The Great Voters’ Data Heist in Karnataka

Not much appears to have moved since April 24, when an unusual first information report (FIR) was lodged in Bengaluru by the police.

• The FIR provided information about a company selling voters’ data in poll-bound Karnataka

• The data format matches the one used by the Election Commission of India, indicating the strong possibility of an insider job and leakage from the ECI database

• The FIR named a company and its website, for which the domain name was registered in New Delhi in April 2023

An independent candidate in Karnataka is said to have blown the whistle when the company offered him details of all the voters in his constituency.

Candidates are in any case entitled to receive the electoral roll, and the electoral rolls are also available online. However, what the company offered the candidate was a lot more. It included the entire demographic details of the voters—age, occupation, addresses—as well as their phone numbers.

While the police remained tight-lipped, there was consternation within the ECI at these hints of a massive leakage of data from its allegedly secure servers. News portal The News Minute (TNM), which accessed the website with the login code the company had shared on payment with the whistle-blower, found the name of the domain owner and links to various UPI gateways and private commercial banks.

It is possible that the company was also being used as a conduit to make payments to voters. With UPI payments, it is now easy to transfer a few thousand rupees to people over a phone. The risk of carrying cash to bribe voters then gets reduced.

Distribution of freebies, silver or cash to voters has been widespread in the elections, it would seem. Media reports suggest that till April 12, the ECI had seized unaccounted cash, liquor and metals worth Rs 140 crore in the state, a four-fold increase over a similar period (two weeks after the model code of conduct kicked in) during the last assembly election in 2018.

While payments directly through UPI may help avoid seizures, they should also be easier to track by law-enforcing agencies, though. Yet, even as election campaigning for the May 10 polls enters the last stretch, curiously no action appears to have been taken on the FIR by the police or the ECI.

The independent candidate, identified only as ‘Raju’ by ECI officials, approached the officer in charge of enforcing the model code of conduct in the state and furnished the details when the company contacted him. He was persuaded to pay up a modest initial amount of Rs 25,000 to access the website.

The same login provided by the company was shared with thenewsminute.com. The login provided the user access to data associated with 6.50 lakh voters, covering approximately three state assembly constituencies. It is possible that higher payments would have been necessary to access data for more constituencies.

The website curiously claimed that the amount was just a ‘refundable’ deposit. ‘Election losers can claim their refund of the deposit after the election rules are made liberal,’ it mysteriously added, suggesting that the company’s services included a guarantee of victory. Indeed, the welcome page on the website invited potential clients to ‘win this election’. A thorough inquiry alone can unravel the truth behind such claims.

Even more astonishingly, the website offered a separate dashboard for ‘Election Day’. It offered details of booths, votes polled and, more importantly, ‘votes unpolled’, besides the number and break-up of voters on the basis of their religion, caste, age and gender. How was the company so confident of providing real-time and booth-wise data on the polling day?

Despite so many red flags, the investigation does not seem to have progressed much. The owners reportedly are yet to be traced, although their name and phone numbers are with the police. Nor is it known how many such companies are in the business or how many of the 3,000-odd candidates have opted to bite the carrot and at what price.

ECI officials in Bengaluru concede the strong possibility of the unfolding ‘voter data scam’ being an insider job. This is indicated by the ‘format of the data on sale being similar to the data stored on ERONET, a government portal with ECI data on voters that only election officials can access,’ reported TNM. However, the possibility of the server having been hacked can also not be ruled out, they point out.

ERONET stores applications that voters submit for enrolment into the electoral rolls. The form contains their phone numbers and addresses, and even details of other family members. While on ERONET, the data are displayed in 13 columns, the company selling the data apparently replicated only the first eight columns. ‘It was as if somebody just copy-pasted our data on an Excel sheet,’ confided ECI officials to TNM.

The table on the company’s website, however, has the data spread across 12 columns. It includes details such as the EPIC (elector’s photo identity card) number, electoral part number, serial number, as well as phone numbers on which they can be called or sent an SMS or WhatsApp message—all information that the ECI provides, barring the phone numbers.

If the ECI’s network and server can be breached or hacked to access voters’ data, is any other data with it secure?

Speaking to the National Herald, Dhanya Rajendran, editor-in-chief of TNM, said, “I believe this is how the election process will be (increasingly) vitiated with [the help of] data and technology. This is the new-age voter manipulation.’’ She recalled how she and her team were surprised to find several UPI IDs linked to the website and various bank accounts in HDFC, ICICI and Axis Bank—all in the name of one person.

TNM did not reveal the name, she said, because an FIR had just been lodged and the owner was yet to be traced. “We thought it better to withhold it as police were still investigating,” she said.

The news portal had also investigated last year in November how the Bruhat Bengaluru Mahanagara Palike had distributed fake identity cards to an NGO’s ‘volunteers’ to let them pose as official booth-level officers (BLOs). The NGO had offered to help the ECI in increasing voter awareness and in the revision of electoral rolls under the Systematic Voters’ Education and Electoral Participation (SVEEP) programme.

Three people arrested in the case are now out on bail and nobody seems to know what has happened to the case. Nobody has asked or answered what the political affiliation of the NGO was or why the BBMP allowed the NGO to hoodwink the people.

The NGO, Chilume Educational, Cultural and Rural Development Institute, was engaged by the ECI although its promoters were also the promoters of a company called Dap Hombale, which is engaged in ‘electoral and political management’.

The fake BLOs obtained information on voters’ caste, gender, marital status, address, mother tongue, education and employment details, along with their Aadhaar and phone numbers. The TNM investigation had revealed that the group operated a voter survey app called ‘Digital Sameeksha’. Instead of educating the public about the ECI’s voter registration applications, such as Garuda and the Voter Helpline, the NGO’s field workers uploaded voters’ personal information on Digital Sameeksha, including their political grievances. Significantly, the group maintained its server abroad.

An inquiry was conducted by the Bengaluru regional commissioner, Amlan Aditya Biswas. In his report submitted on 7 February 2023, he recommended that the task of voter data collection be given only to authorised BLOs and the data be stored only on Indian servers.