Social media has been flooded with complaints of how people are being coerced into using the Digi Yatra app, which uses facial scanning biometrics. Is it really risky? And what do the stakeholders have to say about it?
Akshay Gupta recently posted on social media platform X (previously Twitter) that he was denied entry at the Varanasi airport because he “did not follow the Digi Yatra lane”.
“All Indigo passengers were forced into it, citing some circular, but no proof shown when demanded,” he wrote. “IDs not presented when asked, even CISF personnel blocked entry,” he said.
He was not alone. In the recent past, social media has been flooded by similar complaints.
On January 16, in a blog on its website, digital rights organisation Internet Freedom Foundation (IFF) said it had written “to the Ministry of Civil Aviation, NITI Aayog, Airports Authority of India, Digi Yatra Foundation and the Delhi, Bengaluru, Mumbai, Kochi, and Hyderabad regional airports, bringing their attention to the worrisome implementation of the Digi Yatra service across airports in India”.
“We urge them to completely withdraw Digi Yatra from Indian airports owing to its large gamut of concerns relating to privacy, surveillance, exclusion errors and lack of institutional accountability and transparency, coupled with the highly disturbing manner in which it is currently being deployed at airports — with reports of coercion and deception, at the cost of passengers’ dignity, privacy, and autonomy,” IFF had said in its post.
The outrage caused the government to take stock and react quickly to concerns about forceful adoption of Digi Yatra at airports.
On January 27, Union Civil Aviation Minister Jyotiraditya Scindia said that he has taken cognisance of the issue and that personnel at all airports in India had been told to strictly ensure that informed consent was taken before enrolling passengers on to Digi Yatra and that the process must be voluntary.
Face off
With massive data breaches in the past few years, critics are sceptical and have raised concerns about privacy. So, are these fears real or just teething troubles with the new way to travel?
Since its roll out, the Digi Yatra application has been downloaded by four million travellers and has been used 10 million times at various airports, sources from the ministry of civil aviation told ET.
It entails passengers being automatically processed based on facial recognition systems at checkpoints like entry points, security checkpoints and aircraft boarding points. It also facilitates self-bag drop and check-in, using facial recognition to identify passengers and data recall.
The Digi Yatra project is being run by a private “non-profit body of participating airports”, called the Digi Yatra Foundation (DYF).
While the Airports Authority of India (AAI) has 26 per cent share in the foundation, the remaining 74 per cent is equally divided between five international airports — Delhi, Mumbai, Bengaluru, Hyderabad, and Kochi — which are run on public-private partnerships.
When asked about the security concerns, Suresh Khadakbhavi, chief executive of Digi Yatra Foundation, said the app is totally safe. “We do not have any access to a passenger’s digital wallet. We only put a signature on the credentials. It is not stored in our repository or any central location. As a systematic process, data is purged within 24 hours.
“Since we do electronic KYC, the picture of the passenger in his or her Aadhaar card gets validated with his or her live face. So, there is no way one can do mischief with the system,” he said.
Bridging the trust deficit
Citing the examples of when hotels take photocopies of Aadhaar cards or when customers submit photographs while buying SIM cards, Khadakbhavi said such data is unencrypted. “In such manual processes, there is scope for data leakage. We prevent data loss, theft and pilferage in one go with our digital processes,” he said.
The entire Digi Yatra ecosystem undergoes audits by CERT-In empaneled agencies every six months, he added. CERT-In is the national nodal agency for responding to computer security incidents as and when they occur.
“This is sacrosanct. Apart from the process audit, the local airport ecosystem architecture is also validated and so is the equipment. These are checks and balances in place,” Khadakbhavi added.
According to Khadakbhavi, frequent flyers enjoy the benefits of Digi Yatra as they don’t have to show their boarding pass and Aadhaar card at every check point. Passengers don’t complain about standing in long queues.
But he admits that there is one place that they have been lacking: “The mistake we made was focusing on the app and its functionality but not so much on communicating with the public, which is what we’re going to do now,” Khadakbhavi said.
Keeping it safe
However, sceptics believe that the implementation model blurs the line between security and commercial exploitation — especially since the airports are managed by private entities.
Take for instance the Delhi and Hyderabad airports, which are run by the GMR Group. The Mumbai airport is run by the Adani Group.
In Bengaluru, the airport is run by the Bengaluru International Airport Limited with stakeholders like Fairfax India Holdings (54 per cent), Siemens Project Ventures GmbH (20 per cent), AAI (13 per cent) and Karnataka State Industrial and Infrastructure Development Corp Ltd (13 per cent).
The Kochi airport is run by the Cochin International Airport Limited with 18,000 shareholders from 29 countries.
A Bengaluru International Airport spokesperson told ET that passengers share their face biometrics and boarding pass data with the airport they are departing from.
This information is used by the airport for validation of passenger ID and boarding pass.
“The data is deleted within 24 hours of the flight departure. The shareholders of Bangalore International Airport Ltd (BIAL) do not have access to any data,” the BIAL spokesperson said.
A Delhi International Airport spokesperson agreed. “It [Digi Yatra] enables the automatic digital processing of flyers with the benefit of reduced wait time at all the touch points like terminal entry, security and boarding,” he said.
At terminals, passengers are offered the opportunity to avail the benefit of Digi Yatra and “it is purely voluntary”, he said, adding that a passenger’s details are stored in their own mobile wallet.
The Cochin International Airport Limited (CIAL) spokesperson said that till date, 83,000 passengers had successfully used the Digi Yatra facility at the Kochi airport.
“CIAL retains the data of passengers uploaded on Digi Yatra as per the policy guidelines of the Ministry of Civil Aviation, which is till 24 hours from the time-of-flight departures. The data is not shared with third parties. No shareholder of CIAL has any access to Digi Yatra data,” he said.
The Mumbai International Airport Limited (MIAL) spokesperson shared that the data is stored at MIAL in an “on-premises” infrastructure and not with any private entity. The on-premises Digi Yatra Infrastructure is protected through MIAL IT cyber policies.
“The Digi Yatra Foundation, with an appointed auditor, had conducted assessment recently and validated the entire solution at MIAL (application, database, infrastructure),” she said, adding that the MIAL solution was found to be fully compliant as per defined Digi Yatra standards
37.3 million at four airports
As an airport operator, AAI has successfully implemented Digi Yatra at four airports — Kolkata, Varanasi, Pune and Vijayawada — its spokesperson said. Till date, more than 37.3 million passengers have used the Digi Yatra facility at these airports, he said.
“The travel and identity data of passengers are encrypted throughout the transaction and are not used for any commercial purposes,” he assured.
AAI is currently in the process of extending the facility to 12 more airports, including Chennai, Bhubaneshwar, Bagdogra, Chandigarh, Coimbatore, Goa (Dabolim), Indore, Ranchi, Patna, Raipur, Srinagar and Visakhapatnam.
Doubts galore
Despite the assurances, concerns loom. Disha Verma, associate policy counsel, Internet Freedom Foundation, told ET that fears around non-transparency remain.
DYF may conduct periodic CERT-In audits to address data vulnerabilities, but it is a private company and can choose not to make this data public at any time, and one cannot exercise their right to information to obtain it as CERT-in has recently been exempted from the RTI Act.
“We also reiterate our concerns with the use of facial recognition technology, which remains at the heart of Digi Yatra. Face recognition technology is unreliable, inaccurate, creates an environment of surveillance, and currently operates in India without proper legal safeguards. Global trials have shown it is also not an efficient tool for decongesting airports and can lead to inaccuracy-based delays,” said Verma.
