24 March,2018 08:08 AM IST | Mumbai | Gaurav Sarkar
Illustration/Uday Mohite
Over the last few months, an alleged Android developer and cyber security expert, who goes by the Twitter moniker Elliot Alderson, has had the Indian government at its wits' end. Alderson has - one tweet at a time - blown the lid off the government's mAadhaar app, showing Twitter users how third-party security breaches are being committed with Indian citizens' Aadhaar data.
The ethical hacker and self-proclaimed vigilante first stirred up a storm in January, when he revealed that mAadhaar app's developers were saving users' biometric data in a local database, the password of which could easily be obtained. Earlier this month, he claimed to have accessed over 20,000 Aadhaar card specifics on a single day by just hacking into the app. On Saturday, Alderson had tweeted about how the #narendramodi app was taking all the "device info and personal data and sending it without consent to a third-party domain called in.wzrkt.com".
Alderson - he claims his real name is Robert Baptiste and that he is a 28-year-old French national - is no stranger to the world of hacking, having previously exposed data breaches at Facebook, OnePlus, Xiaomi, PayPal, and MakeMyTrip. However, his latest revelations have put the Indian government on the back foot, forcing UIDAI - the authority responsible for Aadhaar enrolments - to issue a statement.
In a no-holds-barred email interview with mid-day, Alderson explains that he is only trying to assist the Indian government and reveals plans to launch a portal that will help Indian citizens find out whether their data has been breached. Edited excerpts:
Could you tell us about your professional background?
I followed the classic path to become an engineer in France. Today, I'm an Android Freelance developer. I'm making Android apps and customising the Android Open Source Project (AOSP) for phone makers.
How long have you been tracking Aadhaar?
My first Twitter publication related to the official Aadhaar Android app was made on January 10. One of my followers asked me to check this app. At first, I didn't know what Aadhaar was. mAadhaar just seemed like any other app that I had previously analysed. I quickly noticed that with a single Google search query, it was possible to find thousands of Aadhaar cards on the web. The Aadhaar data was/is accessible to everybody very easily.
What is unsafe - the Aadhaar programme, or the linking of personal accounts to Aadhaar?
Today, a lot of third-party websites ask for Aadhaar details. A majority of these have poor security, which allows attackers to get the data.
How many times have you tried reaching out to the authorities?
To be honest I don't know; a lot of times. Everything is on my feed.
You recently spoke of plans to launch a portal called ismyaadhaarpwned.com. How will it work?
The idea of this portal is to be like haveibeenpwned.com, but for Aadhaar. You will enter a hash of your Aadhaar number and you will be able to find if your number has been found in a data breach.
When do you think the portal would be up and running?
No idea, I have a lot of things on my to-do list right now.
Once you find out that a number has been breached, is there any way to determine how it has been breached i.e. which service linked to Aadhaar was compromised?
You will have some details on the breach. The level of details has to be defined.
Some of your followers on Twitter pointed out that this portal is an attempt to collect their Aadhaar data. Your thoughts.
This is justified and I have tried to answer everybody to explain the idea behind this website. The idea is not to collect the Aadhaar numbers. It will not ask the user to enter his number.
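The lookup Alderson describes (a haveibeenpwned.com-style check where the user submits a hash of the number, and the portal never receives the number itself) can be sketched as follows. This is an added illustration, not code from the ismyaadhaarpwned.com project; the breach index, service names and the 12-digit sample numbers are constructed for the example, and the prefix-range query is an assumed design borrowed from the way haveibeenpwned.com serves password hashes. The prefix step matters because a 12-digit number space is small enough that a full hash alone would still identify the number.

```python
import hashlib

PREFIX_LEN = 5  # hex characters the client sends; 16**5 buckets over 10**12 numbers


def hash_number(aadhaar: str) -> str:
    """Client side: SHA-256 of the 12-digit number, computed on the user's device."""
    digits = aadhaar.replace(" ", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("Aadhaar numbers are 12 digits")
    return hashlib.sha256(digits.encode()).hexdigest()


# Constructed breach index: full hash -> name of the service that leaked it.
# The numbers are made up for this example and are not real Aadhaar numbers.
BREACH_INDEX = {
    hash_number("1234 1234 1234"): "example-utility-portal",
    hash_number("9999 8888 7777"): "example-scholarship-site",
}


def range_query(prefix: str) -> dict:
    """Server side: return suffix -> source for every indexed hash that starts
    with `prefix`. The server learns only a 5-character prefix, which is shared
    by roughly a million possible 12-digit numbers, so it cannot recover the
    number the user is checking."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be %d hex characters" % PREFIX_LEN)
    return {h[PREFIX_LEN:]: src for h, src in BREACH_INDEX.items()
            if h.startswith(prefix)}


def check_number(aadhaar: str):
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns the breach source, or None if the number is not in the index."""
    h = hash_number(aadhaar)
    candidates = range_query(h[:PREFIX_LEN])
    return candidates.get(h[PREFIX_LEN:])


if __name__ == "__main__":
    for sample in ("1234 1234 1234", "0000 0000 0000"):
        print(sample, "->", check_number(sample) or "not found")
```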
On March 18, you tweeted saying that you will not work on topics related to Aadhaar anymore. Is this true?
We will see. I have the right to change my mind.
There is a national election coming up in India next year, and Aadhaar might play a major role in swinging the voter base. Why plan to stop talking about it now?
Don't worry, I will keep publishing on Twitter.
What steps can the UIDAI take to ensure the same?
UIDAI has to put some strong security requirements on their partners. If a website wants to ask an Aadhaar number, this website must meet some minimal security requirements. If it is not the case, it can't collect the Aadhaar data.
How would you like to respond to all those denying that their Aadhaar data is unsafe?
My work is based on facts. I managed to find thousands of Aadhaar cards on the web. If you want to think otherwise, be my guest but this is not the reality.
Do you believe that the price of whistle-blowing should be so high that one has to flee to another country?
I'm not hiding and it is not very complicated to find me. Anyway, I will be going public soon.
What are the perils that a whistle-blower has to face?
I received death threats. People are quick to interpret things today, and don't read. Even if you have a foolproof publication, they will yell "fake news". It is like this today.
Do you think it is easy for governments to accept that they have been in the wrong?
There are very good people in governments. Technical guys like me want to improve global security. A majority of the companies/governments I have contacted have been nice to me.
Do you believe that we can actually fix the Aadhaar problem?
My goal is just to make people aware that security is an important topic. The real solution has to come from Indian researchers, from your representatives. A new policy has to be voted to make India a friendly country for security researchers.