In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? - Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. - Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty - Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Thursday, August 9, 2018

13837 - Exclusive: Top security expert exposes dangerous flaws of Aadhaar - Sabrang India




Date: August 1, 2018


Scientist Dr. Sandeep Shukla’s confidential studies highlighted the loopholes in Aadhaar but nothing has been done to beef up data security by the government yet.


Prof. Dr. Sandeep Shukla is one of the foremost system security experts and scientists in India. Professor Shukla currently heads Computer Science and Engineering Department, Indian Institute of Technology, Kanpur. He also serves as the Editor-in-Chief of ACM Transactions on Embedded Systems, and associate editor for ACM transactions on Cyber Physical Systems.

He has raised concerns on UIDAI Aadhaar’s security from time to time. One of his confidential studies highlighted the loopholes in Aadhaar but nothing has been done to beef up data security by the government yet, he observes.

In an exclusive interview, he spoke to Ujjawal Krishnam.

What is your general view of digital identifiers like passport and Aadhaar which contain sensitive information like biometric and demographic data?

I think that citizen’s privacy is not being taken seriously in India. A recent news article I read about the report by Justice Srikrishna committee on data privacy scared me. The report said that NASSCOM and other interested parties diluted the provisions for privacy, and any measure was not to be retroactive to data already available in the public domain. This is exactly the opposite of what Europe has done. Even in the US, when I went there as a student, social security number was used as a roll number for students in the university. By 1995, that was made illegal, and universities had to assign a local 9 digit number to students. But this number was related to the social security numbers of the students. When I was a faculty back in 2008 or so, new laws came into effect about privacy, and Universities had to create special computer programs that they supplied to faculty and staff to find any email or files on their personal computers where a student name and his/her roll number were in the same email or file. This program was meant to expunge all such files, emails etc. We were not allowed to display grades against roll numbers, and in no circumstances write an email where a student name and roll number were together. This is retroactive privacy. This was done to avoid in any way to divulge a student’s social security number given his/her name. Note that social security numbers are just numbers against names, and social security administration never ever collected biometric data. In fact, in the US, a person’s biometry cannot be requested without his/her informed consent on how that data will be used. Any use beyond that will require a judge’s permission.

So, while digital identifier is a requirement for many functionalities of governance, especially in the domain of taxation, immigration or international travel; adequate provisions of privacy in the law and its proper enforcement are extremely important. That is what is missing in India and from the recent reports on digital privacy commission, it is not very hopeful. Lobbying by large industrialists with vested interests will dilute it.

So it is very scary to think of how the digital identity is in the hands of one particular body without any oversight, no ombudsman to address citizen’s concerns, and no legal framework and sufficient safeguards against misuse. If today, UIDAI wants to turn off the Aadhaar authentication for someone they do not like, they can do that, and short of supreme court intervention, nothing can be done about it.

So no matter what one thinks about the need for digital identity with biometry for efficient e-governance, due to lack of the right mindset, awareness of privacy issues, awareness of threats and regulatory and oversight framework, they are very disturbing, to say the least, and outright violation of citizen’s right to liberty.

You being a computer scientist can tell us better about the constraints related to technical safety measures generally faced while maintaining web-accessible data. Are they vulnerable?

Any data that is accessible via the web, can be hacked. For example, the software used to build a website is written by human programmers, and it often carries many vulnerabilities. Only a few months ago, one of the most popular website building software Drupal was found to have such a vulnerability that by using it, a hacker can easily install malware into your web server and get root access, compromise your encryption key and exfiltrate all data. In fact, our website was running on Drupal 7.57 and our system administrator did not update it to 7.59 in spite of being warned and we got completely hacked. In 2016, Linux operating system Kernel was found to have a bug called ‘dirty cow’ which allowed anyone to become a root administrator of a web server running on Linux that was not updated, and again we ourselves hacked our system administrator’s website. So, anyone who exports an interface to the world through web technologies can fall prey to hacking and data exfiltration or worse. The system administrator has to be always on his/her toes, keep watching out for advisories from security agencies and update their software immediately – otherwise, they will be attacked very easily.

However, much of the Aadhaar data leaks happened not even because of these, but because the database behind the web server was seeded with Aadhaar data because of poor choice in using Aadhaar as the identity of people in these databases.

This happened to Andhra government database for MNREGA recipients and it showed the caste and longitude-latitude of their homes, and it was available through that website. Given the large-scale atrocities against Dalits and other minorities, this made it very dangerous kind of data to be made available so easily.

In December 2011 the Parliamentary Standing Committee on Finance, led by Yashwant Sinha, rejected the National Identification Authority of India Bill, 2010, and suggested modifications. The Committee noted that the project was being implemented in an unplanned manner and bypassing the Parliament. As per reports, Intelligence Bureau too slammed Aadhaar as residence proof. Taking a U-turn, BJP led government too adopted Aadhaar. What technical difference do you find between Aadhaar of UPA regime and Aadhaar of incumbent NDA regime?

My understanding is that Aadhaar under UPA regime was meant only for identifying the recipients of government subsidies such as MNREGA, food safety provisions etc. However, even then the privacy concerns were the same. In the current regime, they have forced us to link our bank accounts, our mobile numbers, and whatnot. This has now become draconian compared to the original motivation of Aadhaar. However, even the original motivation would have had the same problems if done the way it was designed. Today UIDAI claims that their servers are very secure behind physically strong walls, 24x7 sentries, and also strong encryption etc. But the point is that 30 per cent of all important cyber-attacks in the world are known (through various industry surveys) to be due to insider attacks. That may mean some disgruntled employee or a vindictive system administrator can run havoc on a secure system. Also, if a citizen is disliked by the authorities, they can willfully destroy that person’s Aadhaar record and thereby disable his bank transaction abilities, rendering his mobile connection illegal and what not. The other issue is that most of the leaks that happened are not from the main servers at UIDAI but from all kinds of databases that are seeded with Aadhaar numbers. Those databases are under the control of various other jurisdictions and hence may not have adequate technical knowledge or wherewithal to take cybersecurity measures to protect the data. Also, biometry-based authentication can be faked using fingerprints lifted from various places one touches and using a 3D printer or a mould. Recently, it happened in Mumbai – an enrolment agent gave a copy of his fingerprint mould to someone else to use for authenticating himself to enrolment software in his absence. A number of back channels created for convenience led to use of those back channels for Rs. 500 as was reported last year. 
There are numerous scenarios one can think of that can get a person into trouble because of Aadhaar. If the authorities took cognizance of these and had taken the measure by not allowing everyone to ask for Aadhaar number or Aadhaar card (my UPS package delivery guy refused to hand over a package without a copy of my Aadhaar card) and regulated any agency that seeds their database with Aadhaar number – things would be safer; But their reaction is always denial and often aggressively dismissive – which is a huge problem in even fixing this problem. So technically even if the UIDAI servers may be better protected, I do not see that as adequate as the leaks are everywhere but at those servers.

“UIDAI authorities have created core security and encryption mechanism very well, but as you go outwards into the ecosystem, your control over those entities starts loosening,” you had said as flaws in the NIC developed app surfaced. What were the concerns you were raising then? Did the authority take a note of it?

This was my comment during the hack by a computer scientist back in 2016 of the E-hospital app created by NIC using Aadhaar based authentication. The app was created by NIC and using the app one could book a hospital appointment anywhere in India. In order to identify the patient, it required the patient’s Aadhaar number and OTP to his/her mobile. The app authenticated itself to the user agency servers using a hard-coded password in the program (which is an extremely poor security practice and should never be used). The hacker used the app, some network monitoring while the app interacted with the NIC servers, and a code disassembly to discover the hardcoded password as well as the protocol. Then he created his own app which used the same server and got Aadhaar details of many people.

While speaking to Hindustan Times, I commented that NIC had shown extreme negligence and incompetence because any software company should first do a cybersecurity audit before the software is released to the public which they seemingly did not do. A couple of NIC employees threatened to go to court for calling them out. This is not the way. If one has made a mistake, which anyone can, it is best to understand the mistake, withdraw the product, fix the product and fix the software development process, and then re-release it. This kind of approach to keep things under the wraps, or to threaten the people who criticize the lack of cybersecurity audit process cannot lead to security.

Similarly, various cases of Aadhaar leaks have come to surface since then, and in all cases, we saw denial to the effect that “UIDAI servers did not get hacked – so your data is safe” – instead of “oh we need to take adequate measures against those companies that designed poor software, or did not protect the data and privacy.” Shooting the messenger is not the proper response to security problems.

So the major problem with Aadhaar does not stem from the servers – although it could – if one employee with the keys to the encryption system goes rogue – which can happen – the main problem stems from the fact that it is being connected to each and every piece of information. Even my Air India frequent flyer account now demands e-KYC. Even though the Supreme Court has put a suspension to the requirement of connecting bank accounts or mobile numbers to Aadhaar – we can no longer open a bank account – or get a mobile subscription without Aadhaar. Even cable tv subscription is asking for Aadhaar. So our privacy and data security and our financial security is getting more and more in danger every day. The fact that UIDAI servers are safe has nothing to do with it.

One confidential study of yours was discussed in the government and in MeitY. The report highlighted that digitalisation of the banking sector post-demonetisation led to a sharp increase in cyber-crime. Since the government is pushing towards Aadhaar-based financial transactions, securing the Aadhaar database should be accorded top priority. With the Aadhaar number being integrated to various services, leakage of UID data is a matter of serious concern. Your study also signalled that Digital wallets promoted post-demonetisation like Paytm and BHIM are unsafe. What are the concerns here? Are there any developments shown by the government on the technical aspect?

We did that report and we were told that the committee would take it up in the parliament. But to our knowledge that never happened. I think in September, it will be two years since we did that report.

Recall, that Paytm app was asking for root access to our phone until a hacker found out and tweeted about it. Now Paytm says that they withdrew that functionality. Why does a wallet need root access of a phone? That sounds pretty suspicious. But our concern was somewhere else. In 2016, 70 per cent of Indians were using Android 5.1 or below. Even now, a lot of Indians use old Android phones. Also, a lot of Indians do not download the latest patches on their phone. Many cheap phone companies do not even make the latest updates available to their users in time. Recently Google fixed a large number of security problems in Android 8.0 but a lot of cheaper phone makers did not provide those patches to users yet. Now, without the patch, any phone can be hacked with malware, or apps laced with malware. Therefore, anyone using any wallet on such vulnerable phone could be subject to losing his/her banking credentials.

Your study also suggested that a Cyber Security Commission needs to be urgently established modelled on the Atomic Energy Commission with similar powers and mandate since it also involves defence risks as well as finance-related concerns. Please outline the model and concerns.

I feel that cybersecurity is not taken seriously enough. Cybersecurity is a serious business today. Recall the Russian hacking of US election or the Ukraine power grid being hacked and many other such incidents. Even today, the report on MH 370 flight came out with a suspicion that the trajectory might have been manipulated. The cars can be hacked as shown by many researchers and brakes may be made to fail. The Android phones had a remote management problem that was recently discovered. So, it is in the interest of national security to take cybersecurity seriously.

A cybersecurity commission would work independent of the government of the day, like the atomic energy commission or space commission and protect the privacy of citizens, and hold government entities responsible for the breaches. There seems to be no regulatory framework for cybersecurity weakness assessment of any data or the operations of various critical services. The commission should employ cybersecurity experts and not bureaucrats whose cybersecurity knowledge is limited. Also, it seems that most bureaucrats take any criticism personally as can be seen by UIDAI’s response after every data breach. No one can design a cyber-secured system perfectly and those who say they can are not being truthful or are ignorant. So under proper experts, this problem of taking things personally and persistent denial when some privacy concerns are raised will hopefully disappear and more scientific temperament will be there.

A recent report published in 'People's Archives of Rural India' highlighted the problems revolving around biometric records of beneficiaries. The report illustrated woes of Lucknow's Parwati Devi whose fingers were damaged due to leprosy. So this waste worker in Lucknow – and possibly thousands similarly afflicted – couldn't get an Aadhaar card too, and without it, she cannot get disability pension or rations as well. What are some technical alternatives which can be used in such critical cases?

