REUTERS/Fabrizio Bensch
The better to target you with, my dear.
78 MILLION

A data theft case amid Indian elections sparks fears of voter manipulation

By Aria Thaker

Some of the worst fears surrounding the Indian elections and the country’s biometrics-backed identity programme may be coming true.

According to a complaint filed with the police in the southern Indian state of Telangana, sensitive data of over 78 million Indians may have been misused to influence voting in at least two states in the country.

A company called IT Grids, which worked for the Telugu Desam Party (TDP), a regional outfit active in Telangana and neighbouring Andhra Pradesh, indulged in the “misuse” of sensitive information, according to an April 12 case registered with Cyberabad Police to investigate illegal storage of data related to Aadhaar, India’s biometrics-backed ID programme.

This data included information such as citizens’ “Aadhaar number, voter identity details, including colour photographs, beneficiary details of various government schemes, and the data related to surveys conducted by the government of Andhra Pradesh,” the police’s first information report (FIR) says.

IT Grids is alleged to have used this data to create a mobile app for the TDP called “Seva Mitra.” The app reportedly served to classify voters and profile them by caste, family background, and the government benefits they receive, among other things. Seva Mitra became controversial after the TDP’s rival, YSR Congress, filed a complaint alleging “illegal access to digital data of citizens.”

Although the app has been under investigation for weeks, the question of whether the data it contained had been stolen from the Unique Identification Authority of India (UIDAI), the organisation that administers Aadhaar, remains unresolved.

The TDP has claimed that such allegations are “politically motivated.”

Bhavani Prasad, deputy director of the UIDAI, who filed the complaint, told Quartz the organisation had “not yet confirmed” the reports. However, after receiving word from the police, the UIDAI decided to file an FIR, he said.

A forensic investigation

Srinivas Kodali, a Hyderabad-based security researcher who has analysed Seva Mitra and Aadhaar, says this is the first instance of a forensic probe into claims of data theft. Despite many such alleged leaks, rarely has there been a public-facing investigation.

Why now, then?

The extent of this particular data theft, as well as “how it was being used in the elections,” were contributing factors, Kodali told Quartz.

The TDP is far from the only party to be collecting and using data to profile voters. Creating WhatsApp groups divided by community, for example, is a common form of voter targeting that has been extensively reported. Prime minister Narendra Modi’s Bharatiya Janata Party (BJP) has reportedly relied on electricity-bill data to deduce voters’ socioeconomic statuses, in order to better categorise them.

Besides, Telangana and Andhra Pradesh aren’t the only susceptible states. State Resident Data Hubs (SRDH), state-based repositories of Aadhaar data mixed with many other datasets, exist in many different states, and have for long been looked at by journalists and civil society members for their potential to be exploited for voter profiling.

“If you go back and ask every single party, there would be an app or an equivalent website, which fundamentally targets and profiles voter data,” said Anand Venkatanarayanan, a cybersecurity researcher who has written extensively on Aadhaar.

This inquiry, hence, may be an important first step in ending such practices. This investigation could bring about “tangible evidence which UIDAI can’t deny, compared to any of other security reports—which the court might not consider tangible evidence,” according to Kodali. “A forensic investigation holds an important significance for future litigations, because this becomes evidence in courts.”

The letter quoted in the UIDAI’s complaint adds that certain Aadhaar data was being stored on Amazon Web Services servers, posing a national security risk. “There is every possibility that sensitive data of Indian citizens could be accessed and used by countries hostile to India or international organised crime syndicates in a manner which could seriously be detrimental to national security,” it reads.