Hey Digi Yatra Foundation, open up the doors…

…If not today, maybe tomorrow? The Digi Yatra Foundation reached out to IFF to offer information on the DigiYatra data ecosystem and invite us to a private closed-door meeting with the CEO and team. This is what we had to say in response.

03 July, 2024

tl;dr

Digi Yatra Foundation, a private company that runs the opt-in facial recognition airport check-in service, reached out to IFF to invite us to a closed-door meeting with their CEO Mr. Suresh Khadakbhavi and the team. While we appreciate the invite for a private conversation and will be happy to engage (with some reservations), we urge the DYF team to invite diverse civil society voices for an open conversation in the interest of instilling transparency by design, which has been one of our core asks from Digi Yatra. We also strongly urged them to pause their plans to scale Digi Yatra across airports and to newer service sectors until pressing privacy concerns with the system are adequately addressed and corrected.

Important Documents

  1. IFF’s Email response to Digi Yatra Foundation dated June 26, 2024 (link)
  2. IFF’s explainer post on Digi Yatra’s privacy concerns (link)
  3. IFF’s past work on Digi Yatra (link)

Background

Originally a scheme of the Indian union government, Digi Yatra is a privately-run airport service owned by the Digi Yatra Foundation (“DYF”) with a 26% shareholding from the Airports Authority of India. Digi Yatra intends to facilitate authentication of passengers as an alternative to boarding passes by using facial recognition technology (“FRT”)—a deeply flawed and dangerous tool that can lead to harrowing consequences for individual privacy, dignity, free speech, movement, and life. Surveillance risks aside, Digi Yatra’s data ecosystem, or DYCE, presents a number of concerns with regard to how the service stores, processes, shares, or uses personal data of passengers, especially their highly vulnerable and sensitive facial data.

Of late, passengers across India have reported coercive techniques being deployed at airport gates to sign them up for Digi Yatra without their informed consent, with as many as 29% of passengers flying out of the Delhi airport reportedly never realising they have been registered for the service. This year, Digi Yatra announced its move to a new app and a “complete overhaul in its infrastructure” amidst allegations of its tech provider having pending criminal investigations to its name—but it failed to make transparent disclosures on DYF’s past relationship with the provider and why it was migrating away from it (read our analysis here).  

More recently, DYF has revealed its plans to scale up the service for use in railways, hotels, and taxis, while it continues to expand operations across more airports in India. It has not addressed any of these prevalent concerns before announcing such expansion.

DYF’s outreach and our response

Two weeks ago, DYF reached out to IFF to invite us to a private, closed-door meeting with their team to share information on DYCE and its technical infrastructure. This comes at the height of IFF’s incessant advocacy and literacy efforts on the privacy concerns surrounding Digi Yatra, and of our writing to DYF and the Ministry of Civil Aviation.

While we appreciate DYF reaching out to us, we strongly believe that this is a conversation that needs to happen in the public domain and include more diverse voices. Alongside IFF, a large number of civil society organisations, cybersecurity researchers, lawyers, privacy advocates, and passengers have been drawing attention to DigiYatra’s problematic manner of operation and privacy risks for years. They should all have the opportunity to represent their views together. Some of these organisations/individuals also possess deep knowledge about data ecosystems and infrastructures similar to Digi Yatra. Given the complexity of issues, non-transparency in design, and other concerns with DigiYatra, detailed explanations about its technical infrastructure must be in the public domain. Private, closed-door meetings would also prevent all these voices from simultaneously presenting their concerns, learning from each other's questions, and meaningfully responding to any new information shared with them.

Therefore, we urged DYF to use mechanisms that are open, inclusive, and diverse, such as open-door meetings comprising cybersecurity researchers and other thematic experts, in place of a closed-door, private one. 

For more information, here is a copy of our response.

