For years now, Aadhaar has been the magic key that opens almost every door in India. You want a SIM card? Aadhaar. You want to check into a hotel? Aadhaar. You want to rent a car, buy insurance, or open a bank account? Aadhaar again. It has become so casually central to everyday life that most Indians don’t bother asking what happens to their data once they hand over the photocopy or flash their card across a counter.
And yet, this quiet convenience hides an uncomfortable truth: a system that touches the lives of 1.3 billion people cannot afford casualness — especially when the risks are so enormous.
The Unique Identification Authority of India (UIDAI) now wants to tighten the rules governing offline Aadhaar verification. On the surface, this may look like a bureaucratic shuffle. But beneath that is a story about how India’s most ambitious identity project is grappling with its own scale.
Offline Aadhaar verification — the routine practice of hotels photocopying IDs, apartments scanning cards, event organisers collecting details — bypasses UIDAI’s servers. No real-time authentication. No logs. No oversight. Essentially, it leaves data floating around in hands that may or may not know how to protect it.
In an age where your passport number can end up for sale on a Telegram channel, this is hardly reassuring.
A cybersecurity report last year flagged the astonishing scale of leaks: over 800 million Indians exposed through compromised Aadhaar and passport data. You don’t need to be a tech expert to understand the implications. A database so vast becomes a magnet for fraudsters, phishers, impersonators, and anyone with a motive darker than curiosity. Once this information hits the dark web, there is no putting the genie back in the bottle.
UIDAI’s new proposal — to require establishments that use offline Aadhaar checks to register formally and follow secure verification protocols — is an attempt to plug these leaks. It is not a perfect solution, but it is a necessary one. Because the system today resembles a giant iron vault with the door slightly ajar. Anyone can walk in.
To be fair, UIDAI has always insisted that Aadhaar data, including biometrics, is safe in its central repository. And to an extent, that claim holds. The bigger problem lies not at the vault’s core, but along its edges. Limited oversight across the data supply chain — from the tech vendor who sets up the software to the hotel clerk who stores photocopies in a dusty file — means leakage points are everywhere.
This is the irony of Aadhaar. It was designed to be a secure, centralized identity system. But the ecosystem around it has become decentralized, fragmented, and in certain areas, astonishingly careless.
And Aadhaar holders share part of the blame. Indians hand out their Aadhaar number with the same nonchalance as offering a visiting card. Few ask questions. Fewer read the fine print. Almost no one checks what an establishment plans to do with the data it collects.
The Digital Personal Data Protection Act gives some protection on paper, but in practice, not enough people have the time, knowledge, or inclination to invoke those rights.
Which is why UIDAI’s move must be seen as a chance to draw a line. To tell the millions of entities that use Aadhaar: convenience cannot come at the cost of security.
But the larger shift must come from citizens themselves. If your data is important — and in 2025, nothing is more important — then you need to guard it with the same seriousness as a passport or bank PIN.
Aadhaar has transformed India. Now it is time to ensure that this transformation does not come with a hidden price.