“Under Digi Yatra, passengers’ data is stored in their own device and not in centralized storage In the Digi Yatra process, there is no central storage of passenger’s Personally Identifiable Information (PII) data. All the passengers’ data is encrypted and stored in the wallet of their smartphone,” the Ministry of Civil Aviation (MoCA) said in a press release issued on March 17, 2023.
The press release was issued after Union Minister of Civil Aviation Jyotiraditya Scindia tweeted in response to MediaNama Editor Nikhil Pahwa’s tweet pointing out that the government has “structured collection of facial data to avoid accountability”. Pahwa’s tweet was based on an RTI filed by MediaNama, to which the MoCA replied stating that Digi Yatra does not come under the purview of the RTI Act because the project is managed by the Digi Yatra Foundation, a non-profit entity of participating airports.
Pls avoid giving your data to Digi Yatra. In RTI response to us, Ministry of Civil Aviation said Digi Yatra is managed by a private non profit entity, and hence not under RTI.
So they've structured collection of facial data to avoid accountability. Why should we trust them? https://t.co/AO9SmqiweB
— Nikhil Pahwa (@nixxin) March 14, 2023
Here’s what Jyotiraditya Scindia replied:
Nikhil Ji, passengers' personal information data is not stored in any central repository or by the Digi Yatra Foundation. The data is stored in the passenger's own phone in the Digi Yatra secure wallet. Rest assured, no data is being collected or stored.
— Jyotiraditya M. Scindia (@JM_Scindia) March 15, 2023
The press release further stated that the data is shared only between “the passenger and the airport of travel origin, where passenger’s Digi Yatra ID needs to be validated”. “The data is purged from the airport’s system within 24 hours of departure of flight. The data is shared by passengers directly, only when they travel and only to the origin Airport,” it adds. Further, the Ministry says that the process is voluntary and since the data shared is encrypted, cannot be used by any other entity.
STAY ON TOP OF TECH POLICY: Our daily newsletter with top stories from MediaNama and around the world, delivered to your inbox before 9 AM. Click here to sign up today!
Why it matters: The MoCA is planning to expand Digi Yatra to other cities amid concerns related to the use of facial recognition technology–such as storage, sharing, and security of data and privacy of travelers–in the absence of a data protection regime. We have pointed out that it is unclear why one cannot seek information about the project under RTI, especially when the project has been circulated as a national policy since 2018. The press release issued by the Ministry does not really address this and many other questions raised by Twitter users in response to the Minister’s tweet.
MediaNama’s RTI on the Digi Yatra project:
In order to get a preliminary update on the status of the Digi Yatra facility, which will soon be extended to more airports, we filed an RTI with the MoCA inquiring about the airport-wise details of the number of individuals who have registered for and used the facility, and the number of downloads recorded by the Digi Yatra application until February 4, 2023 (the date when the RTI was filed).
Digi Yatra uses facial recognition tech to enable a “contactless” boarding process at the airport. The unaddressed technical concerns with regard to facial recognition systems—as pointed out by the Internet Freedom Foundation—calls for an assessment of these potential problems. To start with, we asked the Ministry if they had any data on the grievances and the reasons for them recorded on the app or through their website about Digi Yatra, after it was launched. Additionally, the RTI inquired if the Ministry has addressed any of the grievances. The Ministry provided no answers to any of these questions. We have filed another RTI asking for more details on the project and the data collection process. We are yet to receive a response to it.
Unanswered questions:
Pahwa’s tweet gained much attention on Twitter initiating discussion about where and how people’s biometric data is collected and stored under the Digi Yatra project. The Minister’s response stating that user data is not collected in any central repository or by the Digi Yatra Foundation raises pertinent questions: how is it possible that the facial biometric data and photos used for authentication are not read by the system? And if the data is purged from the airport’s system within 24 hours, as stated in the press release, do passengers have any mechanism to delete their biometrics from the Digi Yatra app on their phones?
With all due respect sir, how does is it possible for a system to authenticate my data without reading the data. The scanner at airport, and the app connecting my selfie and boarding pass to airport – all of that transmits/stores my photo and facial data.
— nullpointer@mastodon.world (@nullpointer57) March 15, 2023
Further, tech researcher Srinivas Kodali pointed out that Avinash Komireddy, founder and CEO of Dataevolve, the company that designed the DigiYatra system, said in an interview with MoneyControl that “the facial recognition authentication process takes place on the Amazon Web Services (AWS) cloud platform”. “That’s the only touch point where your data is going into AWS, because doing it (the verification) on the phone is not very practical,” Komireddy said, adding that no data is stored on AWS, or with the start-up themselves. But, this does suggest that the data doesn’t just remain between the passenger and the airport system, as stated by the Minister.
Why is it then the co-founder of the company which developed #Digiyatra saying facial recognition happens on Amazon Web Services? Who is mis informed? The minister or the engineer?https://t.co/ZNIZ1QNAiP https://t.co/RdfUsQc8Yy pic.twitter.com/pswicXRl1C
— Srinivas Kodali (@digitaldutta) March 15, 2023
While the Ministry is reiterating that the data is not stored in any central repository, and thus there’s no information on the queries mentioned in our RTI, Pahwa pointed out the most pertinent question: “Who is Digi Yatra then accountable to for citizen privacy?” This still remains unanswered.
Thank you for responding Scindia ji. Why has a non profit foundation which is not under RTI been chosen for this important project? Why does Ministry of Civil Aviation say it has no data on Digi Yatra? Who is Digi Yatra accountable to for citizen privacy? https://t.co/BCMdI8MHSO
— Nikhil Pahwa (@nixxin) March 15, 2023
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also Read:
- India’s Civil Aviation Ministry Says Information On Digi Yatra Cannot Be Sought Under Right To Information
- IFF’s Response To Niti Aayog’s Draft Discussion Paper On Facial Recognition Technology
- FRT-Based Digi Yatra Project Begins In Three Indian Airports On Opt-In Basis
- Obtain “Explicit Informed Consent” From People Signing Up For Digi Yatra: SFLC On NITI Aayog Paper
- How Can Digi Yatra’s Biometrics-Based Boarding System Comply With ‘Responsible AI Principles’?
