A French security researcher who goes by the pseudonym “Elliot Alderson” has been on a rampage of security testing Indian sites for vulnerabilities and data breaches after the denial-prone UIDAI dismissed the issues he raised and repeated its assertion that Aadhaar is safe. This, frankly, is bait to any security-conscious person: a claim that any technology is perfectly safe is meaningless, and when the creator makes that claim about their own technology it signals arrogance rather than assurance. Alderson, whose core area of competence appears to be Android apps and penetration testing, proceeded to publish a growing list of security issues, leaving the developers of various sites scrambling to respond.

He has pointed out security flaws in several Indian sites, including those of Punjab Police, ISRO, India Post, Apollo Hospitals, Aligarh University, Mumbai University, Telangana NREGA, Bangalore City Police and PayTM, among others. In most cases he was able to get in touch with the developers (India Post, ISRO, PayTM and others) and have the issues fixed before revealing details about them. Some have maintained silence. Others, like PayTM or BSNL, may have tried to save face, but they also fixed the reported issues and stopped defending them.

Alderson has also brought up the difficulty Indian researchers face in getting attention for security issues, given the government's lack of interest in responding to bug reports. Only the UIDAI appears to have persisted in dismissing the issues as unimportant.

Among the security issues he flagged were the details of Aadhaar cards found on various government websites. This is by no means a new issue; Indian researchers and tech-savvy individuals have been flagging it for years. However, because the state's typical response is to shoot the messenger, researchers are increasingly reluctant to report problems, even when reporting would spare the state further harm.

What is proving different with Alderson is that, besides knowing the technology, he is not under Indian jurisdiction and is not intimidated by the tactics the UIDAI typically uses to silence reports of security issues. Instead, those tactics seem to provoke him to do more to make his point indisputable. For his part, like many tech professionals who object to Aadhaar, he has stated that he is not against Aadhaar itself, but sees the lack of seriousness about security as the problem.

While most organizations he reported vulnerabilities to have addressed the issues promptly and with minimum fuss, as is the norm in the tech world, the UIDAI has in its typical style dismissed them and tried to discredit him, instead of disclosing and fixing the issues transparently. This has clearly backfired, and Alderson is focusing on Aadhaar with increasing tenacity.

The resultant back and forth played out on Twitter, much to the amusement of those who have tried unsuccessfully to get UIDAI to take data breaches seriously.

The data leak tweets

Alderson had previously brought up issues with the mAadhaar app, the security of websites providing Aadhaar bridge related services, and more. He then tweeted about finding Aadhaar card details published on government websites.

The UIDAI responded to this by saying that it was not a problem. “Putting such information is perfectly fine and is consistent with UIDAI policy of proactive disclosure and transparency under RTI. And no way it can be termed as leak by any stretch of imagination.”

He then went on to find the details of some 20,000 Aadhaar cards on Indian government sites within three hours.

The UIDAI responded with a series of incomprehensible tweets. They veered from its standard assurance that all was well, to veiled threats aimed at those who reveal Aadhaar card details, and from asserting that there was no harm in Aadhaar data being revealed because Aadhaar could not be misused, to saying that it contains private information and therefore should not be shared. The overall tone was that Alderson had not shown any security issue and was trying to raise baseless fears.

Alderson, of course, was not impressed.

Reacting sharply to the phrase “unscrupulous elements” in UIDAI’s tweets, he tweeted a link to a folder left open on the PRIS site for Andhra Pradesh containing Aadhaar card images, including biometrics.

He further said that he would start a bot to find Aadhaar card information left unsecured on the internet and tweet about the leaks.

And the war continues. It is the classic story of someone with nothing to lose against someone with too much to lose to admit anything. There seems little doubt that Alderson will continue his rampage of making Aadhaar security issues public. There is little hope that the UIDAI will finally develop a sense of professional ethics and work to address the flaws, or at least ensure that the project does not continue to cause harm.

What happens next remains to be seen.

However, one important question Alderson’s security reports and the UIDAI’s responses have raised remains:

If the UIDAI is not able to stop a determined researcher from finding and reporting security issues, what chance does it have of stopping a determined attacker from exploiting them?

But we know the answer to that one. They don’t care.