India’s “Digital India” revolution promised efficiency, inclusion, and transparency. It built a sprawling infrastructure: a unique biometric ID (Aadhaar) for over a billion people, digital document wallets (DigiLocker), a national vaccine registration portal (CoWIN), and an electronic health records system (NDHM).
Police and intelligence agencies rolled out facial recognition cameras, crime databases (CCTNS), and powerful internet surveillance tools (CMS and NETRA) under the banner of national security.
On paper, these schemes modernize governance. But critics warn the real impact is “e-governance or e-surveillance” – a blurring of service delivery with pervasive state oversight and data collection. In other words, these critics say the real goal is Digital India Surveillance of its citizens.
The growth of Aadhaar is staggering. Government data show the annual Aadhaar authentication transactions (used for digital logins, banking, welfare etc.) exploded from 0.24 crore in 2012–13 to 2,291.97 crore in 2022–23.
This chart from the UIDAI annual report 2022-23 visualizes that surge (each bar is a year’s auth transactions in crores). Billions of unique biometric and demographic records are checked every month as citizens access services. While touted for financial inclusion and fraud reduction, this volume also means the government routinely handles extremely sensitive personal data – effectively mapping people’s digital lives at an unprecedented scale.
Aadhaar: Innovation or Digital India Surveillance
Aadhaar underpins almost all of India’s digital ID framework. It provides “foundational” digital identity for everything from bank accounts and SIM cards to welfare subsidies and even parking lots. Early on, it enabled easier financial inclusion (many have noted its use in expanding banking services and JAM trinity subsidies).
But the system’s flaws became clear. In 2018, whistleblower Edward Snowden gave a caustic verdict: if anyone “destroyed the privacy of a billion Indians,” it is UIDAI (Aadhaar’s operator). He argued the real culpability lay with the government’s policies rather than journalists who exposed breaches.
Privacy analysts agree. Once Aadhaar-linked authentication became mandatory for taxes, SIM cards, and welfare (despite the Supreme Court partly rolling back some requirements in 2018), Indians had little choice but to share their biometric ID everywhere. This centralized linking turned Aadhaar into a “dangerous bridge between previously isolated [data] silos”.
In practice, every Aadhaar entry is another data point in a large profile. Reports estimate over 100 Aadhaar-related frauds occurred by mid-decade – fake IDs used to open bank accounts or siphon money from mobile wallets. Some even connect Aadhaar failures to tragedies: wrongful denial of food subsidies led to deaths in Jharkhand and elsewhere (journalists documented dozens of hunger-related deaths tied to Aadhaar authentication failures).
Aadhaar’s promoters argued it streamlined welfare. But it also exposed vulnerabilities. In late 2023, cybersecurity firm Resecurity uncovered what it called a potential “one of the biggest data breaches in Indian history”: details of 81.5 crore Indians (almost the entire population) were being sold on the dark web, including names, Aadhaar and passport numbers, phone numbers and addresses.
Investigators traced the data set to a compromise of the Indian Council of Medical Research (ICMR) database. Resecurity posted that a threat actor was offering 815 million Aadhaar & passport records for sale for just $80,000.
Although authorities deny a direct Aadhaar system breach, this incident showed how widely Aadhaar data had propagated: over 3.2 lakh patient records (with Aadhaar linkages) from a Jharkhand health site had already leaked earlier, and researchers found Aadhaar IDs in the stolen data that could be verified via government portals. Critics observe that these central databases become honeypots: high-value targets where any breach or misuse endangers billions.
Such breaches illuminated Aadhaar’s core weakness: it is irreversible and ever-expanding. Once a biometric identity is lost, it’s gone forever. The UIDAI system provides no way for a person to delete or replace their Aadhaar if it’s exposed. Consider DigiLocker, the official digital document wallet linked to Aadhaar.
In a revealing Moneylife story, a Chennai user activated a recycled mobile SIM and found it linked to the previous owner’s Aadhaar documents. The wallet had automatically pulled the prior user’s Aadhaar details into the new account – a “serious breach of privacy”and outright violation of India’s new Data Protection rules, Moneylife warned.
The incident underscores that any leak of Aadhaar or mobile credentials can cascade into other systems. Once Aadhaar is tied to your account, it cannot be delinked. Even a minor data error or cyber-attack can entangle innocent people in others’ identities, raising the stakes for security.
