Support

Explore

HomeNo Image is Available
About UsNo Image is Available
AuthorsNo Image is Available
TeamNo Image is Available
CareersNo Image is Available
InternshipNo Image is Available
Contact UsNo Image is Available
MethodologyNo Image is Available
Correction PolicyNo Image is Available
Non-Partnership PolicyNo Image is Available
Cookie PolicyNo Image is Available
Grievance RedressalNo Image is Available
Republishing GuidelinesNo Image is Available

Languages & Countries :






More about them

Fact CheckNo Image is Available
LawNo Image is Available
ExplainersNo Image is Available
NewsNo Image is Available
DecodeNo Image is Available
Media BuddhiNo Image is Available
Web StoriesNo Image is Available
BOOM ResearchNo Image is Available
BOOM LabsNo Image is Available
No Image is Available
Deepfake TrackerNo Image is Available
VideosNo Image is Available

Support

Explore

HomeNo Image is Available
About UsNo Image is Available
AuthorsNo Image is Available
TeamNo Image is Available
CareersNo Image is Available
InternshipNo Image is Available
Contact UsNo Image is Available
MethodologyNo Image is Available
Correction PolicyNo Image is Available
Non-Partnership PolicyNo Image is Available
Cookie PolicyNo Image is Available
Grievance RedressalNo Image is Available
Republishing GuidelinesNo Image is Available

Languages & Countries :






More about them

Fact CheckNo Image is Available
LawNo Image is Available
ExplainersNo Image is Available
NewsNo Image is Available
DecodeNo Image is Available
Media BuddhiNo Image is Available
Web StoriesNo Image is Available
BOOM ResearchNo Image is Available
BOOM LabsNo Image is Available
No Image is Available
Deepfake TrackerNo Image is Available
VideosNo Image is Available
Explainers

Why Experts Aren't Convinced By Scindia's Clarification On DigiYatra Privacy

While civil aviation minister Jyotiraditya Scindia issued a clarification about DigiYatra's data-sharing process, experts tell us why it doesn't resolve concerns about data privacy.

By - Hera Rizwan | 21 March 2023 4:17 PM IST

Last week Minister of Civil Aviation Jyotiraditya Scindia clarified that Digi Yatra — an app that uses facial recognition for security clearance and terminal entry — doesn't store data from users in a "central repository". 

Responding to Medianama founder Nikhil Pahwa, Scindia said, "Nikhil Ji, passengers' personal information data is not stored in any central repository or by the Digi Yatra Foundation. The data is stored in the passenger's own phone in the Digi Yatra secure wallet. Rest assured, no data is being collected or stored." 

 Pahwa said in his tweet that the Ministry of Civil Aviation had said in an RTI response that "Digi Yatra is managed by a private non profit entity, and hence not under RTI".

"So they've structured collection of facial data to avoid accountability. Why should we trust them?" Pahwa asked. 

Since its announcement in 2018, the DigiYatra app has been marred by concerns about privacy over its usage of facial recognition technology. The Government of India's DigiYatra programme is a facial recognition technology, meant to facilitate passengers by avoiding multiple identity checks at the airport. It, therefore, enables paperless travel by essentially making the passenger's face their boarding pass.

The app was first launched at airports in Delhi, Bengaluru, and Varanasi and is being gradually implemented in all airports across the country. The airports in Kolkata, Pune, Vijayawada, and Hyderabad will also likely see it implementation by March 2023. 

But does Scindia's clarification resolve concerns surrounding data privacy? Here's what experts said

How does DigiYatra collect data?

The Digi Yatra app is a free app available for both Android and iOS phones and can be downloaded on any smartphone with Google Play Store for Android and App Store for iPhones.

By providing information such as their name, email address, mobile number, and specifics of an identification (Aadhaar, driving license, voter ID.), travelers can obtain a DigiYatra ID. After entering this data, a DigiYatra ID will be created; it must be shared when buying tickets. The airlines will send this ID and the passenger information to the departing airport.

According to a press release by the Ministry of Civil Aviation, all the passenger's data is encrypted and stored in the wallet of the passenger's smartphone and shared only for a limited time duration with the airport of travel origin where the passenger's Digi Yatra ID needs to be validated. "The data is purged from the system within 24 hours of the flight," the release said. 

As per the data shared by the ministry, the total number of passengers who have used the Digi Yatra app at the airports from December 1, 2022 to February 14, 2023 is more than 1.6 Lakh. The user base of the Digi Yatra app on the Android Play Store and iOS Apple App Store stands at 422K.

Ease at the cost of privacy

According to Srinivas Kodali, a researcher with the Free Software Movement of India, the DigiYatra app is shrouded in privacy concerns. "Firstly, face recognition technology is more susceptible to breaches than fingerprint biometrics as it is easier to take someone's photo than their fingerprints. Secondly, we do not have a Digital Privacy law, it is still a bill. So, the app has no legal framework to abide by," Kodali told BOOM. 

Kodali further explained why there are security concerns with the mobile-based ID storage platform. He said, "The passenger data is transferred from the app to the airport system but their deletion within 24 hours is just being claimed. We do not necessarily know that it will be deleted."

Explaining the flaw in DigiYatra's privacy policy, Kodali said that the policy mentions DigiYatra as an 'ecosystem' and not as a single mechanism, which means a third party is involved. "During the 24 hours the data can go to a third party which can be a private entity," Kodali said.

Speaking to BOOM, Mishi Choudhary, a technology lawyer with Software Freedom Law Centre, said that oral assurances from ministers or bureaucracy are never sufficient to protect any legal rights, pointing out that the '24-hour policy' mentioned by Scindia and the press release of the Ministry of Civil Aviation was not mentioned on  Google Play and App Store. "If you see the Terms and Services of the app on Google play, there's no way for anyone to request any data deletion. It also says this app may share data with other apps that include health data," she added.

Choudhary pointed out that section 13 of DigiYatra's privacy policy on the Apple App Store says, "As long as it is necessary for the stated purpose, and/or for compliance with legal requirements under applicable laws, Information will be retained in a secure environment and access to it will be restricted according to a 'need to know' basis." According to this section, any policy of the app can be changed at any time.

Exclusionary by design

According to Kodali, the real danger posed by all of these cutting-edge technological systems is how the government might abuse them to add people to no-fly lists and increase profiling. "No-fly lists are a good way to discipline rowdy travelers, but because there is no accountability or due process throughout the system, it is open to abuse," Kodali said. 

"By virtue of their socio-economic and political circumstances, some people are disproportionately affected by the nationwide travel surveillance than others. As there is no surveillance regulation in India, the entire system will become arbitrary." Kodali said.

Choudhary added to this, saying, "Data breaches involving face recognition technology increase the potential for identity theft, stalking, and harassment because, unlike passwords, faces cannot be changed."

Tags: