7.8 crore Aadhaar records from Andhra Pradesh and Telangana were found on the hard disks of IT Grids Pvt. Ltd, the firm which operates the Telugu Desam Party’s Sevamitra app. The Cyberabad police last week lodged a FIR against IT Grids’ management, based on a complaint filed by the UIDAI’s Hyderabad Regional Office. The complaint and FIR note that the IT Grids’ possession of extensive Aadhaar data likely meant that the data was sourced from either the Central Identities Data Repository (CIDR) or the State Resident Data Hub (SRDH). The investigation revealed that the structure and size of the database, and the fact that the database contained Aadhaar Enrolment IDs (EIDs), strengthened this suspicion.

Further, forensic investigation by the Telangana State Forensic Science Laboratory (TSFSL) found that IT Grids’ stored Aadhaar data of crores of people on the AWS cloud. The FIR alleges that this may have possibly exposed sensitive Indian data and compromised national security.

IT Grids, a company that consults for the Telugu Desam Party (TDP), has been in attention over the last month, when it came under investigation after a complaint by YSR Congress party against Sevamitra, a mobile app run by the TDP. Sevamitra was presumably used by the party for voter profiling and to allow booth-level workers to better understand voter preferences.

(See copies of FIR against IT Grids’, and the UIDAI’s complaint at the bottom)

IT Grids illegally accessed and used personal data of 7.8 crore people in AP and Telangana

Filed by T V Bhavani Prasad, deputy director of the UIDAI’s Hyderabad regional office, the complaint references the initial FIR against IT Grids, filed by the Cyberabad police on March 2nd. The FIR was filed on the basis of a complaint by Hyderabad resident T Lokeswara Reddy. The complaint alleged that IT Grids was illegally accessing and misusing Aadhaar number, Voter ID details including coloured photographs, and beneficiary details of various government services, and “data related to surveys conducted by the Government of Andhra Pradesh” for use in the Sevamitra app.

The current FIR is based on further investigation and search of the offices of IT Grids on 2nd-3rd March 2019, where seven hard disks and other digital evidence were seized and sent to the Telangana State Forensic Science Laboratory for forensic examination. The lab found 7.8 crore Aadhaar records from Andhra Pradesh and Telangana on the drives – for use in the Sevamitra app. The databases contained the following personal data: Aadhaar number, Aadhaar enrolment ID, name, name of father, husband or guardian, Date of Birth, Village name, Mandal name, District ID and Name, and state.

CIDR or SRDH likely breached, and source of data

Most importantly. the complaint notes that the Aadhaar numbers were stored in a “particular structural database” and the “structure and size of the database is surprisingly similar to that of databases that could have been originally owned by the UIDAI”. The app is using stolen voter information and Aadhaar data of AP and Telangana for voter profiling, targeted campaigning, and even deletion of votes. The presence of the Enrolment ID raises “strong suspicion” that the data was obtained from the CIDR or one of the State Resident Data Hubs aligned to the CIDR. Both the UIDAI and the Union government have traditionally denied any breaches of Aadhaar data via the UIDAI or via private parties.

Availability of such unique information of an Aadhaar Number indicates that the accused in the case might have illegally accessed CIDR or SRDH and has used such information or data for wrongful gain.”

As The Wire explains, the UIDAI has helped build the SRDH over the years in several states including Andhra Pradesh. The Andhra Pradesh government essentially tracks everybody’s Aadhaar information and links it to every other database it has created and built, for real-time governance. It has managed to do so by collecting data KYR Plus as part of the SRDH and another database created via the Smart Pulse Survey.

Wasn’t SRDH data destroyed?: In fact, in February 2018, the UIDAI had told the Supreme Court that all biometric data stored in the State Resident Data Hubs had been destroyed. The UIDAI had said that all biometrics were now stored in the CIDR.

IT Grids stored Aadhaar data AWS servers, ‘very likely’ to have stored other’ states’ Aadhaar data on off-shore servers

The evidence so far has found that IT Grids was storing Aadhaar data possessed by it on Amazon Web Services servers in the USA, which is in contravention of Section 44 of the Aadhaar Act. Further, its “strongly suspected” that IT Grids could have illegally stored Aadhaar database of a few others states apart from Telangana and Andhra Pradesh in an off-shore storage facility.

This may have compromised national security: “There is every possibility that sensitive data of Indian citizens could be accessed and used by countries hostile to India or International organized crime syndicates in a manner which could seriously be detrimental to National Security.”

The UIDAI “strongly believes” that IT Grids’ management is using the Aadhaar data to map of voters “with beneficiaries of various Government Schemes and results of surveys conducted by the Government in contravention.”

According to UIDAI’s complaint, IT Grids’ possession of the data and its storage on hard disks violates several provisions of the Aadhaar Act 2016 pertaining to sharing and usage of Aadhaar data under Section 38(g), 38(h). IT Grids has also been booked under Section 40 (fine and imprisonment of up to 3 years for failing to inform Aadhaar holders of how their data was being used), Section 42 (fine and imprisonment of up to one year), Section 44 (contravention of the Act, committed outside India). IT Grids allegedly violates laws which disallow UIDAI or any private agency (handling CIDR data) to reveal information stored on the CIDR. Under the Aadhaar Act, Aadhaar or biometric data can be used only to generate Aadhaar numbers or for authentication. Further, the identity information and biometric data can be used for any other purpose only with the prior consent of the individual owning the biometrics. Further, the complaint states, IT Grids’ “illegal access and possession” of Aadhaar data violates provisions of the IT Act, 2008, specifically Sec 72(A), Section 65 and Sec 66(8).

Aadhaar Act, 2016 – Sections under which IT Grids’ was booked

Section 38
(g) reveals any information in contravention of sub-section (5) of section 28, or
shares, uses or displays information in contravention of section 29 or assists any
person in any of the aforementioned acts;
(h) destroys, deletes or alters any information stored in any removable storage
media or in the Central Identities Data Repository or diminishes its value or utility or affects it injuriously by any means; or

40. Whoever, being a requesting entity, uses the identity information of an individual in contravention of sub-section (3) of section 8, shall be punishable with imprisonment which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.

42. Whoever commits an offence under this Act or any rules or regulations made
thereunder for which no specific penalty is provided elsewhere than this section, shall be
punishable with imprisonment for a term which may extend to one year or with a fine which
may extend to twenty-five thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees, or with both.

*

Cyberabad Police’s FIR against IT Grids:

UIDAI’s complaint: