Experts say that loopholes in the Centre’s Digi Yatra policy may potentially lead to the facial recognition data of passengers being misused for government surveillance or for commercial reasons.

Hyderabad airport's facial recognition system: What are the privacy concerns?
news Technology Tuesday, July 23, 2019 - 15:19

On July 1, under the Centre’s Digi Yatra initiative, a Facial Recognition (FR) system was launched on a pilot basis at the Rajiv Gandhi International Airport (RGIA) in Hyderabad, a first in any Indian airport. The technology allows passengers to merely look at a camera without a boarding pass and walk through the security gate. However, researchers on FR systems and open data say loopholes in the Digi Yatra policy may potentially lead to the FR data of passengers being misused for government surveillance or for commercial reasons.

The pilot project, which is being tested in Hyderabad until July 31, allows passenger entry into the airport. The pilot system has the capacity to register 3000 individuals. Sources say that, due to high demand from frequent flyers, they are close to achieving this target with just a week left for the pilot to end. A person can register with the FR system using any government ID at the airport. Their identity will also be physically reviewed by Central Industrial Security Force (CISF) officers at the airport. If the project is found successful, it would be expanded to security gates before boarding and eventually to all major airports in the country.

At Hyderabad, the facial recognition data of the passengers who had opted to register with the FR system is maintained by the IT department of GMR Hyderabad International Airport Limited (GHIAL), the airport management firm that operates RGIA. As per the Centre’s Digi Yatra policy, the private firm is expected to delete the FR data one hour after the passengers’ departure. Furthermore, at the time of registration for FR, the private firm can enrol the passenger for ‘value added services’ - anything from an invite to a lounge to special offers. Experts suggest that this could be targeted advertising based on the data the firm has on the passenger. 

However, the policy prescribes no "checks and balances" to ensure that these companies delete the passenger data after an hour, nor is there a definition of what constitutes a value-added service, researchers point out.

Who will watch the watchers? 

"How can one check if these private firms are deleting the FR data of their passengers? Who is checking if they do it or not? No one knows," says Srinivas Kodali an independent researcher on open data who obtained access to documents showing internal communications between various Central government agencies and the AAI over the course of 2018 via RTI. The documents paint a picture of the consultations between stakeholders that eventually led to the Digi Yatra policy in its present form.

"The FR data will be owned by airports that are run by private companies and as long as the person is in the airport they could be targeted with advertisements," says Srinivas, who raised concerns about the FR data in the hands of the government with little or no accountability.

The initial versions of the Digi Yatra draft that were under discussion showed that the FR data from airports was to be shared with intelligence agencies like the IB and RAW. The data was also to be shared with the local police. But these details did not make it to version 5.2 of the final policy, which is now public. Presently, the police and intelligence officials send out notices to airports to keep tabs on smugglers and wanted criminals fleeing the country.

"In a democratic country like in the USA when their NSA was caught snooping on their citizens, they were held answerable to their parliament. But in India, the RAW answers only to the Prime Minister’s Office (PMO) and is not accountable to the Indian Parliament, so no questions can be asked about how they use the FR data," alleges Srinivas.

Researchers also have little faith in the upcoming Data Protection Bill that provides exceptions to the government on using a citizen’s data. The Bill is expected to be tabled in the ongoing Lok Sabha's monsoon session.

'Digi yatra policy needs to be more specific'

Anoop N, an Associate Professor with the Center for Visual Information Technology and Head of the Biometrics lab at IIIT-Hyderabad, raises concerns about invasion of privacy when people choose to send pictures over the internet through remote servers. He is of the view that the threat to a person’s privacy could be greater when FR systems are deployed across the country.

"Every time you take a picture, it's not just your identity that is being revealed but also information on if the person is looking fresh or tired or sick and their health details could be weaned from the FR data," explains Anoop who adds that if FR data is used for identification, then ideally only that person’s identity must be accessed. Anoop, however, notes that it’s fine if the FR system is used in a controlled setting like in an airport but it could still pose privacy issues. "If it's deployed in a setting where the data is sent to a remote server and you don't know how they process the data," he says.  

Anoop argues that policies pertaining to FR need to be more specific on what it can and cannot be used for to prevent misuse. He notes, "It should be specific to the industry where it is being used." 

FR could become the norm

There is nothing called perfect technology, says Anoop, who is of the view that FR tech is here to stay despite the threats. "The person who checks your ID card at immigration, is he perfect? They do make mistakes. Any system has to be compared against what is already in place. As long as the tech is better than what it is replacing, that is the yardstick by which you measure something like FR systems," he observes.

Over time as FR systems become more robust, their applications could be extended to verifying the identity of a person for making small level digital payments and withdrawing cash apart from seamless travel through airports. 

China has already deployed FR systems that help the public make digital transactions. "In China, the government directly controls their FR systems, they don't have any limits as to what can be done with it. The issue is much bigger as their government is using FR to track people all over the country and have a surveillance system all over the country which is integrated," added Anoop. In India, several security agencies, including the Hyderabad police, have begun using their own FR systems.

"All horrible things are built with good intentions. But if you create appropriate technology that preserves one's privacy in a democratic setup, you can force the country to adopt a policy which respects people’s privacy," says Anoop.
