Delhi Assembly Elections 2025: How to Protect Yourself from the Risks of Electoral Mis/Disinformation
Mr. Neeraj Soni
Sr. Researcher - Policy & Advocacy, CyberPeace
PUBLISHED ON
Jan 27, 2025
10
Introduction
The 2025 Delhi Legislative Assembly election is just around the corner, scheduled for February 5, 2025, with all 70 constituencies heading to the polls. The eagerly awaited results will be announced on February 8, bringing excitement as the people of Delhi prepare to see their chosen leader take the helm as Chief Minister. As the election season unfolds, social media becomes a buzzing hub of activity, with information spreading rapidly across platforms. However, this period also sees a surge in online mis/disinformation, making elections a hotspot for misleading content. It is crucial for citizens to exercise caution and remain vigilant against false or deceptive online posts, videos, or content. Empowering voters to distinguish facts from fiction and recognize the warning signs of misinformation is essential to ensure informed decision-making. By staying alert and well-informed, we can collectively safeguard the integrity of the democratic process.
Risks of Mis/Disinformation
According to the 2024 survey report titled ‘Truth Be Told’ by ‘The 23 Watts’, 90% of Delhi’s youth (Gen Z) report witnessing a spike in fake news during elections, and 91% believe it influences voting patterns. Furthermore, the research highlights that 14% of Delhi’s youth tend to share sensational news without fact-checking, relying solely on conjecture.
Recent Measures by ECI
Recently the Election Commission of India (EC) has issued a fresh advisory to political parties to ensure responsible use of AI-generated content in their campaigns. The EC has issued guidelines to curb the potential use of "deepfakes" and AI-generated distorted content by political parties and their representatives to disturb the level playing field. EC has mandated the labelling of all AI-generated content used in election campaigns to enhance transparency, combat misinformation, ensuring a fair electoral process in the face of rapidly advancing AI technologies.
Best Practices to Avoid Electoral Mis/Disinformation
Seek Information from Official Sources: Voters should rely on authenticated sources for information. These include reading official manifestos, following verified advisory notifications from the Election Commission, and avoiding unverified claims or rumours.
Consume News Responsibly: Voters must familiarize themselves with dependable news channels and make use of reputable fact-checking organizations that uphold the integrity of news content. It is crucial to refrain from randomly sharing or forwarding any news post, video, or message without verifying its authenticity. Consume responsibly, fact-check thoroughly, and share cautiously.
Role of Fact-Checking: Cross-checking and verifying information from credible sources are indispensable practices. Reliable and trustworthy fact-checking tools are vital for assessing the authenticity of information in the digital space. Voters are encouraged to use these tools to validate information from authenticated sources and adopt a habit of verification on their own. This approach fosters a culture of critical thinking, empowering citizens to counter deceptive deepfakes and malicious misinformation effectively. It also helps create a more informed and resilient electorate.
Be Aware of Electoral Deepfakes: In the era of artificial intelligence, synthetic media presents significant challenges. Just as videos can be manipulated, voices can also be cloned. It is essential to remain vigilant against the misuse of deepfake audio and video content by malicious actors. Recognize the warning signs, such as inconsistencies or unnatural details, and stay alert to misleading multimedia content. Proactively question and verify such material to avoid falling prey to deception.
The Expanding Governance Challenge of Artificial Intelligence
Artificial intelligence (AI) systems are increasingly embedded in economic and social infrastructure. They are being adopted in financial services, healthcare diagnostics, hiring systems, and public administration. But while these systems improve efficiency and decision-making, they also introduce new forms of technological risk.
Unlike conventional software, AI systems learn patterns from data and continue to evolve as they run. This poses governance issues since risks can arise throughout the AI life cycle, whether at the coding level or in their implementation.
The latest regulatory frameworks, such as the European Union’s AI Act (EU AI Act) and the UNESCO Recommendation on the Ethics of Artificial Intelligence, note that responsible AI governance depends on the realisation of where risks emerge across the development process.
This article maps the AI system lifecycle, identifies the risks that emerge at each stage and evaluates the policy tools used to mitigate them using the lifecycle framework developed by the Organisation of Economic Co-operation and Development (OECD).
The Lifecycle of an AI System
AI systems are developed through a structured process that includes problem definition, dataset collection and preparation, model development, testing and validation, deployment, and monitoring.
