Aadhaar: One ID to Rule Them All - But Should It?
What could go wrong when biometric data of 1.4 billion people is at risk?
👋 Dear reader, hope you’re healthy and happy. In this post we will cover:
- What the Aadhaar biometric system of India is (think: SSN on steroids)
- How Aadhaar access is expanding
- The privacy quagmire it will lead to
Buckle up!
Imagine you walk into a bar. Not just any bar, but one where they don’t check your ID at the door. Instead, they scan your face, fingerprint, and maybe even ask for a DNA sample just to serve you a beer. The bartender assures you it’s all for your own good—better service, no fake IDs, and an overall smoother experience. You hesitate, but hey, the beer is cold, and you don’t want to be that guy making a fuss.
Next thing you know, every bar in town starts doing it. Then the donut shops. Then restaurants, grocery stores, and even gas stations. Soon, it’s impossible to buy anything without handing over your biometrics. And the kicker? You never explicitly agreed to any of this. You just wanted a drink.
That, in a nutshell, is the Aadhaar expansion story in India.
Aadhaar, a 12-digit identity system, is linked to the biometrics of more than 1.4 billion people in India. Let that number sink in for a moment. It’s 2x the population of all of Europe. And 4x the US population. Imagine if your Social Security number was paired with your fingerprints and iris scans, and then made available not just for government services and core services (like banking) but also for private businesses: e-commerce apps, concert tickets or pizza delivery.
Originally, Aadhaar was supposed to be a simple fix for an age-old problem: making sure government subsidies reached the right citizens. And it is true that Aadhaar has made life simpler: it is an ID that's accepted everywhere in the government. I recall once trying to get my Indian passport renewed and struggling to keep up with which ID is accepted where.
Over time, though, private companies like banks or cellphone companies started tapping into the Aadhaar database to verify customers. A landmark Indian Supreme Court ruling in 2018 thankfully put strict limits on that practice.
Now, in 2025, the Indian government has decided to loosen those restrictions again. Private companies in e-commerce, healthcare, travel, and hospitality will be able to use Aadhaar authentication to verify customers.
From the original Press Release:
The amendment enables both government and non-government entities to avail Aadhaar authentication service for providing various services in the public interest for related specific purposes like enablement of innovation, spread of knowledge, promoting ease of living of residents and enabling better access to services for them.
No evaluation criteria:
Any entity seeking Aadhaar authentication will be required to apply with the details of intended requirements to the concerned ministry or department of the Central or the State government in a format being made available on a portal for this purpose. The applications will be examined by UIDAI and MeitY will issue the approval based on the recommendation of UIDAI.
The government promises this will improve service delivery, reduce fraud, and make life easier for the average citizen. Because why wouldn’t you want to trust your personal data - fingerprints, iris scans, and all - to a bunch of businesses? It’s not like data breaches ever happen, right?
It sounds like progress, until you start asking the hard questions.
Privacy advocates, including yours truly, are nervous. We worry this shift could resurrect elements of the Aadhaar Act that the Indian Supreme Court had already struck down. The Indian government insists all businesses must apply for approval before using Aadhaar authentication, but the criteria for approval remain murky. Who gets access? How will they be monitored? What happens if they misuse it? All valid concerns, all largely unanswered.
A leaked password you cannot ever change
India’s colossal population makes the stakes enormous. In the US, people might fear identity theft if their Social Security number falls into the wrong hands. Multiply that fear by a factor of a billion, and toss in biometric data that can’t exactly be changed if leaked.
Meanwhile, a comprehensive data protection law in India has yet to become fully operational. So, we now have a system where private companies will have broader access to sensitive biometric authentication, while the rules on how they should handle that data remain vague at best. We are building a highway and punting the traffic laws to later.
Then there’s the issue of voluntary usage. Technically, Aadhaar authentication remains optional. But what happens when private businesses start making it the easiest, or even the only, way to access services? Just as you can technically get a SIM card or open a bank account without Aadhaar (but good luck finding a hassle-free alternative), this could quickly become a “voluntary” requirement. That’s how de facto mandates work. You don’t have to comply, but life sure gets a lot harder if you don’t.
India’s experiment is unfolding in real time. On one hand, it could spark a wave of new tech innovations and supercharge online services. On the other, it tests the boundaries of privacy and fairness on a massive scale. Nobody wants to be locked out of essential services because of a technical glitch, nor do they want Big Brother (or Big Business) tracking their every move.
So, coming back to the bar.
At first, handing over a fingerprint for a beer seemed harmless. But now, every business in town wants a piece of that data, and opting out is becoming less of a choice. Before long, you start wondering: was the convenience really worth it? Or did we all just trade a little too much privacy for the promise of a smoother experience?
Aadhaar is at that tipping point. The system has undeniable benefits, but this latest expansion could be a turning point, either towards seamless, secure digital identity verification or a sprawling privacy crisis waiting to happen.
And once you hand over your data, there’s no taking it back.