Part 1: The dangers of DigiYatra & facial recognition enabled paperless air travel #SaveOurPrivacy

tl;dr

The Ministry of Civil Aviation’s DigiYatra scheme is scheduled to take flight this year. The scheme aims to make air travel paperless by using facial recognition to authenticate the identities of passengers. It presents privacy risks of profiling and data exploitation without any remedies or regulatory framework.

Background on the DigiYatra Scheme

With an aim to make air travel paperless and hassle-free, the DigiYatra Scheme (“Scheme”) was launched by the Ministry of Civil Aviation on June 8, 2017 by the then Minister of State for Civil Aviation, Shri Jayant Sinha as per a Press Release from Press Information Bureau (link). The Scheme will facilitate the ​​digital processing of passengers at the airports. According to the website of the Scheme (link), digital processing of passengers will be done by using facial recognition to check the identities of passengers at the entry point check, entry into the security check, self-bag drop, check-in and aircraft boarding.

Wait! Does this mean that passengers will remove their masks during a raging pandemic to access this service? This is only one of the many issues with the Scheme, read on…  

The website also details the enrolment process for passengers.

While the initial date of launch of the Scheme was end of February, 2019 (according to the October 4, 2018 PIB press release linked above), the Scheme has faced multiple delays. However, according to a response submitted by the Minister of State in the Ministry of Civil Aviation Gen. (Dr.) V. K. Singh in the Lok Sabha to a parliamentary question, “(t)he proposed Digi Yatra Central Eco-system is planned to go live in March 2022”. (Response to Unstarred Question No.: 867 linked here).

The Scheme will be rolled out first in the Varanasi, Pune, Kolkata, and Vijaywada airports. For more information on these individual projects as well as the DigiYatra Scheme, visit them on the Project Panoptic platform (Varanasi, Pune, Kolkata, Vijaywada, and DigiYatra). The response also states that the Airports Authority of India has engaged M/s NEC Corporation Private Limited for the implementation of the Scheme.

The DigiYatra Policy

An accompanying DigiYatra Policy (“Policy”), which contains “standards for digital processing of passengers at airport(s) to ensure uniform implementation and passenger experience across Indian airports through a connected ecosystem”, was launched on October 4, 2018 (refer the press release from the Press Information Bureau here).

According to the Policy, the objectives of the Scheme are:

1. Enhance passenger experience and provide a simple and easy experience to all air travellers.
2. Achieve better throughput through existing infrastructure using “Digital Framework”.
3. Result in lower-cost operations.
4. Digitize current manual processes and to bring better efficiencies.
5. Enhance security standards and improve current system performance.
6. Rollout of “Digi Yatra” system with a digital “ID” backed by a strong verifiable government issued identity like AADHAAR, passport & others, enabling a seamless travel experience for Passengers at all airports across India.

To understand the objectives behind the Scheme in detail, please refer to pg. 8 of the Policy document here.

For our reference, the part of the Policy which is important to peruse is the “High-Level Data Privacy Guidelines” (Refer page 47 of the Policy).

1. Compliance with missing data protection norms: The Policy states that the airports using the DigiYatra Biometric Boarding System (BBS) will conform and adhere to the data protection laws as applicable and mandated by the Government Of India, however presently India does not have any specific law on data protection. (An analysis of the Scheme and Policy in light of the Right to Privacy decision of the Hon’ble Supreme Court and the Draft Data Protection Bill, 2021 has been done in the next section)
2. Reference to Aadhaar Act: The Policy further states that, the BBS data management will be compliant with the Information Technology Act, 2000 and Information Technology Amendment Act, 2008 as well as the Aadhaar (Targeted Delivery Of Financial And Other Subsidies, Benefits And Services) Act, 2016 (refer to the Act here) for all the Aadhaar related transactions.
3. Policy prescribes privacy principles: The Policy states that airports using the BBS shall be compliant to certain data security techniques (page 47), privacy principles (page 47-48), data privacy by design techniques (page 48), and personal data guidelines (page 48-49). However, such principles within the policy are not legislative safeguards and will have a limited application, if any.
4. Security audits: According to the Policy, periodic audits of the platform shall be conducted by CERT-IN and/ or the Standardisation Testing and Quality Certification Directorate, or any other Govt. of India nominated agency every two years.

