Govt Has Cleared Linking Of Aadhaar & Voter Data. Past Experience Reveals How It Can Be Manipulated

27 Dec 2021 15 min read  Share

Predicting millions of voting choices. Deleting inconvenient voters. A world of manipulative possibilities could be opened by the government’s decision—controversially pushed through Parliament—to link Aadhaar, India’s national identity database, and election commission data. We report what investigations into two unresolved data leaks involving India’s current and Andhra Pradesh’s former ruling party revealed.

A representative photo of Indian voters queuing to vote in Madhya Pradesh/CREATIVE COMMONS

New Delhi: When A Anand, a political activist in Puducherry, received a message on his mobile phone early in March 2021 asking him to join Prime Minister Narendra Modi and the Bharatiya Janata Party (BJP) in building “a new Puducherry”, it appeared at first to be an innocuous bulk SMS campaign. 

When he clicked on a link in the SMS, however, he found that it was a carefully designed data-driven campaign by the BJP to herd prospective supporters to receive messages from the party a month ahead of the assembly election in the Union Territory.


The link asked Anand to join a BJP WhatsApp group of voters registered to cast their ballot at the polling booth in his locality. The WhatsApp group was named after the polling booth. 

Anand’s family members and colleagues, too, received similar messages to join WhatsApp groups specific to their respective polling booths. Anand, who heads the Puducherry unit of the Democratic Youth Federation of India, found that only mobile numbers linked to Aadhaar, the biometrics-based 12-digit identification number of citizens, received the text message.


On 18 March, he  filed a public interest petition in the Madras high court alleging that the BJP obtained personal details of voters, including Aadhaar numbers and phone numbers, without their permission, and that the party was “profiling” and targeting voters at the booth level using these pieces of information. He told the court that such profiling violated privacy and could lead to bribing voters by online money transfer, which is difficult to track, instead of the traditional vote-for-money cash handouts. 

Concerns around voter profiling—harvesting voters’ personal data to infer and predict political behaviour—have grown around the world ever since the Cambridge Analytica scam, when a UK-based political consultancy mined the social media data of individuals to predict political inclinations and social anxieties, which politicians misused to manipulate voting choices , often with individually targeted misinformation, without public scrutiny. 


The BJP denied Anand’s allegations, but on 1 April the Madras high court found the allegation that the BJP mined and misused personal data of voters was “credible.” It ordered an investigation into how the phone numbers and location information of voters  were collected, mapped and used by the BJP to reach individual voters. 


Two years earlier, a special investigation team (SIT) of the Telangana Police raided the Hyderabad offices of a private company named IT Grids (India) Pvt Ltd and found that the company had access to “stolen” voter information and Aadhaar data of over 78 million residents of Andhra Pradesh and Telangana. The company combined this information to build a mobile application for the then incumbent Telugu Desam Party (TDP) in Andhra Pradesh, which used it for “voter profiling”, “targeted campaigning” and even “voter deletion” during the assembly elections, the SIT’s investigation report said. 


The Unique Identification Authority of India (UIDAI), which manages Aadhaar, admitted that the data of 78 million people had indeed been illegally accessed  and used to profile voters. Around the same election, Andhra Pradesh and Telangana deleted about 5.5 million voters from electoral rolls after their Aadhaar numbers were linked to voter identity cards, without the mandatory door-to-door verification. Many voters protested.


The two cases present a template of how Aadhaar-enabled voter profiling can be misused by political parties to manipulate elections, said experts. As the BJP-led union government on 20 December rammed through Parliament a law to link Aadhaar data with the electoral rolls, amid protests from the opposition, The Reporters’ Collective examined internal documents of investigations conducted by state police and the Election Commission of India (ECI) in the two cases to detail the modus operandi of the political parties involved and the role of watchdog agencies.

The Election Laws Amendment Act, 2021, which was passed through voice vote, bypassing the regular processes of consultation, allows electoral registration officers to ask for Aadhaar numbers of citizens at the time of entering and authenticating their names in the electoral rolls.


While the government claims the law was needed to clean duplicate and bogus voters from the electoral rolls, opposition parties and transparency organisations protested, saying the law could potentially disenfranchise citizens and allow manipulation of elections.  


How BJP, TDP Obtained & Used Personal Voter Data   

The reports of investigators reveal that in the two cases, the political parties involved used personal information of voters, likely without their consent. 

The parties studied personal voter information, such as location, phone number, caste, government benefits and political preferences, possibly garnered from Aadhaar and other government data to reach them during the campaign and even possibly delete the non-supporters from electoral rolls.


In both cases, the (ECI), responsible for conducting free and fair elections, and the UIDAI, responsible for preventing misuse of the Aadhaar data, did not appear to take corrective action. Even after the malpractices were brought to their notice, neither did the ECI nor the UIDAI pursue the cases against the political parties nor did they establish measures to prevent misuse of voters’ personal data, the documents show. 


We sought comment from the ECI and the UIDAI, but there was no response. Questions were also sent to the BJP and the TDP about allegations related to the Puducherry and Andhra Pradesh elections respectively. Neither party has responded. We will update this story if they do.


