Author: RITU PARNA, National Law University, Meghalaya
To the Point
Aadhaar, introduced in 2009, was initially envisioned as a voluntary identity program aimed at plugging the gaps in India’s welfare delivery mechanisms. It promised to eliminate ghost beneficiaries, reduce subsidy leakages, and provide a unique biometric-backed identification to every resident. Over the years, however, what began as a social welfare tool has evolved into a foundational infrastructure for India’s digital governance, affecting nearly every aspect of a citizen’s life.
Today, Aadhaar is far more than just an ID card. It has become the backbone of a complex and growing authentication and identity verification ecosystem. It is used not only for government welfare schemes like direct benefit transfers (DBTs), pension distribution, and LPG subsidies but also in critical private sector domains such as telecom (SIM verification), banking (KYC compliance), insurance, education, and healthcare. Aadhaar has even become integral to schemes like the Ayushman Bharat Health Mission, DigiLocker, and the Unified Payments Interface (UPI).
This unprecedented integration, however, has not come without cost. As Aadhaar’s reach expanded, so did the volume of personal and biometric data collected, stored, and shared—often with limited consent, transparency, or oversight. Multiple reports of data breaches, unauthorised profiling, identity theft, and exclusion from essential services have raised alarm bells among privacy advocates, legal scholars, and ordinary citizens alike.
The situation came to a head in 2017 and 2018, when the Supreme Court of India delivered two landmark judgments in the Justice K.S. Puttaswamy cases, first recognising the right to privacy as a fundamental right under Article 21 of the Constitution, and then examining Aadhaar’s legality in light of that right. In the second Puttaswamy case, the Court upheld Aadhaar’s constitutional validity for welfare purposes but struck down its mandatory usage by private entities. It also laid down a stringent “three-part proportionality test” to assess future Aadhaar-related state actions affecting privacy.
Despite these judicial pronouncements, Aadhaar continues to be embedded in public and private sector operations. In many cases, citizens feel compelled to furnish their Aadhaar number even when it is not legally required, due to misinformation, lack of alternatives, or institutional pressure. Though it provides some safeguards, the Aadhaar Act, 2016, has often been criticised for lacking robust enforcement provisions and for concentrating too much power in the UIDAI, the agency overseeing Aadhaar.
India’s Information Technology Act, 2000, which governs electronic data, and its recent successor in personal data protection, the Digital Personal Data Protection (DPDP) Act, 2023, aim to address data misuse, consent, and security concerns. However, their effectiveness in handling the sheer scale and sensitivity of Aadhaar-linked data remains under scrutiny. For instance, the DPDP Act places considerable authority in the central government and lacks a fully independent data protection authority, raising questions about oversight and accountability.
This article examines whether India’s current legal infrastructure is adequate to safeguard the personal data of over a billion citizens, especially in an era where data is currency and surveillance is increasingly normalised. By analysing key legal frameworks, reported fraud cases, relevant doctrines, judicial interpretations, and comparative international models, we attempt to answer a crucial question:
Is India’s digital identity architecture, built around Aadhaar, both legally sound and ethically sustainable—or does it risk undermining the very citizens it was meant to empower?
Use of Legal Jargon
Understanding the Aadhaar debate requires more than just knowledge of the technology behind it; it demands a grasp of the legal principles that underpin data protection, state power, and individual liberty in the digital age. Below is a breakdown of key legal doctrines and statutory provisions often cited in the context of Aadhaar:
Informed Consent Doctrine
This doctrine emphasises that personal data should only be collected or processed after individuals are fully informed of the implications and give explicit, voluntary consent. In Aadhaar’s case, this principle has often been compromised—citizens are frequently coerced into linking Aadhaar to services without being told why, how long their data will be stored, or who may access it. This violates the spirit of consent and the emerging norms under India’s DPDP Act, 2023.
Purpose Limitation
This foundational principle of the General Data Protection Regulation (GDPR) insists that data collected for one specific purpose should not be repurposed for another without explicit consent. In the Aadhaar ecosystem, however, personal and biometric data are often used across domains—from welfare delivery to telecom verification—without re-consent, leading to widespread function creep.
Data Minimization
Collecting only the minimum data necessary for a particular purpose is a gold standard in data protection laws. Yet, Aadhaar mandates extensive biometric and demographic data even when simpler proofs (e.g., ration cards, voter ID) might suffice. Critics argue that the system’s over-reliance on biometric identifiers violates this principle, particularly when the stored data is vulnerable to leaks or misuse.
Reasonable Expectation of Privacy
This standard was solidified by the Supreme Court in Justice K.S. Puttaswamy (2017), affirming that citizens have a legitimate expectation of privacy in all spheres of life, including digital interactions. Centralised storage of Aadhaar data and opaque data-sharing practices often undermine this constitutional safeguard.