Well the UIDAI authority would show in the Aadhaar Act, they have kept provisions for such cases and forbade such denials due to lack of biometric authentication. For example, a blind person cannot provide Iris scan, or people employed in labour intensive job may lose the fingerprints. However, the reality on the grounds is different. It seems that providers of the services are not aware of the Aadhaar act, and there is no attempt by authorities to strongly punish those services who deny services due to lack of a biometric match. This is really an implementation problem, and without the authorities making all such service providers aware of the specific provisions of the Aadhaar Act, and levying penalty on such service providers when they do not abide by the law – this cannot be handled.

The alternative to biometry is often OTP sent to the registered mobile of the user – but for a poor person – not having a mobile phone or someone who changed mobile number this won’t work.

While a lot of people are unable to get Aadhaar card due to these reasons, a lot of fake Aadhaar cards are getting created by various follies of the enrolment software.

So I think this biometry based identification and authentication was abandoned by UK and other countries just because of these kinds of situations. I will stick to my point that using biometry which cannot be changed when compromised unlike password which can be changed if compromised, is a really bad idea.

Just some days ago TRAI Chairman R S Sharma put out his unique ID on Twitter with a challenge to anyone who could "do any harm"; this came as an attempt to show down critics of the Aadhaar system. Following this, some self-claimed hackers replied to him with his personal information. The authority has denied any Aadhaar breach, as the information shared was available in the public domain. What is your reaction to Mr Sharma's challenge?

As I said before, UIDAI always responds that the database they maintain is safe – but it does not matter. Why does a UPS mailman ask for a copy of my Aadhaar? Because his boss does not trust him and wants my Aadhaar copy to believe he delivered. But if my Aadhaar number is known to him the first time, he can easily make a fake Aadhaar and from then on never deliver my order, and just show his boss a copy of my Aadhaar. This has come to that kind of stupidity in the country – mindless use of Aadhaar everywhere. The reason for this is that even some educated people with vested interests such as Mr. Sharma tell citizens that Aadhaar is flawless and promote its use everywhere.

Another defence we heard from Mr. Sharma and his supporters is that the personal information the hackers showed within hours of knowing his Aadhaar number was all in the public domain. First of all, that itself is no defence because that means he, one of our regulators, does not take data privacy seriously. Why is he making his mobile number, which he also uses as registered mobile for Aadhaar, public? Does he not know fake SIM based attacks? He was lucky that white hat hackers who responded to him did not go beyond legal limits – they can exact much more harm to him than they did as they usually do not go beyond legal limits. But at the same time, he should be aware that many black hat hackers also saw his tweets and might be working in silence and he will know it sooner or later but it may be too late.

The simplest kind of attack that he faced was connecting the dots of various disparate sources of public information easily as every piece of information now is somehow attached to Aadhaar number and that too because of him and his allies. Someone even faked his Aadhaar card with simple software and used it to make accounts in his name in cloud hosting services. They could also run an illegal site on that host in his name – and get him into trouble. Of course, being connected to government – nothing of that sort will probably happen to HIM, but if regular citizens do not treat their Aadhaar number as sensitive information following his lead, they might get into serious trouble like that.

Last night, Mr. Sharma said that he is getting 100s of Aadhaar authentication request messages on his phone which is draining his mobile battery – that is called a denial of service attack. Any student of cybersecurity knows of this kind of simple threat model because it can be done with IoT devices, mobiles and many other devices. Why did he not think of this before making his Aadhaar number public? That shows how little he knows about cybersecurity, and little knowledge is a very dangerous thing.

Following the challenge, a Twitter user put a thread mentioning that he made a fake Aadhaar of R S Sharma with the available information and digital platforms like Amazon have accepted it as an identity proof too. Doesn't that mark a feeling of grave disquiet among citizens?

Yes, indeed. He misled citizens and if others do the way he did – and they do not have the government muscle power that he has – they could jeopardize their identity and life in many ways. It was absolutely imprudent and irresponsible message to send to people, and a lot of white hats got back at him for that. But who knows what black hats are plotting silently against him. We will know in the coming months.

Dylan Curran, a data consultant and The Guardian contributor, spent three weeks studying FreeHacks, one of the dark web’s biggest platforms for hackers. He found that nothing is safe, from passports to credit cards. What is your opinion on the dark web with regards to the vulnerability Indian digital identifiers are facing?

