While civil aviation minister Jyotiraditya Scindia issued a clarification about DigiYatra's data-sharing process, experts tell us why it doesn't resolve concerns about data privacy.
Last week Minister of Civil Aviation Jyotiraditya Scindia clarified that Digi Yatra — an app that uses facial recognition for security clearance and terminal entry — doesn't store data from users in a "central repository".
Responding to Medianama founder Nikhil Pahwa, Scindia said, "Nikhil Ji, passengers' personal information data is not stored in any central repository or by the Digi Yatra Foundation. The data is stored in the passenger's own phone in the Digi Yatra secure wallet. Rest assured, no data is being collected or stored."
Pahwa said in his tweet that the Ministry of Civil Aviation had said in an RTI response that "Digi Yatra is managed by a private non profit entity, and hence not under RTI".
"So they've structured collection of facial data to avoid accountability. Why should we trust them?" Pahwa asked.
Since its announcement in 2018, the DigiYatra app has been marred by concerns about privacy over its usage of facial recognition technology. The Government of India's DigiYatra programme is a facial recognition technology, meant to facilitate passengers by avoiding multiple identity checks at the airport. It, therefore, enables paperless travel by essentially making the passenger's face their boarding pass.
The app was first launched at airports in Delhi, Bengaluru, and Varanasi and is being gradually implemented in all airports across the country. The airports in Kolkata, Pune, Vijayawada, and Hyderabad will also likely see it implementation by March 2023.
But does Scindia's clarification resolve concerns surrounding data privacy? Here's what experts said
How does DigiYatra collect data?
The Digi Yatra app is a free app available for both Android and iOS phones and can be downloaded on any smartphone with Google Play Store for Android and App Store for iPhones.
By providing information such as their name, email address, mobile number, and specifics of an identification (Aadhaar, driving license, voter ID.), travelers can obtain a DigiYatra ID. After entering this data, a DigiYatra ID will be created; it must be shared when buying tickets. The airlines will send this ID and the passenger information to the departing airport.
According to a press release by the Ministry of Civil Aviation, all the passenger's data is encrypted and stored in the wallet of the passenger's smartphone and shared only for a limited time duration with the airport of travel origin where the passenger's Digi Yatra ID needs to be validated. "The data is purged from the system within 24 hours of the flight," the release said.
As per the data shared by the ministry, the total number of passengers who have used the Digi Yatra app at the airports from December 1, 2022 to February 14, 2023 is more than 1.6 Lakh. The user base of the Digi Yatra app on the Android Play Store and iOS Apple App Store stands at 422K.
Ease at the cost of privacy
According to Srinivas Kodali, a researcher with the Free Software Movement of India, the DigiYatra app is shrouded in privacy concerns. "Firstly, face recognition technology is more susceptible to breaches than fingerprint biometrics as it is easier to take someone's photo than their fingerprints. Secondly, we do not have a Digital Privacy law, it is still a bill. So, the app has no legal framework to abide by," Kodali told BOOM.
Kodali further explained why there are security concerns with the mobile-based ID storage platform. He said, "The passenger data is transferred from the app to the airport system but their deletion within 24 hours is just being claimed. We do not necessarily know that it will be deleted."
Speaking to BOOM, Mishi Choudhary, a technology lawyer with Software Freedom Law Centre, said that oral assurances from ministers or bureaucracy are never sufficient to protect any legal rights, pointing out that the '24-hour policy' mentioned by Scindia and the press release of the Ministry of Civil Aviation was not mentioned on Google Play and App Store. "If you see the Terms and Services of the app on Google play, there's no way for anyone to request any data deletion. It also says this app may share data with other apps that include health data," she added.
Exclusionary by design
According to Kodali, the real danger posed by all of these cutting-edge technological systems is how the government might abuse them to add people to no-fly lists and increase profiling. "No-fly lists are a good way to discipline rowdy travelers, but because there is no accountability or due process throughout the system, it is open to abuse," Kodali said.
"By virtue of their socio-economic and political circumstances, some people are disproportionately affected by the nationwide travel surveillance than others. As there is no surveillance regulation in India, the entire system will become arbitrary." Kodali said.
Choudhary added to this, saying, "Data breaches involving face recognition technology increase the potential for identity theft, stalking, and harassment because, unlike passwords, faces cannot be changed."
Do you always want to share the authentic news with your friends?