Passengers of Air Asia India flights, boarding from Bengaluru’s international airport, can now choose to authenticate their identity via facial recognition systems installed at the airport as part of the Indian government’s DigiYatra scheme. The airport, in a statement on August 3, said that passengers can choose to either board an Air Asia flight by going through the biometric authentication process, or through the existing manual process. We’ve reached out to the airport with more questions.

Air Asia is the second airline at the airport to start this facility, following Vistara, which has allowed this facility since July 2019. The Indian government had launched the DigiYatra scheme in 2018, which allows automatic processing of passengers’ identity based on a facial recognition system at check points like: entry to airport, security check and aircraft boarding.

How the flow works: Here’s how the face authentication is supposed to work, on paper. A passenger

  • Registers for DigiYatra using one of 11 registration kiosks at the airport
  • Proceeds to departure entry e-Gates, scan your boarding pass at a kiosk and match their face
  • At security check, validates their credentials by allowing a camera to scan their face
  • Scans their face yet again for validation and boards the flight.

How the data is handled: The airport claimed that passengers’ biometric data is used only for “authentication and verification” of passengers to assist the boarding process and “not for recognition”. The passenger data is deleted within a “few hours” of flight completion, it added. 

Passengers’ biometric data is stored on “dedicated data centres”, the airport said, without specifying where these data centres are located and who operates them. 

Who built the system? The biometric authentication system has been developed by Vision Box, a Portuguese multinational company. Facial recognition systems deployed at the Delhi international airport were also supplied by the same company. 

As per its website, Vision Box’s solution, called Orchestra, “meets legal and regulatory requirements of data privacy and security” and is “100% compliant with European Union General Protection Data Regulation (GDPR) Law”. However, the airport did not explain what kinds of data security practises are being adopted for Indian citizens. 

“At BLR Airport, we have been following stringent safety and hygiene protocols and we believe that the tech-enabled biometric journey, is another step towards healthy, secure and hassle-free travel. This project will continue the process of transforming passenger journeys — unleashing the power of the Country’s first all-biometric flow operation, where ‘your face is your boarding pass. … We are committed to offering innovative ways to simplify the passenger journey, while maintaining the highest standards of safety, security and privacy,” Hari Marar, MD and CEO of Bengaluru International Airport Limited said in the statement

Is this really a ‘seamless’ way to travel?

The DigiYatra initiative says that biometric authentication of passengers will “facilitate paperless travel” and “avoid identity check at multiple points”. The government has been portraying this as a more “seamless” way to travel. However, that isn’t entirely true:

  • When a passenger signs up for the initiative, they have to submit an ID proof. If this ID is an Aadhaar, then its verification can be done online. But, for any other proof of identification, a CISF personnel will manually verify the document at the airport. This isn’t seamless, and in fact, adds more time to entire checking-in process.
  • The problem of passengers entering airports on fake tickets (or possibly using fake identification) cannot be eliminated while this process is non-mandatory, as those passengers will continue to enter airports using existing methods.
  • Privacy concerns: It’s unclear for now where the data collected by the airports will be stored, how long it will be retained for, and how they will deal with data protection and privacy concerns around biometric authentication. Will these systems be integrated with larger criminal detection surveillance systems such as the CCTNS (Crime and Criminal Tracking Network and Systems)?
  • The Personal Data Protection Bill, 2019, which is currently being deliberated by a Joint Parliamentary Community has carved out exemptions for government agencies to adhere with provisions of the Bill. This suggests that the government can possibly store and process biometric data of passengers without necessarily adhering to the provisions in the Bill by exempting them from the provisions of the Bill.
  • Under the DigiYatra scheme, data purge settings can be changed based on security requirements on a “need basis”.