‘A Big Whooping F’: Former IAS officer, Kannan Gopinathan exposes shocking security flaws in ECI voter portals

Former IAS officer exposes grave security flaws in Election Commission's voter platforms, calls for forensic preservation, independent audit, and criminal accountability. “Public funds cannot be used to half-bake democracy,” he says in scathing X post

Following the mass voter deletion controversy in Karnataka’s Aland constituency, serious questions are now being raised about the security of India’s electoral digital systems. Former IAS officer and activist from Kerala, Kannan Gopinathan, has independently conducted a security review of the Voter Helpline App (VHA) and the ECI’s voters.eci.gov.in portal. His findings — posted publicly on his verified X (formerly Twitter) account — have raised serious questions about the Election Commission of India’s preparedness to manage and secure sensitive voter data in a digital age.

Mozilla Observatory score: 15/100, a big whooping F

Gopinathan began by revealing the alarming results of his security scan using Mozilla Observatory — a widely respected tool for web application security benchmarking.

“The Mozilla Observatory score was 15/100 (F). A big whooping F,” he wrote, exposing the systemic neglect of baseline security standards on platforms that handle enrolment, deletion, and sensitive personal data of millions of Indian voters.

CSP is disabled, HSTS missing, and cookies lack SameSite

Delving deeper into the technical deficiencies, he highlighted critical flaws in the platform’s backend configuration. “The Content-Security-Policy header is invalid. CSP is effectively disabled,” he pointed out, referring to a vital browser-side protection that limits cross-site scripting attacks.

“There is no HSTS. Session cookies lack SameSite,” he added, calling attention to the absence of basic protections that prevent man-in-the-middle attacks and cross-site request forgeries. In other words, the platforms lack the digital seatbelts necessary to guard voter data from hijacking and tampering.
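The three gaps described above can be checked mechanically from a site's response headers. The following is an added example, not code from Gopinathan's post or from Mozilla Observatory; the function names and header values are constructed for illustration, and a CSP is assumed to count as effective only if it carries a `default-src` or `script-src` directive.

```python
# Added example; header values below are constructed, not captured from any site.
SCRIPT_DIRECTIVES = {"default-src", "script-src"}

def csp_is_effective(value):
    """True if the policy carries a directive that restricts script loading."""
    names = {part.split()[0].lower() for part in value.split(";") if part.strip()}
    return bool(names & SCRIPT_DIRECTIVES)

def hsts_max_age(value):
    """Return the max-age in seconds, or 0 if absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return 0

def cookie_has_samesite(value):
    """Attributes follow the first ';'; the cookie's own value is skipped."""
    attrs = [a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]]
    return "samesite" in attrs

def audit_headers(headers):
    """headers: list of (name, value) pairs; returns a list of finding strings."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = []
    csp = by_name.get("content-security-policy", [])
    if not csp:
        findings.append("csp-missing")
    elif not any(csp_is_effective(v) for v in csp):
        findings.append("csp-ineffective")
    if not any(hsts_max_age(v) > 0 for v in by_name.get("strict-transport-security", [])):
        findings.append("hsts-missing")
    for cookie in by_name.get("set-cookie", []):
        if not cookie_has_samesite(cookie):
            findings.append("cookie-no-samesite:" + cookie.split("=", 1)[0].strip())
    return findings

WEAK = [("Content-Security-Policy", "default_src self"),  # typo'd directive name
        ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly")]
HARDENED = [("Content-Security-Policy", "default-src 'self'; object-src 'none'"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]

if __name__ == "__main__":
    print(audit_headers(WEAK))
    print(audit_headers(HARDENED))
```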

You’re rendering the portal inside WebViews, that’s dangerous: Kannan

Criticism wasn’t just aimed at the backend. Gopinathan tore into the mobile design of the Voter Helpline App, specifically its use of WebViews — a design shortcut that allows websites to be rendered within mobile applications but significantly increases the attack surface.

“Your apps render the portal inside WebViews. That amplifies every server-side flaw and makes attacks practical,” he warned, adding that such architecture essentially turns every small vulnerability into a gateway for full-blown exploitation.

This is how you guys half-ass it?

It wasn’t just a technical takedown. The former bureaucrat also questioned the larger systemic mindset that allowed these vulnerabilities to persist in platforms that directly serve the democratic process.

“As sensitive as a service like voter enrolment and deletion, and this is how you guys half-ass it?” he asked in frustration.

Gopinathan condemned what he described as institutional apathy toward digital security in public infrastructure.

“Using public money to make a mockery of voter services and not even doing a basic security review before going live?” he wrote, calling out the ECI for what he termed a reckless approach to safeguarding democracy.

Fix accountability — or fire the ones responsible

Gopinathan didn’t mince words when it came to consequences. He called for immediate accountability — either through administrative action or criminal prosecution.

“If it is negligence or incompetence, fire whoever is responsible immediately. They are not competent to run this,” he demanded. “If it is deliberate, pursue criminal investigation to the fullest extent.”

His comments reflect a larger frustration among civil society actors who view weak digital infrastructure as not just a technological issue but a democratic failure.

Take the services offline until a full audit is done

In a bold call to action, Gopinathan asked for the immediate suspension of both enrolment and deletion services until a full, independent security review and remediation is carried out. “Take the enrolment and deletion services offline until a full independent security audit and remediation are complete,” he advised, emphasising the risk of continuing to operate these services in their current state.

Preserve forensic artifacts and issue SHA-256 hashes

Moving into a detailed digital forensics playbook, Gopinathan laid out specific steps that the ECI should take if they are serious about fixing the problem and uncovering any past tampering.

“Preserve and export all forensic artifacts now: CDN, load-balancer, DB audit and SMS gateway logs,” he said. He urged the Commission to compute and publish “SHA-256 hashes and issue a 65B certificate for the exports so CID can forensically examine them.”

This level of technical clarity, rarely seen in public policy debates, reflects both Gopinathan’s bureaucratic background and his evolving role as a civic technology watchdog.
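The hashing step in that advice amounts to recording a SHA-256 digest for every exported file at the moment of preservation, so that any later change is detectable. The sketch below is an added example, not the ECI's or Gopinathan's tooling; the file names and log contents are constructed stand-ins, and it covers only the hash manifest, not the Section 65B certificate.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte log exports never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(export_dir):
    """Map each file's path (relative to export_dir) to its SHA-256 digest."""
    root = Path(export_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(export_dir, manifest):
    """Return (path, status) for every file that no longer matches."""
    current = build_manifest(export_dir)
    problems = []
    for name in sorted(set(manifest) | set(current)):
        if name not in current:
            problems.append((name, "missing"))
        elif name not in manifest:
            problems.append((name, "unlisted"))
        elif current[name] != manifest[name]:
            problems.append((name, "modified"))
    return problems

def demo():
    """Constructed sample: two tiny stand-in log exports, one later altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lb").mkdir()
        (root / "lb" / "access.log").write_bytes(b"constructed load-balancer line\n")
        (root / "sms_gateway.log").write_bytes(b"constructed SMS gateway line\n")
        manifest = build_manifest(root)
        before = verify_manifest(root, manifest)
        (root / "sms_gateway.log").write_bytes(b"constructed line, edited\n")
        after = verify_manifest(root, manifest)
        return manifest, before, after

if __name__ == "__main__":
    manifest, before, after = demo()
    for name, digest in manifest.items():
        print(digest, name)
    print(before, after)
```

The manifest is only as trustworthy as its own storage: it should be published or held by a separate party from whoever holds the exports.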

Commission a penetration test and publish the report

He concluded his review with a final recommendation — that the ECI hire independent experts to conduct a thorough penetration test on their infrastructure, and more importantly, make the full findings public.

“Commission an independent penetration test and publish the full report and remediation plan,” he insisted, arguing that democratic trust can only be rebuilt through complete transparency and accountability.

Who is Kannan Gopinathan?

Kannan Gopinathan is a former IAS officer from Kerala, known nationally for resigning from the service in 2019 to protest the communication blackout and civil rights clampdown in Jammu & Kashmir after the abrogation of Article 370. A technocrat with an engineering background, he gained respect for his hands-on work during the Kerala floods and has since emerged as a vocal activist advocating for democratic accountability, digital transparency, and civil liberties.

Through his X handle (@naukarshah), Gopinathan regularly scrutinises government systems—especially digital public infrastructure—backing his critiques with data-driven analysis and technical insight. His work bridges bureaucracy and activism, driven by a deep commitment to public interest and constitutional values.

