Trai chief RS Sharma, also a former chairman of UIDAI, set the cat among the pigeons when he gave out his Aadhaar number and invited people to see how it could be misused. In response, many put out details of his mobile number, e-mail, date of birth and even some bank account numbers that belonged to him. In response to this, UIDAI put out a note saying that none of these details were accessed from UIDAI and were probably accessed from various government websites which routinely contain such information on bureaucrats. As for his bank account details, Sharma tweeted to say the account numbers were all incorrect. Since NPCI’s UPI allows people to deposit money in bank accounts, or to request payments from them by just using the Aadhaar number—the bank account number is hidden—Sharma tweeted screenshots to show how he had declined various requests for money made using his Aadhaar number. Where Sharma was wrong, though, was in saying that people had not been able to deposit even one rupee into his account—the UPI-Aadhaar ecosystem allows anyone to deposit money into an account using an Aadhaar number, without the account-holder needing to authenticate this. It is true that anyone who has your bank account details can also deposit any money in it without your permission, but this is something NPCI needs to fix.
As for UIDAI’s assertions of getting personal details from various public websites, as this newspaper has pointed out several times, the Election Commission website allows you to download voter rolls for every area—it also gives you the person’s age and the name of the father/husband, apart from the address. Put in any surname in the municipal records, and you get the property ID of everyone in a colony with that surname—enter that ID and, if the tax has been paid online, you can even know how much tax was paid; even if it has not been paid online, you can get details like the phone number and email ID for the owner of each property. As for bank records, when a bank transaction requires an Aadhaar authentication—say, when you pay for your groceries via AadhaarPay—the details of the bank account do not travel to the UIDAI servers, but remain on the bank servers.
None of this is is to absolve UIDAI for leaking personal data when its vendors have leaked this information as an India Today sting found. But, were the same sting to be done on, say, a phone vendor, several personal details will also be available since people submit passports, etc, as address proof. Similarly, various government departments also put out personal details of ration-shop or pension beneficiaries, say, in the open. Once the government comes out with a privacy law, hopefully, much of this will stop. Meanwhile, Sharma has done well with this dare since it shows how robust the Aadhaar eco-system is.