Ex-IAS officer demands accountability on ‘security flaws’ in EC’s voter services portal

Former IAS officer Kannan Gopinathan has questioned the Election Commission of India over what he described as serious shortcomings in the security of its voter enrolment and deletion systems. In a detailed note on X, he referred to the recent Aland mass-deletion episode and said it prompted him to examine the Commission’s VHA app and voter portal. According to his assessment, the portal performed poorly on Mozilla’s Observatory test, securing only 15 out of 100 points.

He highlighted that the Content-Security-Policy header was invalid, HSTS was missing, and session cookies lacked SameSite safeguards. He also observed that the reliance on WebViews to render the portal heightened existing server-side vulnerabilities, making them easier to exploit.
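A minimal defender-side check for the three header findings listed above, as an added example that is not taken from Gopinathan's note or from the Election Commission's systems. The sample headers are constructed, the function name `audit_headers` is hypothetical, and treating a misspelled directive as the reason a policy is "invalid" is an assumption, since the article does not say what was wrong with the header.

```python
import re

# Constructed sample response headers for illustration; NOT captured from any real site.
SAMPLE_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; scrpt-src 'self'"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure; SameSite=Lax"),
]

# Partial list of CSP directive names, used only to catch misspellings (assumption: not exhaustive).
KNOWN_CSP_DIRECTIVES = set(
    "default-src script-src script-src-elem script-src-attr style-src style-src-elem "
    "style-src-attr img-src connect-src font-src object-src media-src frame-src "
    "child-src worker-src manifest-src base-uri form-action frame-ancestors sandbox "
    "report-uri report-to upgrade-insecure-requests".split()
)

def audit_headers(headers):
    """Return findings for HSTS, CSP and cookie SameSite, in that order."""
    findings = []
    by_name = {}
    for name, value in headers:  # header names are case-insensitive
        by_name.setdefault(name.lower(), []).append(value)

    # HSTS must be present and carry a positive max-age to have any effect.
    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("hsts: missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I)
        if not m or int(m.group(1)) == 0:
            findings.append("hsts: no positive max-age")

    # CSP: browsers ignore directives they do not recognise, so a typo silently drops a rule.
    policies = by_name.get("content-security-policy")
    if not policies:
        findings.append("csp: missing")
    for policy in policies or []:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() not in KNOWN_CSP_DIRECTIVES:
                findings.append(f"csp: unknown directive '{tokens[0]}'")

    # Cookies: flag every Set-Cookie that carries no SameSite attribute.
    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "samesite" not in attrs:
            findings.append(f"cookie {parts[0].split('=', 1)[0]}: no SameSite attribute")
    return findings
```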

Gopinathan, who resigned from the civil services in 2019 over the government’s abrogation of Article 370 and bifurcation of Jammu and Kashmir into two Union Territories, described the state of voter services as a waste of public resources. He urged that those responsible for the lapses be held to account, Maktoob Media reported.

“If it is negligence or incompetence, fire whoever is responsible immediately. If it is deliberate, pursue criminal investigation to the fullest extent,” he wrote on X.

He suggested that the voter enrolment and deletion services should remain offline until an independent security audit is carried out and corrective measures are put in place. He further recommended preserving and exporting forensic evidence — such as CDN, load-balancer, database audit and SMS gateway logs — along with computing and publishing SHA-256 hashes, issuing a 65B certificate for the exports to enable CID scrutiny, and commissioning an independent penetration test with its full report released publicly.

His remarks come as controversy deepens over alleged fraudulent voter deletions in Karnataka’s Aland Assembly constituency. Rahul Gandhi has accused the Election Commission of concealing evidence from the state police, alleging that more than 6,000 deletion applications were submitted by individuals posing as genuine voters with mobile numbers from other states.

The Election Commission, however, has rejected the allegations, maintaining that no deletions were carried out and that a police case had already been registered.

“No deletion of any vote can be done online by any member of the public, as misconceived by Gandhi,” the poll panel posted on X.

Gopinathan, in response to this, said the Commission’s stance was like saying, “there was an attempted mass shooting, but since no one died, no need to find the shooters or their network.”

“This isn’t about unsuccessful attempts,” he stressed. “It’s about WHO did it, WHO funded them, WHERE else they operated, and HOW deep this electoral sabotage network goes. Six thousand fraudulent and targeted deletion attempts look clearly like an organised racket. An organised attack on democracy. And an organised attack on the country. Do not trivialise this by a file and forget FIR!”

