Public Specifications for e-EPIC QR

Background

Election Comission of India launched e-EPIC (a digital version of the Voter ID card) sometime around January 2021. The ECI website describes it as:

e-EPIC is a portable document format(PDF) version of the EPIC which can be downloaded on mobile or in a self-printable form on the computer. A voter can thus store the card on his/her mobile, upload it on Digi locker or print it and self-laminate it. This is in addition to PCV EPIC being issued for fresh registration.

You can get yours at https://voters.eci.gov.in. The PDF file is not digitally signed.

This is how mine looks on the back

The ECI website doesn’t explain what the QR code does. A PDF presentation on the CEO, Delhi website says the following:

Secure: QR code with image and demographics
QR code with the serial number, part number, date of poll, etc

The EPIC itself contains the following text: “eEPIC can be verified using authentic and secure QR code reader application.”

The QR on my e-EPIC scans to gibberish, however scanning the QR from the sample(?) EPIC in the above presentation gives us details of the poll:

{"ac_no":"1","pc_no":"1","part_no":"1","slnoinpart":"5","epic":"UIM2033679","slno_in_remote_ps":"5","remote_ps_no":"1","Poll_date":"17-06-2020" }

RTI

I filed an RTI against ECI asking for information on the verification procedure:

My e-EPIC Card contains the following text: “eEPIC can be verified using authentic and secure QR code reader application.” I request the following information regarding the same:

  1. A functional download link to the above mentioned QR code reader application which can verify eEPIC cards by scanning QR codes.
  2. Whether the following information is included in the e-EPIC QR code: Name (YES/NO) Father’s Name (YES/NO) Date of Birth (YES/NO) EPIC Number (YES/NO) Address (YES/NO) Download Date (YES/NO)
  3. A copy of the application source code used to generate the e-EPIC cards on the Voters' Services Portal website.
  4. A technical specification of the e-EPIC QR code, providing details on the generation and validation of eEPIC QR code.
  5. Verification procedure of verification of the e-EPIC QR code.

The response from ECI was very unhelpful:

  1. The Voter Helpline Mobile application which is used to read QR code of e-EPIC, is available on both Google Play Store and Apple App Store
  2. By scanning the QR code of e-EPIC, by using Voter Helpline Mobile application, the information available in the QR code will be shown on the mobile app.
  3. The required information cannot be provided under Section 7(9) of Right to Information Act, 2005 as sharing application source code, technical specification & verfication procedure w.r.t. e-EPIC would be detrimental to the safety or preservation of the record in question. (Same response for 4,5)

See RTI response here: 24039_RTI-2.pdf (164.8 KB)

The Voter Helpline app doesn’t seem to have any such feature to scan the QR code, so (1,2) seems incorrect. I’ve filed a follow-up RTI for the same.

Public Specifications

However, this becomes a policy issue due to the response for questions 3-5, where ECI refuses to provide any information about the specification or the source code, citing Section 7(9) of the RTI Act claiming that it would be “detrimental to the safety or preservation of the record in question”.

Wondering if anyone has suggestions on how to go about this? Has anyone managed to file an RTI to get access to source code?

5 Likes

Minor Update: My RTI is still pending, I’ll be filing an appeal on Monday.

3 Likes

I finally got a response on the RTI Appeal with details on how to use the app properly (Classic PEBKAC).

Figured out how it works (unfortunately, it doesn’t “sign” the data so there is zero authenticity - will do a proper security writeup later).

But, for the FOSS aspect - we now have an open-source implementation: GitHub - captn3m0/epicqr: EPIC QR Code Decoder (MIT) along with a specification.

7 Likes