
India's Aadhaar App Has a Silence Problem: Your Identity Is Being Read and You Will Never Know

The new Aadhaar App, launched by the Unique Identification Authority of India, promised citizens something they never had before — control over their own identity data. Selective sharing. Consent-based verification. Digitally signed credentials. A privacy-first design for 1.4 billion people.

The headlines were generous. The applause was deserved. The gaps, however, are significant.


The QR Code That Never Forgets — But Never Tells You Either


Every Aadhaar card carries a QR code. Every e-Aadhaar PDF does too. So does every PVC card ever issued.

That QR code contains your name, address, photograph, date of birth, gender, and contact details — all digitally signed and permanently embedded. It does not expire. It cannot be refreshed. It carries no scan counter. It sends no alert when read.

Someone who photographed your Aadhaar card three years ago is holding a fully valid, infinitely reusable copy of your identity data today.


Scanned in Mumbai. Scanned Again in Kolkata. You Will Not Know Either Time


When a hotel desk scans your Aadhaar QR today, no record of that event reaches you. When the same code gets scanned again tomorrow by someone else, the system does not notice. The hundredth scan is treated identically to the first.

UIDAI confirmed this directly in its own documentation. The app does not capture location. No scan history exists for static QR reads. No notification mechanism reaches the identity holder. No audit trail is accessible to the citizen.

Your identity can be read silently, repeatedly, and indefinitely. You will never know it happened.


Consent Exists — Just Not When It Matters Most


The new Verifiable Credential flow inside the app does require active citizen approval before any data moves. An OVSE (Offline Verification Seeking Entity) generates a session QR. The citizen scans it, reviews the request, and approves or declines. This is good design. This is meaningful progress.

But the moment a physical Aadhaar card appears — or a printed e-Aadhaar, or an older mAadhaar screen — the consent layer vanishes entirely. Any QR scanner, registered or not, can read that data. No permission is sought. No record is created. No limit applies.

The regulated ecosystem and the unregulated reality exist side by side. And in most real-world interactions across the country today, the unregulated version is still winning.


Twelve Scans in One Day. Zero Alerts Sent.


Picture this. The same person's Aadhaar QR gets scanned twelve times across four cities in a single afternoon. Under the current architecture, this pattern is completely invisible. No system flags it. No alert reaches the citizen. No OVSE is questioned.

There is no rate limiting. No geo-fencing. No anomaly detection. No step-up authentication triggered by unusual frequency. The system has no concept of suspicious scanning behavior because it has no memory of scanning behavior at all.
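The frequency and geography check that this section says the architecture lacks, shown as an added illustration rather than code from UIDAI or the Aadhaar app: it assumes a hypothetical scan-event log with the fields below (no such audit trail exists for static QR reads) and flags any identity scanned more than five times, or in more than two cities, inside a six-hour window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed scan-event log for illustration (hypothetical: no such audit trail
# exists for static QR reads today). Fields: identity ref, verifier, city, time.
SCAN_LOG = [
    ("ref-A", "hotel-01",     "Mumbai",  "2026-02-10T12:00:00"),
    ("ref-A", "sim-kiosk-07", "Mumbai",  "2026-02-10T12:20:00"),
    ("ref-A", "bank-03",      "Mumbai",  "2026-02-10T12:45:00"),
    ("ref-A", "hotel-22",     "Pune",    "2026-02-10T13:10:00"),
    ("ref-A", "pharmacy-05",  "Pune",    "2026-02-10T13:40:00"),
    ("ref-A", "telecom-11",   "Pune",    "2026-02-10T14:05:00"),
    ("ref-A", "hotel-40",     "Delhi",   "2026-02-10T14:30:00"),
    ("ref-A", "courier-02",   "Delhi",   "2026-02-10T15:00:00"),
    ("ref-A", "bank-09",      "Delhi",   "2026-02-10T15:25:00"),
    ("ref-A", "hotel-18",     "Kolkata", "2026-02-10T15:50:00"),
    ("ref-A", "sim-kiosk-33", "Kolkata", "2026-02-10T16:15:00"),
    ("ref-A", "clinic-04",    "Kolkata", "2026-02-10T16:40:00"),
    # Normal pattern: one hotel, check-in and check-out two days apart.
    ("ref-B", "hotel-55",     "Chennai", "2026-02-09T14:00:00"),
    ("ref-B", "hotel-55",     "Chennai", "2026-02-11T10:00:00"),
]


def detect_suspicious_scans(events, window=timedelta(hours=6),
                            max_scans=5, max_cities=2):
    """Flag identities scanned more than max_scans times, or in more than
    max_cities distinct cities, within any sliding window of the given length.
    Thresholds are illustrative assumptions, not UIDAI policy."""
    by_ref = defaultdict(list)
    for ref, verifier, city, ts in events:
        by_ref[ref].append((datetime.fromisoformat(ts), verifier, city))

    alerts = []
    for ref, scans in by_ref.items():
        scans.sort()  # chronological, so each scan can open a window
        for start, _, _ in scans:
            in_window = [s for s in scans if start <= s[0] <= start + window]
            cities = sorted({city for _, _, city in in_window})
            if len(in_window) > max_scans or len(cities) > max_cities:
                alerts.append({"ref": ref, "window_start": start.isoformat(),
                               "scans": len(in_window), "cities": cities})
                break  # one alert per identity is enough to notify the holder
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_scans(SCAN_LOG):
        print(alert)
```

Run as-is it reports ref-A once (twelve scans across four cities) and stays silent on ref-B, which is the distinction the section argues the current system cannot draw.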


Dynamic Generation — But on the Wrong Side


The new app does introduce dynamic QR generation. The OVSE creates a fresh session QR each time it initiates verification. That is useful.

But the citizen's own identity QR remains static for life.

No expiry timestamp. No forced refresh. No facility for a citizen to regenerate their QR if they believe it has been compromised. Meanwhile payment systems across the same country expire a transaction QR in thirty seconds. A banking OTP dies in two minutes. India's primary identity QR operates on no such logic. It was as valid the day it was generated as it will be a decade from now.


Selective Sharing Stops at the Door

Citizens can now choose exactly which attributes to disclose before sharing. Name only. Photo only. Age status only. That is a genuine leap forward.

But the control ends the moment the credential leaves the phone.

Once shared, a Verifiable Credential reaches the OVSE permanently. No revocation mechanism exists. No data expiry is enforced on the receiving end. No technical barrier prevents the OVSE from retaining that credential indefinitely or using it beyond its stated purpose.

The protection against post-sharing misuse is entirely regulatory — meaning a violation must first occur before any action is possible. Technical enforcement and legal prohibition are not the same thing.


One-Time Use Does Not Exist


For a single onboarding event, a specific venue entry, or a one-use service registration — situations where identity verification should happen exactly once — the current system offers no one-time-use credential option.

A static QR can be scanned again. A shared credential can be replayed. There is no mechanism anywhere in the current architecture to generate an identity proof that self-destructs after a single successful verification.


One Phone. Five Identities. One Theft.


The new app allows up to five family Aadhaar profiles on a single device. Convenient for families managing elderly parents or young children. Catastrophic if that device is stolen.

One physical theft becomes a five-person identity incident. The documentation on credential recovery for lost or stolen SIM-bound devices is absent from every publicly available resource released alongside the launch.


The Verdict

The new Aadhaar App is genuinely better than what came before it. The Verifiable Credential architecture is sound. The selective sharing model is thoughtful. The offline face verification is a meaningful capability.

But better is not the same as complete.

The system that launched in January 2026 gives citizens more control than they have ever had — while simultaneously leaving the most common real-world identity interaction, a static QR scan on a physical card, completely outside any control at all.

Scan limits. QR expiry. Location awareness. Suspicious scan alerts. One-time-use credentials. Post-sharing revocation. These are not experimental ideas. They exist in payment systems, access control platforms, and secure credential frameworks operating at scale around the world today.

The gaps in India's new identity system are not technical mysteries. They are known problems with known solutions. The question now is whether they get addressed before they get exploited.