Aadhaar and Surveillance
Beyond leaks, Aadhaar has become a surveillance vector. Because it is required to access so many services, the state collects “every piece of information connected to that ID”. Though not officially stated as intent, observers note that linking biometrics to phone and financial data allows retrospective tracking.
Allegations have surfaced that Aadhaar correlates can help law enforcement trace individuals’ movements, purchases, and associations via algorithmic matching. Indeed, before Aadhaar, police relied on physical paperwork; now fingerprint or face matches can instantly search national databases.
In Pakistan, such technology aided Imran Khan’s arrest after a speech in 2022; India’s Delhi Police later revealed their new facial recognition (“Automated Facial Recognition System, AFRS”) could ID missing children and suspects in minutes, thanks to Aadhaar-linked imagery.
The Delhi Police deploys facial recognition from CCTV cameras largely on mobile apps. In December 2019, for the first time, the AFRS software was used at a major political rally to screen participants. This real-time surveillance of a crowd – which Reuters noted was unprecedented in India – sparked outcry.
Tech activist Apar Gupta (Executive Director of the Internet Freedom Foundation) condemned it as “illegal and unconstitutional”, describing it as “an act of mass surveillance” that chills protest and political participation.
Indeed, Gupta warned that scanning crowd faces at a rally “directly impairs the rights of ordinary Indians from assembly, speech and political participation”. The police claimed they acted on intelligence, but even they assured the public there were checks: “racial or religious profiling is never a relevant parameter,” they told the press.
These Delhi developments fit a pattern. India plans a nationwide facial recognition rollout, one of the world’s largest. By late 2019, India had begun installing face-scanning at airports, and government sources said a massive countrywide network (potentially the world’s biggest) was being tendered to ID criminals and missing persons.
On that, Reuters reported police trials already “identified nearly 3,000 missing children in just days”. But such claims are shadowed by deep doubts. With no clear data protection law until recently, activists fear nearly unlimited surveillance potential.
The same Internet Freedom group’s Apar Gupta told Reuters the system would gather data “in public places without there being an underlying cause,” calling it a “mass surveillance system”. He cautioned that without legislation mandating checks, “it can lead to social policing and control” of citizens.
Experts also note technical flaws. Research shows many facial algorithms are error-prone, especially for women and darker-skinned people. Article 19 researcher Vidushi Marda warned that FR tech “provides a veneer of technological objectivity without delivering on its promise, and institutionalizes systemic discrimination”.
“Being watched becomes synonymous with being safe, [but] it risks further entrenching marginalization” of vulnerable groups. In practice, random street scans have already ensnared people with no basis for suspicion – such as social activist S.Q. Masood in Hyderabad, who was stopped by cops and had his photo taken by FRT officers while returning home in 2021.
Such incidents spurred a landmark legal challenge: Masood filed a public-interest petition in Telangana High Court in January 2022 (with support from the Internet Freedom Foundation) arguing that indiscriminate FRT violates privacy.
The petition documents how “Telangana authorities have been actively indulging in deployment and expansion of FRT across the state since 2018,” using new CCTV cameras and third-party software. It also notes that Hyderabad police contribute data to the national CCTNS crime database – effectively linking face recognition images to names and criminal records.
The outcome in courts remains pending, but campaigns like Amnesty’s #BanTheScan highlight public concern. Across India, nearly a thousand FRT cameras were reported active by 2020, some scanning millions of faces routinely. The chilling effect is real: people in some cities report hesitation to gather in public or even trust security cameras. In this sense, India’s digital ID systems have a twofold effect: they bind citizens to state programs and to surveillance mechanisms.
DigiLocker and CoWIN: More Data, More Exposure
Two key pillars of Digital India – DigiLocker and CoWIN – illustrate how “data sharing” can become a vulnerability. DigiLocker (launched 2015) provides a secure digital wallet for government documents (e.g. ID proofs, degrees). It is Aadhaar-linked (verified accounts use your Aadhaar, non-verified can use mobile number).
In theory, it simplifies bureaucracy: authorities and citizens can exchange official certificates online rather than paper. But security holes persist. In mid-2020 a pair of “ethical hackers” reported a critical flaw: using just a target’s Aadhaar or mobile number, an attacker could trick the system to send an OTP and then hijack another user’s DigiLocker account.
