How Aadhaar Works — and Why It Remains Controversial
Aadhaar — derived from the Hindi word for "foundation" — is the world's largest biometric identification system, providing a unique 12-digit identity number to every Indian resident based on demographic data (name, address, date of birth, gender) and biometric data (ten fingerprints and iris scans). Launched in 2009 by the Unique Identification Authority of India (UIDAI) under the then-Planning Commission, Aadhaar issued its first number in September 2010; by April 2025, 142 crore (1.42 billion) IDs had been generated, representing approximately 95% of India's population.
The system has crossed 100 crore face authentications (January 2025); recorded 1,470 crore e-KYC transactions by March 2023; and serves as the identity foundation for DBT, banking access, mobile SIM verification, and dozens of government scheme enrollments.
The Supreme Court's Puttaswamy judgment (K.S. Puttaswamy v. Union of India, 2018) upheld Aadhaar's constitutional validity but imposed significant restrictions: Aadhaar cannot be made mandatory for private entities (only government services and bank accounts directly linked to government benefit delivery); it cannot be used to establish citizenship; it cannot be made mandatory for school admission of children.
The judgment simultaneously established privacy as a fundamental right under Article 21 — a landmark constitutional development — while permitting Aadhaar to continue for government welfare purposes. The same 2018 judgment (often called the Right to Privacy judgment) is the constitutional foundation for India's subsequent data protection legislation.
What the Evidence Shows
- Aadhaar technical architecture: 12-digit unique ID backed by fingerprint + iris biometrics; Aadhaar number is not a secret (it can be shared) — authentication requires biometric or OTP verification that a fraudster cannot easily replicate; UIDAI maintains the central biometric database; authentication happens in real-time (response within 3–5 seconds).
- Supreme Court Puttaswamy judgment (2018): upheld Aadhaar's validity for government benefit delivery with a 4:1 majority; struck down its mandatory use by private companies (banks, telecom) except where linked to government benefit delivery; established right to privacy as a fundamental right; struck down Section 57 of the Aadhaar Act that allowed private entities to use Aadhaar for verification.
- Welfare impact: 5.87 crore fake ration cards cancelled; 4.23 crore duplicate LPG connections removed; DBT savings of ₹3.48 lakh crore (2015–2023); these represent genuine elimination of ghost beneficiaries and fraudulent claims; they also include genuine beneficiaries excluded by database errors (estimates of exclusion errors range from 0.5–2% of beneficiaries).
- Privacy concerns: reframeTech documented a 2019 incident where Aadhaar numbers of 6.7 million people were exposed on an Indane (government LPG) website; multiple security researchers have documented Aadhaar authentication API vulnerabilities; the DPDPA 2023's Rules (notified November 2025) create a data protection framework that applies to Aadhaar-linked data fiduciaries with a compliance deadline of May 2027.
- The exclusion debate: Supreme Court and Right to Food Campaign have documented cases of individuals dying after being excluded from PDS due to Aadhaar authentication failures; the government maintains failure rates are below 0.3%; civil society estimates are higher; UIDAI acknowledges biometric failure rates are higher for elderly and manual labour populations.
How It Works in Practice
1. Aadhaar authentication modes: Three authentication modes exist: biometric (fingerprint or iris scan), OTP (one-time password sent to the registered mobile), and TOTP (time-based OTP via a TOTP app). Each mode has different use cases and failure patterns: biometric fails for worn fingerprints; OTP requires a registered mobile number and active SIM; TOTP requires smartphone access. The diversity of authentication modes reduces (but doesn't eliminate) exclusion risk.
2. e-KYC as the commercial application layer: Aadhaar's e-KYC (electronic Know Your Customer) service allows any entity with UIDAI authorization to verify a person's identity within seconds by matching a presented biometric against the central database and receiving demographic information. Banks use e-KYC to open accounts; telecom companies to activate SIMs; fintech companies to onboard customers. The 1,470 crore e-KYC transactions by March 2023 reflect the commercial adoption of this service.
3. The Virtual ID as a privacy protection: UIDAI introduced the Virtual ID (VID) system in 2018 in response to privacy concerns: a 16-digit temporary ID linked to the real Aadhaar number that can be used for authentication without revealing the actual Aadhaar number. Entities that authenticate using VID receive only a token UID rather than the actual Aadhaar number, preventing cross-database linking. VID adoption has been mandated for certain use cases but remains inconsistently implemented.
4. Aadhaar and surveillance concerns: India's DPDPA 2023 provides a government exemption for data processing "in the interests of the sovereignty and integrity of India" and "security of the State" — a broad carve-out that civil society argues enables Aadhaar data to be used for surveillance without data protection safeguards. The NATGRID (National Intelligence Grid), which aggregates data from multiple government databases, theoretically could integrate Aadhaar authentication records to create detailed profiles of individuals' movements and transactions.
5. The children's Aadhaar (Baal Aadhaar): UIDAI has introduced Baal Aadhaar (blue Aadhaar) for children under 5, linked to parents' biometrics rather than the child's own; a new biometric enrolment is required when the child turns 5 and again at 15 to update adult biometrics. The DPDPA's children's data provisions impose additional requirements on entities that process children's data, potentially affecting Baal Aadhaar-linked service delivery.
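Added example (not UIDAI's code and not part of the original article): a sketch of why per-entity tokens, as described in item 3, stop two organisations from joining their customer tables. The HMAC derivation, `PROVIDER_SECRET`, the entity codes and the sample identifiers are assumptions constructed for illustration; the page does not describe UIDAI's real token scheme.

```python
import hashlib
import hmac

# Assumption: a secret held only by the identity provider. The page does not
# describe UIDAI's real token derivation; HMAC-SHA256 is a stand-in.
PROVIDER_SECRET = b"constructed-demo-secret"

# Constructed placeholder identifiers (not real identity numbers).
RESIDENTS = ["000000000001", "000000000002", "000000000003"]


def entity_token(id_number: str, entity_code: str) -> str:
    """Token that is stable for one entity and different for every other.

    A keyed MAC is used rather than a bare hash: a 12-digit space is small
    enough to enumerate, so an unkeyed hash could be reversed by brute force.
    """
    msg = f"{entity_code}|{id_number}".encode()
    return hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def build_db(entity_code: str, tokenised: bool) -> dict:
    """Customer table of one relying entity, keyed by what it stores."""
    db = {}
    for n, id_number in enumerate(RESIDENTS):
        key = entity_token(id_number, entity_code) if tokenised else id_number
        db[key] = {"entity": entity_code, "customer": n}
    return db


def joinable(db_a: dict, db_b: dict) -> int:
    """Number of records an observer holding both tables can link by key."""
    return len(set(db_a) & set(db_b))


def compare() -> dict:
    """Linkable records when entities store raw numbers vs per-entity tokens."""
    raw = joinable(build_db("BANK", False), build_db("TELCO", False))
    tok = joinable(build_db("BANK", True), build_db("TELCO", True))
    return {"raw_number": raw, "per_entity_token": tok}


if __name__ == "__main__":
    print(compare())
```

The same resident always maps to the same token at one entity, so that entity can still deduplicate its own customers; only the cross-entity join disappears.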
What People Often Misunderstand
- Aadhaar does not prove citizenship: This is the most critical misunderstanding; Aadhaar proves residency and identity, not citizenship; it is issued to all Indian residents including non-citizens; linking Aadhaar to the NRC (National Register of Citizens) process would require legislative change.
- The Supreme Court's 2018 ruling was narrowly defined: The Court upheld Aadhaar for government benefit delivery while restricting its expansion to private sector use; it did not endorse Aadhaar as a comprehensive national ID for all purposes; subsequent government actions to expand Aadhaar use have periodically tested these limits.
- The DPDPA's government exemption is broad: The 2023 data protection act's exemption for government processing significantly limits data protection rights in the context most important for Aadhaar — government welfare delivery; the exemption means that UIDAI itself and government departments using Aadhaar data are substantially exempt from the Act's individual rights provisions.
- Biometric failure rates are disputed but real: UIDAI reports authentication success rates of 99.7%+; civil society organisations report higher failure rates particularly among manual labourers, elderly, and people with skin conditions; both are probably correct in different measurement contexts; the dispute is about methodology, not the existence of failures.
- India has the UIDAI and DPDPA as checks: Unlike many countries with centralised biometric databases, India has a statutory authority (UIDAI) that manages Aadhaar with defined powers and limitations, and now a data protection law (DPDPA 2023, Rules notified November 2025) that creates additional obligations; these are imperfect protections but are genuine institutional safeguards.
What Changes Over Time
The DPDPA Rules (November 2025) create specific obligations for "Significant Data Fiduciaries", including those handling large volumes of Aadhaar-linked data; these obligations include mandatory Data Protection Impact Assessments and audits. The compliance deadline of May 2027 will require UIDAI and major Aadhaar users to substantially review their data practices.
The Digital Agriculture Mission's AgriStack — creating Aadhaar-linked farmer identities for 11 crore farmers — extends the Aadhaar model to a new domain with significant data concentration implications.
Sources and Further Reading
- UIDAI — Official: https://uidai.gov.in
- reframeTech — Aadhaar and DPI: https://www.reframetech.de/en/2024/11/13/aadhaar-and-the-rise-of-digital-public-infrastructure-in-india/
- Institut Montaigne — India DPI: https://www.institutmontaigne.org/en/expressions/indias-digital-public-infrastructure-success-story-world
- Drishti IAS — 10 Years Digital India: https://www.drishtiias.com/daily-updates/daily-news-analysis/10-years-of-digital-india
- ORF — Decade of Digital India: https://www.orfonline.org/research/a-decade-of-digital-india-mission-achievements-gaps-and-the-way-forward
