Nandan Nilekani on the Aadhaar project’s scope, its vulnerabilities and its future
Q. How long does the UIDAI hold transaction data and what steps has it taken to ensure that the privacy of users’ data—demographic & transactional—will be safeguarded from any third party?
We are in the process of finalising the policy for that. UIDAI only gets the location, time and the device from which the authentication request came. It is a federated database with in-built optimal ignorance among various players. At the design level itself, we don’t have transactional data, except that we had an authentication request. When we do authentication, if we get a claim that it is a ‘false accept’, we, in turn, have to investigate and that’ll decide how long we retain the data. We have to strike a balance between privacy issues and liability issues, looking at practices of banks and switching companies. But let me tell you that we take great care to safeguard the data. We encrypt at source; we anonymise data when we send it for verification; the database itself is encrypted; we have layers and layers of security. In fact, as far as biometrics is concerned, once we have extracted the minutiae, we put it offline.
Q. Is there a core R&D and tech team that will ensure continuous development and upgradation of Aadhaar, especially in light of India-wide field rollouts and scale?
(This story appears in the 18 October, 2013 issue of Forbes India.)