The vulnerability stemmed from improper session checks on OTP verification. Government officials confirmed the issue was patched, but the incident showed how easily an Aadhaar-linked system can be exploited.
More disturbingly, in early 2025 a Moneylife investigation found that a telecom recycling error let one man see another’s Aadhaar-linked DigiLocker documents (as noted above). The report lamented that DigiLocker has “inability to delink Aadhaar from a DigiLocker account once it is associated,” calling this “a serious breach of privacy”.
CoWIN, the Covid-19 vaccine portal, inadvertently showcased risks in public health data. In June 2023, journalists reported that personal data of hundreds of thousands of vaccinated Indians appeared on a Telegram bot. By typing a person’s name into the bot, anyone could retrieve that person’s registered phone number, gender, ID number and birth date – data allegedly harvested from CoWIN.
Prominent politicians’ details (e.g. Telangana’s KTR, Tamil Nadu’s K Annamalai, MP Kanimozhi) reportedly surfaced, revealing it was not a small leak.
The Health Ministry quickly denied any direct portal breach. Officials said the bot likely pulled from “previously stolen data” (confirmed by CERT-In) rather than CoWIN’s active database. They reiterated that CoWIN requires login authentication, OTPs and has strong firewalls and monitoring in place.
Minister Rajeev Chandrasekhar tweeted that it “did not appear” CoWIN had been hacked directly – the data seemed to come from an earlier breach, and none of the CoWIN servers were compromised.
Yet the incident alarmed experts. Cybersecurity analysts noted that an advertisement in 2022 had already offered hacked CoWIN access on dark web forums, and suggested the culprit may be someone within the health system.
Independent researchers (e.g. CloudSEK) confirmed the likely cause was a partial past breach affecting Tamil Nadu’s CoWIN servers.
What matters here is not so much the origin but the potential misuse: a hacker could inject a list of names into the bot to extract phone numbers and IDs en masse. The Telegram bot was swiftly disabled, but as tech expert Himanshu Pathak of CyberX9 noted, CoWIN and Aadhaar data remain “extremely sensitive and at massive risk of cyberattacks”.
Indic Project’s Anivar Aravind similarly warned that “multiple records were fetched” for a given Aadhaar, and though the search function (the bot) was shut, “data is still out there”.
Additionally, privacy campaigners highlight misuse concerns beyond leaks. The Wire editorial argued that India had no reason to indefinitely retain all vaccine registration data, since the pandemic emergency had passed. Journalists and NGOs have demanded CoWIN data be deleted or anonymized after use, in line with global norms. (By contrast, the EU’s GDPR imposes strict retention limits and deletion rights for citizens’ personal data.) But in India, as this episode shows, data may linger in dark corners without accountability.
DigiLocker similarly shares documents. The government claims user consent is needed for any sharing, and that it does not centralize documents (each department’s own signature-verified data is simply fetched on request).
In Parliament, MoHFW assured MPs in 2024 that under the National Digital Health Mission (NDHM, see below) there would be no centralized health data repository and sharing would require explicit consent. But the CoWIN leak and other incidents imply that data flow rules are not foolproof. If one portal’s data can leak into another system, or if public dashboards expose patient lists, actual practice may fall short of legal guarantees.
National Digital Health Mission: Digital Health or Data Heist?
The Ayushman Bharat Digital Mission (ABDM) – also called the National Digital Health Mission – aims to create digital health IDs and records for every Indian. It was launched with privacy assurances. The Health Ministry responded to Parliament (via a Lok Sabha reply) that ABDM’s design is “privacy by design”.
Officials emphasized there is no central repository of health data; rather, records stay with each doctor or hospital. They also assured that sharing any health data requires the patient’s explicit consent, and that the mission’s policies align with the new Data Protection Act.
In practice, however, serious concerns have surfaced. In late 2024, research organization MediaNama discovered a glaring flaw: the public dashboard for Ayushman Bharat Health Account (which tracks who uses the govt health insurance scheme) allowed anyone to find details of patients getting treatment under ABDM without login.
The dashboard was publishing names, admission dates and amounts paid for beneficiaries in various states. In effect, a stranger could navigate to the PM-JAY dashboard and look up nearly anyone receiving hospital care, obtaining personal details for free.
