Digital rights advocates have raised urgent concerns over Indian Railways’ new e‑Aadhaar authentication requirement for Tatkal ticket bookings, warning that the initiative may threaten passenger privacy and legal safeguards without resolving fundamental system flaws. The policy, rolled out in phases from 1 July, has drawn criticism for being overly invasive and technologically inadequate.
The Internet Freedom Foundation (IFF) has sounded the alarm, describing the measure as a “dangerous detour” that risks privacy infringements, ineffective enforcement, and exclusion of genuine users. Under the reforms announced by Railway Minister Ashwini Vaishnaw, Tatkal booking via IRCTC’s online portal now mandates Aadhaar linkage, with OTP verification required from 15 July for ticket counters and authorised agents. EFFORTS TO curb high‑speed scalping and AI‑assisted bot use underlie the government’s rationale, including a prohibition on authorised agents booking in the first 30 minutes of Tatkal release. However, IFF and the Software Freedom Law Centre (SFLC.in) argue these reforms sidestep deeper issues of capacity constraints and cybersecurity vulnerabilities.
Historically, the IRCTC system has suffered major data breaches: a 2016 hack compromised over 10 million user records, and a vulnerability exposing 200,000 accounts persisted for two years. In June 2025, 25 million fake accounts were deactivated. IFF contends that coupling Aadhaar—a centralised biometric identity system—with this insecure infrastructure drastically escalates risks such as identity theft, linking railway data to banking, telecom, and welfare profiles. Legally, critics assert the policy may conflict with several statutes. The Digital Personal Data Protection Act, 2023, demands purpose‑limited data collection and prompt breach notifications—standards allegedly unmet by IRCTC. Provisions under the Information Technology Act, 2000 (Sections 43A and 72A), require robust security practices and notification protocols—areas where IRCTC’s track record is lacking. Furthermore, the Supreme Court’s Puttaswamy judgement mandates that Aadhaar mandates uphold legality, necessity, and proportionality—requirements deemed unfulfilled by advocates.
SFLC.in has formally requested suspension of the Aadhaar e‑authentication rollout, and recommended a comprehensive technical audit and scaled‑up server capacity instead. IFF has echoed these calls, demanding a CERT‑In security evaluation, public disclosure of any breaches, and implementation of two‑factor authentication measures. Independent reporting has uncovered that a parallel black market already trades Aadhaar‑linked IRCTC accounts and OTP access, raising questions about the policy’s efficacy.
This controversy highlights wider debates over digital identity in public services. While anchored in legitimate goals of transparency and fairness, the Aadhaar mandate may compromise inclusivity and trust unless supported by technical resilience and legal clarity. As New Delhi’s railway network ages toward modernisation, advocates say reforms must balance efficiency with data rights and equitable access—especially in critical, last‑mile digital services such as Tatkal.
Also Read: Gurugram Faces Environmental Crisis as Bandhwari Landfill Leachate Seeps Into Villages
