Aadhar data leak stories keep appearing in India, but an investigation of the US companies that handle Aadhaar’s biometric data collection and processing has thrown up a shocking revelation: not only are they deeply intertwined with the US intelligence and defense establishment but there are known links with Cambridge Analytica, the UK firm accused of harvesting Facebook data and using it to fix elections. In other words, these service providers to Aadhaar are potentially in a position to access Aadhaar’s personal information database, and use it for other purposes.

The recent expose of how Cambridge Analytica (CA) harvested Facebook data for use in election campaigns of President Trump has shown how personal information has now been weaponised by profit hungry companies, to be deployed not just for selling products but for political gain.

It is well known that in 2010-2012, Unique Identity Authority of India (UIDAI) awarded contracts to three US companies for collecting biometric data (fingerprints, iris scans) from all Indians, cleaning up the data and maintaining the storage. These three companies were: L-1 Identity Solutions, Morpho-Safran, and Accenture Services Pvt. Ltd.

These three companies have an intricate web of relationships with Cambridge Analytica and the biggest of data collating and analysis firms, Palantir Technologies which is the front runner in data mining technologies and works almost exclusively for the US (and maybe UK’s) defense and intelligence agencies including the NSA, CIA, FBI, and various other arms of the US govt.

Hedge fund billionaire Robert Mercer, an investor in Accenture, had funded the formation of Cambridge Analytica in 2013 as an arm of an existing firm SCL. He was instrumental in getting Cambridge Analytica to tie up with the Ted Cruz presidential campaign in the US primaries. At that time, the campaign’s chairman was Chad Sweet who had earlier worked for the CIA’s National Clandestine Service and then was chief of staff at the US Dept. of Homeland Security (DHS). His boss at DHS was Michael Chertoff, secretary of homeland security during the Bush years. After Obama’s win in 2009, Chertoff and Sweet left DHS and set up the Chertoff Group. Another member of the Group was Jay M.Cohen who was president of the board of directors of Morpho Detection. Sweet, on the other hand was strategic adviser on mergers to L 1 Identity Solutions. Sweet’s wife Julie was CEO of Accenture North America. Incidentally, George Tenet, CIA chief during the crucial years 1997-04, became director of L 1 during 2006-2008.

So, all three of the biometric service providers for UIDAI, were interconnected and deeply tied to the US defense-intelligence establishment and the slew of private companies that receive money from it in out contracts. Cambridge Analytica was part and parcel of this network.

Now Morpho was acquired by Safran, a French defense conglomerate in 2009. In 2010, UIDAI signed the contracts with the three companies. A few weeks later Safran acquired L 1 Identity also and merged it with MorphoTrust. Who acted as strategic adviser to this? None other than Chad Sweet. Meanwhile L 1 sold its intelligence arm to BAE, the British aerospace and defense giant in 2010, and a few months later Chertoff joined BAE on its board of directors.

Morpho formed a consortium with Techmahindra owned Satyam, and along with L1 and Acceture provided biometric software to authenticate enrollments and they designed, configured and maintained the system for Aadhaar till 2012. After that they continued to maintain and service it.

The trio was also contracted to de-duplicate the data which necessarily means that they had access to all the data. Although UIDAI has argued that biometric data and demographic data are kept separate and not matched contracts with the trio seem to indicate that they were responsible for tagging “all the data relating to an applicant, together with the photographs and biometrics”, according to media sources.

The trinity of L1-MorphoSatyam-Accenture is also tasked with protecting the data. Although UIDAI has repeatedly assured that the data is safe and impenetrable, L1 had reportedly said in its filings before the US Securities Exchange Commission that “security measures used in these systems may not prevent security breaches”. This is of course standard disclaimer lingo but the fact remains that the company is not dismissing leakage or breaches as readily as UIDAI.

(This report is based on investigations conducted by Fountainink.)