What Happened In Puducherry

According to Anand’s petition, the BJP created separate WhatsApp groups for each of over 900 polling booths spread across 30 assembly constituencies. 

To bolster his argument that only mobile numbers linked to Aadhaar numbers received links to join these WhatsApp groups, Anand submitted a chart of mobile numbers. “For instance, if a person uses two mobile numbers, which is very common nowadays, SMS is only sent to the mobile number linked with Aadhaar and not to the other mobile number,” he said in the petition.


Anand presented records that revealed how even those who changed their address less than six months ago received the message to join a WhatsApp group for their current location. “The voter rolls do not have phone numbers,” Anand said in a phone interview. “This was only possible because the resident had updated the address in their Aadhaar records and the BJP had access to it.” 


Anand told the court that he spoke to the administrators of some of these WhatsApp groups, who told him, he said, that none of them were from Puducherry. He concluded they were operating from the BJP’s centrally controlled offices in other states.


Apart from the bulk text messages, the BJP also sent out bulk voice calls as part of its campaign, also personalised for phone numbers, Anand claimed. “I have received one such call where the caller even before my introduction clearly gives my name and the booth and constituency in which I have my vote,” he said in the petition.


The petition said that the fact that the ruling party misused its power to access the mobile phone numbers of the residents of Puducherry made it clear that money transactions could also be made to the accounts of the residents through mobile phone payment apps such as Google Pay. “There is no mechanism to check these kinds of money transactions, which makes the conduct of free and fair elections preposterous,” the petition said. 


The BJP did not deny mapping personal information of voters to individually target them.  

“For the sake of identification and convenience the links to the WhatsApp groups were created on the basis of the constituency and booth-wise,” said the party’s affidavit, signed by its state president V Saminathan. “This was done with the sole intention of concentrating on the local issues.”  

The BJP denied the other allegations in court. It said the campaign relied on data collected by activists, field workers, registered members, candidates and information available in public domain to send SMS messages and to create WhatsApp groups. “I reiterate that no data which is not available in public domain has been used for the purpose of sending SMS,” the BJP affidavit said.  


On the court’s directions, the election commission asked the cyber crime cell of the Puducherry police to investigate the use of data in the BJP’s bulk SMS campaign. The initial inquiries by the cyber cell revealed that the BJP had provided a template for their bulk SMS campaign, “along with constituency- wise and booth-wise mobile numbers” to a company called Half Circle Media Pvt Ltd for sending bulk text messages. 

The BJP’s Puducherry unit told the cyber crime cell that the mobile numbers of voters were collected through a “field survey” but did not present any evidence to support this claim. In March 2021, the police told the court that the inquiry was still underway.


The election commission also found that  BJP had not submitted to it the content of its SMS and voice calls, and had not reported the expenditure on these campaigns, both violations of the election rules. 


The court found a “serious breach” by the BJP “in how it conducted its campaign in Puducherry”. It didn’t find the BJP’s response that the mobile numbers of voters had been collected by a field survey convincing. It agreed with the petitioner that it was unlikely that the residents of Puducherry would have handed over personal details and phone numbers to such BJP activists on a door-to-door mission. Anand told the court that he had collected statements of citizens who claimed they had never given their details to the BJP but had still received its customised messages.


In its 1 April order, the court said that apart from the “unfair mileage” that the BJP may have gained in resorting to a form of campaign without obtaining prior permission, there is “the more serious matter of the privacy of the citizens being breached”.

It ordered the ECI and the UIDAI to conduct a further investigation and give “appropriate answers” within six weeks. 


Since then, the matter has not been listed for hearing. Meanwhile, the judge who was heading the bench that gave this order was controversially transferred from the Madras high court. 


The Andhra Pradesh Case  

In Andhra Pradesh, the voter-profiling scam went even further. The Telangana police investigation claimed that the incumbent TDP was not only using the Aadhaar and the government beneficiary data to target voters for its campaign in the assembly elections but also to potentially delete the voters who were likely to vote for the opposition from the electoral rolls. 

Ostensibly to clean the electoral rolls, about 2.5 million voters were deleted in Andhra Pradesh that year, after Aadhaar and voter-ID data were first linked in the state. 


The scam began to unspool when workers of the then opposition party, the YSR Congress (YSRCP), found that the TDP was collecting data about the families, caste and political leanings of voters through a mobile application. The screenshots of the mobile application show, among other things, that the application collected information about voters on “what is their political preference? Who are they likely to vote for?”


On YSRCP’s complaint, the Telangana police raided offices of IT Grids (India) Pvt Ltd, which developed the mobile application for TDP. The police, while communicating the investigation’s findings to the UIDAI, said: “Investigation so far revealed that (TDP’s) Seva Mitra Application is suspected to be using stolen voter information along with Aadhaar data of the State Governments of Telangana and Andhra Pradesh for voter profiling, targeted campaigning and even deletion of voters.” 


A “forensic examination” of records seized from IT Grids India by the Telangana State Forensic Science Laboratory revealed “that a whopping 7,82,21,397 records of Aadhaar data belonging to the states of Telangana and Andhra Pradesh were found and used by IT Grids (India) Pvt Ltd, for the purpose of Seva Mitra Application belonging to Telugu Desam Party.” 



