How document leaks really happen in India

Think about the last time you handed over a photocopy of your Aadhaar.

Maybe it was for a new SIM card. Maybe a rented flat, a hotel check-in close to midnight, a gym membership, or a small loan against your salary. You signed across the photo, slid the paper across the counter, and walked out. You have probably done this dozens of times. You almost never think about where that paper goes next.

That paper is the leak.

The leak is rarely a hacker

When people imagine a data breach, they picture someone in a hoodie breaking into a server. In India, the far more common story is quieter and much closer to home. It is a single sheet of paper that gets copied, saved, forwarded, and then forgotten in a place you will never see.

No firewall protects a photocopy lying in a drawer.

Follow one copy

Take one xerox of your Aadhaar and follow it.

It goes to the shop near the station, where the operator scans it on a machine that quietly keeps a copy of every job in its memory. It lands in a folder on a shared computer that three part-time staff log into with the same password. The local "agent" who is helping you with a SIM or a loan keeps a photo of it on WhatsApp, because that is faster for him, and now it also sits in a cloud backup he never configured and cannot delete.

Most of these people are not criminals. They are busy, and they are careless. But a chain of carelessness only needs one weak link. One disgruntled employee, one sold-off old hard drive, one phone that gets lost, and your identity document is now somewhere it was never meant to be.

What a stray copy is actually worth

A photocopy of your ID is not just paper. To the wrong person it is raw material.

With a copy and a forged signature, someone can try to activate a SIM in your name, which then becomes the phone number behind a scam. It can be used to push through a quick loan from an app that does light verification, leaving the debt and the recovery calls pointed at you. It can seed a fake KYC, open accounts, or simply be sold in bulk to people who specialise in exactly this. Guides on Aadhaar safety now openly warn that photocopies can be used for fake registrations, loans, and SIM cards obtained through collusion or forged paperwork (ClearTax, Shriram Life).

You usually find out months later, when a bill or a notice arrives for something you never did.

The government noticed, and then blinked

In May 2022, a regional UIDAI office advised people not to share photocopies of their Aadhaar with any organisation, because they could be misused. Two days later the warning was withdrawn, with the clarification that it was only routine caution and that the original notice had been published in the context of a specific misuse attempt (Tribune India).

It is easy to read that as "so photocopies are fine after all." That is the wrong lesson. The real signal was that the country did not yet have a better default than handing over paper. Since then UIDAI has pushed masked Aadhaar, QR-based checks, and OTP-based verification, so that agents and private companies do not need to hold a full copy of your card at all.

The direction is clear. The less of you that sits in someone else's drawer, the safer you are.

"Just be careful who you trust" is not a real fix

The usual advice is to only share with people you trust, to write the purpose and date across the copy, and to use masked versions where you can. All of that helps a little. None of it solves the actual problem.

You cannot audit the xerox shop. You cannot wipe the agent's phone. You cannot follow your document through every hand it passes. The flaw is not who you trust. The flaw is permanence. A photocopy has no expiry date. It works exactly as well for a fraud six months from now as it does for the genuine purpose today.

The fix is to stop leaving copies behind

The cleanest way to avoid a leak is to never create the lasting copy in the first place.

That means sharing something the other side can see but cannot keep. A view that closes on its own. A file that deletes itself after it has done its job. No drawer, no shared folder, no forgotten WhatsApp forward.

This is the entire idea behind Fliko. You share a document, set a short timer, and it self-destructs once the other person has seen it. There is no permanent copy sitting around waiting to be misused, because the file is built to disappear. If you want the mechanics, read what "the file is destroyed" actually means and how Fliko works.

You will still need to prove who you are from time to time. You just do not need to leave a piece of yourself behind every time you do.