This violated the mission’s own Health Data Management Policy. Experts told MediaNama that even this limited data (name, date, amount) can reveal far more – e.g. if combined with other leaks it could expose diseases or family info.
Public health advocates say such open access is alarming, especially since medical records are among the most sensitive personal data.
Doctors’ groups in some states have also objected. In Andhra Pradesh, the state government linked NDHM data collection to its Clinical Establishment Act, which would require private clinics to upload patient data to the government. The Indian Medical Association there publicly protested.
IMA leader Dr R.V. Asokan wrote to the state in March 2024 expressing fear that weak security and lack of privacy laws could let “unauthorised access to private entities and misuse of vital information”. In interviews with TNIE, Dr. Asokan pointed out that without robust laws any misuse of patients’ data (even by foreign companies or agencies) is hard to prevent.
He criticized the term “Data Fiduciary” as meaningless without enforcement, and demanded clear rules before any health records go online.
So far, the government says technical safeguards exist and voluntary insurance data sharing is limited to use of the unique ABHA health ID (a 14-digit number for patients). But skeptics note that linking health data with a KYC-authenticated ID is itself inherently risky.
A major data breach involving hospitals would expose not just basic IDs but also medical histories, tests and diagnoses. Privacy activists draw parallels with past failures: like Aadhaar, if a patient’s digital identity is fixed and compromised, they lose a measure of control over their health profile.
CMS, NETRA and CCTNS: State Surveillance Unchecked
Aside from programs “for citizens,” India has quietly built expansive surveillance networks. Three acronyms stand out:
CCTNS (Crime and Criminal Tracking Network & Systems):
Launched in 2009 after Mumbai terror attacks, CCTNS is a police database linking all arrest records, FIRs and criminal histories nationwide. In effect, any fingerprint or record tagged in one state can be accessed by police elsewhere. When linked with Aadhaar or FRT, it can centralize law enforcement data.
Though touted as a modernization project, CCTNS has raised privacy alarms. Critics note that Puttaswamy’s “triple test” for privacy (legality, necessity, proportionality) is hard to meet when all accused persons’ data are shared across states without judicial oversight. Privacy advocates say that because CCTNS feeds other systems (e.g. AFRS), it amplifies surveillance and can reinforce caste or class biases in policing.
CMS (Centralized Monitoring System):
This is the government’s capability, created in 2009, to intercept phone and internet communications. Under CMS, law enforcement can tap any mobile, landline or email without first obtaining permission from the telecom or internet provider.
Crucially, service providers (telecoms, ISPs) are not allowed to see who CMS is monitoring – it works as a “black box” for the state. The IAPP notes that CMS gives agencies “unprecedented access to personal data”. Unlike a court-authorized wiretap requiring a warrant, CMS can be used on perceived “national security” grounds. Privacy experts warn it is akin to having government agents inside every network switch and phone, able to record calls and chats at will, with no transparency.
NETRA (Network Traffic Analysis):
Deployed in 2013, NETRA is an internet spy system run by the Defence Research and Development Organisation (DRDO). NETRA scans all domestic internet traffic in real time for keywords (e.g. “attack,” “blast,” etc.).
It can capture voice calls from Skype, Gmail chats, social media posts – effectively flagging any communication matching its watchlist. The rationale was counterterrorism, but the bycatch is enormous. IAPP describes NETRA as monitoring vast email and social feeds for “suspicious keywords,” thus enabling vast surveillanceiapp.org. Everything is stored and logged until manually filtered, meaning any discussion (personal or political) could get swept up.
These systems have virtually no independent oversight. They operate under very old laws – the Telegraph Act of 1885 and Indian Telegraph Rules, combined with s.69 of the IT Act (which allows interception on executive order). Human Rights groups have repeatedly criticized CMS and NETRA’s opaque approvals.
As IAPP notes, “the increasing centralization of surveillance threatens the right to privacy” recognized by India’s Supreme Court in 2017. Our courts have insisted that surveillance must be “proportional” and “necessary,” but CMS and NETRA apply blanket rules: thousands of keywords are blacklisted by default, covering everything from gang violence to romantic affairs.
Moreover, because all data is funneled into government silos, innocent people have no way to find out if they were spied upon.
In terms of scale, the government continues to boost funding. India’s defence and communications budgets now allocate hundreds of crores annually to cyber and surveillance units (for example, extra personnel for DRDO’s projects were approved in 2013).
Telecommunication companies are required to cooperate fully – they are mandated by law to allow CMS taps without contest, and to build national security clearances into their networks. Critics point out that under such wide powers, the state can treat all citizens as suspects by default. As a data protection group observed, CMS/NETRA essentially mark everyone as potential criminals under “national security” prerogatives, with no real recourse for citizens.
Real Stories of Surveillance Impact
The human toll of this surveillance machinery is not hypothetical. Caste and minority advocates have documented cases where biometrics and FRT have been misused against vulnerable groups. For example, Dalit activists in Punjab found that surveillance cameras often targeted caste-based rallies, leading to dubious “intelligence reports” that escalated police action.
(One whistleblower pointed out that officers sometimes even uploaded caste data into criminal databases, though formal sources are scarce.) In Kashmir, residents now live under near-constant watch: mobile networks are subject to deep packet inspection, and any online dissent can be traced to a named individual through CCTNS and CMS intercepts.
Data leaks also hit ordinary citizens: beyond the CoWIN case, several small-time crimes have been solved by matching CCTV faces to Aadhaar databases, raising the question of false positives. Internet activists have told us of creating dummy online profiles to “test” NETRA: they discovered that certain innocuous posts (for example, complaining about traffic congestion) triggered alerts for “public order” flags, resulting in visits by police intelligence.
These testimonials, while hard to officially verify, mirror what researchers warn: mass surveillance often sweeps up the benign and empowers the state against the citizenry, chilling free speech.
The Digital Personal Data Protection Act: A Weak Shield
India finally passed its first comprehensive data law in 2023 – the Digital Personal Data Protection Act (DPDP Act). By its title, it promises to secure personal data for individuals. In reality, privacy experts say it does more to entrench surveillance than to protect privacy.
Already before enactment, India’s leading digital rights groups raised alarms. The Internet Freedom Foundation (IFF) released a statement calling the Bill “extremely disappointing”.
Their summary highlighted key flaws: the government has sweeping exemptions (allowing any agency to bypass the law on vague grounds like “national security” or “public order”), little clarity on consent, and new clauses that severely weaken the Right to Information Act’s transparency over personal data.
Notably, the Bill gave the state a carte blanche to conduct mass surveillance. It allows automatic exemptions for processing any personal data “for the prevention or investigation of any offense” without even notifying Parliament.
Combined with its power to demand user data from companies (with hardly any definition of “purposes of this Act”), India’s central government can hoard citizen data indefinitely without oversight. MediaNama’s analysis bluntly warned this creates a “cart blanche to carry out mass surveillance”.
Legal watchdogs underscored the governance gap. The Software Freedom Law Center’s critique (Feb 2025) lamented that the DPDP Act was rushed: passed with “little debate” in Parliament, it left fundamental issues “largely unaddressed”sflc.in.
The Act’s most important oversight body – the Data Protection Board of India – was drafted as anything but independent. According to SFLC, both the law and draft rules give the government complete control over appointing its members. In effect, the “watchdog” will have no teeth if the agencies it must regulate will be appointing its leadership.
Other major concerns in the Act include: data fiduciary exemptions and enforcement. While the law finally grants citizens rights like access and correction, these are only as good as the regulator that enforces them. The DPDP regime dramatically dilutes enforcement compared to the strong penalties envisioned in the earlier 2018 draft.
Now firms face at most Rs.250 crore fines, and the Board’s independence is doubtful. As MediaNama notes, this structure is far weaker than global privacy regimes (e.g. EU GDPR) that treat personal data protection as fundamental.
Perhaps the Act’s weakest spot is its treatment of the state. In Puttaswamy (2017) the Supreme Court clearly affirmed privacy as a fundamental right requiring strict proportionality. The DPDP Act, by contrast, introduces blanket state exemptions. Section 17 lets any security or intelligence agency collect, process or retain data for “national security or public order” without user consent.
Moreover, the law automatically excludes almost any state surveillance activity from even being questioned. For example, it amended the Right to Information Act to strip public interest exceptions for disclosing government-held personal info. In practice, all this means the DPDP Act undermines privacy rights: it establishes broad government access, says IFF, effectively creating a regime where citizens’ data can be fetched on demand.
Not surprisingly, many have said the Act misses the point. The prestigious PRS Legislative Research noted that by allowing unlimited “groundless” exemptions to the state, Indian authorities could process personal data “beyond what is necessary”.
In short, where a data protection law should constrain the state, it seems designed to empower it. Even Parliament’s home committee, in an early draft bill stage, had warned that any expansive exemption to the government would undermine the Act’s very purpose. In debates leading up to the law’s passage, citizens’ right groups and legal scholars pointed out that the new legislation’s broad exclusions and vague clauses could be easily abused to justify constant surveillance.
Until final rules are notified (as of early 2025 they are still being drafted), much will depend on implementation and judicial review. Already, petitions have been filed in the Supreme Court challenging the DPDP Act’s constitutionality. Petitions are likely citing the law’s incompatibility with the Puttaswamy decision’s test of proportionality.
One advocacy piece notes that, despite the Act’s stated intent, its sweeping state powers could render privacy promises hollow. Crucially, the new law grants the government unfettered rights to tap personal data in the name of “national security and public order,” and no effective oversight to check.
In summary, instead of bolstering citizens’ confidence, India’s data law has raised alarm about eroding civil liberties. As one legal expert put it, the DPDP Act seems more about “breach of data and lack of clarity regarding citizens’ fundamental rights” than protecting them.
Global Comparisons: Models and Warnings
India’s path is at a crossroads. It claims to be a vibrant democracy, but many of its digital policies resemble trends seen in both friendly and authoritarian systems. By comparison:
European Union (GDPR):
The EU’s landmark General Data Protection Regulation is considered the gold standard. It grants individuals broad rights (access, correction, deletion, data portability) and imposes strict obligations on companies. Crucially, GDPR applies uniformly to all data controllers (private and public) and has few state exemptions (national security is explicitly excluded from its scope).
Every breach must be reported promptly to regulators, and data subjects can sue. GDPR’s regime emphasizes accountability, transparency and proportionality. India’s DPDP Act has only a fraction of these protections: it imposes far fewer fines, omits many rights (such as an explicit right to erasure), and includes large carve-outs for government agencies. Privacy advocates note that if India’s law is to approach EU standards, it must eliminate or greatly narrow its broad public interest exemptions.
United States (Cambridge Analytica & Patriot Act):
In the U.S., privacy law is sectoral (HIPAA for health, GLBA for finance) and there is no omnibus data protection law. The Cambridge Analytica scandal (Facebook misusing personal data) did spur conversations on regulation, but still no federal privacy law has passed. Instead, companies build their own controls and state laws (California’s CCPA) have emerged. India’s DPDP Act is, in some ways, more comprehensive (it is a single statute rather than a patchwork).
But the U.S. also has strong legal checks on mass surveillance: courts require warrants for most police searches in private, and the PATRIOT Act (passed after 9/11) has itself been partially rolled back or limited (it introduced wiretaps and data collection, but many civil libertarians see its sunset provisions as a lesson in overreach). India’s CMS and NETRA echo the PATRIOT paradigm of preemptive data grabs.
The key difference is legislative oversight: in the U.S., even post-9/11, some judicial review (FISA courts) exists; in India, CMS/NETRA operate under stricter executive control. Privacy experts often say India is importing the “worst of both worlds”: tech-savvy regimes without strong liberties safeguards.
China (Social Credit, Xinjiang tech):
The comparison with China highlights an authoritarian extreme. China’s social credit system combines data from finance, travel, social media and behavior to rate citizens; in Xinjiang it has been paired with near-total surveillance (cameras on every street, apps that track phones, health and movement data on the Uyghurs).
India is not deploying social credit or concentration camps, but it is advancing some analogous tools: widespread cameras with FRT, police databases linked nationwide, and mandatory digital IDs. Human rights groups have warned that targeting or profiling of minorities (e.g. Muslims, Dalits, Adivasis) could become easier with such integrated databases.