The TDP denied the allegations and filed a counter complaint that the TRS government in Telangana was working on behalf of the YSRCP to steal TDP workers’ data. Telangana, too, had deleted about 3 million voters that year after Aadhaar-voter identities were linked in the state.  In Telangana, opposition alleged that a large-scale voter deletion was carried out at the behest of the ruling TRS, to remove those profiled as sympathisers of its opponents.


When Telangana police informed the UIDAI about the records obtained from IT Grids, the agency filed an FIR against the company stating that the company had illegally accessed, stored and misused Aadhaar data for “wrongful gains”. No action was initiated against the TDP, which had employed IT Grids. 


The Election-Manipulation Template    

Anand Venkatanarayanan, a privacy researcher and co-author of The Art of Conjuring Alternate Realities, a book on information warfare in the political world, said such scams would become more common with the linking of Aadhaar with voter databases.


“Political parties access voters’ data from public databases, such as electoral rolls, as well as dark data markets where phone numbers and caste data are openly traded,” said Venkatanarayanan, who was an expert witness before the Supreme Court in what has come to be known as the Aadhaar case, a September 2018 judgement that upheld the national biometric identity system and allowed it to enroll recipients of government welfare benefits.

 “Then there is beneficiary data from the state and central government databases,” said Venkatanarayanan. “But to build a complete picture of a voter, you need a common connector to link all these databases. That is why you need Aadhaar.”  


Aadhaar and phone number data, leaked from various public and private Know Your Customer (KYC) databases, are also traded in the market but the quality is low, said Venkatanarayanan. “It requires an immense amount of effort by party workers to correct this data through ground surveys, pre- and post-elections,” he said.


But when the government links Aadhaar numbers to electoral rolls, there will be a common ID across all databases. A party that gains access to this database can build a complete profile of a voter, including his or her caste, religion, location, family, a history of government benefits accessed, an economic and social profile that offers a much better statistical estimate of the individual’s voting preference, said experts.


“With all this polling booth-level data, it becomes very predictable who is going to vote for whom,” said Venkatanarayanan. “It will be the end of the secret ballot.” 

The dangerous aspect of the data, said experts, was the possibility of deleting voters’ names on the pretext of cleaning rolls. “And unfortunately, neither the election commission nor the UIDAI has the will or the capacity to stop this,” said Venkatanarayanan. 


According to the new law, no voter’s name will be deleted in the absence of Aadhaar, as long as they can show other proof of identity. The government will decide what constitutes sufficient proof and what the procedure to claim authenticity will be. “In such a scenario, and going by the Andhra Pradesh and Telangana experience, there is a legitimate fear that genuine voters could be denied voting rights,” said Vrinda Bhandari, a Supreme Court lawyer. 


“So far as the bogus voters are concerned, to my knowledge, the government has never demonstrated what is the extent of the problem and how is Aadhaar going to solve it?” said Bhandari. “Aadhaar’s authenticity itself is based on the individuals’ statement, no house-to-house verification etc. is involved.”  


Watchdogs In Slumber

It has been almost three years since the Andhra Pradesh voter profiling matter was first exposed, and almost a year since the Puducherry incident came to light. Neither investigation has concluded, nor has any action been initiated against the accused political parties.


One reason for this is that the ECI and the UIDAI have taken no action. 

In one of the first hearings in the Puducherry case, on 24 March, the Madras high court said the EC was trying to “pass the buck”. At the next hearing on 1 April, it observed: “The Election Commission appeared to initially treat the matter lightly by saying that the cyber crime cell of the local police was looking into the matter.” Only when the court demanded that the ECI investigate the issue “with the degree of seriousness that it deserved”, the agency “took some steps.” 


The court criticised the UIDAI for not acting. The agency’s responsibility could hardly end by saying it did not hand over such information, “more so since the obvious access of such (sic) political party (BJP) to the authority... is apparent,” the court said.  


The UIDAI has also made no comment on the Andhra Pradesh case, though it filed a first information report (FIR) against the  misuse of Aadhaar for voter profiling. In response to an RTI application by The Reporters’ Collective asking for the updated status and findings of investigations in late 2019, the authority refused to provide information “as the case is sub-judice”. 

In the FIR filed with the Telangana police on 12 April 2019, the UIDAI said the Aadhaar data could have been stolen from its central server, the Central Identities Data Repository (CIDR) or from the State Resident Data Hubs (SRDH), which were created by state governments by copying the CIDR data. 

“There is every possibility that sensitive data of Indian citizens could be accessed and used by countries hostile to India or International organized crime syndicates in a manner which could seriously be detrimental to National Security,” the UIDAI added in the FIR. 

When this was reported in the media, the authority issued a statement five days later, claiming its servers were never breached and IT Grids might have collected Aadhaar numbers “directly from individuals”.

It is not clear whether the UIDAI changed its statement in the FIR—saying data could have been stolen from its servers—in the ongoing case against IT Grids and whether it could establish how the Aadhaar data of 78 million people was leaked and misused. 


(Kumar Sambhav is a member of The Reporters’ Collective.)