Since July 1, passengers at Hyderabad airport have had the option of using their face as their “boarding card” as facial recognition technology trials were launched. But the roll-out of this new technology, which promises “hassle-free and paperless” journeys, has raised questions about whether the data it collects will be given to private companies and what it means for passengers’ privacy.

Facial recognition registration counters have been put up at the domestic departure gates of the Rajiv Gandhi International Airport in Hyderabad on a trial basis from July 1 till the end of the month. Around 250 passengers have enrolled voluntarily so far, reported The Hindu.

Bengaluru’s Kempegowda International Airport, meanwhile, has signed up Vision Box, a Portuguese company, to provide facial recognition technology services, according to a press release on the firm’s website. The Indian Express reported that the airport was planning to roll out the initiative in the third quarter of 2019.

The initiative is part of the Ministry of Civil Aviation’s “Digi Yatra” policy, which intends to offer air passengers a “seamless, hassle-free and paperless journey experience”. It was framed in August 2018. To enrol for the scheme, passengers will have to show identification proof such as a passport, a PAN card or Aadhaar, the country’s biometrics-linked ID system.

The pilot projects come at a time when citizens and governments around the world are grappling with the implications of facial recognition technology being widely used. In India, police departments have already started using the technology. The National Crime Records Bureau has also invited bids for a company to provide it with an Automated Facial Recognition System, according to The Quint.

But as some places have started using similar technology, others are sceptical of it. For instance, in May, San Francisco became the first city in the United States to ban the use of facial recognition technology because of concerns about public safety.

How it works

The Digi Yatra policy states that Indian airports will have separate kiosks before the entry gates for passengers to enrol for the service. Once passengers submit official identification proof, an image of their face is clicked.

If the passenger chooses to register through Aadhaar, then images of their face and iris are captured and matched with their Aadhaar biometrics. Once confirmed, the passenger receives a 72-character token number from the Unique Identification Authority of India. This token gets stored on the passenger’s profile, according to the policy.

If the passenger provides another form of identity proof, their image is captured and an SMS is sent to their phone with a verification number.

After this, a Central Industrial Police Force personnel checks the identity proof of the person and on confirmation, a Digi Yatra identity is formed. Another facial recognition check is done at the boarding gates.

Passengers who enrol through Aadhaar will not need to register again for future journeys.

The policy states that passengers can apply for a Digi Yatra identity online through other airline ticket booking websites by using either Aadhaar or other identity proofs. But this registration will have to be activated at the Digi Yatra kiosks at the airports.

What the policy states

The Digi Yatra policy lays out guidelines for how passenger data will be collected by the private companies that have been contracted to run the facial recognition systems.

It requires the facial recognition software to obtain the consent of passengers before capturing images of their faces. It allows for this data to be used for marketing purposes, if the customer gives consent for this. The policy states: “In case the passenger ‘opts in’ for such a service, the Digi Yatra Platform shall share the mobile number with the Airport BBS [Biometric boarding systems] / other ecosystem partners like registered taxi/ cab operators, hotels, lounges etc.”

The policy says that if users consent to this, they must also be provided with an option to opt out of the agreement. But it is uncertain whether this information will be buried as part of the initiative’s terms and conditions or made clear to the passengers.

The policy also outlines what happens to the data after the passenger finishes her journey. “This facial data cannot be stored by airports for longer than the duration of transit of passenger and facial data will be purged out of the system 1 hour after take-off/ departure of the flight,” it states. This includes biometric information acquired through Aadhaar.

But the policy later also states that the use of Aadhaar will be subject to change according to guidelines. It notes: “Use of Aadhaar will be solely for identity validation, which will be subject to the prescribed guidelines of UIDAI from time to time.”

Data protection?

However, as this initiative is rolled out, India still does not have a law to protect and regulate the data and privacy of its citizens. Without such a law in place, how will this facial recognition data be regulated?

Rakesh Maheshwari, the cyber law and security coordinator at the Ministry of Electronics and Information Technology, told Scroll.in that the data would be regulated according to Section 43A of the Information Technology Act, 2008.

This section of the Act deals with “compensation for failure to protect data”. It states that a “body corporate” will pay compensation up to Rs 5 crore when it is “negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person…”

However, the section that Maheshwari quoted applies only to private corporations. What if it is the government that falters? What counts as “reasonable security practices”?

Scroll.in sent queries about how the data would be stored and protected from misuse to the Directorate General of Civil Aviation, Kempegowda International Airport, Rajiv Gandhi International Airport and Vision Box. This article will be updated if they respond.

‘Pandora’s box’

In the absence of a law to protect citizens’ privacy and their data, experts were sceptical about any advantages facial recognition technology could bring.

“The legal framework determines whether or not the actual implementation is authorised,” said lawyer Apar Gupta of the Internet Freedom Foundation.

Supreme Court advocate and cyber law expert Pavan Duggal said that gathering facial features as data was a “gross violation” of the right to privacy. “My facial features are my property,” he said. “These features are also very sensitive data.”

As the Rajya Sabha passed the Aadhaar and Other Laws (Amendment) Bill, 2019 on July 8, Union Minister Ravi Shankar Prasad said that the government would draft a comprehensive law to protect data.

But the Economic Survey that was tabled on July 4 and authored by Chief Economic Advisor K Subramanian paints a different picture about data protection.

It states: “Datasets may be sold to analytics agencies that process the data, generate insights, and sell the insights further to the corporate sector, which may in turn use these insights to predict demand, discover untapped markets or innovate new products.”

Moreover, Duggal said that the Information Technology Act and Aadhaar Act did not have any provisions to regulate facial recognition. “There is no law in place,” he said. “The Aadhaar Act only deals with biometrics, not facial features.”

Duggal said that it could be used to profile citizens. “There is so much diversity in India,” he said. “There are various religions, castes and sub-castes. This data can be potentially used to target certain communities. It can open a Pandora’s box. It can assume a different proportion depending upon who is controlling it. It can be commercially exploited and sold to the Dark Net.”

There was also little clarity on whether a tendering process was followed in picking the companies to run the facial recognition pilots at Hyderabad and Bangalore airports, Gupta said.

“None of the government departments are seeking independent legal opinions on this,” he said. “It is almost looking like there is a fetish for collecting personal data to use it for profits.”