In the next section, we will analyse the Policy in conjunction with existing and proposed legal frameworks. We hope to demonstrate that DigiYatra is essentially a trojan horse for data maximisation and profiling in the guise of providing public convenience.

A legal analysis of DigiYatra

1. Issues inherent in the Policy: The DigiYatra policy makes reference to various standard privacy principles such as lawfulness of processing, purpose limitation, data minimisation, accuracy, and storage limitation among others. However, it also goes on to state that  “BBS shall have an ability to change the data purge settings based on security requirements on a need basis” and  “Any Security Agency, BOI or other Govt. Agency may be given access to the Passenger Data based on the current/ existing Protocols prevalent at that time” (refer page 49). Therefore, it creates a wide and vague exemption for sharing of passenger data with the government agencies which may lead to eventual abuse of such access. Sharing of biometric data with the government agencies without consent may also lead to violations of specific fundamental rights such as the right to move freely within the territory of India enshrined in Article 19(1)(d) of the Constitution of India. This is because it could result in additional screening measures for those categories which have historically lower facial recognition accuracy rates such as women and people with darker skin as reduced accuracy could result in them not being identified as themselves correctly. (Studies on lower accuracy rates for people of color linked here and women linked here).
2. Fails to fulfil thresholds laid down in the Right to Privacy decision: The Hon’ble Supreme Court of India laid down certain thresholds which have to be fulfilled to justify state intrusion into the right to privacy guaranteed to citizens in its decision in the matter of ​​K. S. Puttaswamy v. Union of India [(2017) 10 SCC 1]. These thresholds are legality, necessity, proportionality and procedural safeguards. The DigiYatra Scheme fails to fulfil the legality threshold as it does not take place within a defined regime of law i.e. there is no anchoring legislation, with a clear set of provisions for remedy. The Policy does not have any force of law as it is untethered to any policy or legal framework and is thus unenforceable. Further, it fails to fulfil the thresholds of necessity (which justifies that the restriction to people’s privacy is needed in a democratic society) and proportionality (where the Government must show that the intrusion is proportional to the necessity and that there are no other alternatives which can fulfil said mandate). This is because mere convenience cannot be justified as a necessary restriction on privacy. The Policy also does not contain any provisions which relate to recourse and/or punishment in case of violations nor does it have any procedural safeguards in place to prevent misuse.
3. Higher risk due to lack of data protection law: India presently does not have any personal data protection laws in place to regulate how the Scheme will collect, process and store data collected. What we do have is the Draft Data Protection Bill, 2021 (refer to our work on the Bill here). However, even this Bill is insufficient to satisfactorily address the privacy concerns of the Scheme. This is because Clause 35 of the Bill grants powers to the Central Government to exempt certain departments from the application of the Bill if it feels it necessary for certain legitimate purposes such as security of state. It stands to reason that therefore exemption under Clause 35 could also be provided to data processed under the Scheme as the Policy itself also discusses sharing data with security agencies and other government agencies. (Read more about the Clause 35 exemption in the 2021 Bill here) Further, in the discussion around Clause 85 of the Bill in the Joint Parliamentary Committee Report, which relates to offences by the State, the Committee discusses the difficulty that the Government, as a significant data fiduciary, would face in processing large volumes of data and creates an arbitrary classification to classify government authorities that are processing data as separate “government data fiduciaries” which would be liable for any offence committed. The Bill further states that where an offence is committed by a government data fiduciary, an in-house enquiry shall be conducted by the Head of Office of the concerned data fiduciary and subsequently the liability may be decided. This creates a situation where the government data fiduciary evaluates its own crime. (Refer to the discussion on Clause 85 of the Bill on page 157, para 2.262 of the JPC Report here).

While the Scheme is opt-in, it does not mean that the people opting in are ready to trade their privacy for convenience. In the second part of our explainer on DigiYatra, we will take a look at how passenger data may end up being commercialised by the government, how common arguments for sacrificing privacy at the altar of convenience do not hold water as well as how foreign jurisdictions have responded to similar schemes.

Important documents

1. Part 2: IFF explains DigiYatra: Turbulence ahead dated January 29, 2022 (link)
2. DigiYatra Project on Panoptic website (link)
3. The DigiYatra Policy dated August 9, 2018 (link)