Handing over Delhi and Bengaluru airports' facial recognition trial run to a cloud-based Portuguese tech firm 'Vision-Box' has raised privacy and security concerns.
For the three-month long trials, which began on September 6 for passengers taking Vistara flights at Terminal 3, Delhi International Airport Limited (DIAL) has roped in the Lisbon-headquartered firm for technical and software support. Vision-Box is already working with the Kempegowda International Airport (Bengaluru) for an end-to-end paperless biometric programme since July.
Vision-Box's facial recognition technology is a cloud-ready Identity Management as a Service (IdMaaS) architecture, and more than 80 international airports are using its solutions at the moment."There are already data privacy concerns in the country. We have to see that whether the servers on which the personal data will be stored are located in India or abroad...it's nearly impossible to trust any company since there have been several instances of data compromises at large internet companies like Facebook and Google," says Sanjay Kaushik, MD, Netrika Consulting, a corporate security and risk consulting firm.
Engaging a foreign tech firm that had set up shop in the country only about a year ago has not gone down well with experts in aviation and privacy laws. In India, the company has three board members - Bento Antonio Brazio Correia, Miguel Leitmann (who's also the company's global CEO) and Saurabh Kumar. In 2015, a European private equity firm Keensight Capital invested an undisclosed amount in the parent entity.
Last year, when it had opened the first office in India (New Delhi), the company said that the goal is to accelerate the introduction of digital identity solutions and seamless travel technology in the travel, border control, smart government and smart city fields. "The new office will address the growing demand for biometric digital identity services within the travel industry, as well as by government and private companies," the company said in a press release. Email queries sent to Vision-Box didn't elicit response.
In the absence of a personal data protection law in India, there's a growing discomfort among people that the data could be utilized for surveillance and commercial purposes. Involvement of a foreign entity to handle loads of personal data of the citizens creates an additional layer of caution.
Under the biometric-based boarding system, the passengers will be giving out their personal details like government IDs (any one of these - Aadhaar, passport, driving license, voter ID) and facial biometrics to the airport operators which will be processed to make passengers' entry at all check points, including airport entry, entry in to security checks, and aircraft boarding, seamless.
While the personal data captured at the DIAL (at the passengers' discretion during the initial registration) is going to be deleted at the end of every day during the trial phase, but once the technology is fully implemented, it's believed that the data will be stored for longer durations otherwise the whole "seamless" USP would turn futile.
DIAL's initiative comes under the Ministry of Civil Aviation's 'Digi Yatra' programme which aims to create on-the-cloud, common identity management system with "digital identities" enabling biometric boarding process for all airports across the country. As per sources, once the 'Digi project' becomes fully functional, each passenger will be issued a unique ID (like Aadhaar) which will be linked to their biometrics and government ID so that the they do not have to register every time they have to catch a flight.
Sources at DIAL couldn't confirm as to how they would restrict the entry of people who don't have valid air tickets (but are already registered on DIAL's biometric database) since the first entry point at the airport would not involve human interface after the trial phase is over.
"Are we comfortable sharing all our personal data with a foreign entity who we know nothing about? In the name of passenger comfort, they are trying to pry into the lives of people. Instead of investing in such intruding technologies, airports need to get their priorities right by focussing on pain points. They should install more body scanners, take steps in improving efficiency and beef up security to track anti-terror activities," says an aviation consultant.
Experts argue that facial recognition, retinal scanning and character detection are not going to replace the basic requirement of security frisking. This system, as privacy law experts point out, is an unsolicited intrusion of passenger privacy and personal information tracking in the hands of both the processing company and the airport. Also, the passengers might end up footing the bill for this initiative in the form of an increase in passenger service fee or some security surcharge.
"With the weakness in both law and procedures, the courts had denied access to biometric data to private entities, including airports. Nothing substantive appears to have changed to make us believe that the passenger data and privacy will be safeguarded," says Devesh Agarwal, an aviation blogger. Last year, the Supreme Court scrapped Section 57 of the Aadhaar Act which allowed private entities to use Aadhaar and its biometrics data for verification purposes.
Biometric access system was first experimented at the Hyderabad airport in 2016. Last year, there were reports that state-owned Airports Authority of India (AAI) had chosen four airports - Kolkata, Varanasi, Pune and Vijayawada - to implement biometric-based self-boarding system.
Globally, the biometric access systems at airports have received mixed response. Last year, the Orlando International airport became the first US airport to fully deploy the biometric entry and exit programme. While China is ahead in terms of implementation and development of biometric access technologies, airports like San Francisco have banned the use of facial recognition technology over public safety concerns.
"Similar installations are found in North Korea, China, Saudi Arabia, Iran and Hong Kong, and the eventual intent of such systems aren't directly connected with travellers' convenience in anyway. So before such systems are deployed here, it is expected that a collective consensus must be taken," says Mark Martin, CEO of Martin Consulting.