India explainer

Aadhaar and UPI: The Genius — and the Quiet Danger — of India’s Digital ID

India built the most impressive digital public infrastructure on earth — cheap, fast, inclusive. That is exactly why the quiet part deserves attention: it is also the largest behavioural ledger ever assembled.

Ask anyone who has watched a vegetable seller in a small Indian town wave a phone at a QR code and get paid in seconds, and they will tell you something quietly historic happened here. The debate over Aadhaar UPI privacy can make us forget that first fact: India built a payments-and-identity layer that works, at a scale and cost the rest of the world is still studying. Before we get to the danger — and there is a real one — it is only fair to sit with what went gloriously right. The genius and the risk live in the same system, and pretending otherwise helps no one.

What DPI got gloriously right

“Digital public infrastructure” — DPI — is the unglamorous phrase for something genuinely radical: treating identity and payments as public rails, the way we treat roads or the electricity grid, rather than as products owned end to end by a handful of firms. India built three layers — a digital identity (Aadhaar), a real-time payments network (UPI), and a consent-based data layer on top — and made them interoperable. The story of digital public infrastructure India is, at heart, a story about who the rails were built to serve. And the results are hard to argue with.

Start with cost. UPI transactions are, for most users, effectively free, and the system reportedly runs at a per-transaction cost that legacy card networks cannot approach. That is not an accident; it is a design choice about who the rails are meant to serve. Compare it to the interchange-fee model most of the world runs on, where a small toll on every swipe flows to intermediaries, and you see how unusual the Indian bet was.

Then access. A street vendor with a cheap phone and no card-machine contract can accept digital money. A migrant worker can send wages home instantly. The old barriers — a minimum balance, a banker’s approval, a card reader you had to rent — mostly fell away. And the reliability has largely held up: a national payments system reportedly processing billions of transactions a month, with uptime that many richer countries’ banking apps would envy.

Most importantly, financial inclusion. Hundreds of millions of people who were effectively invisible to the formal financial system now have an account, an identity number, and a way to receive government benefits directly rather than watching them evaporate through layers of middlemen. Leakage in welfare delivery — the money that never reached the person it was meant for — was a real, grinding tax on the poor. Direct transfer over these rails cut into it. That is not a small thing. It is, by many honest measures, one of the largest expansions of financial access in recent history.

The genius and the danger are not two systems. They are the same system, seen from two distances.

The new ledger: identity, payments, and interoperability stitched together

Here is where the story turns, and it turns not because anyone did anything villainous but because of what the architecture is. The power of DPI comes from stitching three things together: who you are (Aadhaar), what you pay for (UPI), and the interoperability that lets any app talk to any bank talk to any service. Each layer is a genuine public good. But joined up, they become something new: a single, queryable ledger of a nation’s economic life.

Every convenience has a mirror image. The same identity number that lets a benefit reach the right person also lets transactions be linked to that person across contexts. The same interoperability that lets you pay any merchant from any app also means the trail does not stop at one bank’s walls. The same real-time settlement that makes the vendor smile is, from another angle, a real-time feed of who bought what, where, and when.

None of this is hidden or conspiratorial. It is simply the nature of a ledger that is both universal and identified. In the pre-digital era, your cash purchases were unlinkable by default — privacy was the accident of friction. Remove the friction, add a unique identifier, and privacy stops being the default and becomes something that has to be deliberately engineered back in. The question is whether it will be.

From welfare tool to behavioural-data goldmine

Aadhaar was sold, and largely built, as a welfare instrument: a way to make sure the ration, the pension, the subsidy reached a real, unique person. That framing matters, because it set the expectations. A tool for delivering benefits feels different from a tool for watching citizens, even when the underlying capability overlaps.

The direction of travel is what critics watch nervously. In early 2025, the government moved — as a stated policy direction — to open Aadhaar authentication more widely to private entities, not just government departments and regulated banks. The official rationale is reasonable on its face: let trusted businesses verify identity cleanly, reduce fraud, ease onboarding. But every expansion of who can query the identity layer expands the surface across which behaviour can be linked. A welfare tool asks, “Is this the right person?” A commercial ecosystem asks, quietly, “What else do we now know about this person?”

It is worth being careful here. There is no need to invent a breach or cite a leak that hasn’t been verified to make the point. The concern is structural, not a single scandal: as authentication spreads to more private hands, the identified transaction record becomes, by degrees, a behavioural-data goldmine — a resource whose value lies precisely in linking payments to a real name across every context a person moves through. This is also, quietly, how UPI surveillance would arrive if it arrived: not as a dramatic act of watching, but as the ordinary accumulation of a linkable record. Whether that resource is ring-fenced by law or slowly mined is a governance choice not yet fully made. And this is the heart of the is Aadhaar safe question: safe from what, exactly, and safe under whose rules?

