Wednesday, April 10, 2024

Why Experts Aren’t Convinced By Scindia’s Clarification On DigiYatra Privacy

Date:

While civil aviation minister Jyotiraditya Scindia issued a clarification about DigiYatra’s data-sharing process, experts tell us why it doesn’t resolve concerns about data privacy.

Last week Minister of Civil Aviation Jyotiraditya Scindia clarified that Digi Yatra — an app that uses facial recognition for security clearance and terminal entry — doesn’t store data from users in a “central repository”. Responding to Medianama founder Nikhil Pahwa, Scindia said, “Nikhil Ji, passengers’ personal information data is not stored in any central repository or by the Digi Yatra Foundation. The data is stored in the passenger’s own phone in the Digi Yatra secure wallet. Rest assured, no data is being collected or stored.”

Pahwa said in his tweet that the Ministry of Civil Aviation had said in an RTI response that “Digi Yatra is managed by a private non profit entity, and hence not under RTI”.

“So they’ve structured collection of facial data to avoid accountability. Why should we trust them?” Pahwa asked. 

Since its announcement in 2018, the DigiYatra app has been marred by concerns about privacy over its usage of facial recognition technology. The Government of India’s DigiYatra programme is a facial recognition technology, meant to facilitate passengers by avoiding multiple identity checks at the airport. It, therefore, enables paperless travel by essentially making the passenger’s face their boarding pass.

The app was first launched at airports in Delhi, Bengaluru, and Varanasi and is being gradually implemented in all airports across the country. The airports in Kolkata, Pune, Vijayawada, and Hyderabad will also likely see it implementation by March 2023.

But does Scindia’s clarification resolve concerns surrounding data privacy? Here’s what experts said

How does DigiYatra collect data?

The Digi Yatra app is a free app available for both Android and iOS phones and can be downloaded on any smartphone with Google Play Store for Android and App Store for iPhones.

By providing information such as their name, email address, mobile number, and specifics of an identification (Aadhaar, driving license, voter ID.), travelers can obtain a DigiYatra ID. After entering this data, a DigiYatra ID will be created; it must be shared when buying tickets. The airlines will send this ID and the passenger information to the departing airport.

According to a press release by the Ministry of Civil Aviation, all the passenger’s data is encrypted and stored in the wallet of the passenger’s smartphone and shared only for a limited time duration with the airport of travel origin where the passenger’s Digi Yatra ID needs to be validated. “The data is purged from the system within 24 hours of the flight,” the release said.

As per the data shared by the ministry, the total number of passengers who have used the Digi Yatra app at the airports from December 1, 2022 to February 14, 2023 is more than 1.6 Lakh. The user base of the Digi Yatra app on the Android Play Store and iOS Apple App Store stands at 422K.

According to Srinivas Kodali, a researcher with the Free Software Movement of India, the DigiYatra app is shrouded in privacy concerns. “Firstly, face recognition technology is more susceptible to breaches than fingerprint biometrics as it is easier to take someone’s photo than their fingerprints. Secondly, we do not have a Digital Privacy law, it is still a bill. So, the app has no legal framework to abide by,” Kodali told BOOM.

Kodali further explained why there are security concerns with the mobile-based ID storage platform. He said, “The passenger data is transferred from the app to the airport system but their deletion within 24 hours is just being claimed. We do not necessarily know that it will be deleted.”

Explaining the flaw in DigiYatra’s privacy policy, Kodali said that the policy mentions DigiYatra as an ‘ecosystem’ and not as a single mechanism, which means a third party is involved. “During the 24 hours the data can go to a third party which can be a private entity,” Kodali said.

Speaking to BOOM, Mishi Choudhary, a technology lawyer with Software Freedom Law Centre, said that oral assurances from ministers or bureaucracy are never sufficient to protect any legal rights, pointing out that the ’24-hour policy’ mentioned by Scindia and the press release of the Ministry of Civil Aviation was not mentioned on Google Play and App Store. “If you see the Terms and Services of the app on Google play, there’s no way for anyone to request any data deletion. It also says this app may share data with other apps that include health data,” she added.