Why a diverse dialogue matters

The Digi Yatra scheme (and now service) is a core public interest issue which affects the human rights and freedoms of a vast number of Indian citizens. IFF has undertaken extensive advocacy on the matter—shedding light on the data collection, storage, and processing mechanisms adopted by Digi Yatra since its inception, and its worrying use of FRT without safeguards. In 2024 alone, we raised concerns to shareholding airports and the Ministry of Civil Aviation about the unlawful and undignified manner in which airline passengers across India are ambushed and coerced into signing on to the “voluntary” Digi Yatra service, and launched an informative Know-Your-Rights campaign to help citizens resist it. More recently, we raised alarms about the lack of transparency and disclosures on DYF’s part when they announced shifting to a new Digi Yatra app, all the while being under fire for being affiliated with Dataevolve, a one-person company whose CEO has been under a separate criminal investigation for money laundering, and for using an excessive and dangerous number of app permissions on users’ phones. Our research and advocacy on Digi Yatra are grounded in three aspects:

  1. Digi Yatra poses grave risks to human rights of Indian citizens, including but not limited to the right to privacy and to dignity under Article 21 of the Indian Constitution;
  2. Digi Yatra’s data collection, use, and sharing practices, data flow and infrastructure, and day-to-day operations are patently non-transparent and unintelligible to the public, worsened by the fact that it operates without an active data protection law in place;
  3. Meaningful engagement with Digi Yatra and DYF is impeded by the fact that despite being a government scheme, it is run by a private entity, making it impossible for the public to seek information, transparency, accountability, and grievance redress from a system that deeply affects their rights.

We have relentlessly sought transparency and proactive disclosures from Digi Yatra for years, posing questions about its data ecosystem and surveillance implications since the day it was rolled out. Instead of recognising these pitfalls and remedying them by actually conducting security audits and providing evidence of its “secure” ecosystem, Digi Yatra has time and again acted in a manner that cements its opacity and inaccessibility to the general public. We are deeply concerned that such “private closed-door” conversations further exactly this opacity and lack of public accountability that IFF has been fighting hard to dismantle. 

IFF has tackled a wide range of privacy-infringing policy initiatives and schemes over the years, but one core demand commonly echoes across all of them: more broad, diverse, and meaningful stakeholder consultations, please! This case is no different. We understand that some members of our community felt we should have taken the private meeting without going public. While we are happy to continue to engage with DYF, this should take place in a manner that is most optimal and beneficial for all quarters and ultimately furthers core public interests including, but not limited to, transparency and accountability. We hope this conversation happens in a room full of civil society voices, and that such meaningful discourse becomes routine in the policy space.

It was, therefore, important for us to push for a public conversation, and inform our community. In doing so, we were careful to ensure that any information which could identify individuals (such as names, email addresses, certain specifics of the conversation) in the public domain was redacted. We also hope such civil society engagement, if any, is meaningful, and that DYF considers and deliberates upon all recommendations made by stakeholders (including the more difficult ones like those against the use of FRT) as they ultimately represent expert opinion and core public interests.

Our only “demand”....

Alongside polite requests for an open-door civil society meeting, we placed just *one* firm demand. Drumroll please…

Digi Yatra, and the manner in which it has been deployed, has posed risks to passenger privacy, safety, and dignity, and affected the Indian public at large since its conception. It also operates in the absence of an active data protection law and functional data protection regime, leaving passengers with few safeguards or resources in case of rights violations. However, and worryingly so, Digi Yatra shows no plans of stopping, as recent reports indicate that DYF will be scaling its operations not only across Indian airports, but also into trains, hotels, and transport services.

Given the long list of risks and unaddressed concerns associated with Digi Yatra, plans to expand its operations and scale will simply be a glaring lapse of diligence and responsibility on the part of DYF and the Ministry of Civil Aviation. Therefore, we strongly believe (and conveyed so in our response) that DYF must pause its plans of expansion until prevalent issues with DigiYatra are adequately addressed and corrected.

*This post has been drafted with assistance from Anjney Mital, Digital Literacy Intern, Internet Freedom Foundation.
