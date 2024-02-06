In response to multiple questions regarding the data collection process employed for the Digi Yatra system at airports, the Ministry of Civil Aviation (MoCA) stated that there is no central storage of a passenger’s Personally Identifiable Information (PII) data under the Digi Yatra Central Ecosystem (DYCE).

Minister of State for Civil Aviation Gen. (Dr) V. K. Singh (Retd) also revealed that the DYCE is built on the fundamental tenets of “privacy by design/default” and that the processes are subjected to audits and certification by CERT-In empanelled agencies to ensure data privacy and security standards.

The Digi Yatra policy is an initiative by the MoCA to introduce a “biometric boarding system ” that uses facial recognition technology (FRT) for verification at Indian airports. Ever since its implementation, the project has received much criticism due to a lack of transparency regarding security of people’s data that is being collected, privacy issues related to the use of FRT, and ambiguities related to the authority that manages the Digi Yatra ecosystem. Most recently, people have also taken to X to report instances of passengers being forced or tricked into using Digi Yatra at airports.

Information on Digi Yatra cannot be accessed under RTI:

When Rajya Sabha member K.C Venugopal enquired about the organisation managing Digi Yatra, the Ministry informed, “Digi Yatra Central Ecosystem is managed by Digi Yatra Foundation, a Not-For-Profit company made under the Section 8 of the Companies Act, 2013 and hence does not come under the ambit of Right to Information (RTI) act.”

MediaNama had first brought to light the information that Digi Yatra does not come under the purview of the RTI Act in March 2023. In response to an RTI filed by MediaNama regarding the registrations recorded for Digi Yatra, the Ministry had stated that such data regarding Digi Yatra cannot be provided under RTI. The Indian government says that Digi Yatra is an initiative of the MCA; it is then unclear as to why one cannot seek information about the project under RTI, especially when it has been circulated as a national policy since 2018. You can read more about the RTI and the response here .

Back then, the government had not informed that Digi Yatra processes are subject to audits by CERT-In empanelled agencies. It is important to note that CERT-In is also exempted from the RTI Act and the government has refused to disclose the reasons for such exemption.

Do passengers have complete control over their data?

Replying to questions related to guidelines for ensuring data privacy and security standards for safeguarding people’s biometric data, the Ministry informed that Digi Yatra Guidelines have been issued by the Directorate General of Civil Aviation (DGCA) through the Aeronautical Information Circular (AIC) No. 09/2022 dated 18.04.2022.

The MoS further explained, “These Digi Yatra guidelines provide for decentralised mobile wallet-based identity management platform. The personal information of the passenger are stored in the mobile-wallet of the traveller. The same are shared with the departure airport in the encrypted format and data is purged from the system after 24 hours of departure of flight. This addresses the data protection issues in implementation of Digi Yatra.”

In March 2023, following questions by MediaNama Founder-Editor Nikhil Pahwa, the Ministry of Civil Aviation had also issued a press release stating that the data is shared only between “the passenger and the airport of travel origin, where passenger’s Digi Yatra ID needs to be validated”. Further, the Ministry says that the process is voluntary and since the data shared is encrypted, cannot be used by any other entity.

Unanswered questions:

Rajya Sabha member Niranjan Reddy enquired whether passengers have full transparency and control over the data collected through Digi Yatra, including the right to access, rectification, and deletion of their data. The government did not address the question in detail. Further, while the data is purged from the airport’s system within 24 hours, it is not known whether passengers have any mechanism to delete their biometrics from the Digi Yatra app on their phones.

Reddy also asked if there are plans to bring Digi Yatra under government control to ensure security and transparency, and the Ministry did not specifically answer this question. Similarly, in response to multiple questions on the government’s efforts to prevent misuse of passenger data while they are using Digi Yatra, the Ministry reiterated that the data is stored in the passenger wallet and is deleted from the airport system within 24 hours.

However, Avinash Komireddy, founder and CEO of Dataevolve, the company that designed the DigiYatra system, said in an interview with MoneyControl that “the facial recognition authentication process takes place on the Amazon Web Services (AWS) cloud platform”. “That’s the only touch point where your data is going into AWS, because doing it (the verification) on the phone is not very practical,” Komireddy said, adding that no data is stored on AWS, or with the start-up themselves. Experts had pointed out on X that this does suggest that the data doesn’t just remain between the passenger and the airport system, as stated by the Minister.

Further, the Digi Yatra Foundation website also states that users’ personal data may be shared with DYF employees, agents, and even third parties that provide services to DYF. This further raises questions about how exactly user data is being processed, shared, and strengthens uncertainties about the system providing robust security for users’ data.

