On July 1, under the Centre’s Digi Yatra initiative, a Facial Recognition (FR) system was launched on a pilot basis at the Rajiv Gandhi International Airport (RGIA) in Hyderabad, a first in any Indian airport. The technology allows passengers to merely look at a camera without a boarding pass and walk through the security gate. However, researchers on FR systems and open data say loopholes in the Digi Yatra policy may potentially lead to the FR data of passengers being misused for government surveillance or for commercial reasons.

The pilot project that is being tested in Hyderabad until July 31 allows passenger entry into the airport. The pilot system has a capacity to register 3000 individuals. Sources say due to high demand from frequent flyers they are close to achieving this target with just a week left for the pilot to end.  A person can register with the FR system using any government ID at the airport. Their identity will also be physically reviewed by the Central Industrial Security Force (CISF) officers at the airport. If the project is found successful it would be expanded to security gates before boarding and eventually to all major airports in the country.

At Hyderabad, the facial recognition data of the passengers who had opted to register with the FR system is maintained by the IT department of GMR Hyderabad International Airport Limited (GHIAL), the airport management firm that operates RGIA. As per the Centre’s Digi Yatra policy, the private firm is expected to delete the FR data one hour after the passengers’ departure. Furthermore, at the time of registration for FR, the private firm can enrol the passenger for ‘value added services’ – anything from an invite to a lounge to special offers. Experts suggest that this could be targeted advertising based on the data the firm has on the passenger.
However, the policy prescribes no “checks and balances” to ensure that these companies delete the passenger data after an hour, nor is there a definition of what constitutes a value-added service, point out researchers.
“How can one check if these private firms are deleting the FR data of their passengers? Who is checking if they do it or not? No one knows,” says Srinivas Kodali an independent researcher on open data who obtained access to documents showing internal communications between various Central government agencies and the AAI over the course of 2018 via RTI. The documents paint a picture of the consultations between stakeholders that eventually led to the Digi Yatra policy in its present form.
“The FR data will be owned by airports that are run by private companies and as long as the person is in the airport they could be targeted with advertisements,” says Srinivas, who raised concerns about the FR data in the hands of the government with little or no accountability.
The initial versions of the Digi Yatra draft that was under discussion showed that the FR data from airports was to be shared with intelligence agencies like the IB and RAW. The data was to also be shared with the local police. But these details did not make it to version 5.2 of the final policy which is now public. Presently, the police and intelligence officials send out notices to airports for keeping tabs on wanted criminals fleeing the country and smugglers.