Since December 2, the Union Ministry of Civil Aviation has started using facial recognition technology for airport security.

Airports will now allow travellers to pass through various checkpoints – entry, access to the security check area and aircraft boarding – through a contactless process by using facial recognition software. This will work as an alternative to the current process involving physical verification by Central Industrial Security Force personnel as part of the security check before boarding the aircraft.

While this will cut down boarding time, the launch of facial recognition-based access as well as its links to other forms of identity has also brought to light concerns regarding passenger privacy.

The new system

A passengers’ facial features will be scanned by the facial recognition system at e-gates located at these checkpoints to establish their identity, which will be linked to their boarding pass.

For the contactless process, passengers’ travel details will have to be linked to a mobile application. More importantly, travellers will require an Aadhaar-based validation, a self-image capture and will need to upload their boarding pass.

Currently, this new process – which intends to provide a “seamless, hassle-free and paperless” experience to passengers – is not mandatory and is only available for some domestic flights at three airports.

In India, the scheme is being rolled out at seven airports in the first phase – Bengaluru, Delhi and Varanasi starting December 2 and Hyderabad, Kolkata, Pune and Vijayawada by March 2023. Even at these airports, the service is currently only available at specific terminals and boarding gates, according to information provided by the Delhi airport. Customers of only some airlines can currently avail this service.

This policy of using facial recognition at airports, called “Digi Yatra”, was first announced by the civil aviation ministry in October 2018.

Privacy concerns

However, concerns have been raised around user privacy given the need to link Aadhaar and provide a self-image. The collected passenger information could be misused, shared or stolen, experts suggest.

“Although technology initiatives like Digi Yatra are used for enhancing convenience and security, they are developed without a data protection regime and robust surveillance reform, which is problematic,” said Kamesh Shekar, programme manager at Delhi-based think tank The Dialogue.

“The data collected through these means are not safeguarded against misuse, who can access data and whether it is only used for the stipulated purpose is unknown,” Shekar said. “Measures to prevent and tackle breaches and abuse are not specified.”

To alleviate these privacy concerns, the civil ministry said that personally identifiable information is not stored centrally and travel credentials are held in a secure wallet in the passenger’s smartphone itself. Blockchain technology is being used to secure the uploaded data and all data will be deleted from the servers within 24 hours of use, the ministry added.

Blockchain is a system which records digital data in a way that makes it difficult to carry out alterations.

However, Shekar warned that any internet-based technology, including blockchain, is not immune to cyber security threats.

Additionally, as the policy governing this service also allows data sharing with third parties to provide value-added services, Shekar said there are increased chances of third-party fraud, snooping and misuse of data.

Although the policy governing this service talks about deleting the passenger’s biometric data from the system within 24 hours of the person’s journey, “it also mentions that [the boarding system] shall have the ability to change the data purge settings based on security requirements” without being notified, said Aditi Seetha, programme manager, The Dialogue.

Anushka Jain, policy counsel at Internet Freedom Foundation, also highlighted that there is a lack of safeguards against passenger data being shared with third parties. “Passengers are required to place their faith in the authorities and hope that your data is not compromised, at least until a new data protection law comes in,” Jain said.

Representative image. Credit: Prakash Singh/AFP

Lack of protection

In the 2018 policy which governs this service, the government had suggested that the mechanism will conform and adhere to the country’s data protection laws.

However, the Niti Aayog – the Union government’s public policy think tank – had later cautioned the civil aviation ministry in its discussion paper published in November that the service must comply with existing data privacy laws. However, experts point out that it is unclear how passengers’ data will be protected given that at present, India has no data protection laws.

While India currently does not have a data protection law, a new bill covering digital personal data protection is being discussed. Even this proposed bill, some experts say, would provide little protection against problems arising from facial recognition.

“Biometric data such as a person’s face is sensitive personal data,” Jain said. “While fingerprints cannot be captured easily, anyone can capture your face [through a photo]. A person’s face is on various identification cards, but fingerprints are not,” Jain added, emphasising the sensitivity of facial recognition data.

“The earlier iterations [of the Digital Personal Data Protection Bill, 2022 being discussed] differentiated between personal data and sensitive personal data and did provide for stringent protections with regard to sensitive personal data,” Seetha said.

“Sensitive personal data” refers to personal data such as biometrics.

Since the proposed law will amend the existing Information Technology Act and remove a section on compensation for failure to protect data, it appears to be a little worrisome how the biometric data collected at airports will be protected, Seetha said.

There are other reasons to be sceptical too, according to experts. “While the data will be cleared from the airport database 24 hours after passenger departure, there is less clarity on whether data gets deleted from other registries where the data gets stored,” Shekar said. The Niti Aayog had also said in its draft paper that rules related to purging of facial biometrics and other passenger information stored in other registries must be clearly set out in Digi Yatra’s policy.

Fundamental right

India’s current laws do not provide stringent punishments in case of violation or breach of sensitive data, Seetha warned.

Usage of facial recognition technology would not comply with the Puttaswamy judgement given by the Supreme Court, Seetha added. In the Puttaswamy judgement of 2017, the Supreme Court had held that the fundamental right to privacy is guaranteed under the Constitution.

Such concerns have also been raised in other countries where similar services have been deployed. Facial recognition technology is used widely across airports in the United States, in Doha, Dubai, Singapore and at London’s Heathrow.