[arihant]

No, no, no. The link they send requires Aadhaar verification, your will get an OTP, which you will give to the agency. They can get the copy of the document only if they provide the right OTP. It is the same way you are logging in to this website.

The whole UID infrastructure is two-factor auth by default. Think of the URI like Facebook Graph API URLs. They are static, REST-ful endpoints that require two-factor authentication.

While there are no strong laws to protect scans of your IDs, the biometric data does come under The Privacy Bill, 2013. So does any identification typically used by financial institution. Your other IDs, like Voter ID are public information anyway, except for biometric identifiers.