Most advanced governments such as Israel, US, UK, Russia monitor the dark web as it is those dark edges of the Internet which are not accessible via Google search or any other easy means. They are known to users of the dark web and one has to access those through anonymous proxies such as Tor. There are some hacker channels which are pretty innocuous but there are deeper channels that are outright illegal stuff. Silk Road is the most infamous dark web activity that was dismantled by FBI – people were doing illegal drug business and apparently even paying professional assassins through that.

As I said – while UIDAI and other Indian authorities often have been very unkind to white hat hackers – they are actually the ones who are showing them what is wrong and what should be improved. But black hat hackers congregate on the dark web and discuss these vulnerabilities and I won’t be surprised that Mr. Sharma is a subject of plots in the dark web discussion forums by really talented but criminal hackers.

A 2017 compendium drafted by UIDAI on Aadhaar observed that Aadhaar can now be de-linked from any account. Is it necessary?

I think if it is enabled – people should delink. But the problem is that most entities like banks, mobile phone companies, insurance companies and anyone else who took your Aadhaar data via e-KYC have already seeded their local databases with Aadhaar. Much of that might not even be under the jurisdiction of UIDAI. You may de-link your data from the UIDAI servers if they allow, but the monstrosity enabled and created by UIDAI over the last few years will not go away easily, and our citizen’s data privacy has been compromised for good.

This is really treacherous territory – and it is really unfortunate that our bureaucrats and politicians forced it down our throat and now they cannot save us from the consequences.

As per our records, there are at least a hundred Aadhaar enabled frauds recorded between March 2012 and April 2018. Many of the cases include forging Aadhaar. Some cases also saw verified agents providing Aadhaar on fake supporting papers. Last year, a Pakistani national was arrested from Haryana with a forged Aadhaar card. Incidents like these also question Aadhaar's credibility. So, should there be a similar Aadhaar application system like Passport Seva Kendras (PSK)?

There are Aadhaar enrolment centres – and last year UIDAI stated that they will close down all small enrolment centres and only will allow post offices and banks to be enrolment centres. But the passport is not so universal as the majority of our population do not go abroad ever, so passport seva kendras are in big towns and large cities. They made Aadhaar mandatory for everyone – so making seva kendras at the same sparsity as passport kendras won’t suffice. They have to do it much more locally and then the same problem of forgery will happen. So, I think the best is to declare Aadhaar as a bad idea and go for a different model of digital identity.

If you say that you need a nationwide ID to collect birth and death data, our federal system is completely broken. So is our local governance. Such records should be kept at the district level, and consolidated at the state level, and the central level database should get feeds from state databases. Of course, one can imagine a project to computerize such registration system in that hierarchical setup. But doing it through a national identity is basically undermining the federal structure, and also centralization intent based. I do not see why Aadhaar is needed. It seems a posterior justification of draconian Aadhaar system.

Instead, laws should be strengthened to ensure that all district administrations and state administrations have enough IT-enabled systems to feed into the centre’s database on the birth/death and other life events. In fact, such data need not reveal the identity of the persons -- if public health policy decision is the aim of such a system.

Again, adding educational data through Aadhaar suffers from the same issue - education is a state subject - and already there is too much centralization (NEET vs. state medical entrance exams). If the answer to all corruption is to centralize and intrusion into local governance -- then our system of governance is broken and requires a new constitution.

To me, identity should be hierarchical -- not a flat structure. The local government is in a better position to provide identity to a person and then it should be collected from local governments as and when required. I think my biggest problem is the centralisation and thereby exercising control. I read somewhere that the Aadhaar of the journalist was blocked who showed on TV that with a fake name he could register himself twice? I can understand if UIDAI had filed a police case against him and let the judges decide the punishment - which he did - but on top of that like a tyrant he blocked his ID -- and if this is the only ID one can function with - this person is disabled in all functionality and livelihood. This should be illegal to do so by local governments, but then the person can appeal to the next higher authority and get the ID unblocked. But if there is this flat central structure whom can he approach?


I think PDS should also be hierarchical as was originally designed. Of course, corruption and middlemen need to be cut out through IT-enabled mechanisms but I think Aadhaar is harmful to PDS itself and also harmful for citizen rights.