New Delhi: Amid privacy concerns over Digi Yatra, the system through which air travellers will be digitally processed with the use of facial recognition technology, the Union civil aviation ministry has said that passenger data is stored on passengers’ own devices and not in any centralised storage facility.
“In the Digi Yatra process, there is no central storage of passenger’s Personally Identifiable Information (PII) data. All the passengers’ data is encrypted and stored in the wallet of their smartphone,” the civil aviation ministry said in a press statement.
The data is shared only between the passenger and the airport of travel origin, where the passenger’s Digi Yatra ID needs to be validated. The data is “purged” from the airport’s system within 24 hours of the flight’s departure, and is shared by passengers directly, only when they travel and only with the origin airport, the statement added.
According to the ministry, the data cannot be used by any other entity since it is encrypted. “This process is voluntary and provides the convenience of smooth, hassle-free, and health risk-free travel,” the statement said.
Jyotiraditya Scindia, civil aviation minister, also sought to underscore the same on Twitter on Wednesday, March 15, when a Twitter user highlighted concerns regarding the privacy of air travellers with the launch of Digi Yatra.
Scindia’s tweet said, “Passengers’ personal information data is not stored in any central repository or by the Digi Yatra Foundation. The data is stored in the passenger’s own phone in the Digi Yatra secure wallet. Rest assured, no data is being collected or stored.”
According to the ministry, Digi Yatra is a biometric boarding system that employs facial recognition technology. It aims to provide a “seamless and hassle-free experience” for passengers at airports, and the main objective is to enhance the passenger experience by eliminating the need for verification of tickets and ID at multiple touch points. It aims to achieve better throughput through existing infrastructure using a digital framework.
It was launched in December 2022 at the Delhi, Bengaluru and Varanasi airports. It will soon be rolled out at the Kolkata, Pune, Vijayawada, and Hyderabad airports too, the ministry said.
Ever since it was launched, rights activists and technology experts have expressed concerns over the use of facial recognition technology – its storage, sharing and security as well as the privacy of travellers – especially in the absence of a data protection regime.
More concerns emerged when the civil aviation ministry said that information about Digi Yatra cannot be sought via a Right to Information (RTI) application because the system is being run by a private “non-profit body of participating airports”, called the Digi Yatra Foundation.
Even after Scindia’s clarification, concerns continued to be expressed.
Srinivas Kodali, in an earlier piece for The Wire, highlighted concerns with facial recognition technology and particularly its use in Digi Yatra. “At present, Digi Yatra uses a 1:1 facial authentication process – where your facial biometric data is only compared to your photos. But the civil aviation ministry’s long-term plan is to extend this to 1:N facial recognition – where your data will be compared with the biometric data of other people. As more and more people register and submit their biometric data, the system will be updated and improved upon technologically. There are also plans to monetise this information by sharing it for advertising and revenue generation, with exclusive offers to frequent travellers,” Kodali wrote.
The Internet Freedom Foundation has also highlighted challenges and issues with Digi Yatra. It says that, in the absence of data protection laws in India, the data collected could be misused.
“While the Policy [of Digi Yatra] does state that the airports using the DigiYatra Biometric Boarding System (BBS) will conform and adhere to the data protection laws as applicable and mandated by the Government Of India, presently India does not have any specific law on data protection. Moreover, since the Policy does not have the force of law, due to being untethered to any policy or legal framework, even the privacy protection principles included in it directly will not be enforceable against any authority,” says IFF.