On 24 October 2017, an Android applications developer and cyber security expert, using the moniker Elliot Alderson, asked the CNRS or the French Centre for Scientific Research: “Seriously?”
Attached with this comment were screenshots used by Alderson to prove that the CNRS website was not quite as secure as its owners would like to think. Soon after, Alderson tweeted a list of patents registered by the CNRS, after having blacked out the names. This was information that was meant to be private but Alderson had found it using a simple Google search. Alderson’s message was simple: Fix your security.
Over the next few months, Alderson specifically targeted Android phone makers and applications that were compromising the cyber security of their customers by extracting user information without the customer’s knowledge or by being lackadaisical or incompetent about protecting private user information. Companies that had to face the sharp end of his stick include Facebook, OnePlus, Xiaomi, PayPal and MakeMyTrip, among others.
Fast forward to January 10, 2018.
Acting on an anonymous tip, Alderson chose to look into just how watertight the security of mAadhaar, the Aadhaar Android application, is. Alderson went on to find a host of issues with the mAadhaar application, the mobile security practices of the Unique Identification Authority of India, and, most importantly, how third party websites are handling Aadhaar data. Soon enough, the UIDAI sat up and took notice, albeit with a combative stance.
Alderson’s first investigation into the mAadhaar application revealed that its developers were saving users’ biometric data in a local database whose password could easily be obtained.
Alderson’s revelations about Aadhaar generated immense interest from the Indian information security community. With tweet after tweet, Alderson began to poke holes into the UIDAI’s claims of being invulnerable to cyber attacks, and, sometimes, he just embarrassed the UIDAI with silly discoveries such as this one:
Alderson’s interest in Aadhaar grew with each passing day and he went on to make startling discoveries. On February 25, Alderson tweeted that he had accessed the database of the Telangana government’s benefit disbursement portal TSPost. This database contained user information, including Aadhaar numbers, of 56 lakh National Rural Employment Guarantee scheme beneficiaries and 40 lakh beneficiaries of the social security pensions.
On March 11, Alderson claimed that he found details of 20,000 Aadhaar cards within a span of three hours. Having made the statement, Alderson, with the characteristic tone of mockery present in his tweets, taunted the UIDAI which had so far been unresponsive: “Do I need to create a Twitter bot which is doing this work automatically and publish the result on Twitter to have a reaction from your side?”
The UIDAI called Alderson’s revelations and the subsequent media reports “irresponsible” and “far from the truth”. “It is reiterated that Aadhaar remains safe and secure and there has not been a single breach from its biometric database during that last eight years of its existence,” the UIDAI stated on its Twitter account.
In response, Alderson wrote to the UIDAI that instead of disinforming the Indian public, it should stop being in denial and discuss ways to fix its problems.
On March 13, Alderson upped the ante by releasing a video that depicted a simple process to bypass the password protection in the mAadhaar application within just a minute.
The same day, Alderson exposed how the website of the English and Foreign Languages University publicly exhibited, without the knowledge of those concerned, the bank details, the voter identity card details, ration card details, and, of course, Aadhaar card details of not just the university’s students but also the applicants during the pre-admission process.
The next day, Alderson tweeted how the website of the Andhra Pradesh Panchayat Raj, a government body, had made publicly available the Aadhaar biometric data of thousands of citizens. Both the links directing to the Aadhaar data leaks were taken down after Alderson’s revelations.
In response to being repeatedly asked on Twitter about his intentions in exposing Aadhaar-related mobile and cyber security vulnerabilities, Alderson wrote, “I want to say something. I’m not against Aadhaar. Nor am I in favour of Aadhaar. I just think that a project of this size deserves maximum security.” – a repetition of the philosophy that drove Alderson to target international Android phone and applications makers in the first place.
In fact, in one tweet, Alderson showed that he had received a request from someone to buy the details of the Aadhaar cards that he had found access to. “The answer is a big NO” was his response.
So, who is Elliot Alderson? What are his motivations? And are they as altruistic as Alderson claims them to be?
Who is Elliot Alderson?
Alderson’s first moniker on Twitter was Baptiste Robert. Two of his earliest targets were the French organisation CNRS and the French mobile company Wiko. One of his first interviews was done by the French news website Numerama in November. The article referred to Alderson as “Baptiste R”, a 28-year-old Frenchman. In an interview with Androidpit, Alderson said that he is indeed a 28-year-old French man. Subsequent interviews in several publications, international and Indian, continued to call him Baptiste Robert or Robert Baptiste – a French cyber security expert, 28 years of age.
When asked by Scroll.in, Alderson confirmed by email (he would not do an audio/phone or a video interview) that he is indeed from France and that his “family name” is Robert. He said that his formal educational qualification is that of a network and telecommunications engineer, and professionally, he is a freelance Android developer. “I develop Android apps and customise the Android Open Source Project [AOSP] for phone makers,” Alderson said. “All my career has been made in the Android sector.”
The name “Elliot Alderson”, inspired by the vigilante hacker character of the same name from the television series Mr Robot, was chosen by him because he thought it would be fun, since a lot of people know the series and its central character, who takes on the global elite using his superior hacking skills. His Twitter bio states that he is the founder of “fsociety”, the hacker group from Mr Robot that is on a mission to take down the world’s largest conglomerate, E Corp. The entire facade adds to the mystique around Alderson as a real-life version of the fictional character.
However, he said that neither is he a fan of the show Mr Robot nor is he a watcher of “hacker-related movies”.
Alderson said that he had been interested in cyber security and privacy issues for a long time. “The Snowden revelations have been a big boost for me to dig more into the subject,” Alderson said. “By nature, I’m curious and I like to understand how things are working which often leads by finding security flaws.”
As Alderson’s Twitter profile has revealed since October last year, various companies in the telecommunications and mobile applications development sector obtain private information about people without warning, often illegally, and, sometimes, government bodies, out of laziness or without a clue, end up making citizens’ private data available to all and sundry, as in the case of the UIDAI. So, when the powers that be are themselves not up to the task of protecting our private information, where can regular citizens turn? More importantly, how can people be made to realise that cyber security is no laughing matter?
Alderson said that people would fall in line to make themselves aware and take steps to protect themselves on the internet if they realised that cyber security is simply no different from protecting one’s house with a lock and key. “For example, in real life would you be open to sharing your family photos with a stranger?” Alderson asked. “I don’t think so, so why did you share your photos with Google, for example? In real life, would you accept it if someone asked you to wear a location tracker? No, I don’t think so. If it’s not acceptable in real life, it’s not acceptable in the digital life too.”
In an interview with FactorDaily, Alderson had said that his end goal is to publicly condemn the privacy-related abuses committed by technology companies. “Are you ready to give your personal info, address, age, gender, sexuality, your personal photos to a stranger on the street?” Alderson said. “I’ll bet no. It’s the same thing with an app. They collect your data, sell it to third parties, exploit it.”
The problem with Aadhaar
“What I can see is that there is a big issue on how third party websites are handling the Aadhaar data,” Alderson said when asked what he saw as the primary problem plaguing the UIDAI. “Today, you can find thousands of Aadhaar cards with only one Google search query. The first step for UIDAI in my sense is to make a full review of their partners and to impose some security requirements on these companies.”
Alderson had earlier rated the security of the mAadhaar application as 0 out of 10. He had said that, in his estimation, interns or junior developers had worked on it. His latest Aadhaar-related revelation came on March 16, when he shared a screenshot of a few lines of code, adding that anyone could simply search for these lines on Google and reach the details of over a thousand Aadhaar cards.
Though Alderson has repeatedly reached out to the UIDAI with invitations to discuss Aadhaar’s security-related issues and fix them, the UIDAI has never responded to him directly. Alderson, in fact, has kept an open line of messaging on his Twitter account, but the UIDAI continues to snub him. Alderson said that he found the UIDAI’s non-response to his tweets “a little bit offensive and rude”. And did he get trolled or attacked? Yes, by some “UIDAI fanboys”, but that is alright with him, as he understands this is how social media works.
But isn’t letting the world know how to find access to people’s Aadhaar details counterproductive? Alderson said that his revelations are not exactly a secret on the internet. Besides, he added, his goal is to get a reaction from the UIDAI. So far, Alderson’s methods have been working, to an extent, as the compromised Aadhaar-related links Alderson has mentioned on his Twitter account have been deactivated.
The UIDAI continues to maintain that one cannot harm a person just by knowing his or her Aadhaar number and that it would require biometric data to authenticate a person’s identity so as to cause further damage. Meanwhile, in February, stolen biometrics were used in Surat to steal subsidised ration items. And in a written response to the Rajya Sabha, the Minister of State for Finance Shiv Pratap Shukla admitted that close to Rs 1.5 crore was withdrawn fraudulently from public sector bank accounts using Aadhaar numbers.
Section 29 of the Aadhaar Act clearly states that Aadhaar numbers or biometric information collected and created for the purpose of generating an Aadhaar identity cannot be published, posted or displayed in public.
As such, the UIDAI’s stance of urging people to not be alarmed by revelations, such as Alderson’s, which showed that biometric data as well as Aadhaar numbers have been made publicly available by third party websites, is perplexing.
So, what kind of damage can a person expect with his or her Aadhaar and biometric data being seemingly available online? Alderson minces no words: “If someone compromised your Aadhaar account in one way, your digital life is screwed.”
“Moreover,” he added, “by linking everything [to Aadhaar], you are giving a lot of information to your government.” Sounds quite like the 34-year-old American cyber security crusader who inspired him, doesn’t he?