Author: Princy Sawant, National Law University Jodhpur
ABSTRACT
India’s Aadhaar program, launched in 2009 and statutorily recognized by the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, has emerged as the world’s largest biometric ID system. By linking fingerprints and iris scans to a 12-digit unique number, Aadhaar has sought to eliminate duplicate identities, plug welfare leakages, and foster financial inclusion. However, centralized biometric repositories raise fundamental human rights questions, particularly concerning privacy, data security, state surveillance, exclusion of vulnerable groups, and emergent frauds.
This paper employs a doctrinal-policy methodology to examine the legal framework underpinning Aadhaar, including recent proposed amendments to align it with the Digital Personal Data Protection Act, 2023; to review scholarly, judicial, and news-media literature identifying cryptographic vulnerabilities, consent deficits, transparency lacunae, and high-profile Aadhaar scams (such as the 2023 Madhya Pradesh police recruitment scam and the widespread “digital arrest” fraud in late 2024); to analyze the implications of mass biometric storage for civil liberties; and to propose policy and technical reforms. Through a systematic literature review, doctrinal analysis of statutes and case law, and comparative insights, the paper fills a research gap by integrating technical audits with human rights discourse. The findings reveal that while Aadhaar has delivered tangible social welfare benefits, its architectural centralization, insufficient consent mechanisms, weak independent oversight, and recent large-scale frauds threaten the inviolable right to privacy and risk state overreach. To reconcile digital innovation with fundamental rights, recommendations include adopting privacy-by-design principles, decentralizing biometric storage, strengthening grievance redressal, and curbing the misuse that has enabled multi-crore scams.
KEYWORDS
Aadhaar; Biometric Data; Privacy; State Surveillance; Right to Privacy; Data Protection; Exclusion; Human Rights; Digital Fraud
INTRODUCTION
In the last 10 years, digital identity projects have transformed public administration in many countries. The Aadhaar project in India, developed by the Unique Identification Authority of India (UIDAI), aims to provide each resident of India with a unique 12-digit identification number linked to biometric data (fingerprints, iris scans) and demographic data (name, date of birth, address). As of March 2023, Aadhaar covered more than 99.9 percent of India's adult population, making it the world's largest biometric database. The Indian government emphasizes that Aadhaar has reduced "leakages" from welfare schemes (e.g., the Public Distribution System, LPG subsidies), enabled direct benefit transfers, and improved financial inclusion for historically disadvantaged groups. However, whatever its benefits, the centralized and immutable nature of Aadhaar's biometric data raises significant human rights issues. Scholars and civil rights activists point out that as long as Aadhaar remains centrally constructed and data-protection mechanisms remain limited, millions of Indians will stay vulnerable to data breaches, identity theft, and state surveillance. Although the Supreme Court of India, in its landmark ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India, acknowledged that privacy is a fundamental right and imposed restrictions on mandatory Aadhaar linkages, statutory oversight, effective technical safeguards, and the transition to the newer data-protection standards of the Digital Personal Data Protection Act remain incomplete.
Recent media-covered Aadhaar scams, such as the 2023 Madhya Pradesh police recruitment scam, in which a "Solver Gang" used technology to swap out candidates' Aadhaar photos and fingerprints so that impersonators could sit the examination, and the "digital arrest" scheme that diverted over ₹20 crore from an 86-year-old woman in Mumbai, highlight the need to examine Aadhaar both as a service-delivery mechanism and as a target of evolving cybercrime and state surveillance. This paper analyzes (a) the legal framework around Aadhaar and biometric data (and the proposed changes to align it with the DPDP Act, 2023); (b) the privacy and security vulnerabilities of systems that collect biometric data on a large, mandatory scale; (c) the implications for state surveillance and civil liberties; (d) exclusion-based harms to vulnerable populations; (e) new Aadhaar scams and fraud schemes; and (f) approaches to a reformed framework and corresponding recommendations. This student-authored yet comprehensive analysis, based on scholarly and policy literature, court decisions, and media coverage, identifies the pressing need for a balance between India's transition to the digital era and the protection of human rights.
LEGAL FRAMEWORK GOVERNING AADHAAR
AADHAAR ACT, 2016
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 was enacted to give legal legitimacy to the Aadhaar effort, which had existed in practice since 2009. Under the Act, the Unique Identification Authority of India (UIDAI) is charged with collecting demographic and biometric information and issuing a unique identification (UID) number consisting of 12 digits. Section 2(g) of the Act defines biometric information to include fingerprints, iris scans and facial photographs, while section 2(k) defines demographic information to include data such as name, date of birth, and address.
Section 7 allows the government to require UIDAI authentication in order to qualify for, receive, or use subsidies or benefits funded from the Consolidated Fund of India. The sizable discretion conferred by the language of this provision has led to Aadhaar being used for purposes well beyond the welfare focus of the law. Section 8 provides that requesting entities may submit authentication requests using a holder's Aadhaar information to UIDAI, while section 29 provides a regulatory framework for sharing information but does not guard against access by state authorities absent judicial oversight.
Despite containing data security provisions, the Act has been criticized for lacking independent oversight and enforceable user rights. Notably, it does not give users a right to withdraw consent, request data erasure, or obtain details of the entities that have accessed their data.
PROPOSED AMENDMENTS IN LIGHT OF DPDP ACT, 2023
In August 2023, India enacted the Digital Personal Data Protection (DPDP) Act, which aims to establish broad legislative data protection standards. The DPDP Act defines biometric data as "sensitive personal data" and requires purpose limitation, data minimization, and user consent. It is the first legislation in India to limit the collection of personal data and to impose obligations on how personal data is stored. However, because the Aadhaar Act predates the DPDP Act, concerns have been raised about normative dissonance between the two laws, particularly in how personal data linked to an individual's UID or Aadhaar number is governed.
To respond to these concerns, the government has proposed amendments to the Aadhaar Act to align it with the DPDP Act. In particular, one proposed amendment would allow Aadhaar holders, after giving the purpose-based consent required for authentication of benefits, to use masked Aadhaar numbers, to share only encrypted QR codes when asked to authenticate, and to consent to a function or device control using an option to consent to certain lines... The government has also proposed that, when giving consent for authentication, the user will be able to decline to share personal data such as the biometric identifier or Aadhaar number, in keeping with the principle of data minimization, so that personal data is withheld whenever the action does not need it.
These changes are designed to support more consent options, giving users increased control, reducing "function creep" and reinforcing protections against profiling. The government has also opened discussion on whether UIDAI's decisions to share authentication data with enforcement agencies could be made subject to judicial review, consistent with the Supreme Court's privacy jurisprudence, which would help develop statutory safeguards.
SUPREME COURT VERDICTS: PUTTASWAMY I (2017) AND PUTTASWAMY II (2018)
Aadhaar's legal trajectory has been shaped substantially by the Supreme Court's two momentous decisions in Justice K.S. Puttaswamy (Retd.) v. Union of India. In the 2017 judgment (Puttaswamy I), a nine-judge bench of the Supreme Court unanimously held that the right to privacy is a constitutional right protected by Article 21 of the Constitution. The Court emphasized that any intrusion into privacy must satisfy a three-part test: legality, necessity, and proportionality.
In Puttaswamy II (2018), the Court examined in detail the constitutional validity of the Aadhaar Act itself. The Court upheld the use of Aadhaar for the limited purpose of accessing welfare schemes under Section 7 of the Act, while declaring unconstitutional, in certain respects, the requirements that Aadhaar be produced to obtain a mobile phone connection or a bank account, or for children to obtain school admission. The Court reiterated that Aadhaar must not become an instrument of total surveillance, or a means of forcing everyone to access services. The Court also ordered private parties to delete the Aadhaar data they had obtained, and additionally directed UIDAI to retain authentication records for only six months.
Overall, these two decisions provided a substantial degree of constitutional protection in relation to Aadhaar, but gaps in enforcement remained: the Court intended to confine Aadhaar to an acceptable role in accessing services, while various agencies and service providers continued to press Aadhaar linkage directly, sometimes coercing consumers indirectly through notices.
JUDICIAL AND REGULATORY DEVELOPMENTS POST 2018
Following the Puttaswamy cases, judicial and administrative authorities have continued to shape how Aadhaar operates. In R.K. Garg v. Union of India (2019), for example, the Delhi High Court found that requiring Aadhaar as part of the appointment process at AIIMS was unconstitutional under Articles 14 and 21, reinforcing the understanding that Aadhaar cannot be coerced as a prerequisite or default. UIDAI has also amended its regulations in light of that finding, including through the Aadhaar (Authentication and Offline Verification) Regulations, 2021, and has continually updated the enrolment and update process.
Notably, the Aadhaar (Enrolment and Update) Regulations were updated in June 2025 to promote offline modes of verification, with a significant simplification of re-verification provisions. Nevertheless, activists continue to point to the absence of independent data audits and to the storage of biometric data in a centralized repository.
In sum, while the Aadhaar project rests on a legal foundation, the actual use of Aadhaar remains plagued by enduring concerns about national interest versus proportionality, informed consent and data security. The evolving legal framework, especially the provisions of the DPDP Act, provides a unique opportunity to place the Aadhaar system on a constitutionally and human rights compliant footing.
PRIVACY CONCERNS AND DATA SECURITY VULNERABILITIES
RISKS OF BIOMETRIC STORAGE
Biometrics, including fingerprints, iris scans, and facial recognition patterns, are permanent and immutable forms of identification. Unlike passwords, biometric identifiers cannot be reissued: once an individual's biometrics have been breached, they must be assumed permanently compromised, just as a person cannot change their face to obtain a fresh identifier. Because of this permanence, how biometrics are stored and used is especially sensitive. For all intents and purposes, Aadhaar's purpose-built architecture is one of centralisation, and UIDAI's central database contains the biometric templates of more than a billion residents. The risks are compounded by UIDAI's reliance on a dated security protocol, AES-128 encryption, which, while still relatively secure so long as UIDAI does not reverse course, no longer provides the same security guarantees as some of the newer options and may at some point be considered too weak for use cases carrying such risk. The persistence of a single point of failure means that, from a cybersecurity perspective, the database is a "honeypot" on which countless downstream systems depend. A breach of UIDAI's servers would compromise millions of identities at once.
CONSENT ISSUES
Informed consent is a cornerstone of data protection. However, multiple field studies have revealed that Aadhaar enrollment often occurred without proper explanation of the nature, scope, and future use of the data being collected. Many individuals do not understand the implications of sharing their biometric data. Many were told that Aadhaar was mandatory for accessing subsidies or bank accounts, often without being informed of alternative verification options.
Furthermore, Section 7 of the Aadhaar Act permits the use of Aadhaar authentication for government benefits, but its implementation often blurs the line between voluntary and mandatory use. The result is a form of coerced consent, where individuals feel compelled to submit to biometric authentication for fear of exclusion from essential services. This practice contradicts the principle of proportionality laid down by the Supreme Court in Puttaswamy (2017), which mandates the least intrusive method for achieving legitimate state aims.
TRANSPARENCY AND AUDIT PROBLEMS
A robust data protection regime requires not only secure systems but also transparency about how data is used, stored, and shared. While UIDAI publishes basic operational reports, there is a significant lack of detail regarding third-party access to Aadhaar data, data-sharing agreements, breach incidents, and the outcomes of internal audits.
In 2021, the Comptroller and Auditor General (CAG) flagged inadequate access controls and audit trails in UIDAI data centres. Yet, as of mid-2024, UIDAI has not publicly confirmed whether these recommendations were implemented. Without an independent oversight body or public audit reports, citizens are left in the dark about how securely their most sensitive information is handled.
AADHAAR RELATED SCAMS AND FRAUDS
The vulnerabilities of the Aadhaar system are not just theoretical; they have already been used in significant frauds. In October 2023, there was a police recruitment fraud uncovered in Madhya Pradesh in which a "Solver Gang" hacked into the Aadhaar records of candidates to allow a proxy to take the exam for the candidate. The gang forged photos and biometric data to impersonate the real candidates. Police identified over 1,500 hacked Aadhaar records, and there were arrests in a number of districts including Morena, Alirajpur, and Sheopur.
In another striking incident, in March 2025, an 86-year-old woman in Mumbai lost more than ₹20 crore in a “digital arrest” scam in which the criminals impersonated police officers and claimed her Aadhaar was linked to criminal activity. Using fake UIDAI notifications and threats, they coerced her into transferring money to “safe accounts.” The sophistication and psychological manipulation involved clearly illustrate how trust in Aadhaar can be abused.
In another shocking example, in January 2025, a gang operating in UP was found to have hacked over 1,500 Aadhaar profiles across 12 states, altering photos along with mobile numbers and addresses in order to access ration benefits and bank accounts illegally. These cases highlight structural weaknesses in the Aadhaar authentication system, and they also show that there appear to be no timely alerts or remedies for affected victims.
REMEDIES AND PRACTICAL RECOMMENDATIONS
In order to protect constitutional rights and prevent the misuse of biometric data, Aadhaar’s system must be comprehensively restructured through appropriate legal, technical, and administrative measures. Aadhaar’s legal framework should be reformed in accordance with the Digital Personal Data Protection Act, 2023 to mandate purpose limitation, data minimization, and explicit consent. Sections 7 and 29 should be revised to insert judicial oversight, and Sections 43 and 53 of the Act should be amended so that enforcement agencies cannot access data without a warrant.
The serious risk created by holding biometric templates and data in one central location cannot be overlooked. UIDAI should move promptly to a federated architecture, as a measure of accountability, in which individuals store, or can choose to store, their own encrypted biometric data. For example, UIDAI could explore storing biometric data on smartcards or secure mobile chips, with corresponding arrangements for transactions and backup. This would reduce the attack surface while giving individuals more control. UIDAI must also add differential privacy and purpose-bound encryption keys to authentication. For example, suppose UIDAI captures an individual’s biometric data through authentication for one purpose (e.g., ration access); UIDAI would then require the individual to provide fresh identification and/or consent for a different purpose (e.g., bank verification).
UIDAI must be subject to a statutory Data Protection Authority responsible for audit, investigation, and compliance reporting under the DPDP Act, 2023, and its reports must be public to provide transparency and accountability. A centralized and unified online grievance portal with live complaint tracking should be established. Mobile Aadhaar service units should also be deployed in rural areas to mitigate exclusion, particularly exclusion caused by failed authentication.
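As an added illustration, not from the paper or from UIDAI, of the purpose-bound keys and masked Aadhaar numbers recommended above, the following Python sketch derives a separate pseudonymous token per declared purpose (so a token issued for ration access is unlinkable to, and rejected for, bank verification) and refuses issuance without recorded consent. The issuer class, the sample UID and the purpose strings are hypothetical.

```python
import hashlib
import hmac
import secrets


def mask_uid(uid: str) -> str:
    """Return the masked form of a 12-digit UID (only the last four digits visible).

    This is the data-minimisation display described in the proposed amendments: a relying
    party that only needs to recognise the holder never sees the full number.
    """
    if len(uid) != 12 or not uid.isdigit():
        raise ValueError("UID must be exactly 12 digits")
    return "XXXX XXXX " + uid[-4:]


class PurposeBoundTokenIssuer:
    """Hypothetical issuer that hands each relying party a purpose-bound pseudonym.

    A separate HMAC key is derived for every declared purpose, so the token a ration shop
    receives for a holder is unlinkable to the token a bank receives for the same holder,
    and a token captured in one context is useless in another. Consent is recorded per
    (holder, purpose) pair and checked before any token is issued.
    """

    def __init__(self, master_key: bytes):
        if len(master_key) < 32:
            raise ValueError("master key must be at least 256 bits")
        self._master_key = master_key
        self._consents = set()  # {(uid, purpose)} with consent on record

    def _purpose_key(self, purpose: str) -> bytes:
        # Domain-separated key derivation: one sub-key per purpose string.
        return hmac.new(self._master_key, b"purpose:" + purpose.encode(), hashlib.sha256).digest()

    def record_consent(self, uid: str, purpose: str) -> None:
        self._consents.add((uid, purpose))

    def withdraw_consent(self, uid: str, purpose: str) -> None:
        self._consents.discard((uid, purpose))

    def issue_token(self, uid: str, purpose: str) -> str:
        """Return a purpose-bound pseudonym, or refuse if no consent exists for this purpose."""
        mask_uid(uid)  # reuse the format check; raises on a malformed UID
        if (uid, purpose) not in self._consents:
            raise PermissionError(f"no consent on record for purpose {purpose!r}")
        return hmac.new(self._purpose_key(purpose), uid.encode(), hashlib.sha256).hexdigest()

    def verify_token(self, uid: str, purpose: str, token: str) -> bool:
        """Constant-time check that a presented token belongs to (uid, purpose)."""
        try:
            expected = self.issue_token(uid, purpose)
        except PermissionError:
            return False
        return hmac.compare_digest(expected, token)


def demo() -> dict:
    """Constructed walk-through with a sample UID (not a real Aadhaar number)."""
    issuer = PurposeBoundTokenIssuer(secrets.token_bytes(32))
    uid = "123412341234"  # constructed sample value
    issuer.record_consent(uid, "ration-access")
    ration_token = issuer.issue_token(uid, "ration-access")
    try:
        issuer.issue_token(uid, "bank-kyc")  # no consent yet, so this is refused
        bank_refused = False
    except PermissionError:
        bank_refused = True
    issuer.record_consent(uid, "bank-kyc")
    bank_token = issuer.issue_token(uid, "bank-kyc")
    return {
        "masked": mask_uid(uid),
        "bank_refused_without_consent": bank_refused,
        "tokens_unlinkable": ration_token != bank_token,
        "ration_token_rejected_at_bank": not issuer.verify_token(uid, "bank-kyc", ration_token),
        "ration_token_valid_at_ration": issuer.verify_token(uid, "ration-access", ration_token),
    }
```

Withdrawing consent for a purpose makes every token previously issued for that purpose fail verification, which is the revocation behaviour the paper's consent recommendations call for.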
Outreach should be conducted extensively through vernacular media, schools, and NGOs to educate citizens about their rights under Aadhaar, safe authentication practices, and how to revoke or lock their biometrics. In combination, these changes will preserve the utility of Aadhaar while ensuring the protection of privacy, the avoidance of fraud, and compliance with constitutional liberties.
CONCLUSION
Aadhaar has transformed service provision in India, but its centralised biometric architecture and ineffective legal protections pose severe risks to privacy, security, and civil liberties. The Supreme Court has taken some positive steps to improve protections, yet recent scams and exclusions are the consequence of structural problems that remain. To ensure that Aadhaar continues to be a tool of empowerment rather than of surveillance, the Indian Government should develop a rights-based approach underpinned by transparency, consent, and accountability. Legal reform, decentralisation of data systems, independent oversight and extensive public information are all critical to a position in which innovation can continue without undermining individual dignity in practice. As India's digital identity landscape develops, constitutional values should be upheld without compromising autonomy, privacy, or inclusion.
REFERENCES
Pratyush Ranjan Tiwari et al., India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities, IACR Cryptol. ePrint Arch. 2022:481 (2022), https://eprint.iacr.org/2022/481.pdf.
Comptroller & Auditor General of India, Performance Audit on Functioning of Unique Identification Authority of India, Report No. 24 of 2021 (2022), https://cag.gov.in/en/audit-report/details/116042.
Nidhi Malhotra & Rohan Singh, Data Breaches in India: Examining the Aadhaar Case and Other High-Profile Incidents, 33 J. Cyber L. & Sec. 89 (2021), https://rhimrj.co.in/index.php/rhimrj/article/view/343.
Unique Identification Authority of India, Self Appraisal Report for Year 2023–24, https://uidai.gov.in/images/UIDAI_Transparency_Audit_Report_Year_2023-24.pdf.
Anand, New Principles for Governing Aadhaar: Improving Access and Inclusion in India’s Digital Identity Program, 18 J. Sci. Pol'y & Governance 1 (2021), https://www.sciencepolicyjournal.org/uploads/5/4/3/4/5434385/anand_jspg_18.1.pdf.
State v. Unique Identification Authority of India, (2021) (Delhi High Court), https://indiankanoon.org/doc/33923333/.
Mandatory e-Aadhaar authentication for Tatkal train tickets: What you need to know, Times of India (June 5, 2025), https://timesofindia.indiatimes.com/life-style/travel/news/mandatory-e-aadhaar-authentication-for-tatkal-train-tickets-what-you-need-to-know/articleshow/121643438.cms.
UIDAI shares non-personal Aadhaar dashboard data to boost transparency, research, Economic Times (May 20, 2025), https://m.economictimes.com/news/india/uidai-shares-non-personal-aadhaar-dashboard-data-to-boost-transparency-research/articleshow/121271868.cms.
Aadhaar authentication extended to private entities, Economic Times (February 2025), https://m.economictimes.com/news/economy/policy/aadhaar-authentication-extended-to-private-entities/articleshow/117801641.cms.
Poor, Elderly Face the Brunt of Aadhaar-Based Authentication Errors, The Wire (January 2025), https://m.thewire.in/article/rights/digital-exclusion-poor-elderly-face-the-brunt-of-aadhaar-based-authentication-errors.
India's surveillance landscape after the DPDPA, IAPP (March 2025), https://iapp.org/news/a/india-s-surveillance-landscape-after-the-dpdpa.
India continues its fight against Aadhaar fraud, Biometric Update (February 2024), https://www.biometricupdate.com/202402/india-continues-its-fight-against-aadhaar-fraud.
A critical survey of the security and privacy aspects of the Aadhaar, ScienceDirect (2024), https://www.sciencedirect.com/science/article/abs/pii/S016740482400083X.
Ethical challenges of digital health technologies: Aadhaar, India, PMC (2020), https://pmc.ncbi.nlm.nih.gov/articles/PMC7133485/.
Government plans Amendment to Aadhaar Act for enhanced privacy and consent controls, SSRana (May 2025), https://ssrana.in/articles/government-plans-amendment-to-aadhaar-act-for-enhanced-privacy-and-consent-controls/.