The OECD conceptualises this development process as the AI system lifecycle. Each stage entails various technical and administrative procedures, since choices made during these stages will dictate the goals and limits of an AI system. Further, the quality and representativeness of training sets will have a strong effect on the behaviour of models after implementation.
Since this is an iterative and not a linear procedure, risks can be introduced at each stage of the AI lifecycle. New data can be retrained into different models, and systems are regularly updated once they have been deployed, to address performance degradation, model errors, or unintended outputs. This iterative process means governance must address risks across the entire lifecycle, not just at deployment.
Where AI Risks Emerge
AI risks usually emerge earlier in the development process, especially in the phases when system objectives are formulated and training data are chosen. The EU AI Act and the UNESCO Recommendation on the Ethics of AI outline the following risks: bias and discrimination, privacy and data security violations, the absence of transparency in automated decision-making, and risks to fundamental rights.
AI Governance Risk Landscape: Core Risk Categories Under International Frameworks
Risk categories jointly identified by the EU AI Act and UNESCO Recommendation on the Ethics of Artificial Intelligence
Outlining the risks throughout the AI lifecycle helps understand the areas where governance interventions are most necessary. For example, discriminatory outcomes often result from biased or unrepresentative training data, while safety failures are typically linked to inadequate testing before deployment. Risks such as misinformation arise post the development process, when generative AI systems are deployed at scale on digital platforms.
AI System Lifecycle: Key Risks at Each Stage
Risks identified per the EU AI Act and UNESCO Recommendation on the Ethics of AI
Understanding where risks emerge across the lifecycle explains why governance frameworks classify AI systems by risk and apply oversight at multiple stages.
Policy Tools for Mitigating AI Risks
Governments and international organisations have developed regulatory tools to help mitigate AI risks in the lifecycle. These tools are meant to make sure that AI technologies are identified as up to standard in safety, accountability and fairness prior to and after deployment.
For example, the OECD AI Policy Observatory recommends that governments adopt policy instruments such as risk evaluations, algorithmic auditing necessities, regulatory sandboxes, and transparency necessities of AI systems. The European Union’s Artificial Intelligence Act (AI Act) is one of the most comprehensive systems of governance that introduces a risk-oriented regulation strategy. It mandates adherence to requirements concerning data governance, documentation, human oversight, and robustness, and cybersecurity. Such requirements bring regulatory checkpoints to the lifecycle of AI systems.
Mapping these policy tools across the lifecycle illustrates how governance mechanisms can intervene at different stages of AI development.
Governance Overlay: Policy Interventions Across the AI Lifecycle
Regulatory tools mapped at each stage of AI development per the EU AI Act and UNESCO Recommendation on the Ethics of AI
Several policy tools are directed at the risks that occur in the pre-developmental stages. In one example, algorithmic impact assessment has been applied in various jurisdictions to measure the possible consequences of automated decision systems on society before implementation. On the same note, the requirements of dataset documentation, including dataset transparency requirements and model cards, are aimed at enhancing accountability during the training and development stages of the AI systems. Therefore, lifecycle-based policy design allows regulators to intervene before harmful outcomes occur, rather than responding only after AI systems have caused damage in real-world environments.
The Policy Gap in AI Governance
The misalignment between risks and governance tools across the AI lifecycle indicates a critical structural gap in existing regulations. Numerous governance processes become activated after AI systems are classified as “high risk” or after they are implemented in the real world. But the most serious sources of damage have their roots in earlier stages of the development procedure.
An example is that prejudiced or unbalanced training data is almost inevitably a source of discriminative results in automated decision systems. When these types of models are applied in areas like staffing, credit rating, or in providing services to the public, such biases can quickly spread to large populations and undermine democratic rights. In the same way, the lack of transparency in model design might result in the fact that the regulator or individuals are affected by the decision-making process. This reflects a broader timing gap in AI governance, where risks originate during design and development, but regulatory intervention typically occurs only after deployment.
Analysis
1. Key risks originate before deployment: As depicted in the lifecycle mapping, the data collection and model development phase presents several significant governance risks as opposed to the deployment phase. Structural issues can be entrenched within AI systems even before they are deployed in practice due to bias in data sets, incomplete reporting of training sets, and obscured network designs.
