NurPhoto via Getty Images

HYDERABAD, Telangana — As investigations continue into Hyderabad-based IT Grids (India) Private Limited, forensic analysis of recovered hard drives has revealed 2 crore Aadhaar records, this time from Punjab. This is in addition to the 7.8 crore from Telangana and Andhra Pradesh which had been revealed earlier this week. Speaking to HuffPost India, IG Stephen Raveendra, who is leading the SIT investigating this case said that the police is examining all the recovered hard drives, but it appears that the voter related information collected for the Seva Mitra app used by TDP cadres was used to try and remove voters from electoral rolls. Aside from this, he also raised concern about the origin of the data, as the recovered database contained many fields that could only have come from the UIDAI’s central database, the CIDR, or the State Resident Data Hubs (SRDH). “We are forensically examining the hard drives to trace where the data came from. But there are several columns of data that are an exact replica of the format used in the SRDH and CIDR,” he said. For the latest elections news and more, follow HuffPost India on Twitter, Facebook, and subscribe to our newsletter. IG Raveendra’s statements, that an investigation is still on-going and that the police are still uncovering the scale of the data theft, are at odds with that of the UIDAI. The authority has already issued a blanket statement denying any possible hacks. The UIDAI’s response to the forensic examination unfortunately falls in line with its knee-jerk denial of security issues in the past.

That this data was held by an IT company working for the TDP, which holds power in Andhra Pradesh, raises further troubling questions about data theft by the state. AP’s Real Time Governance Society has successfully centralised information about voters in the state through the use of government data, on-ground surveys, and used Aadhaar to bridge information. Such data could be used to manipulate voters, and sideline political opponents if misused. “We are seeing the centralisation of information without accountability,” said Srinivas Kodali, a security researcher. This concentration of data, he said, made it prone to misuse. Was this data stolen—or given? “There are three main questions — did they have the data, where it came from, and what did they do with it? We know they have the data, of both states [Telangana and AP] and maybe more. The forensic lab is working on this but it is a huge database,” said IG Raveendra. Another source in the police said that a further 2 crore records have come up from Punjab as well, although the lab is still verifying this data. IG Raveendra added that right now the police is working with only a fraction of the data that IT Grids likely held. “These are just the hard drives that we recovered from the raid, but we believe that more hard drives were there, and more data was also stored on AWS cloud, outside the country. We don’t know the scale right now.” “We are still collecting evidence of where it came from. Whether they hacked a live platform, or if someone gave them a data dump. While the latter implies that there was collusion at some level, it might be better than the former scenario, which could imply that the security measures in place around the CIDR or SRDH have been compromised. “The UIDAI is also very keen to get to the bottom of this, and we have asked them for IP logs to see if we can track any unusual activity and identify how the data was taken.”

NurPhoto via Getty Images

However, the UIDAI has issued a statement on the matter denying that any data was taken from its CIDR. In typical fashion, the UIDAI has dismissed all reports, without revealing any details of an accompanying investigation. The UIDAI said that it’s CIDR and servers are completely safe and fully secure and no illegal access was made to its CIDR and no data has been stolen from its servers. It said: “ UIDAI has filed a complaint on the basis of a report from Special Investigation Team (SIT) of Telangana Police that IT Grid (India) Pvt. Ltd has allegedly obtained and stored Aadhaar numbers of large number of people in violation of the provisions of the Aadhaar Act. Nowhere in the report, the SIT has found any evidence to show that the Aadhaar number, name, address, etc., of the people have been obtained by stealing them from UIDAI servers.” Using stolen data to delete voters The Seva Mitra app used by TDP workers used the wide range of data that the forensic lab has been able to uncover. This, in turn, was used to profile voters, and determine how likely they were to support the party. Leaving aside the source of the data for a second, this kind of surveying is common behaviour. But, according to IG Raveendra, what came next was a complex scheme to get people who weren’t supporters removed from the electoral rolls. “They used it to do some profiling of voters. They were seeding it with Aadhaar linked information to profile voter data,” he said. “After that, you draw up a list, showing how likely a candidate is to vote for you. To do this, we think they were using an IVRS [automated voice calling — one of the many digital services political parties now rely on] to reach out to all the potential voters.” “They would ask questions about whom you will support, and based on your rating, assign a score. They repeated this process to work out a list of people who weren’t supporting them, and then they filed Form 7 requests about these people, to have them removed. It’s a very complex scheme.” Form 7 is an objection to a name being included in the voter list — it can be filed by anyone about anyone else. Once filed, the EC physically verifies whether the person has shifted, or is deceased, or is a duplicate, and if that is the case, removes the name. But thousands of people in both states, as well as in the rest of the country, have been taking to social media to talk about how they’ve been robbed of their votes. In fact, cricketer Rahul Dravid, who was one of the people in the EC’s ads to exhort people to vote, found his name missing as well.

Tony Marshall via Getty Images