Choudhary pointed out that section 13 of DigiYatra’s privacy policy on the Apple App Store says, “As long as it is necessary for the stated purpose, and/or for compliance with legal requirements under applicable laws, Information will be retained in a secure environment and access to it will be restricted according to a ‘need to know’ basis.” According to this section, any policy of the app can be changed at any time.

Exclusionary by design

According to Kodali, the real danger posed by all of these cutting-edge technological systems is how the government might abuse them to add people to no-fly lists and increase profiling. “No-fly lists are a good way to discipline rowdy travelers, but because there is no accountability or due process throughout the system, it is open to abuse,” Kodali said.

“By virtue of their socio-economic and political circumstances, some people are disproportionately affected by the nationwide travel surveillance than others. As there is no surveillance regulation in India, the entire system will become arbitrary.” Kodali said.

Choudhary added to this, saying, “Data breaches involving face recognition technology increase the potential for identity theft, stalking, and harassment because, unlike passwords, faces cannot be changed.”

Additional Information:

The Digi Yatra app is not owned by the government, but by a consortium called the Digi Yatra Foundation whose shareholders comprise the Airports Authority of India and five private airports, including Delhi, Mumbai, Bengaluru, Hyderabad and Kochi

Digi Yatra is not under ministry of civil aviation. It’s a private company.

The centre-backed platform is managed by Digi Yatra Foundation, a Not-For-Profit company made under Section 8 of the Companies Act, 2013. It does not fall under the purview of the Right to Information (RTI) Act.

In the past few weeks, there has been a surge of complaints from passengers about Digiyatra. Their main complaint is about security personnel and airport staff collecting their biometrics for the app, using coercion and deception.

According to travellers, CISF personnel at the entry gates were asking them to scan their boarding pass and capturing their photos, and then enrolling them in the Digi Yatra app without even informing them. The element of coercion is especially startling as the Ministry of Civil Aviation, when it unveiled the Digi Yaytra policy in 2018, had made it clear that it would be entirely voluntary.

File picture of Union Minister for Civil Aviation Jyotiraditya Scindia at the launch of Digi Yatra. Digi Yatra is purely voluntary; data can be collected only after passenger’s consent: Scindia. There have been complaints that biometric data for Digi Yatra were being gathered from passengers without their consent and the issue was flagged to the minister by Rajya Sabha member Saket Gokhale.

Ref: https://www.thehindu.com/news/national/airports-to-ensure-digi-yatra-registration-is-voluntary-and-consensual-scindia/article67782525.ece

Digital rights experts have highlighted several other concerns about the Digi Yatra app, related to privacy, surveillance, exclusion, lack of transparency and accountability, and violation of the passenger’s dignity and autonomy. The Ministry, on its part, has said that the only objective of the Digi Yatra’s biometrics-enabled, digital processing of passengers is to usher in “paper-less and seamless movement through various checkpoints” at airports.

Editor’s Note: Is the safety of the Digi Yatra app guaranteed? Can it be relied upon? What are the procedures followed by airports in other countries for passenger processing?

The Digi Yatra app seems to lack value and perhaps it should be discontinued.

Source: BOOM, apacnewsnetwork-Image, Quora-Image, youtube-image,

Also Read:

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related articles

Democracy in the Digital Age: MIT Experts Caution Against Using Blockchain For Voting.

"Election Security Concerns and Blockchain-Based Voting" • Discusses concerns about election security, including potential foreign interference, unauthorized voting, voter...

Bill Gates-backed, Blockchain, AI, and Big Data-powered Virus-fighting App Launched

The Bill & Melinda Gates Foundation Embracing Blockchain Technology In recent years, the Bill & Melinda Gates Foundation has...

Day after EC notice, Atishi asks ED to reveal action against BJP in ‘money laundering’ cases

New Delhi: A day after getting a notice from the Election Commission, Delhi minister Atishi on Saturday asked...

NIA vehicle attacked in Bengal: Police

Kolkata: A vehicle carrying NIA officials was on Saturday attacked by villagers in Bhupatinagar area of West Bengal’s...