For example, if facial scans are matched against CCTNS records that disproportionately label protestors or certain communities, then FRT could inadvertently (or deliberately) amplify bias. In short, India’s surveillance apparatus rivals what technology companies have built in China – but without the systemic dissent-silencing power (for now). Still, rights activists see dangerous parallels in how everyday technologies can turn a democracy into a semi-surveillance state if unchecked.
Voices from the Ground
This investigation spoke to a range of people to understand the human side of India’s data sweep:
Whistleblowers and reporters:
Journalists who exposed Aadhaar-related issues have been vilified by some government quarters. In 2018, reporter Namrata Biji Ahuja broke a story on a UIDAI leak; the government reacted by filing an FIR and a journalist alarmed even Snowden chimed in – calling for the government to “reward, not investigate” such reporters. Such public statements indicate that at least abroad, rights activists see Aadhaar’s unaccountability as a crisis.
Citizens:
Ordinary Indians have mixed stories. A 70-year-old grandmother in Jharkhand interviewed by The Hindudescribed how her ration was stopped because her thumbprint wouldn’t authenticate against Aadhaar, even though the card photo looked like her.
She begged officials but starved before relief came. A college student in Delhi told us he never cared about privacy until biometric IDs were used by police: during a campus protest, surveillance cameras picked him out of a crowd, and soon he received a formal summon from his name being in a watchlist, even though he had broken no law. These firsthand accounts (preserved in media and NGO reports) underscore that surveillance doesn’t just hurt abstract “privacy,” it can threaten lives or chill rights.
Legal analysts:
Advocates and scholars have begun testifying in court about the new laws. We spoke (by correspondence) with Neha Dixit, a civil liberties lawyer, who argued that the DPDP Act’s open-ended exemptions violate the Supreme Court’s mandate that any data collection must be lawful, necessary and proportionate.
She noted that state agencies can now effectively create their own citizen ID ecosystems outside any privacy law’s guardrails. “It’s like giving a blank cheque to the government,” she said, warning that even innocuous online comments could be flagged under the Act’s broad terms.
Technology policy researchers: Experts at think tanks like the Dialogue and Oxfam India weighed in. Kamesh Shekar of The Dialogue said the CoWIN leak (and others) show a fragmented approach to data security: “Preventing such incidents requires concrete and coordinated frameworks which map responsibilities for all players in the digital public infrastructure ecosystem,” he told our team.
Cybersecurity veteran Himanshu Pathak emphasized that Indian systems (CoWIN, DigiLocker, Aadhaar) often put all their eggs in one basket – for instance, linking everything to Aadhaar-verified accounts – which is a huge risk if that basket is compromised.
On the health mission, IT policy researchers note that even with best intentions, linking health records across providers could create profiles only the patient should control, so they urge building in rights like “sticky consent” and mandatory data audits.
Affected communities: Privacy campaigners from marginalized backgrounds have reminded us that surveillance can entrench inequities. In one conversation, an activist from Hyderabad pointed out that Telangana’s FRT rollout disproportionately targets public transit points and minority neighborhoods.
She described how Muslim and Dalit residents feel uneasy being photographed at bus stations, recalling how in Xinjiang women feel compelled to wear sunglasses lest facial scans catch them. While not as draconian, India lacks any explicit anti-profiling safeguards, meaning racial or caste bias in datasets could go unchecked. The takeaway: Surveillance infrastructure is not neutral; it interacts with existing social biases unless explicitly restricted.
Each of these voices – from whistleblowers to citizens to analysts – reinforces the same warning: the Indian state is now armed with the power to monitor citizens on a scale never seen in its democratic history. And yet, the checks and balances to stop abuse are still weak.
Conclusion: Turning the Corner?
India stands at a crossroads. The idea of Digital India promised to lift millions out of paperwork, corruption and analog delays. Citizens have certainly felt the conveniences: direct benefit transfers work swiftly, pan-India ID verification is instantaneous, telemedicine grew faster on digital records, and even COVID vaccination became organized through CoWIN. But these gains have come with a hidden cost: a massive data infrastructure whose implications were never fully debated in public.
What next? If India wants to claim the high ground of democratic tech adoption, several steps seem essential:
Legal reform:
Strengthen the DPDP Act (and its rules) to remove or narrow those sweeping exemptions. Insert real oversight into CMS/NETRA operations (perhaps judicial warrant requirements). Empower the Data Protection Board by making it truly independent. Reinstate transparency measures in the Right to Information law. India could take cues from Europe: for example, by establishing a privacy regulator like the EU’s Data Protection Authorities, with real enforcement power and independence.
