Public Infrastructure and Private Surveillance in India’s Aadhaar System

As the United States rolls out its long-delayed REAL ID standard, creating a de facto national ID, critics warn that it centralizes personal data and lowers the barrier to state surveillance. In the meantime, India has already built the world’s largest biometric identity infrastructure: Aadhaar. In the name of inclusion, Aadhaar assigns citizens a 12-digit ID linked to fingerprints, iris scans, and facial data. The system has brought millions into the formal economy and expanded access to essential services. But earlier this year, the Indian government opened this infrastructure to select private companies under a new regulatory sandbox. One of them is HyperVerge, a facial authentication firm whose patented technology relies on behavioral data analysis. That decision could well shape the next decade of digital policy across the Global South.

This policy development deserves attention, not because India is becoming a surveillance state, but because it is pioneering a public-private model where commercial AI deployment is integrated into welfare infrastructure. Other countries in the Global South, such as the Philippines, Morocco and Ethiopia, are already using Aadhaar as a model for their own national digital ID systems. Accordingly, it’s not just the system’s technical merits that matter, but whether its governance can ensure accountability as more countries adopt it as a reference point.

Surveillance capitalism, Indian edition?

The American scholar Shoshana Zuboff coined the term “surveillance capitalism” to describe how companies like Google and Facebook monetize user behavior. But India follows a different approach: state infrastructure could enable private actors to extract behavioral and biometric data at scale, with the state’s consent. This distinction is important, as recent concerns in Indian civil society about growing surveillance tend to focus on government overreach. While the state receives much scrutiny, private actors are increasingly able to profit from citizens' personal data; a development which is largely overlooked in current discourse.

While Aadhaar was originally conceived as a tool to streamline welfare delivery, its architecture was designed with future expansion in mind. Over time, it evolved into a quasi-mandatory infrastructure layer, used for banking, telecom access, and now AI-enabled verification. Aadhaar has received praise as one of the world’s most sophisticated ID systems but it has faced criticism after a series of data breaches, among other privacy concerns. In January 2025, the Indian government started allowing private companies to access Aadhaar's infrastructure. This turns a welfare mechanism into a potential site for behavioral data extraction.

HyperVerge and the new politics of facial data

One of the companies providing identity authentication services connected to the Aadhaar database is HyperVerge, which I examined in a recent working paper. A HyperVerge blog post describes the use of both supervised and unsupervised machine learning models to analyze customer behavior and improve predictive accuracy and highlights the role of data mining in improving fraud detection. It emphasizes its ability to identify 'unusual behaviour in data' and anticipate fraud by uncovering hidden patterns.

Another of its key services include facial authentication. In 2023, the company filed a patent called “Method and System for Image Recognition,” which specifies that the technology uses neural networks to match faces with corresponding Aadhaar entries and detect image tampering. The company’s privacy policy states that “HyperVerge generates two scans of the user’s face” and that it “stores personal information for such period as is contractually required by the client”. Furthermore “HyperVerge may use the user’s personal information to train HyperVerge’s models.” This demonstrates how HyperVerge systematically collects, stores and profits of user data.

Consent in theory, ambiguity in practice

A key question is whether, in practice, individuals understand the connections and chain of custody of their information when they interact with systems connected to Aadhaar. For instance, HyperVerge relies on client institutions to obtain user consent before biometric data is used for model training. While this may fulfill legal obligations, it obscures the lived reality: most users will be unaware that their information be processed by third-party AI vendors.

This can be better understood through a hypothetical yet very possible real-life situation. Let’s say you as an Indian student wish to open a bank account. You go to a major public-owned bank, who then requests you to verify your identity through facial authentication. Eager to start your independent life as a young adult, you happily agree to whatever terms they asked you to sign. You walk out of the bank and some time later start using your new card. Throughout this whole process, you were never truly made aware that a company like HyperVerge collected your personal data. And HyperVerge is not alone. Fintech companies like Hero FinCorp and Leegality, enabling e-signatures for documents, are also using Aadhaar for verification purposes. India’s consent framework is advanced on paper through systems like DEPA and the Consent Artifact. However, this rarely benefits those with limited digital literacy. While consent might technically have been given, a large section of the population will not have exercised any real agency in giving over their data. Still, there are reasons to hold off on making alarmist conclusions.

Corporate access to Aadhaar’s authentication layer remains controlled, as a result of a 2018 Supreme Court ruling protecting Indian citizens’ constitutional right to privacy. In a recent conversation, digital identity expert Ritul Gaur clarified that over half of Aadhaar authentications are still conducted by the government, rather than by private companies. The regulatory sandbox launched in January this year only allows select firms to apply for access. Vetting requirements are overseen by the Ministry of Electronics and Information Technology (MEITY) and the Unique Identification Authority of India (UIDAI).

A global template in the making

As India’s Aadhaar system is exported and implemented in many other countries in the Global South, this raises significant questions. The most immediate risk, according to Gaur, is not the overreach of AI surveillance, but its underperformance. In contexts where face-authentication fails due to technical limitations such as poor cameras, lack of lighting or unreliable internet, users are denied access to essential services. Thus, states will need to prioritize expanding capacity and building a real digital ecosystem to best service their populace. Yet paradoxically, if the technology becomes too effective and ubiquitous, it could lead to pervasive state-corporate surveillance. To avoid this double bind, countries must avoid the mistakes of the past, such as attempting to make one form of authentication mandatory. Safeguards should be incorporated early: limits on data retention, deletion of authentication logs, and independent audit systems.

India’s Aadhaar system remains one of the most ambitious and impactful public tech platforms in the world. It has delivered real benefits. But as its role expands, its governance must evolve. If private-sector integration becomes normalized without rethinking consent and privacy frameworks, Aadhaar may set a global precedent in how surveillance is legitimized through public infrastructure.

India now has the opportunity to set the global standard for ethical digital ID governance. But what’s at stake is not just privacy, nor even state overreach; it is the quiet rise of private surveillance, embedded in systems built for public service delivery. If such a model were to spread without strong safeguards, access to essential services could increasingly depend on how well privatized systems perform, and how much behavioral data they are able to extract.