Introduction: The World’s Largest Digital Identity

India’s Aadhaar system, launched in 2009 by the Unique Identification Authority of India (UIDAI), is far more than a simple ID card. With over 1.3 billion enrolments, it is the largest biometric identity programme anywhere on the planet. Every resident receives a 12-digit random number linked to their fingerprints, iris scans, and basic demographic data. The stated mission is to eliminate duplicate identities, plug leaks in welfare delivery, and provide every person with a verifiable identity—especially the poor who lack traditional documents. But as the system has grown, so have tensions between the efficiency it unlocks and the privacy it potentially erodes.

This article examines how Aadhaar has reshaped governance in India, where privacy risks lie, and what steps are being taken to ensure that the world’s most ambitious digital ID system serves its citizens fairly.

How Aadhaar Transforms Governance

Plugging Leaks in Welfare Delivery

The clearest governance win from Aadhaar is the Direct Benefit Transfer (DBT) programme. Before Aadhaar, subsidies for food, cooking gas, fertiliser, and pensions often disappeared into the pockets of middlemen or ghost beneficiaries. The government now uses Aadhaar-based authentication to verify recipients before releasing funds directly into their bank accounts. According to government data, DBT saved more than ₹2.7 lakh crore ($36 billion) between 2013 and 2021 by weeding out fakes and reducing transaction costs.

For example, the PAHAL (Pratyaksh Hanstantrit Labh) scheme for LPG cylinders uses Aadhaar to confirm that a consumer actually purchases a subsidised cylinder. The subsidy is then transferred to their linked bank account. This shift eliminated a vast network of dealers who were pocketing the difference. Similar authentication is used for the Pradhan Mantri Kisan Samman Nidhi (PM-KISAN), income support for farmers, and the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS).

Enabling Financial Inclusion

Aadhaar’s role extends far beyond subsidies. Its electronic Know Your Customer (eKYC) framework allows anyone with an Aadhaar number to open a bank account, get a mobile SIM, or buy insurance in minutes—without stacks of paper documents. India’s Jan Dhan Yojana programme, which has opened hundreds of millions of accounts for the unbanked, depends heavily on Aadhaar for low-cost authentication. The combination of Aadhaar, mobile phones, and cheap data (the “India Stack”) has created a digital public infrastructure that powers everything from peer-to-peer payments (UPI) to paperless lending.

For citizens in remote villages, this means they no longer have to travel for hours to a bank branch just to verify their identity. A local banking correspondent with a handheld device can authenticate a thumbprint and complete a transaction on the spot. The World Bank has praised this model as a scalable template for developing nations.

Reducing Duplication in Public Records

Beyond welfare, Aadhaar is being used to clean up other government databases. Voter rolls, income tax records, and pensioner lists are being de-duplicated by linking to Aadhaar. While the Supreme Court has limited mandatory linking for some services, the voluntary use of Aadhaar to detect duplicate entries has improved the integrity of public rolls. For instance, the Election Commission of India uses Aadhaar to identify and remove voters who are registered in multiple constituencies, a problem that historically inflated turnout figures and enabled voter fraud.

Privacy Concerns and Risks

The Surveillance Question

Critics argue that Aadhaar creates a “golden key” to a citizen’s entire relationship with the state. Because the system stores biometrics centrally, the government can potentially track where and when a person uses their Aadhaar number. This creates a metadata trail that could be mined for behaviour profiling. In 2018, journalists reported that unauthorised access to Aadhaar data was sold for as little as ₹500 ($7) on WhatsApp, though UIDAI denied a comprehensive breach. Such reports fuel fears that the system is a surveillance tool rather than a simple ID.

The architecture itself is a point of contention. Aadhaar stores biometrics in a centralised database, unlike decentralised systems such as Estonia’s e-ID. A central store is an attractive target for hackers. The 2017 leak of details of 135 million Aadhaar numbers from the Jharkhand government’s public portal demonstrated how vulnerabilities at the state level could compromise the entire system.

The Supreme Court’s Balancing Act

In September 2018, the Supreme Court of India delivered a landmark judgment (Puttaswamy II) that upheld Aadhaar’s constitutionality but circumscribed its reach. The court ruled that Aadhaar could not be made mandatory for school admissions, bank accounts, or mobile connections—services that do not involve government funds. It struck down Section 57 of the Aadhaar Act, which had allowed private companies to demand Aadhaar for authentication. The judgment also required that biometric data cannot be retained indefinitely and must be deleted after a certain period.

The court’s reasoning explicitly acknowledged the tension between governance and privacy. It argued that the right to privacy (recognised as a fundamental right in Puttaswamy I) is not absolute and can be limited by a legitimate state aim—provided the measure is proportionate. However, dissenting justice D.Y. Chandrachud argued that Aadhaar’s mandatory nature created a “surveillance architecture” incompatible with a free society. The debate continues.

