Speakers: Srikanth Lakshmanan, Anushka Jain, Ria Singh Sawhney
Moderator: Sankarshan Mukhopadyay
This session stemmed from an article on the Bihar Panchayat Elections in September 2021 which was written by Anushka Jain, a reporter at MediaNama.
Anushka Jain described how the Bihar State Election commission had a company from Gujarat, which won the tender, manage the video recording and video streaming of the elections, which had 11 stages.
A Gurgaon based startup called Staqu, was used to perform optical character recognition of the electronic voting machines (EVMs) and tally the results. This company is touted to have a 99.7 accuracy rate.
The panchayat elections also had biometric (fingerprint) verification. This was done with the help of Broadcast Engineering Consulting India limited and also, Common Service Centre (CSC) agents, MediaNama reports. This was done as they were seen as the most familiar with such technology.
It was reported that these agents got voters to verify their fingerprints twice, in one district it happened to 10 to 15 victims in a row, and money was stolen upto 10,000 rupees. In another district 40 to 50 people were affected and the losses were about 50,000. A case before these major incidents had come to light, but the State Election Commissioner called it a one-off issue and assured people that the CSC agent had been apprehended and penalised.
In spite of this, both Jharkhand and Delhi (for municipal elections) are looking to adopt this technology-first approach of the Bihar state government.
Ria Singh Sawhney of ReThink Aadhaar gave a short history of Aadhaar. The project began in 2009, people’s biometrics were collected with no safeguards put in place. When it was challenged in court the Supreme Court said that the right to privacy wasn’t a fundamental one. Only later in 2017 the constitutional bench upheld privacy as a fundamental right, but enrolling still continued.
She mentioned the main reasons that Aadhaar was being resisted, namely; threats to privacy, and to exclusion, the act of recording a person’s intimate biometric details without consent (lack of ability to refuse, becomes forced compliance), the use of anuntrustworthy database and the fact that this was an untested technology.
At the time of this Bihar Panchayat election, there was no law authorising this system of making biometric verification for voting mandatory. There were no work arounds put in place for people whose biometrics failed. (A person’s biometrics can fail for any number of reasons, they work with glass, cement, cleaning supplies, are elderly or were born with faint fingerprints.)
Srikanth Lakshmanan detailed the functioning of an app that was used by the Bihar State Election Commission to carry out this voter verification before they were allowed to vote on the EVMs. There was a confusion as to whether an Aadhaar card was mandatory for the individual to vote, but from the app, one could see that it supported other forms of identification as well, those that are generally accepted in polling stations.
The app first captured the voter’s finger print, in the next screen, the operator selected the ‘not voted’ option. Lakshmanan assumed that two things were recorded next, a photograph of the ID as well as the ID number being recorded. After this the voter had to give their fingerprint again. After this the voter was allowed to vote.
Whatever ID the voter produced, could have been linked to other IDs in the State Resident Data Hubs (SRDH) database. He believed that this is a parallel enrollment process, to the Aadhaar one. Since the authenticate need not have been the Aadhaar card, it is a sort of fusion authentication. He says that the Bihar government has basically built a new database with the voter’s ID card as the main key, with photography and thumb impression adding to it.
Describing the report written by Anirban Guha Roy in the Hindustan Times, Lakshmanan talks of the 2 instances of payment fraud. The first being in the Munger District, where people who had voted in one specific polling booth found that money had been debited from their accounts, the amount being 5000- 10000 rupees. The report by Roy says that the CSC agent recorded the fingerprints of voters twice and then did an Automated Payment Systems (APS) transaction to take the money.
Lakshmanan says that this is highly unlikely as the agent would need to have a dozen APS apps running to take the money. What probably happened, he said, was that there was a local database, where all the voters’ fingerprints were stored and the agent used his personnel ID login and a dummy fingerprint. He assumed the reason the police were able to catch the agent was because they were able to trace him via his system login ID.
In the second case of people being defrauded, 27 people had their money stolen after they had cast their vote, however, 3 people found that their money had gone before the elections. This is interesting because it is hard to back date bank transactions. However, he admits that these could be rural cooperative banks where they may not be using Core Banking Solutions (CBS) so such date alterations could be possible.
In this second case, the culprit has not been found. Lakshmanan says it must be because the local database must have been linked to the server and someone managed to access the server via a ghost account, making it impossible to trace them.
He compared this situation to a case in Telangana where one agent had managed to obtain 6000 sim cards with the help of a gummy finger which he had created, because he had access to property documents.
These Aadhaar enabled payment systems are vulnerable to replay attacks. In these cases, either it is because the same person who was manning the voter enrollment booth made a gummy finger and committed fraud, or the database was linked to the central system and any person with access to that system can make transactions.
For further information about the performance of Aadhaar, refer to the Comptroller and Auditor General of India (CAG) report https://cag.gov.in/en/audit-report/details/116042
