19/04/2019 5:16 PM IST

Hacking Democracy: How Stolen Aadhaar Data Of Nearly 10 Cr Voters Was Used To Delete People From Electoral Rolls

Forensic examination of hard drives recovered from Hyderabad-based tech company IT Grids has revealed voter profiles of 7.8 crore people from Telangana and AP, and another 2 crore from Punjab.

HYDERABAD, Telangana — As investigations continue into Hyderabad-based IT Grids (India) Private Limited, forensic analysis of recovered hard drives has revealed 2 crore Aadhaar records, this time from Punjab. This is in addition to the 7.8 crore from Telangana and Andhra Pradesh which had been revealed earlier this week.

Speaking to HuffPost India, IG Stephen Raveendra, who is leading the SIT investigating this case, said that the police is examining all the recovered hard drives, but it appears that the voter-related information collected for the Seva Mitra app used by TDP cadres was used to try and remove voters from electoral rolls.

Aside from this, he also raised concern about the origin of the data, as the recovered database contained many fields that could only have come from the UIDAI’s central database, the CIDR, or the State Resident Data Hubs (SRDH). “We are forensically examining the hard drives to trace where the data came from. But there are several columns of data that are an exact replica of the format used in the SRDH and CIDR,” he said.

IG Raveendra’s statements, that an investigation is still ongoing and that the police are still uncovering the scale of the data theft, are at odds with those of the UIDAI. The authority has already issued a blanket statement denying any possible hacks.

The UIDAI’s response to the forensic examination unfortunately falls in line with its knee-jerk denial of security issues in the past.

That this data was held by an IT company working for the TDP, which holds power in Andhra Pradesh, raises further troubling questions about data theft by the state. AP’s Real Time Governance Society has successfully centralised information about voters in the state through the use of government data, on-ground surveys, and used Aadhaar to bridge information. Such data could be used to manipulate voters, and sideline political opponents if misused.

“We are seeing the centralisation of information without accountability,” said Srinivas Kodali, a security researcher. This concentration of data, he said, made it prone to misuse.

Was this data stolen—or given?

“There are three main questions — did they have the data, where it came from, and what did they do with it? We know they have the data, of both states [Telangana and AP] and maybe more. The forensic lab is working on this but it is a huge database,” said IG Raveendra. Another source in the police said that a further 2 crore records have come up from Punjab as well, although the lab is still verifying this data.

IG Raveendra added that right now the police is working with only a fraction of the data that IT Grids likely held. “These are just the hard drives that we recovered from the raid, but we believe that more hard drives were there, and more data was also stored on AWS cloud, outside the country. We don’t know the scale right now.”

“We are still collecting evidence of where it came from. Whether they hacked a live platform, or if someone gave them a data dump. While the latter implies that there was collusion at some level, it might be better than the former scenario, which could imply that the security measures in place around the CIDR or SRDH have been compromised.

“The UIDAI is also very keen to get to the bottom of this, and we have asked them for IP logs to see if we can track any unusual activity and identify how the data was taken.”

However, the UIDAI has issued a statement on the matter denying that any data was taken from its CIDR. In typical fashion, the UIDAI has dismissed all reports, without revealing any details of an accompanying investigation.

The UIDAI said that its CIDR and servers are completely safe and fully secure and no illegal access was made to its CIDR and no data has been stolen from its servers. It said: “UIDAI has filed a complaint on the basis of a report from Special Investigation Team (SIT) of Telangana Police that IT Grid (India) Pvt. Ltd has allegedly obtained and stored Aadhaar numbers of large number of people in violation of the provisions of the Aadhaar Act. Nowhere in the report, the SIT has found any evidence to show that the Aadhaar number, name, address, etc., of the people have been obtained by stealing them from UIDAI servers.”

Using stolen data to delete voters

The Seva Mitra app used by TDP workers used the wide range of data that the forensic lab has been able to uncover. This, in turn, was used to profile voters, and determine how likely they were to support the party. Leaving aside the source of the data for a second, this kind of surveying is common behaviour. But, according to IG Raveendra, what came next was a complex scheme to get people who weren’t supporters removed from the electoral rolls.

“They used it to do some profiling of voters. They were seeding it with Aadhaar linked information to profile voter data,” he said. “After that, you draw up a list, showing how likely a candidate is to vote for you. To do this, we think they were using an IVRS [automated voice calling — one of the many digital services political parties now rely on] to reach out to all the potential voters.”

“They would ask questions about whom you will support, and based on your rating, assign a score. They repeated this process to work out a list of people who weren’t supporting them, and then they filed Form 7 requests about these people, to have them removed. It’s a very complex scheme.”

Form 7 is an objection to a name being included in the voter list — it can be filed by anyone about anyone else. Once filed, the EC physically verifies whether the person has shifted, or is deceased, or is a duplicate, and if that is the case, removes the name.

But thousands of people in both states, as well as in the rest of the country, have been taking to social media to talk about how they’ve been robbed of their votes. In fact, cricketer Rahul Dravid, who was one of the people in the EC’s ads to exhort people to vote, found his name missing as well.

According to ToI, officials visited Dravid’s home to verify his presence, but could not meet him. “Our officials visited his house twice, but we were not allowed inside. We were informed Dravid is touring abroad and there is no message from him to include his name in voters’ list,” said Mathikere sub-division assistant electoral returning officer Roopa.

Rival parties, particularly the YSRCP, have been keen to bring up the issue. YSRCP leader and former Inspector-General of Police Rayalaseema Range, Shaikh Mohammed Iqbal, said: “The TDP, as a last ditch effort, is resorting to theft of private details of citizens and voters. During the Pulse Survey, they collected all the details of the people; be it their assets, their bank details and other details. They have illegally and unconstitutionally transferred to their company, IT Grid, which designed and runs the TDP’s cadre app Seva Mitra.”

However, at a press conference in Vijayawada, TDP spokesperson Lanka Dinakar dismissed the allegations as a conspiracy to defeat the TDP in the elections. The UIDAI’s assertion that data has not been stolen, Dinakar claimed, proved that this incident was a conspiracy.

The actual details of whether or not IT Grids and the TDP manipulated voter rolls will depend on analysis from the Election Commission, which IG Raveendra said was yet to come. HuffPost India also contacted the Election Commission at various levels, from spokespersons in Delhi to the CEO’s office in Hyderabad and officers within, but did not get any response.

Voter deletion has become an extremely important issue in the 2019 elections, and as one police source pointed out, the theft of data to carry this out is very worrying. “The government does not own the data, it is the custodian of data. It belongs to the citizens, and every private company that is working with the government has to abide by regulations on the usage of data they gather. This is a gross violation.”

“What’s more, if you have your name deleted, you have the option of checking online, making a Form 6, and in one week, you can be back on the voter roll. But the poorest and most vulnerable people, for whom elections are much more significant, are also the ones most at risk here,” he added.