Hyderabad: A fresh first information report (FIR) has been registered by the Cyberabad police, on the back of a complaint by the Unique Identification Authority of India (UIDAI) against ‘IT Grids Pvt Ltd’ for allegedly illegally storing and using Aadhaar data.

IT Grids, a company that does work for the Telugu Desam Party (TDP), has been in the eye of the storm over the last month. The firm came under the radar of investigation agencies after a complaint by YSR Congress party against a mobile app run by the TDP called ‘Seva Mitra’.

After a series of raids by the Cyberabad Police on the office of IT Grids in Madhapur, forensic investigations were conducted on material seized part of the raids. The Telangana State Forensic Science Laboratory (TSFSL) has in its initial probe concluded that the data of 7.8 crore people from Telangana and Andhra Pradesh were being stored by the company with the cloud storage services of Amazon Web Services.

The Seva Mitra application was allegedly being used by the Telugu Desam Party for voter profiling – or allowing booth-level workers to better understand the preferences of voters.

Also read: Six Reasons Why the Aadhaar Amendment Ordinance Undermines Democracy

The application had voter details, including photos, with more space for TDP volunteers to collect further field information. It also contained information about beneficiaries of government subsidies programmes, indicating (but not confirming) that personal data was sourced from the government databases.

For its part, the TDP has maintained that all data was collected in a legal manner, primarily through surveys carried out by party workers with the consent of voters.

Most importantly perhaps, the investigation has revealed that the data parameters that IT Grids was storing was very similar to the format used by Aadhaar-centric databases like the state resident data hubs (SRDH) and the central identities data repository (CIDR).

The alleged presence of Enrolment Identification Numbers (EID) in the data that has been examined has reportedly strengthened this suspicion and the UIDAI has requested the police to carry further investigation by lodging the complaint.

How did we get to such a position, where potential violations of privacy went largely unnoticed?

A united Andhra Pradesh was one of the first states to adopt the Aadhaar project in 2010, part of the early experiments made by the UIDAI to roll out the project.

The Aadhaar programme by itself has many databases in its pipeline and it’s not simply the CIDR which is the primary database that houses the project’s information. The UIDAI has over the years helped build SRDH for several states including Andhra Pradesh.

The process is quite simple: the UIDAI collects Aadhaar enrolment data in partnership with the state governments, with an option for states to collect extra personal information through a mechanism called called Know Your Resident Plus (KYR Plus). The UIDAI actively shared back all Aadhaar numbers against enrolment EIDs along with 44 other parameters post the deduplication process. This was, in some cases, literally given to states in the form of excel sheets (.csv files) for storing it in their SRDHs.

Also read: Indane Leaked Millions of Aadhaar Numbers, Claims French Researcher

The government of Andhra Pradesh has also separately been actively collecting data from its citizens using what it calls the “Smart Pulse Survey”. The survey used Aadhaar to build a 360 degree profile database called “People Hub” (an SRDH) which is one of the components of state’s real-time governance architecture called “e-Pragati”.

In essence, Andhra Pradesh tracks everyone’s Aadhaar information and links it to every other database for real-time governance. The geo-location of everyone in the state was also collected as part of e-KYC of every resident in the state. Nearly every government official has access to the state’s SRDH portal. The problem, though, is all of this information was made public for years and several complaints of data leaks were reported to both the UIDAI and the AP government.

Aadhaar-based voter profiling

The final piece of the puzzle was the Election Commission. As part of its National Electoral Roll Purification Authentication Programme (NERP-AP), there is some evidence to show it has shared voter data including photographs with the SRDHs in 2015.

The SRDHs were then actively used to find duplicate voters in the states of Telangana and Andhra Pradesh. This has prompted some to ask whether this method was used to cause large scale voter deletions in the region. This data sharing — and in some cases, wrongful deletions — were carried out without supervision and caution until the Supreme Court shut down the project in August 2015.

Incidentally, all the programmes including Smart Pulse Survey, People Hub, e-Pragati, the pilot project on Aadhaar Voter Id linking were carried out by the UIDAI’s man on ground and M. Chandrababu Naidu’s trusted bureaucrat – Ahmed Babu. This was done under the umbrella of the Real-time Governance Society of AP.

Also read: Jharkhand Survey Pokes Holes in Modi’s Claims on Digital Service Delivery

In a press conference held after the raids on IT Grids’ offices, Babu and the IT secretary of AP defended the security and integrity of the SRDHs, contradicting the initial claims of Cyberabad Police and publicly reported Aadhaar data leaks from Andhra Pradesh.

Forensic investigations have always been demanded after each publicly reported Aadhaar leak. The UIDAI has always ignored this demand and has denied the role of Aadhaar in causing severe problems to the society. This has resulted in wrongful use of the technology to cause harm and even helped political parties in micro-targeting voters.

While the probe into IT Grids is yet to conclude, with nobody guilty yet, it’s time the UIDAI takes the misuse of Aadhaar data seriously and adopts this same standard of investigation into other incidents across the country.

Srinivas Kodali is a independent researcher working on data and the internet.

Note: This story was edited at 4:30 PM on April 15 to add clarity on the allegations made in the FIR.