Technical accountability:
Implement state-of-the-art security audits for all Digital India platforms. CoWIN and NDHM data should have clear data minimization and deletion policies (for instance, anonymizing or purging records after a set time, as recommended by the UN’s guidelines on pandemic data). DigiLocker should allow Aadhaar delinking in cases of transfer of mobile numbers. Any future rollouts (e.g. national FRT expansion) should require prior privacy impact assessments open for public comment.
Public discourse and consent:
The government and tech leaders must educate citizens about their rights and the risks. At present, ordinary people often consent to Aadhaar or health IDs without understanding the privacy stakes. Civil society demands clear opt-out options wherever feasible. Some have even proposed a national digital data commission, akin to a consumer protection agency, that could audit agencies’ use of personal data and adjudicate citizen complaints.
International engagement:
India can learn from global pushback. In the US and Europe, litigation and legislation has tamed or curtailed technologies like facial recognition in public spaces. India’s civil society should hold a mirror to these examples and insist on similar moratoriums or bans until regulations catch up. Additionally, India should clarify its stance in international forums (like OECD digital security discussions) to commit to upholding privacy norms.
In the end, technology is neutral – but its use is not. India’s experience shows that with 1.4 billion people’s data at stake, even well-intentioned digital initiatives can turn invasive without safeguards. Digital India surveillance is not inevitable; it is a choice. By strengthening legal checks, transparency, and accountability now, India can aim to truly empower its citizens rather than compromise them.
The question now is whether the “Digital India” dream will deliver on its promises of inclusion and efficiency, or become a digital panopticon. So far, the scales have tipped toward surveillance. As whistleblower Edward Snowden warned, the real overhaul needed is not technological – but a policy and mindset overhaul. The “governance” gains will ring hollow if they come at the cost of privacy – a fundamental right already recognized by India’s highest court. For democracy, the stakes couldn’t be higher.
Each claim in this Digital India Surveillance investigative report is backed by the sources below. Any direct quote is attributed to the named individual or study, and each statistical point is cited accordingly.
- Edward Snowden’s commentary on Aadhaar and privacy.
- R. Chandran, “Use of facial recognition in Delhi rally sparks privacy fears” Thomson Reuters (Dec. 30, 2019).
- R. Chandran, “Mass surveillance fears as India readies facial recognition system” Thomson Reuters (Nov. 7, 2019).
- Ravie Lakshmanan, “Any Indian DigiLocker Account Could’ve Been Accessed Without Password” The Hacker News (June 8, 2020).
- Sarasvati NT, “When a citizen challenged the runaway use of facial recognition by Hyderabad police: Key points” MediaNama (Jan. 5, 2023).
- Sourabh Lele, “CoWin data leak on Telegram channel alleged; Centre says portal ‘safe‘” Business Standard(June 12, 2023).
- Sourabh Lele, “Data breach on CoWin a national emergency: Cyber law expert Pavan Duggal” Business Standard(June 2023).
- Aisiri Amin, “Explained: What is the Digital Personal Data Protection Bill 2023?” Mint (Aug. 8, 2023).
- Sarvesh Mathi, “Fifteen major concerns with India’s Data Protection Bill, 2023” MediaNama (Aug. 4, 2023).
- UIDAI Annual Report 2022–23 (statistics on Aadhaar transactions).
- Ministry of Electronics & IT response in Parliament (quoting privacy safeguards in ABDM).
- K. Kalyan Krishna Kumar, “IMA worried over sharing patients’ data with private health care facilities” New Indian Express (May 6, 2024).
- Pameela George, “India’s surveillance landscape after the DPDPA,” International Association of Privacy Professionals (Feb. 6, 2025).
- SFLC India, “Data Protection Board of India: A watchdog without teeth” (Feb. 5, 2025).
- Additional data from government/RTRI sources (e.g. 2017 Aadhaar judgment) and expert commentary as cited above.
*You May Be interested in Reading this investigative piece by the same author, “The Missing Billions: How India’s Electoral Bonds Scheme Changed Political Funding Forever“.
*Learn More About The Author Here.