2. Data governance is a primary point of vulnerability: Most of the instances of algorithmic discrimination listed above are associated with training material that is not representative of some population groups or is historical. Since machine learning models are optimisations of patterns that exist in datasets, these biases can be carried through the whole lifecycle and reproduced after deployment.
3. Regulatory approaches remain mismatched across jurisdictions: Different countries adopt varying approaches to AI governance, ranging from risk-based frameworks such as the EU AI Act to more sector-specific or voluntary guidelines in other regions. This divergence creates inconsistencies in safety, accountability, and enforcement standards, allowing risks to persist across borders and potentially undermining the protection of users in globally deployed AI systems.
4. Governance interventions remain uneven across the lifecycle: Whereas the various regulatory instruments aim at deployment and monitoring, fewer instruments systematically tackle the risks that are posed by the previous design and development phases.
Recommendations
1. Introduce mandatory lifecycle risk assessments: The regulatory systems need to demand systemic risk evaluation at the beginning of AI development, especially at the problem design and dataset selection phases. This would assist in detecting possible harmful applications in advance, before systems are constructed and installed.
2. Strengthen dataset governance standards: Training datasets must be supplemented with documentation as to their provenance, composition and limitations. Standardised documentation frameworks of data sets can assist in the discovery by regulators and auditors of the potential sources of bias or privacy threats.
3. Expand independent algorithmic auditing: AI systems can be assessed by regular third-party audits based on fairness, strength, and security weaknesses. The auditing mechanisms especially apply to high-risk systems employed in employment, finance or the public services.
4. Integrate continuous monitoring requirements: AI systems may be monitored regularly after implementation to identify model drift, unforeseen consequences, or abuse. Reporting systems can facilitate the process where the regulators can see the emerging risks and modify the governance systems.
Conclusion - The Need for Global AI Governance
Despite growing regulatory attention, global air governance remains fragmented. Different jurisdictions adopt varying approaches to risk classification, oversight, and enforcement, leading to inconsistencies in safety and accountability standards. Given that AI systems are often developed, deployed, and used across borders, this lack of coordination allows risks to persist beyond national regulatory frameworks.
Addressing these challenges requires a shift towards greater international cooperation and lifecycle-based governance. Developing shared standards, improving cross-border regulatory alignment, and embedding oversight across all stages of AI development will be essential to ensuring that AI systems are safe, transparent, and accountable in a globally interconnected environment.
On 20th October 2022, the Competition Commission of India (CCI) imposed a penalty of Rs. 1,337.76 crores on Google for abusing its dominant position in multiple markets in the Android Mobile device ecosystem, apart from issuing cease and desist orders. The CCI also directed Google to modify its conduct within a defined timeline. Smart mobile devices need an operating system (OS) to run applications (apps) and programs. Android is one such mobile operating system that Google acquired in 2005. In the instant matter, the CCI examined various practices of Google w.r.t. licensing of this Android mobile operating system and various proprietary mobile applications of Google (e.g., Play Store, Google Search, Google Chrome, YouTube, etc.).
The Issue
Google was found to be misusing its dominant position in the tech market, and the same was the reason behind the penalty. Google argued about the competitive constraints being faced from Apple. In relation to understanding the extent of competition between Google’s Android ecosystem and Apple’s iOS ecosystem, the CCI noted the differences in the two business models, which affect the underlying incentives of business decisions. Apple’s business is primarily based on a vertically integrated smart device ecosystem that focuses on the sale of high-end smart devices with state-of-the-art software components. In contrast, Google’s business was found to be driven by the ultimate intent of increasing users on its platforms so that they interact with its revenue-earning service, i.e., online searches, which directly affects the sale of online advertising services by Google. It was seen that google had created a dominant position among the android phone manufacturers as they were made to have a set of google apps preinstalled in the device to increase the user’s dependency on google services. The CCI felt that Google had created a dominant position to which they replied that the same operations are done by Apple as well, to which the commission responded that apple is a phone and app manufacturer and they have Apple-owned apps in Apple devices only, but Google here in had made a pseudo mandate for android manufactures to have the google apps pre-installed which is, in turn, a possible way of disrupting the market equilibrium and violative of market practices. The CCI imposed a penalty of Rs. 1,337.76 for abusing its dominant position in multiple markets in India, CCI delineated the following five relevant markets in the present matter –
The market for licensable OS for smart mobile devices in India
The market for app store for Android smart mobile OS in India
The market for general web search services in India
The market for non-OS specific mobile web browsers in India
The market for online video hosting platforms (OVHP) in India.
