Election Commission of India Addresses Privacy Vulnerabilities in Citizen Information Retrieval

India’s federal election commission has fixed flaws on its website that exposed data from citizens’ Right to Information (RTI) requests about their voting eligibility status, local political candidates and parties, and technical details about electronic voting machines. The bugs allowed access to the RTI requests, download transaction receipts, and responses shared by the officials without properly authenticating user logins. The exposed data included the RTI filing date, the questions asked, the applicant’s name and mailing address, the applicant’s poverty line status, and RTI responses. The bugs were fixed earlier this week following CERT-In’s intervention. The Election Commission of India did not respond to a request for comment.

India’s federal election commission has recently addressed vulnerabilities on its website. The flaws allowed access to sensitive data from citizens’ requests about voting eligibility, political candidates and parties, and technical details of electronic voting machines. With the country preparing for the upcoming general elections in April-May, it was crucial for these issues to be resolved before the new government is formed.

The Election Commission of India fixed the bugs in its Right to Information (RTI) portal, which allows citizens to request access to records from constitutional authorities, as well as state and central government institutions and organizations that receive substantial funding from the Indian government.

The bugs allowed unauthorized access to personal information within RTI requests, such as the filing date, questions asked, and mailing address. This information, along with responses from officials, could be viewed without proper authentication.

Security researcher Karan Saini initially identified the flaws in February. After receiving no response from authorities, he reached out to TechCrunch for assistance in disclosing the vulnerabilities. The Election Commission, the Indian Computer Emergency Response Team (CERT-In), and the National Critical Information Infrastructure Protection Center all failed to respond at first; the bugs were finally fixed earlier this week after CERT-In intervened.

“CERT-In has been in communication with the appropriate authority regarding this issue. They have recently informed us that the reported vulnerability has been addressed,” stated a representative from the Indian cybersecurity agency in an email response to TechCrunch.

While the RTI applications and responses are not legally confidential in India, a 2014 court ruling in Kolkata ordered authorities to conceal the personal information of RTI applicants from their websites. However, the Election Commission’s RTI portal allowed external access to this data without requiring a login, making it vulnerable to scraping and therefore a privacy concern.

The Election Commission of India did not respond to a request for comment on the matter.

Kira Kim
