Author : Tanusha Tyagi

Expert Speak India Matters
Published on Sep 12, 2025

IRCTC’s Aadhaar mandate for Tatkal tickets aims to curb fraud, but without legal backing, it risks overreach and new hurdles for passengers.

IRCTC’s Aadhaar Mandate and the Test of Proportionality

Beginning 1 July 2025, the Indian Railways has made Aadhaar authentication mandatory for booking Tatkal tickets via the Indian Railway Catering and Tourism Corporation (IRCTC) platform. From 15 July, travellers would also be required to complete a One-Time-Password (OTP)-based Aadhaar verification, regardless of whether tickets are booked online, offline, or through agents. The intent is to enhance transparency, prevent fraudulent intermediary practices, and improve user verification for time-sensitive travel.

While curbing fraud in Tatkal bookings is a legitimate policy goal, the method in question—compulsory Aadhaar authentication—raises serious legal and operational concerns. To understand its implications, it is necessary to trace the evolution of the Tatkal scheme itself, assess whether the Aadhaar mandate has statutory or constitutional support, and ask whether this requirement is proportionate to the goals it seeks to achieve.

Tatkal: Origins and Nature of the Scheme

The Tatkal scheme was launched in 1997 as a targeted intervention to meet urgent travel needs. Initially restricted to select trains and classes, it allowed passengers to book tickets at short notice, generally one day before travel. Over time, the scheme was expanded nationwide and across multiple classes. To manage demand and deter speculative bookings, Tatkal fares were deliberately priced higher than the base fare, sometimes significantly higher on popular routes.

The surcharge payable under the Tatkal scheme is not a subsidy but a cost-recovery and demand-management tool. This structure places Tatkal outside the category of “subsidy, benefit, or service” contemplated under Section 7 of The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

Although it operates within the subsidised passenger rail network, the Tatkal scheme does not qualify as a welfare measure under the law. It is available for both AC and non-AC classes and can be availed by any passenger willing to pay the higher Tatkal fare, which is calculated as a percentage of the basic fare. The pricing is only moderately higher than standard fares and is intended to manage last-minute demand rather than confer a financial benefit on passengers. The greater challenge lies in availability; Tatkal tickets often sell out within minutes of the portal opening, meaning the scheme’s intended benefit of enabling urgent travel is rarely realised in practice.

Why This Mandate Lacks Statutory Basis

To assess the legality of IRCTC’s Aadhaar mandate, it is important to begin with the statutory framework. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, permits, under Section 7, the use of Aadhaar authentication in two contexts: first, where a government department is delivering a subsidy, benefit, or service funded from the Consolidated Fund of India; and second, where its use is voluntary and based on consent, meaning that such authentication must remain optional and shall not become a condition for availing a service unless supported by a specific enabling law.

The surcharge that a passenger pays under the Tatkal scheme is not a subsidy but a cost-recovery and demand-management tool. This structure places Tatkal outside the category of “subsidy, benefit, or service” contemplated under Section 7 of the Act.

This provision was also the focal point of the Supreme Court’s scrutiny in Justice K.S. Puttaswamy v. Union of India (2018) (Puttaswamy II). The Court struck down Aadhaar mandates for bank accounts and SIM cards precisely because there was no statutory footing for them, even though they too involved identity verification. The majority upheld the constitutionality of Section 7 of The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, but adopted a narrow construction:

  • Mandatory Aadhaar can be required only where the service in question is a targeted welfare measure involving expenditure from the Consolidated Fund.
  • Services outside Section 7’s scope require separate legislative authorisation before Aadhaar can be made compulsory.
  • Even where Section 7 applies, the measure must meet the proportionality test laid down in Puttaswamy I (2017).

As the Court in Puttaswamy II clarified, any form of Aadhaar authentication, if made compulsory, requires legislative backing. Since there is no separate statutory provision authorising the Ministry of Railways or IRCTC to mandate Aadhaar authentication for Tatkal, the measure lacks a clear legal foundation. The fact that this authentication is OTP-based rather than biometric does not cure the defect at hand.

The Proportionality Test

Any assessment of the Tatkal Aadhaar mandate must begin with the recognition that Aadhaar authentication—whether biometric or OTP-based—engages the fundamental right to privacy recognised in Puttaswamy I (2017). In this case, the Supreme Court held that privacy includes informational privacy, i.e., the right to control the collection, use, and dissemination of personal data. Linking travel bookings to an Aadhaar number connects an individual’s mobility patterns with a centralised, state-managed identity, thereby engaging this right.

The Supreme Court held in Puttaswamy I and reaffirmed in Puttaswamy II that any infringement of the right to privacy must meet the test of proportionality. This involves four steps:

  1. Legality: The action must have a clear legal basis. For Tatkal, as discussed, the statutory footing under Section 7 is doubtful, making it vulnerable on this first ground.
  2. Legitimate Aim: Fraud prevention and fair allocation of scarce tickets are valid objectives.
  3. Necessity: The measure must be necessary in the sense that no less intrusive alternative would achieve the same goal. In this case, IRCTC already has mechanisms such as CAPTCHA, OTPs sent to email or mobile without Aadhaar linkage, user account verification, and identity checks at boarding. Strengthening these could address fraud without mandating Aadhaar.
  4. Balancing: The benefits gained must outweigh the rights curtailed. For a premium, time-sensitive service, the marginal gains in preventing misuse must be weighed against the exclusion of genuine travellers who cannot authenticate in time.

On this test, the mandate fails both in terms of legality and necessity. Less intrusive and equally effective fraud-control mechanisms exist. Moreover, the exclusion risks in urgent travel contexts are not outweighed by the incremental efficiency benefits of Aadhaar linkage.

IRCTC’s Digital Infrastructure: Capacity vs. Readiness

IRCTC’s platform handled over 37 million transactions per month and nearly 7 million daily logins in FY 2023–24, clearly reflecting strong technical capacity. However, the issue is not just transaction handling, but security and governance in managing identity-linked data.

IRCTC has suffered multiple security lapses in the past, including a reported 2016 security breach that affected over a million users and gave hackers access to passenger details without their knowledge or consent. In 2020, renowned cybersecurity firm Cyble revealed that the personal details of over nine million Indian railway ticket buyers, including their usernames, email addresses, verified mobile numbers, gender, IDs and language preferences, had been stolen. More recently, in 2025, IRCTC identified and deleted nearly 25 million fake or duplicate user IDs, which were likely being used to manipulate or exploit the booking system, often by unauthorised agents or bots hoarding tickets illegally.

While these instances demonstrate reactive capability, they also suggest that systemic vulnerabilities remain unaddressed. If Aadhaar authentication is to become the norm even via OTP, IRCTC must ensure encryption, role-based data access, breach reporting protocols, and periodic security audits. Without this, even a well-performing system becomes a soft target for identity theft or data misuse.

Way Forward: Voluntariness, Not Compulsion

Digital tools should make public services more accessible, not create new hurdles for identity verification. The Aadhaar mandate for Tatkal tickets, even in its limited form, risks introducing legal and operational complexities that may outweigh its benefits. Instead of compulsion, the focus should be on voluntary, consent-based authentication with clearly defined limits on data use.

Until these conditions are met, the Aadhaar mandate, however efficient it may seem, remains an overstep. From both a constitutional and policy perspective, this measure should be withdrawn. Fraud prevention in Tatkal can be achieved through proportionate, less intrusive measures that respect passengers’ rights and preserve the scheme’s core purpose, which is to enable urgent travel.


Tanusha Tyagi is a Research Assistant at the Centre for Digital Societies, Observer Research Foundation.

The views expressed above belong to the author(s).