Supreme Courts Opinion
In October 2022, the Competition Commission of India (CCI) ruled that Google, owned by Alphabet Inc, exploited its dominant position in Android and told it to remove restrictions on device makers, including those related to the pre-installation of apps and ensuring exclusivity of its search. Google lost a challenge in the Supreme Court to block the directives, as the learned court refused to put a stay on the imposed penalty, further giving seven days to comply. The Supreme Court has said a lower tribunal—where Google first challenged the Android directives—can continue to hear the company’s appeal and must rule by March 31.
Counterpoint Research estimates that about 97% of 600 million smartphones in India run on Android. Apple has just a 3% share. Hoping to block the implementation of the CCI directives, Google challenged the CCI order in the Supreme Court by warning it could stall the growth of the Android ecosystem. It also said it would be forced to alter arrangements with more than 1,100 device manufacturers and thousands of app developers if the directives kick in. Google has been concerned about India’s decision as the steps are seen as more sweeping than those imposed in the European Commission’s 2018 ruling. There it was fined for putting in place what the Commission called unlawful restrictions on Android mobile device makers. Google is still challenging the record $4.3 billion fine in that case. In Europe, Google made changes later, including letting Android device users pick their default search engine, and said device makers would be able to license the Google mobile application suite separately from the Google Search App or the Chrome browser.
Conclusion
As the world goes deeper into cyberspace, the big tech companies have more control over the industry and the markets, but the same should not turn into anarchy in the global markets. The Tech giants need to be made aware that compliance is the utmost duty for all companies, and enforcement of the law of the land will be maintained no matter what. Earlier India lacked policies and legislation to govern cyberspace, but in the recent proactive stance by the govt, a lot of new bills have been tabled, one of them being the Intermediary Rules 2021, which has laid down the obligations nand duties of the companies by setting up an intermediary in the country. Such bills coupled with such crucial judgments on tech giants will act as a test and barrier for other tech companies who try to flaunt the rules and avoid compliance.
Rapid growth in India’s Digital Economy has opened up various options for companies to utilise digital technology as part of their operations. Examples of these technologies include cloud computing; online payment systems; digitally enabled supply chains; and platforms that facilitate remote working. As small and medium enterprises(SMEs) represent a major part of India’s economy, they have quickly been able to capitalise on the benefits these technologies provide in improving their operational efficiency and developing an increased presence within the market. However, this rapid pace of digitalisation creates an exposure to a much greater breadth of cyber-security threats than ever for SMEs. Today, perhaps the greatest cyber-threat facing SMEs in India is ransomware, an increasing frequent type of cyber-attack that has been increasing on a global scale over the past few years and in response, there have been numerous initiatives by various government agencies, industry organisations, and cyber-security firms designed to educate the general public on the risks of ransomware.
What is Ransomware?
Ransomware is a type of malware, which prevents all users being able to access their file system or access their data until they pay a ransom. In a standard ransomware event an attacker will breach the company's network, and encrypt all critical files so that they are unable to be used. The attacker usually demands payment in bitcoin because it is a difficult trace and promises to provide a key to unlock the data in exchange for the payment. Attackers gain access to company networks by using social engineering techniques such as phishing email, stolen password, or exploiting an unpatched vulnerability in the software that is running on the company's network.
The Rising Threat of Ransomware
Cybercriminals have created one of the most destructive varieties of cybercrimes around the world through ransomware; while experts in the cybersecurity field project losses to global ransomware damage may reach $30 billion by 2025. There has also been a marked increase in SMEs being attacked by ransomware-based cybercriminals throughout India. NASSCOM has done research and found that many SMEs in India have experienced attempted ransomware attacks in the past few years alone. According to incident reports provided through CERT-In, there has been a noticeable increase in the number of cybercrime occurrences throughout different sectors of India’s economy since those reports began. These developments have shown an increase in the size and level of sophistication of ransomware related threats.