The pattern should feel familiar to anyone who has watched technofeudalism take hold in the West, where public life increasingly runs on infrastructure privately owned and privately read. India’s twist is that its rails began public — which is both its protection and, if the protection erodes, the reason the stakes are so high.

A three-movement reading of a slow capture

The deeper pattern is an old one: every technology revolution across ten thousand years follows the same five-step move — the same move, a new machine, every time. Someone builds something that genuinely helps; people come to depend on it; the dependency is quietly enclosed; the terms shift; and by the time anyone objects, opting out is no longer a real option. India’s digital public infrastructure is the newest chapter of that very old story — a slow capture arriving in three movements.

The first movement is the gift. The rails are built, they are cheap or free, they genuinely work, and adoption is voluntary and delightful. This is the granary that fed the village, the road that opened the market. It is real generosity, and it earns real trust. Nothing about this stage is a trick.

The second movement is dependence. The tool becomes the water you swim in. Cash acceptance thins; a business that refuses digital payments loses customers; a service that cannot verify you through the identity layer becomes friction you avoid. No one is forced, exactly — but the alternatives quietly wither, and “choice” becomes theoretical. The same soft compulsion drives the attention economy, where you are technically free to log off and practically unable to.

The third movement is the turn — the enclosure. The layer that was a public gift becomes a site of extraction: access widened to private interests, the data linked and monetised, the terms rewritten by parties the ordinary user never negotiates with. Crucially, the argument here is not that this turn is inevitable or complete. It is that the architecture permits it, the incentives pull toward it, and history rhymes with it. The capture is slow precisely because each step feels like progress.

The same move, a new machine, every time: build something people love, wait for them to need it, then change the terms.

How to get the convenience without sleepwalking into the capture

The honest conclusion is not “tear it down.” The inclusion gains are real and worth defending. The task is to keep the genius and refuse the capture — and that is partly a matter of what individuals do and much more a matter of what the rules require.

For individuals, a few habits help without demanding you exit modern life:

  • Use virtual and masked IDs. Where the system offers a masked Aadhaar or a virtual ID for verification, prefer it over handing over the raw number.
  • Lock your Aadhaar biometrics when you are not actively using them, and unlock only when needed — a feature that already exists and is under-used.
  • Notice consent screens. When an app asks to authenticate you through the identity layer, ask what it actually needs to know, and whether a lighter check would do.
  • Keep some friction alive. A world with zero cash and zero alternatives is a world with zero fallback. Plurality of payment methods is itself a privacy protection.

But individual hygiene is not where this is won or lost. The real safeguards are governance asks, and they are worth naming plainly:

  1. Purpose limitation with teeth. Data collected to deliver a benefit should be legally barred from being repurposed into a commercial profile — with enforcement, not just a policy line.
  2. Data minimisation by default. Verification should confirm the narrowest fact necessary (“yes, this person is eligible”) rather than returning a rich identity payload every time.
  3. Independent oversight. An empowered, genuinely independent data-protection authority that can audit and penalise misuse across both government and private users of the rails.
  4. Transparency on private access. As authentication opens to private entities, the public deserves to know who has access, to what, and under what limits — the 2025 direction makes this urgent rather than academic.
  5. A real right to say no. Alternatives to identity-linked verification must survive, so that consent means something and dependence never hardens into compulsion.

India did something the world genuinely admires, and the admiration is earned. The point of watching the danger is not cynicism about the achievement; it is the opposite — a wish to protect what is good about it from the oldest move there is. These systems consume resources and attention and trust the way every large infrastructure does, from the data centres behind modern AI down to the hidden water cost of AI; the least we can do is keep our eyes open about who ends up owning the ledger we all now live on. The convenience is worth having. The capture is worth refusing. The difference between the two is being decided now, while the terms are still ours to write.

Kenney Jacob is the author of Captured, a history of who takes, who pays, and who fights back.

Frequently asked questions

What is Digital Public Infrastructure (DPI)?

Shared, open digital rails a whole country can build on — in India, chiefly Aadhaar (identity), UPI (payments) and the data-sharing layer that connects them. It dramatically lowered the cost of verifying who you are and moving money.

Is Aadhaar safe and private?

The system is genuinely useful and has strong uptime, but privacy risk comes from linkage: when identity, payments and services are tied together, they create a detailed behavioural record. The 2025 opening of Aadhaar authentication to private companies widened who can query that record.

How is UPI related to surveillance?

UPI is brilliant for payments, but every transaction is data. Aggregated across a billion people, it becomes a map of what everyone buys, where and from whom — valuable to whoever can access it, which is why the governance question (who sees it, and under what limits) matters as much as the technology.

← All articles