Section 29 of the Aadhaar Act, 2016
This section explicitly prohibits sharing core biometric information—fingerprints and iris scans—with anyone, including other government departments, without the individual’s consent, except in cases involving national security (and even then, with approval from a designated officer). Despite this, multiple reports of unauthorised data sharing have emerged, indicating weak enforcement.
Sections 43A and 72A of the Information Technology Act, 2000
These provisions provide civil and criminal liability in cases of wrongful disclosure or failure to protect sensitive personal data. Section 43A mandates compensation for victims of data breaches, while Section 72A criminalises intentional disclosure without consent. However, these laws remain underused in Aadhaar-related cases, partly due to procedural complexities and low public awareness.
Surveillance Capitalism
Coined by Shoshana Zuboff, this term describes a model where private or public institutions commodify personal data to predict and influence behaviour. Aadhaar is increasingly viewed through this lens due to its expansive data collection, centralisation, and potential for profiling. The concern is not just who holds the data, but how they may monetise, analyse, or weaponise it.
Doctrine of Constitutional Morality
This evolving legal doctrine, often invoked in cases involving personal freedoms, asks whether state action is aligned with the fundamental values of the Constitution, including dignity, liberty, and equality. In the Aadhaar context, critics argue that coercive Aadhaar mandates—especially for welfare schemes or basic services—may violate this doctrine by subordinating rights to administrative convenience.
Why These Jargon Terms Matter
These legal concepts are not mere academic terms—they shape the boundaries of what the State can and cannot do in a digital democracy. Aadhaar sits at the crossroads of convenience and control. The extent to which it respects informed consent, protects privacy, limits surveillance, and complies with constitutional morality will determine whether India’s digital future is empowering or authoritarian.
The Proof
Real-World Incidents:
- The Tribune Leak (2018): Access to the UIDAI database was sold online for ₹500, exposing loopholes in Aadhaar vendor control.
- Jharkhand Pension Leak (2017): Aadhaar numbers and personal data of over 1.6 million pensioners were published on a state website.
- Airtel Payments Bank e-KYC Fraud (2018): Bank accounts were opened without consent using Aadhaar data, rerouting LPG subsidies.
- COVID-19 DBT Scam: Fake Aadhaar IDs diverted government funds during pandemic relief transfers.
- Rural Authentication Failures: In Jharkhand and Rajasthan, worn-out fingerprints led to denied food rations and pensions.
- Dark Web Aadhaar Kits: Unauthorised sale of biometric devices raises grave concerns over decentralised misuse.
These cases highlight technical vulnerabilities and the human cost of Aadhaar failures—denied rations, stolen money, and privacy breaches.
Abstract
This article explores the intricate balance between national security objectives and the protection of individual privacy rights in the era of India’s Aadhaar-based digital identity infrastructure. Initially conceived as a transformative tool to enhance efficiency, transparency, and inclusion in public welfare schemes, Aadhaar—administered by the Unique Identification Authority of India (UIDAI)—has grown into one of the most extensive biometric identity programs in the world, covering over 1.3 billion residents.
What began as a voluntary initiative to streamline service delivery has, over time, evolved into a deeply embedded system used for everything from banking and telecom verification to healthcare, taxation, and education. While Aadhaar has undoubtedly improved administrative reach and reduced certain forms of corruption, it has also introduced serious risks, particularly in identity theft, unauthorised data profiling, exclusion from essential services, and data breaches.
Numerous incidents—ranging from phishing scams and SIM swap frauds to leaks from government portals—highlight systemic vulnerabilities in the Aadhaar architecture. Insufficient legal safeguards and accountability, together with limited citizen awareness, compound these issues. The article critically examines the legal framework surrounding Aadhaar, with particular attention to the Aadhaar Act, 2016, relevant provisions of the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023. Central to this legal discourse is the Supreme Court’s landmark ruling in Justice K.S. Puttaswamy v. Union of India, which upheld the constitutional validity of Aadhaar while significantly limiting its use.
Through a doctrinal and case-based approach, this article questions whether India’s legal system is adequately equipped to handle the challenges of Aadhaar’s widespread integration. It evaluates the legal doctrines of proportionality, informed consent, purpose limitation, and constitutional morality. It also reflects on how India’s digital identity project aligns with global data protection standards, such as the EU’s GDPR.
The analysis also considers the implications of emerging digital programs like the Ayushman Bharat Digital Health Mission, DigiLocker, and Digital India Stack, which increasingly rely on Aadhaar for identity verification. While promising service delivery, these integrations significantly expand the scope for state surveillance and private sector profiling, raising urgent concerns about the erosion of civil liberties.
Ultimately, the article argues for a privacy-centric legal regime that includes independent regulatory oversight, clear consent frameworks, data minimisation principles, and stronger punitive measures for breaches. As India modernises its digital infrastructure, public trust in identity systems like Aadhaar will rest on the strength, clarity, and enforceability of its privacy protections.
Case Laws
- Justice K.S. Puttaswamy v. Union of India (2017)
Recognised the right to privacy as a fundamental right under Article 21. Introduced the proportionality test to validate state intrusion into personal data.
- Justice K.S. Puttaswamy (Aadhaar Judgment, 2018)
Upheld Aadhaar’s constitutionality but struck down Section 57 (use by private entities) and ruled Aadhaar non-mandatory for services like telecom and banking.
- Binoy Viswam v. Union of India (2017)
Validated Aadhaar-PAN linkage for tax purposes, framing it as a reasonable restriction on privacy.
- Internet Freedom Foundation v. UIDAI (Ongoing)
Seeks UIDAI’s accountability in biometric data protection and demands transparency in data breach responses.
- Supreme Court of Jamaica (2019)
Struck down Jamaica’s national ID law, citing the Aadhaar dissenting judgment, showing Aadhaar’s international legal influence.
Comparative International Models
- United Kingdom: Scrapped its national ID project in 2010 due to privacy risks.
- Estonia: Offers a digital ID with complete citizen control. Citizens can view data access logs in real-time.
- European Union: GDPR enforces data subject rights, including access, rectification, and objection. Aadhaar lacks equivalent guarantees.
- China: The social credit system uses centralised data for behavioural profiling. While Aadhaar is not identical, concerns about similar misuse exist.
These models reveal that digital identity can be both efficient and rights-respecting—if designed with citizen control at the centre.
Conclusion
Aadhaar is an undeniable pillar of India’s digital ecosystem—but its growth has far outpaced the legal and ethical safeguards meant to govern it. While Aadhaar has improved efficiency in welfare delivery, its unchecked expansion has raised credible fears of mass surveillance, corporate misuse, and systemic exclusion.
Despite the Supreme Court’s privacy ruling, UIDAI’s functioning remains largely opaque. Redressal mechanisms are underutilised, and grievance systems lack teeth. India’s 2023 Digital Personal Data Protection Act is a step forward but still lacks robust enforcement mechanisms and independence from executive control.
To move from surveillance risk to digital empowerment, India must:
- Enforce data minimisation and purpose limitation norms,
- Establish a truly independent Data Protection Authority,
- Empower citizens to access logs and control their Aadhaar data,
- Legally require proportionality assessments for every new Aadhaar integration.
Aadhaar’s future legitimacy depends not just on tech security but on constitutional fidelity.
FAQs
Q1. What is Aadhaar fraud?
Aadhaar fraud involves unauthorised access, identity theft, or misuse of Aadhaar data for financial, commercial, or surveillance purposes.
Q2. Is Aadhaar mandatory for all services?
No. According to the 2018 SC ruling, Aadhaar is only mandatory for welfare schemes and income tax filings, not bank accounts or SIM cards.
Q3. What legal remedies exist for Aadhaar misuse?
Affected individuals can file complaints under IT Act Sections 43A & 72A, and approach UIDAI or courts, though enforcement remains weak.
Q4. Can I use alternatives to Aadhaar for KYC?
Yes. Voter ID, passport, and utility bills are valid documents. Aadhaar is not the sole KYC option.
Q5. How secure is biometric data in Aadhaar?
Biometric data is encrypted, but stored centrally. While UIDAI claims strong security, leaks and misuse have occurred.
Q6. What is UIDAI’s role?
UIDAI manages Aadhaar enrollment, authentication, and security, but operates with limited transparency and public accountability.
Q7. Can Aadhaar be delinked?
Yes. Citizens can ask service providers to delink Aadhaar from private services. Enforcement may require persistence.
Q8. What is a Virtual ID?
A Virtual ID is a temporary, revocable 16-digit ID that you can use instead of your Aadhaar number to prevent overexposure.
Q9. Are there global standards Aadhaar violates?
Aadhaar lacks features like access logs, purpose limitation, and data portability, which are found in GDPR-compliant systems.
Q10. Is India moving toward surveillance like China?
While Aadhaar isn’t a social credit system, its wide data linkage raises similar risks if left unchecked.
Q11. Has anyone been punished for Aadhaar misuse?
Despite repeated breaches, very few have faced legal consequences, raising questions about deterrence.
Q12. What reforms are urgently needed?
Independent audits, stronger encryption, transparency in UIDAI, and enforceable citizen rights under data protection laws.
Q13. What can citizens do?
Use alternatives, enable Virtual IDs, file RTIs, and educate others about digital rights and Aadhaar limitations.
