The Mexican government is accelerating the rollout of a comprehensive biometric identity system. At its core is the so-called CURP Biométrica, an extension of the existing population registry number. In the future, it will no longer consist solely of letters and numbers but will be tied directly to individuals’ physical identities. Fingerprints, iris scans and facial data will be collected and stored in a central database. Publicly, the initiative is framed as a modernisation of state administration. However, it also marks a profound shift in the relationship between the individual and the state.
The government has justified the project with promises of greater administrative efficiency, the fight against identity fraud and above all, improved efforts to locate missing persons. Biometric data are to be linked with existing registers, including databases of missing persons and forensic archives, in order to establish identities more quickly.
The compulsion to surrender biometric data
Such arguments obscure the full implications of the project. The new infrastructure creates a centralised identity platform in which every individual is comprehensively recorded. The database is intended to merge numerous public and private data sets. Banks, authorities, hospitals and telecommunications providers are expected to gain access in order to verify identities in real time.
Particularly troubling is the system’s effectively compulsory nature. Officially, participation is described as voluntary. In practice, it is already becoming a prerequisite for everyday participation in economic life. By July 2026, all mobile phone connections must be linked to biometric identity or risk disconnection. This coupling of digital infrastructure with physical identity leaves little room for avoidance.
The implications are immediate. Confidential telephone conversations may become a thing of the past. Those who refuse risk losing access to essential means of communication such as mobile telephony and mobile internet. In countries with weak fixed-line infrastructure, this amounts to digital exclusion.
The security risks associated with such systems are also considerable. Biometric data differ fundamentally from other personal information. They cannot be changed. While a password can be replaced, a fingerprint remains the same for life. A data breach would therefore have irreversible consequences. If biometric identifiers fall into criminal hands, control over an individual’s identity may be compromised entirely.
That such scenarios are not merely theoretical is evident in Mexico itself. Previous attempts to establish similar registers failed, in part due to security concerns, and were ultimately ruled unconstitutional by the Supreme Court.
Who controls the data?
Another key issue concerns control over the data. Under current Mexican law, state authorities are not required to inform citizens when or for what purpose their data are accessed. This lack of transparency not only enables misuse but may actively facilitate it. Security agencies and intelligence services could gain access to highly sensitive information without effective oversight.
Even the safeguard of a judicial warrant for investigative access is absent. Critics therefore warn of the emergence of a far-reaching surveillance apparatus. They see the central database as a gateway to abuses of power, data leaks leading to comprehensive identity theft and potential political misuse. The possibility of international data sharing is also under discussion, particularly in the context of migration control and cooperation with foreign authorities.
Security above all
The political logic behind such projects follows a familiar pattern in which security is elevated above all else, while individual freedoms are pushed into the background. Yet freedom, and in particular the right to anonymity, is not a mere convenience but a fundamental condition of an open society. It protects individuals from arbitrary state power and enables the expression of critical views without fear of immediate reprisal.
A biometric identity system undermines precisely this protection. If every interaction, movement and digital activity can be attributed to a clearly identifiable individual, the space for anonymous action disappears. In this way, not only the technical infrastructure changes, but also human behaviour. Even without active surveillance, the mere possibility of constant identification creates pressure to conform, gradually restricting democratic freedoms.
Mexico’s identity system is therefore far more than a national administrative project. It reflects a broader global trend in which states are tempted to establish digital identity systems based on extensive data collection. The cost is high. It lies not only in technical risks but above all in the loss of individual autonomy and trust in the state.
The freedom of the individual, including the right to move anonymously in both public and digital spaces, outweighs promises of efficiency and security. Once such infrastructure is in place, it is rarely dismantled. No system created by humans is ever entirely secure. With its introduction, a perpetual race begins between those who seek to protect data and those who seek to exploit it.