Over the past few weeks, an anonymous person, claiming to be a French mobile app developer, has been using his Twitter account to flag security concerns in the Aadhaar system. Recently, the account released a video showing a hack into the Aadhaar application (app). The Unique Identification Authority of India (UIDAI) has maintained that Aadhaar remains safe and secure. Mayank Jain spoke to Robert Baptiste, the man behind the Twitter account called ‘Elliot Alderson’, to understand the way forward for citizens to keep their information safe. Edited excerpts: Why are you interested in Aadhaar? I am a freelance Android developer. Someone asked me to check the Aadhaar app. This is how I found security flaws and loopholes. Have you found any significant vulnerabilities in the system? I looked at the Android app, not the Aadhaar system as a whole, and found a lot of security issues that need to be fixed as soon as possible. Did you convey these findings to the UIDAI? I published all my findings on Twitter, tagging the UIDAI. I asked them to take action but they never responded. Why did you publish the details and how can people protect their data? I want to help citizens and the government to protect data.
I want to spread the word that security cannot be taken lightly. To protect their data, especially Aadhaar, people have to be careful about what information they provide to third parties, who are happy to collect this data. In the light of these vulnerabilities, how secure is Aadhaar? The biggest issue is with third party companies collecting Aadhaar data. Aadhaar numbers are spread among companies, some of which have poor security. This can be a serious threat for citizens. Any substantial danger to people’s lives from these security flaws? The biggest threat from Aadhaar is of identity theft. Are you open to working with authorities to fix the system? I am open to working with any authority on fixing these issues. This is the goal of my efforts. I want to communicate with them and help fix the flaws before someone exploits. The implications of your findings? By tampering with the app, you can bypass the password protection. It is easy for a developer to do this. When inside, you can access a person’s Aadhaar details and impersonate them. Are you scared of being legally prosecuted for exposing vulnerabilities in the Aadhaar system? I would not be doing this if I were scared of consequences.