Ahead of DigiYatra Scheme’s first phase of launch, scheduled at Varanasi, Pune, Kolkata and Vijayawada airports in March, the Internet Freedom Foundation (IFF), on Tuesday, said privacy risks are likely to occur due to features such as facial recognition for check-ins and data recall. The digital rights advocacy group also mentioned that this might lead to passengers’ data being commercialised by the government.

The Ministry of Civil Aviation’s DigiYatra Scheme was first launched in June 2017 to improve passengers’ airport experience by making it paperless and digitised. This digital framework planned involves digitising existing manual processes, enhancing security standards and ultimately rolling out the Digi Yatra system that requires passenger’s digital ID backed by verifiable government-issued documents such as Aadhaar, passport and others, enabling seamless travel experience.

The scheme will then facilitate digital processing of the passengers at the airports through facial recognition, which, as per its website, will be required for entry point check, security check, aircraft boarding, self-bag drop, check-in and data recall.

IFF argued that in the absence of any personal data protection laws and data storage framework, which is still in the making, providing such data would leave passengers vulnerable to data misuse and other risks.

Data protection laws

“The policy states that the airports using the DigiYatra Biometric Boarding System (BBS) will conform and adhere to the data protection laws as applicable and mandated by the Government of India; however, India does not have any specific law on data protection,” IFF said in a blog post.

Further, the DigiYatra policy uses references to standard privacy principles such as lawfulness of processing, data minimisation, accuracy, and storage limitation among others, but added that “BBS shall have an ability to change the data purge settings based on security requirements on a need basis” and “any Security Agency, BOI or other govt agency may be given access to passenger data based on the current/ existing protocols prevalent at that time”.

“While the scheme is opt-in, it does not mean that the people opting in are ready to trade their privacy for convenience,” IFF added.

Commercialisation of data

Mark D Martin, Founder and CEO, Martin Consulting, told BusinessLine: “Privacy and rights to disclosures of information either from Aadhaar or based on facial recognition should be consensual and optional. I see no reason for an airport to capture data as it is merely a portal for aircraft with a robust aviation security/AVSEC screening process that complies with the ICAO requirement. Facial recognition has no relevance with travel and with an entity that focusses its revenue from direct and indirect aero revenue.”

Emails sent to the Ministry of Civil Aviation and Bureau of Civil Aviation Security went unanswered at the time of publication.

“They are collecting biometric data along with Aadhaar details. Imagine if this data gets leaked in absence of legal framework on processing the data,” Anushka Jain, Associate Counsel (Surveillance & Transparency), IFF told BusinessLine.

In the 2018-19 Economic Survey, the government had discussed under ‘data of the people, by the people and for the people section’, how data could be used for welfare schemes for better targeting and enabling evidence-based policies. “The survey also talked about how data can be commercialised by creating aggregated databases. Making those databases available to third parties for various ‘research’ purposes and also letting the government monetize the same,” she added.

She said: “Though the government has spoken about this being aligned with the privacy law that’s expected to come, the Bill is still pending. In the absence of this, what are the safeguards in place to ensure nothing goes wrong.”

Jain mentioned a similar incident had already occurred in February 2020 during communal unrest. When Vahan, the national vehicle registration portal’s database was made public under their bulk data sharing policy and sold to research organisations, it was somehow accessed by certain miscreants through Parivahan Sewa website to target vehicles owned by Muslim citizens.