New Delhi: Last week, Congress leader and Rajya Sabha MP Husain Dalwai asked the ruling government whether a French national nicknamed Elliot Alderson was hacking/penetrating into several government websites. In response, Minister of State for Electronics and Information Technology KJ Alphons said that neither the ministry nor CERT-In was aware of any such incident or person.
The question came barely days after Android application developer and cyber security expert Alderson split the security credibility of Aadhaar wide open on his Twitter feed.
It was in January 2018 that Alderson decided to look into Aadhaar. He acted on an anonymous tip, he told News18. He found a host of problems with mAadhaar, the Android application for the unique identity card, and went deeper and put forth tweets describing how third parties were using its data.
The Unique Identification Authority of India took notice but defended its practices by saying that reports that appeared on social and other media on the security of the Aadhaar system were ‘far from the truth’.
But Alderson didn’t stop there. One tweet at a time, he punched holes in UIDAI’s security claims, and he continues to believe that the threat is real.
So, who really is Elliot Alderson, the man big enough for the opposition to question the government and the man menial enough to be dismissed by the ruling party?
Alderson identified himself to News18, confirming that his name is Robert Baptiste, and he’s a 28-year-old French citizen. A freelance Android developer, Alderson customises Android Open Source Project (AOSP) for phone makers.
But why zero in on Elliot Alderson as a pseudonym? It was because of his interest in a character in the TV show Mr. Robot that he chose this name. “It was just fun to choose this name,” he said.
His Twitter bio states that he is the founder of ‘fsociety’, inspired by Mr. Robot yet again, in which a group of hackers had the same name and their goal was to take down a leading conglomerate.
“Today, the biggest threat for Aadhaar is how third-party websites are securing the data. A lot of companies ask for Aadhaar data and so create their own ‘Aadhaar database’. The problem is in a lot of cases, these databases are poorly secured or not secure at all. This is why I managed to find thousands of Aadhaar cards by making only a Google search query,” he told News18.
Beyond Mr. Robot, it was ‘curiousness’ that led him to delve more into cyber security.
“I like to understand how things are working,” he added. But doesn’t making public the ways to get Aadhaar data kill the purpose of securing it in the first place?
“This is a difficult decision but there is no choice. UIDAI continue to deny it and don’t want to discuss. Security researchers are harassed and arrested. I decided to make public how to get the information in order to change this situation. After the publication, I saw that a lot of companies started to take down the links where the Aadhaar cards were available and this is a very good thing,” he told News18. He was expecting a response from UIDAI and seems to be disappointed that they haven’t engaged with him yet.
“My goal is to help them, not the opposite. If they want to discuss with me and if I can help them it will be a pleasure for me,” he added.
He’s not for or against Aadhaar or its linking, but said, “If you create a system where 1.2 billion link all their lives, the system needs the highest security in the world.”
It’s not just UIDAI; he also pointed out loopholes in PayTM, which was asking its users for root access to their devices. Once Alderson pointed it out, the e-wallet application stopped asking for root access, which Alderson says “is the holy grail of Android. An application with root rights is able to do everything on your phone.”
The expert also pointed out flaws in Prime Minister Narendra Modi’s mobile application, NaMo and the Congress application, accusing both Modi and Congress of stealing user data. He has also pointed out security concerns in BSNL, ISRO, and India Post.
While the BJP-led government may have a different thing to say, Alderson says that he does have his eyes on a few Indian websites. “Follow me on Twitter and you will see.”
“Personal data is really valuable and can be used for different purposes. You can see for example, what Cambridge Analytica was capable of. I’m happy that the Parliament is discussing the security of the Indian governmental websites. If it leads to security audits and so a better security of these websites it will be a great achievement,” he added.