Why Indian SMEs Remain Vulnerable Despite Awareness
Despite increased awareness about cyber threats, there is a large number of Indian SMEs that continue to be vulnerable to ransomware. The main reason is financial limitations. Many small businesses typically have limited financial resources and those limited resources more often than not, go towards operations, including production, logistics, and marketing - cybersecurity costs are usually viewed as additional costs.
Another significant problem facing SMEs is a shortage of skilled cybersecurity professionals. Large enterprises typically have dedicated security teams responsible for protecting the enterprise, whereas SMEs will employ IT staff generally without any specific expertise in detecting/countering cyber threats. Human error are also significant contributors to these cyber incursion events. An employee can inadvertently click on an email link or download an infected attachment, or use a weak password - all of which could provide opportunities for cybercriminals to access the company's network. Phishing emails continue to be the most common approach for initiating ransomware.
Furthermore - many SMEs have implemented digital platforms, such as cloud-based applications and payment processing, without appropriately executing cybersecurity planning prior to implementation. Many of the issues that have arisen from such rapid digitisation are due to a lack of sufficient planned cybersecurity measures as part of the implementation process. This has also resulted in a situation where technological advancements such as Ransomware as a Service (RaaS) have created an even larger pool of potential perpetrators (cybercriminals) with little-to-no expertise being able to launch a widespread ransomware campaign using readily available/pre-manufactured tools.
Real-World Cyber Incidents Affecting Indian SMEs
As several examples recently demonstrate, Indian SMEs continue to experience significant cyber attack risks. Recently, a logistics firm located in Gurugram found itself locked out of nearly 4,000 shipments due to a ransomware attack, which cost them ₹12 lakhs to fix because they had poor backups and another incident in Gurugram which highlights how vulnerable many SMEs in the country continue to be to ransomware attacks. In the case of a garments company, a hacker compromised the company's server by placing ransomware on its system. The company was forced to shut down its computerised warehouse system as a result of the attack. Only after the company had lost access to its system, did it receive a ransom demand from the hacker, in the form of an email requesting payment of 15 bitcoins (approximately ₹25 lakh), in order for the hacker to restore the company's access to the system. The hacker also threatened to delete the company's financial and banking records if the ransom were not paid. Gurgaon Police's Cyber Cell received the report of the incident, and registered a first information report (FIR) against unknown hackers. The case represents an opportunity for SMEs to evaluate the risks associated with ransomware.
Bridging the Gap Between Awareness and Implementation
Although awareness campaigns can show organisations what types of cybersecurity risks they’re exposed to, these campaigns will not keep businesses from being victims of a ransomware attack by themselves.. The most critical step forward is the implementation of the principles of cybersecurity from an understanding viewpoint to that of an active action. Organisations need to go beyond being aware of the risks related to cyber and then put measures in place to mitigate those risks.
To improve cybersecurity, organisations may need to spend money on developing and maintaining systems; set up regular training for employees on handling cyber threats and implementing an incident response plan to address security incidents; back up data regularly; maintain the hardware and software used in the organisation's computer systems at least once a month (or more often if necessary); and monitor all aspects of its computer systems continuously for weaknesses or problems.
The Way Forward: Strengthening SME Cybersecurity
In order to truly address the ransomware threat, collaboration by businesses, government agencies and cyber security professionals is mandatory. One of the biggest roles in this collaboration is through governmental initiatives to enhance the overall level of awareness of digital security among SMEs (small to medium-sized enterprises). Improved SME understanding of cyber risks will be based on the availability of affordable security solutions that are specifically tailored for small businesses.
Industry partnerships as well as public-private partnerships also aid the sharing of threat intelligence to strengthen collaborative defense against all cybercriminal activity.
Conclusion
Despite Indian SMEs being aware of cyber threats, they have been unable to implement safeguards or Cyber Security plans due to limited financial resources, insufficient qualified personnel, human errors, and the rapid pace at which digital technology is being adopted without adequate Cyber Security measures. In order to respond effectively to the growing threat of Ransomware, Indian SMEs must evolve from being aware of cyber threats to proactively developing Cyber Security strategies that will allow them to prevent, prepare for, and recover from the increased cyber threat posed by the rapidly growing digitalisation of business within an increasingly globalised economy.
Your institution or organization can partner with us in any one of our initiatives or policy research activities and complement the region-specific resources and talent we need.