India’s Election Commission Implements Fixes to Protect Citizens’ Data

The Indian federal election commission has fixed a number of flaws on its website that exposed information related to citizens’ requests for information about their eligibility to vote, about local political parties and candidates, and about technical details of electronic voting machines. India is set to hold its next general election, scheduled between April and May, to choose the members of the lower house that will form the next government.
The Election Commission of India fixed the issues with its Right to Information (RTI) portal, which allows users to request access to documents of constitutional authorities, central and state government agencies, and private organizations that receive substantial funding from the Indian government.
The bugs permitted access to RTI requests, and the download of transaction receipts and officials’ responses, without an authenticated user login.
The exposed data included the RTI filing date, the questions that were asked, the applicant’s name and mailing address, the applicant’s income status, and the RTI responses.
Security researcher Karan Saini found the bugs in February and contacted TechCrunch for help in disclosing them to authorities after the Election Commission, the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Center were initially unresponsive to his requests to fix the bugs. The bugs were fixed within the last week, following the intervention of CERT-In.
“CERT-In has been in contact regarding this issue with the relevant authority. Recently, CERT-In has been informed by the relevant authority that the vulnerability was reported to have been addressed,” the Indian cybersecurity agency confirmed.
The fix was also confirmed with the researcher.
Although RTI requests and responses are not considered confidential under Indian law, a ruling (PDF) from the Kolkata High Court in 2014 directed authorities holding RTI applicants’ personal information “to hide such information and particularly from their website so that people at large would not know of the details.”
By default, the election commission’s RTI portal does not give access to individual RTI applications or responses without a login, which implies that external access to the data, and the ability to scrape it without an account login, makes the security flaws a privacy issue.
The Election Commission of India did not respond to a request for comment.