Digi Yatra: IT wanted guard rails against data misuse, aviation said app will be new normal

The records also show that the Ministry of Civil Aviation (MoCA) suggested Digi Yatra will become the “de facto” process of checking-in and boarding “across all airports in India,” while reducing “human involvement” — a fact that potentially runs counter to its insistence that the technology will remain voluntary.

The study, “Adopting the Framework: A Use Case Approach on Facial Recognition Technology”, was carried out under a Niti Aayog research scheme — although the Government’s top policy think tank does not endorse its findings and recommendations.

Incidentally, the RTI records show, the Principal Scientific Advisor (PSA) submitted for the study that since Digi Yatra was envisaged as a “purely voluntary” scheme, there would be “no reduction in the security framework in terms of human resource” as a population of air travellers may choose not to consent to it.

The Ministry of Home Affairs said facial recognition technology could be effectively used only when combined with other “long-accepted biometric technologies such as fingerprints and iris scans” — since there are issues relating to privacy and negative identification. At the same time, it advocated for the use of facial recognition technology as a “valuable tool” for law enforcement agencies, the RTI records showed.

On the Home Ministry’s suggestion, the study observed that “in the current legal vacuum, where no law prescribes checks and balances on the use of FRT by law enforcement, its deployment arguably violates Article 21 (protection of life and personal liberty) of the Constitution”, the RTI documents showed.

It noted that integrating mass biometric collection technologies into law enforcement and policing efforts, without a data protection law, clear criminal and policing procedural guidelines, or clarity under the Indian Evidence Act, could violate Article 21 of the Constitution.

The ministries of IT, Civil Aviation and Home did not respond to requests for comment from The Indian Express on the study.

This newspaper also spoke to cyber security experts who suggested that the IT ministry may have missed the bus by not including key safeguards on facial recognition technology by private entities in the Digital Personal Data Protection (DPDP) Act draft released in November 2022.

“I believe that such personal data as ‘core biometrics data’ that is collected and processed should be based on a specific enabling law and should not just be left to notice and consent. The existing provision of ‘lawful purpose’ — meaning any purpose which is not expressly forbidden by law — under the DPDP Act does not provide such specific protections, and may not be good enough for such core biometric data,” said Rakesh Maheshwari, who served as senior director and group coordinator for the cyber laws division at the IT Ministry until April 2023.

Earlier this year, former Aviation Minister Jyotiraditya Scindia had clarified that airport operators had been sensitised to take travellers’ consent before capturing their biometric data on Digi Yatra, while keeping its use completely voluntary.

The Digi Yatra Foundation, which operates the platform, was set up as a joint venture company in 2019 under Section 8 of the Companies Act, 2013 whose shareholders are the Airports Authority of India (26 per cent), and five other airports (74 per cent) — Hyderabad, Kochi, Bengaluru, Mumbai and Delhi.

According to the RTI records, the study stated that Digi Yatra’s privacy policy should explicitly clarify rules related to the deletion of passenger information from the database once the travel is complete. As per the policy for Digi Yatra, facial biometrics are deleted from the local airport’s database 24 hours after the departure of the passenger’s flight.

“However, the rules related to deletion of other information collected from the passengers, as well as any facial biometrics that are stored in other registries, must be clearly set out in the policy,” the study said.

On the Home Ministry’s suggestion to club the use of facial recognition technology with other types of biometrics, Vidhi noted that “in the current legal vacuum, where no law prescribes checks and balances on the use of FRT by law enforcement, its deployment arguably violates Article 21 of the Constitution,” the RTI documents showed.

It further noted that integrating mass biometric collection technologies into law enforcement and policing efforts, without a data protection law, clear criminal and policing procedural guidelines, or clarity on the status of FRT output under the Indian Evidence Act, renders its usage beyond the scope of Article 21.