The Unique Identification Authority of India (UIDAI) is planning a new rule to stop hotels, event organisers and other businesses from collecting photocopies of Aadhaar cards.
For years, checking into a hotel or attending an event has often meant handing over a photocopy of your Aadhaar card. These copies then sit in files, get stored on phones, or end up in unsecured digital folders. UIDAI says this widespread practice actually violates the Aadhaar Act and creates serious security risks.
The upcoming rule aims to fix this. Under the new framework, businesses will first need to formally register with UIDAI as 'Offline Verification Seeking Entities.' Only then can they verify identity, and they'll have to do it through approved digital methods such as offline QR codes, API-based authentication, and other verification apps. Photocopies will be off the table entirely.
Everyone agrees that banning photocopies addresses an obvious vulnerability. But critics aren't entirely convinced the problem is solved, they think it's just been relocated.
Tech policy researcher Medha Garg told BOOM that while document misuse is being addressed, new concerns emerge around "system design, implementation failures, and how verified Aadhaar data is stored and shared downstream."
In other words, the risk hasn't disappeared; it's just moved from paper to digital infrastructure. There's also the worry that this system might make Aadhaar feel mandatory, even though other forms of ID remain legally valid.
From court limits to new workarounds
The move aligns with an amendment notified earlier this year, which allows private entities to use Aadhaar authentication under the Aadhaar Authentication for Good Governance Amendment Rules.
At Aadhaar Samvaad, IT Minister Ashwini Vaishnaw also urged UIDAI to align the Aadhaar Act with the Digital Personal Data Protection (DPDP) Act and redesign it as a modern identity law focused on user autonomy and interoperability. Aadhaar, he said, should serve as foundational infrastructure for digital services.
Public interest technologist Anivar Aravind sees this as a continuation of earlier workarounds. While the Supreme Court allowed Aadhaar use by the state for specific purposes, it clearly barred private use, he said. “The government got around this by routing Aadhaar through public contracts—where private players act as service providers for the state.”
What’s happening now, Aravind argues, is a more formal version of the same approach. Aadhaar is being repositioned as a consent-based data-sharing system, “a rail for data exchange, not really for data protection.”
Aadhaar as the default ID
Critics warn that these incremental changes are steadily pushing Aadhaar towards becoming a de facto universal identity infrastructure, even without an explicit legal mandate.
Garg pointed out that Aadhaar is neither proof of citizenship nor date of birth on its own, and remains voluntary—especially in private settings. “But as the government keeps expanding Aadhaar’s infrastructure, it’s becoming practically indispensable,” she said. When Aadhaar becomes the fastest or easiest way to access services, she added, “consent risks becoming nominal rather than meaningful”.
Aravind draws a parallel with demonetisation. Cash wasn’t banned, he said, but over time UPI and QR codes became the default. “This is like an identity demonetisation,” he explained. “Other IDs still exist, but Aadhaar and QR-based identity slowly become the norm.”
Why ‘anonymisation’ doesn’t fix the problem
UIDAI has pitched QR-based and digital verification as privacy-preserving, but experts remain unconvinced.
Garg said that anonymising Aadhaar data doesn’t really make people anonymous. “Even if names or Aadhaar numbers are removed, the data still contains clues, like where someone lives, their age range, when Aadhaar was used, or how often it’s verified,” she said.
The concern grows as Aadhaar is increasingly used across both government services and private settings. Even when individual datasets are anonymised, the risk emerges when multiple Aadhaar-based interactions are viewed together.
For instance, in a small village, if only one household uses Aadhaar every month at the ration shop and also uses Aadhaar-based verification at a nearby clinic or a private service, it becomes easy to infer who that data belongs to—especially when combined with other records or local knowledge.
Garg pointed out, “India’s data protection law does not regulate anonymised data. That means such datasets can be reused, shared, or analysed further with very few legal safeguards, even if people never consented to this kind of tracking.”
According to Aravind, anonymisation isn’t really happening at all. The QR system, he said, emerged after the 2018 Supreme Court judgment as a technical workaround to allow private-party involvement indirectly. “It shifts the burden to the user—who scans or presents the QR—rather than building institutional safeguards,” he said.
In his view, the issue isn’t privacy or security. “It’s about who the government certifies to verify identity, and how it enables large-scale data sharing. Anonymisation here is more of a policy claim than a technical or legal reality.”