Aadhaar Data Breach: Why India’s Digital ID Dream Turned Nightmare and What Sri Lanka Must Avoid

Imagine a single 12-digit number that promises to unlock welfare, banking, and voting for 1.4 billion people. That was Aadhaar in 2009. Sixteen years later, the world’s largest biometric database is a cautionary tale of over-promised efficiency, under-delivered security, and millions left behind. As Sri Lanka races toward its own SL-UDI rollout in 2026, India’s meltdown offers a free masterclass in what not to do. Let’s dissect the corpse politely, analytically, and with an eye on Colombo’s inbox.

The Honeymoon: Scale That Dazzled the World

Aadhaar enrolled 1.2 billion residents in under a decade, using ten fingerprints, two iris scans, and a photo. Ghost beneficiaries vanished from pension rolls; subsidies reached real bank accounts via the “India Stack.” The World Bank applauded. Paul Romer called it “the most sophisticated ID programme on the planet.” For a moment, it felt like India had hacked poverty.

Then the leaks began.

The Breaches: A Thousand Cuts

2018 alone saw four headline-grabbers:

• A Tribune reporter bought unrestricted access to every Aadhaar record for ₹500 via WhatsApp.
• A state utility leaked 1.6 million Jharkhand residents’ details because someone forgot to password-protect a folder.
• 210 government websites published names, addresses, and Aadhaar numbers in plain text; UIDAI only noticed after an RTI forced disclosure.

By 2023, Aadhaar dumps were being tracked on dark-web forums alongside PAN cards and passports. The 2024 dark-web sale of 815 million records, complete with passport scans, was merely the loudest alarm in a long symphony of silence from UIDAI.

Centralised honeypots are hacker catnip. Every village enroller, every bank, every ration shop became a potential hole.

Exclusion: When “Mandatory” Starves the Poor

Aadhaar was sold as inclusion theatre. In practice, it became exclusion machinery.

• Fingerprint failure rates hovered at 6–12% for manual labourers, the elderly, and anyone whose ridges had been sanded away by life. Iris scans fared little better in dusty villages.
• CAG audits revealed that 73% of biometric updates were “voluntary” fixes for repeated authentication crashes, yet the onus stayed on the citizen, not UIDAI.
• Starvation deaths in Jharkhand were reported when ration machines blinked “no match.”

The Supreme Court finally clipped mandatory linking in 2018, but the damage was done. Trust evaporated faster than diesel in a power cut.

Privacy Theatre Without a Script

India built the database first, legislated later. The 2016 Aadhaar Act arrived seven years late and toothless.

• No independent data-protection regulator existed until the 2023 DPDP Act, still awaiting rules in 2025.
• Section 57 allowed any “body corporate” to demand Aadhaar; it was eventually struck down, but private databases had already mushroomed.
• UIDAI’s response to every breach was the same: “Biometrics are safe.” Meanwhile, researchers demonstrating flaws received police visits.

Mission Creep: From Subsidy to Surveillance

Aadhaar began as a welfare key. It ended as a master key.

• It became mandatory for mobile SIMs, bank accounts, school admissions, mutual funds, and even hotel check-ins.
• Proposals to link voter rolls in 2024 sparked protests: “One ID to rule them all.”
• Facial recognition trials at airports and CCTV networks quietly absorbed Aadhaar numbers.

Sri Lanka’s Fork in the Road

Sri Lanka’s SL-UDI blueprint already borrows the good bits: MOSIP open-source architecture, local data ownership, encrypted biometrics. That’s a strong start. Now it must avoid the landmines.

Five Non-Negotiable Guardrails

1. Legislate before you enrol. Pass the Personal Data Protection Bill with an independent commissioner who can fine 4% of GDP and jail rogue officials.
2. Decentralise the crown jewels. Store only cryptographic hashes on-chain; let citizens hold verifiable credentials in eLocker wallets.
3. Build fallback from day one. Accept NRC, passport, or two witness affidavits when biometrics fail. Zero tolerance for starvation-by-software.
4. Cap mandatory use. Welfare and taxes? Fine. Hotels and dating apps? Hard no.
5. Sunset foreign vendors. Indian MSI for build, yes. Lifetime keys to the kingdom, no! Hand over to a local MSP by 31 December 2026, audited by Sri Lanka CERT.
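Guardrail 2 in working form, as an added example that is not SL-UDI’s or MOSIP’s code: the central registry holds only salted SHA-256 commitments, the citizen’s wallet holds the attributes plus an issuer signature, and a relying party checks both, so a dump of the registry yields no personal data and revocation is just deleting a hash. An HMAC under a constructed issuer key stands in for the asymmetric signature a real verifiable credential would carry, so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's private signing key; a real deployment would
# use an asymmetric signature so relying parties never hold issuer secrets.
ISSUER_KEY = b"constructed-issuer-key-for-illustration"

def _payload(attrs, salt):
    """Canonical bytes covered by both the issuer signature and the registry commitment."""
    return json.dumps({"attrs": attrs, "salt": salt}, sort_keys=True).encode()

def issue_credential(registry, attrs):
    """Issuer side: sign the attributes, hand the credential to the wallet, and
    store only a salted hash (the commitment) in the central registry."""
    salt = secrets.token_hex(16)  # per-credential salt stops guessing attributes from the hash
    payload = _payload(attrs, salt)
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    registry.add(hashlib.sha256(payload).hexdigest())
    return {"attrs": attrs, "salt": salt, "sig": sig}

def verify_credential(registry, cred):
    """Relying-party side: the issuer signature must check out and the commitment
    must still be present in the registry (absence means revoked or forged)."""
    payload = _payload(cred["attrs"], cred["salt"])
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return False
    return hashlib.sha256(payload).hexdigest() in registry

def revoke_credential(registry, cred):
    """Revocation touches only the commitment; there is no personal data to delete."""
    registry.discard(hashlib.sha256(_payload(cred["attrs"], cred["salt"])).hexdigest())

def demo():
    registry = set()  # exactly what an attacker would obtain by dumping the central store
    cred = issue_credential(registry, {"name": "A. Citizen", "dob": "1990-01-01"})  # constructed sample
    genuine = verify_credential(registry, cred)
    tampered = dict(cred, attrs={**cred["attrs"], "dob": "1960-01-01"})  # edited in the wallet, signature now stale
    forged = verify_credential(registry, tampered)
    leaked_has_pii = any("Citizen" in entry for entry in registry)  # registry holds hex digests only
    revoke_credential(registry, cred)
    after_revoke = verify_credential(registry, cred)
    return genuine, forged, leaked_has_pii, after_revoke

if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```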

Final Note

People in Tamil Nadu queue three times because the reader disliked calloused thumbs. Yet in Colombo, there’s already appetite for “Aadhaar-style” apps that don’t exist yet. Technology is a mirror: it magnifies whatever governance you feed it. Feed it haste and centralisation, and it will reflect India 2018. Feed it law, consent, and fallbacks, and Sri Lanka can write the success story Aadhaar never finished.
