform. It equally deserves—and must accept—a responsibility to move faster on red flags, to communicate changes openly, and to stand shoulder to shoulder with investigators when criminal misuse is alleged. That is how confidence is earned: not by insisting that institutions never err, but by showing that they detect, correct, and cooperate.
Our proposed roadmap
We, therefore, strike a principled middle course. We acknowledge the Commission’s corrective step and welcome it. We urge that the Karnataka FIR and related probes be pursued to a clear prosecutorial conclusion. We call upon the ECI, as a constitutional body, to extend full, proactive assistance to the investigators—supplying all relevant technical artefacts with documented chain-of-custody, and explaining system behaviour with candour. And we propose a twelve-point improvement plan that blends stronger authentication, citizen alerts, forensic-grade logging, independent testing, and inclusive offline alternatives, all underpinned by privacy-respecting data practices.
If adopted, these measures will not only address yesterday’s exploit but also shrink the attack surface for tomorrow’s. They will help move our public debate from accusation to assurance. Most importantly, they will protect what we all cherish, regardless of party or preference: the purity of the electoral rolls—central to the legitimacy of India’s democracy.