Data Breaches and the Myth of Safety

UIDAI insists that Aadhaar data is safe because the system uses “virtual IDs” and “limited KYC” tokens, meaning that service providers never see the full biometric data. In practice, several breaches have occurred at the level of state databases that collect Aadhaar numbers. For instance, the Jharkhand leak exposed names, addresses, and Aadhaar numbers. In 2019, a chatbot called “Aadhaar Bot” on Telegram allowed anyone to query personal details by entering an Aadhaar number. UIDAI took down the bot, but the fact that such a service could exist indicated poor enforcement of data access controls.

There is also the risk of biometric spoofing. While Aadhaar’s fingerprint sensors have liveness detection, critics note that high-resolution photographs or silicone replicas have been used to fool cheaper scanners. In a country where welfare depends on biometric verification, a compromised thumbprint can literally mean a lost meal.

Impact on Citizens: Inclusion and Exclusion

The Exclusion Problem

For all its efficiency, Aadhaar has created new forms of exclusion. The “failure to authenticate” is a common complaint. Fingerprints wear off with age, manual labour, or diabetes. A 2020 study by the Indian Institute of Science found that female manual labourers and the elderly have significantly higher authentication failure rates. When a biometric fails, the fallback (one-time password or iris scan) is not always available. The result: a family’s ration is denied at the point of sale, or a pension payment is missed.

In Rajasthan, a 2019 survey by the Right to Food campaign found that nearly 30% of households had faced at least one episode of denial of food because of Aadhaar authentication failures. The government has since introduced “offline” verification and alternative modes, but in remote areas where network connectivity is poor, digital identity can become a barrier instead of a bridge.

Women and Marginalised Groups

Aadhaar has exposed gender gaps in digital access. Women, particularly in rural areas, are less likely to own a mobile phone or have their own bank account. If a woman’s Aadhaar is linked to her husband’s mobile number, she cannot authenticate independently. The Economic and Political Weekly documented cases where women lost their widow pensions simply because their thumbprints could not be read. Even when authentication works, the system assumes that one person controls their own identity—a problematic assumption when household power dynamics are not equal.

Balancing Governance and Privacy: The Path Forward

Stronger Data Protection Laws

India currently lacks a comprehensive data protection framework. The Digital Personal Data Protection Act, passed in 2023, is a step forward, but it exempts government processing of data for “specified purposes,” including national security and welfare delivery. Critics say this gives the state too much latitude. A robust privacy law with independent oversight, mandatory breach notifications, and a right to data portability would reassure citizens that Aadhaar cannot be used arbitrarily.

Architecture Reforms

Technical changes can mitigate risks. UIDAI now allows residents to generate a 16-digit Virtual ID (VID) that changes with each use, so the actual Aadhaar number is not shared. The “limited KYC” token system lets service providers verify identity without seeing biometrics. A further reform would be to decentralise biometric storage (as done in Estonia) or to use zero-knowledge proofs that prove identity without revealing underlying data. These changes would be costly but would address the core privacy complaint—that the central database is a honey pot.

Transparency and Grievance Redress

Exclusion is often a process failure. The government has set up grievance redress mechanisms, but awareness is low. For instance, the UIDAI website allows residents to check their authentication history and lock their biometrics. Public campaigns that teach people how to opt-out of certain uses and how to file complaints could reduce the digital divide. Some states have introduced “Aadhaar camps” to re-enrol those with worn fingerprints, but the coverage is patchy.

International Lessons

India can learn from other jurisdictions. Estonia’s ID system does not rely on a central biometric store; instead, it uses distributed authentication via X-Road. The United Kingdom’s GOV.UK Verify system allowed users to choose from certified third-party identity providers, reducing government control over data. Brazil’s digital ID programme (Identidade Digital) links to a citizen card but does not require biometrics for all services. These models show that efficient identity verification does not require centralised biometrics—a lesson India has been slow to adopt.

Conclusion: The Unfinished Project

Aadhaar is neither a dystopian surveillance tool nor a flawless governance panacea. It has demonstrably reduced corruption in subsidy distribution, expanded banking access, and simplified identity verification. At the same time, it has exposed millions to the risk of data breaches, created new forms of exclusion, and raised legitimate concerns about state overreach. The Supreme Court’s 2018 judgment provided a temporary balance, but implementation is uneven.

India now faces a choice. It can continue down the path of mandatory Aadhaar-linked services, accepting the privacy trade-offs, or it can invest in a more decentralised, privacy-respecting architecture while maintaining governance gains. Public trust will depend on which path is chosen. The ultimate test is not whether Aadhaar is used, but whether it empowers the poorest citizen without stripping them of their dignity and control over their own identity.

  • Strengthening data protection: Enforce the Digital Personal Data Protection Act with independent oversight and meaningful penalties for breaches.
  • Technical safeguards: Expand Virtual ID usage, phase out the sharing of raw biometrics, and consider decentralised authentication.
  • Inclusion measures: Ensure offline alternatives are always available, improve grievance redress, and target enrolment support for vulnerable groups.
  • Public accountability: Publish regular audits of authentication failures and data breaches, with clear timelines for resolution.

As India moves deeper into its digital transformation, the Aadhaar system will remain a test case for how nations balance efficiency with rights. The answer will shape not only governance but the very meaning of citizenship in the digital age.