Next time you visit an Indian airport, beware of security personnel and private staff at the entry gate of passenger buildings who may be collecting your facial biometrics without your knowledge or consent.
As year-end travel peaked at some of the busiest airports in the country last month, air travellers took to social media to express their shock and anger at the flagrant infringement of their privacy at airports, largely through the Digi Yatra initiative being aggressively promoted by the Union government. The app, which allows for digital processing of passengers, promoting paperless and seamless movement through airports, was rolled out as an entirely voluntary programme from December 2022.
On Christmas Eve, Tavish Pattanayak, an aerospace engineering scholar in the U.S. was scheduled to fly with IndiGo out of Delhi. He skipped the queue dedicated for Digi Yatra users, who have downloaded and registered on the app, allowing them to enter the passenger building through electronic gates equipped with cameras that scan their boarding passes and faces. However, Mr. Pattanayak soon realised that passengers in his line were also being requested to look into a camera, following which the CISF personnel would click a button on the screen to give consent on their behalf for a one-time sign up for Digi Yatra.
No informed consent
“The security person checked my identity document and ticket and asked me to look at a screen to capture my photo. At the bottom of the screen, in tiny fonts, you are asked whether you want to enrol for Digi Yatra. It is impossible to read the text and the camera interface takes up the entire screen. But I had read the text when there was another family ahead of me, so I quickly proceeded to click no,” Mr. Pattanayak told The Hindu. However, many passengers in a rush to catch their flight were not aware of what was going on and did not ask any questions, he said.
“I don’t trust the government with my data. India has seen the world’s largest data breach, and our privacy laws are ineffective because nobody takes them seriously or implements them,” Mr. Pattanayak says, explaining why he does not wish to sign up for Digi Yatra. In October 2023, the U.S.-based cybersecurity firm Resecurity reported that personal information of over 81.5 crore Indians sourced from the Indian Council of Medical Research’s database, including Aadhaar and passport details, was being sold on the dark web.
One-time sign-ups
A spokesperson for the Central Industrial Security Force (CISF) claimed that “private airport staff are collecting facial biometrics at various kiosks outside the passenger building, but CISF personnel are not involved in this exercise”. A Delhi airport official, speaking on the condition of anonymity, contradicted this statement, saying, “Our staff are assisting CISF personnel in carrying out validation, and we have now briefed our teams at entry gates to ensure passengers are educated and consent sought from them.”
Suresh Khadakbhavi, CEO of the Digi Yatra Foundation, said that enrollments to the app have been ramped up since the December peak travel season by deploying scanners with CISF personnel as well as separate kiosks manned by airport staff for a one-time sign up of passengers on the day of travel. This was meant to “expose passengers to the benefit of a smoother way to pass through various checkpoints, he said. But since most passengers are not informed that they are being registered, they may not know that they can use the paperless facility.
Zipping through checks
The Digi Yatra Foundation is a not-for-profit company whose shareholders comprise the Airports Authority of India and the five private airports at Delhi, Bengaluru, Cochin, Hyderabad, and Mumbai. While the Digi Yatra policy was unveiled by the government in 2018, it was implemented only after the COVID-19 pandemic had eased. In December 2022, it was rolled out at three airports, including Delhi. Since then, it has been implemented at 11 airports, and will be expanded to 14 more in the months to come. The funding for Digi Yatra comes from the airports, and not the government.
The initiative allows passengers to zip through various check points, from entry gate to security frisking area to boarding gate.Passengers have to scan their boarding passes and faces at the first entry point, following which a single biometric face token is created which should allow them to complete the rest of the journey with just a face scan at the remaining check-points. The aim is to improve operational efficiency by allowing faster processing of passengers and letting airlines track delayed passengers, and to enhance security by ensuring that there is no intentional exchange of boarding passes among passengers or boarding of the wrong aircraft.
Hard to avoid
Soumya Jayanti was traveling through Delhi airport on December 26, when she says she had to circumvent multiple hurdles to avoid being enrolled into Digi Yatra in a “coercive and deceptive manner”. First, a private airport staff escorted her to a kiosk to collect her personal details, including facial biometrics, without any information being provided. When she declined to register, she was sent towards the entry gate where CISF personnel were carrying out one-time enrolment of passengers, where too she put her foot down and refused to have her face scanned and the CISF official relented. Others have complained that airport staff clicked their photos without their permission.
Similar experiences have also been reported at other airports, including Bengaluru, Hyderabad and Kolkata. A Kanpur-based academic, Amitabh Bandyopadhyay, was passing through Kolkata airport on December 27 when he noticed that of the six entry points, there was only one non-Digi Yatra queue. “Though the Digi Yatra programme is a voluntary one for passengers, this is how passengers are being forced to enrol,” he said.
Data security concerns
“There is a lot of confusion about Digi Yatra. We don’t know what is their business model and how they may monetise our data. If it is a private entity, then why is the government promoting its use? Is it even resulting in cost savings on security deployment, as CISF continues to man these gates?” he asked.
The Digi Yatra Foundation maintains that biometric data or any other personally identifiable information is not stored in any database permanently, but in a secure wallet inside the app on the user’s mobile device. It maintains that while the Biometric Boarding System of the local airport has access to this data on the day of travel, it is automatically purged within 24 hours. However, concerns remain, as the policy provides exemptions for airports to share data with government agencies, and India is yet to notify its Digital Personal Data Protection Bill 2023, which was passed in Parliament in August last year.