Passengers across the country report being bullied into registering for a system that is supposed to be voluntary—and aimed at enhancing their airport experience. What makes it worse: DigiYatra is a foundation controlled by five private airports—who have been given access to a treasure trove of personal data.
Researched by: Rachel John & Anannya Parekh
First, some basic deets
Origin story: DigiYatra began in 2017 as an experiment by Bangalore airport to make air travel more convenient for its passengers. The technology was embraced by the Civil Aviation Ministry—which launched the DigiYatra Scheme the same year. In 2019, the DigiYatra Foundation was set up as a public-private partnership. The government holds a 26% stake in the foundation. The rest is controlled by five privately held airports—Cochin, Bangalore, Delhi, Hyderabad, and Mumbai.
Where we are now: The system has been launched in 13 airports—starting with Delhi, Bengaluru and Varanasi in December 2022 followed by Hyderabad, Pune, Kolkata, Vijayawada, Ahmedabad, Mumbai, Cochin, Guwahati, Jaipur and Lucknow. As of December 2023, over 3.5 million users have downloaded the DigiYatra app. Another 25 airports are expected to deploy the system in 2024.
How it works: is pretty simple:
- Download the DigiYatra app—link it to your Aadhaar card and upload your photo.
- When buying a ticket, link your DigiYatra ID to it.
- The airline will share your details—including photo—with the airport on the day of your flight.
- When you reach the airport, all you have to do is scan your boarding pass. Facial recognition tech will be used to confirm your identity.
- You can then whiz right through airport entry, security, self-bag drop, check-in and boarding—for the most part.
And why did we do this?
There are two official and sound reasons for DigiYatra.
One: Since the pandemic ended, Indian airports have been overcrowded and chaotic. An average of 155K people travelled daily on airlines between July 2021 and January 2024. That number reached an all-time high of 263,199 on December 16. The result: out-of-control queues and waiting times—especially at security. The government framed Digiyatra as a solution to this madness. Its other aims include lowering operational costs, increasing security etc.—but the main sell is passenger convenience.
Two: It makes excellent financial sense for airports. The faster you get through security—the more time you have to shop and eat at the airport. The industry calls this “residence time”—“The time spent at an airport outside of entry, check-in, or security.” Apart from fees secured from airlines, airports make money on duty-free shops, F&B purchases, and advertisements:
Aeronautical revenues are tightly controlled by the government by controlling air tariffs, expansion plans, and so on. It is the non-aeronautical revenue sources from which airports can really grow,” said [research analyst] Mohit Kumar… On top of this, airports also enjoy their highest margins, up to 40%, on duty-free sales, which is followed by F&B and retail sales outside of duty-free zones.
Point to note: The only ones left out are the airlines—who gain no real benefit from the system. Rather, they have to spend money on integrating their systems with airports—to be able to transfer passenger information to the airport in real-time:
We are sharing this data approximately every three minutes through APIs [application programme interface] to ensure that any cancellation or new bookings are also stored by the system until the last minute.
This is why the airlines fiercely resisted DigiYatra—until the government leaned on them to ensure compliance.
Ok, the biggest concern is user data, right?
But not just what is collected—but also how much is collected by a single app—and how it can be used. Here’s a quick rundown of the concerns:
Sooo much data: An Internet Freedom Foundation analysis found that the DigiYatra app collects the following:
- “Identity and contact data such as name, country of nationality or residence, national identification number, employment history, educational background, professional qualifications, job title and function, biometric data, and other personal data concerning provider of information relevant to DYF goods and services.”
- “Business information such as information provided during contractual relationship with user or user’s organisation and DYF, or otherwise voluntarily provided by user or user’s organisation.”
- “Profile, usage and technical data such as passwords to DYF platforms, user preference in receiving marketing information, communication preference, IP address, login data, browser type and version and device type.”
- “Video or image data, images or video provided or captured with consent on mobile apps, kiosks systems or e-gates at airport checkpoints etc. when individuals visit the airport or DYF premises.”
That’s a mind-boggling amount of information—just to board a flight. As IFF notes: “The categories of data listed for collection are extremely sensitive and wide.” Best practices dictate that any entity should only collect the minimum information necessary—related directly to the stated purpose.
Who has access? The stated purpose for collecting all this data is to establish the passenger’s identity—and travel documents. But the privacy policy includes a number of other—far fuzzier–purposes:
However, it goes on to say that the collected data may also be used for purposes other than those such as improvement of products, contacting for surveys, and to process user/customer requests among others. Such use shows a clear function creep by the DigiYatra Foundation.
More importantly: The policy indicates that the data can be shared with any third party that provides services to the foundation. These are vendors who do marketing, sales etc. And DigiYatra doesn’t need user consent to do so. And since DigiYatra is a foundation controlled by private entities, you cannot file an RTI to find out how they’re using your data.
The Big Brother problem: The digital privacy law passed by the government in 2023 gives it the right to demand access to any data—collected by any entity. The reasons are suitably vague, as well. The government can exempt itself from any or all provisions of the law—in the name of “sovereignty and integrity of India, security of the state, friendly relations with foreign countries, maintenance of public order or preventing incitement to any cognizable offence relating to any of these.” So anything you share with DigiYatra can be easily accessed by the government—and used for any purpose it sees fit.
More importantly: Facial recognition data that is shared today to get you on a flight may be used to put you on a no-fly list—or to identify you in other contexts. DigiYatra essentially allows the government to create a database of biometric information on its citizens—which can be deployed across its surveillance systems:
At present, Digi Yatra uses a 1:1 facial authentication process – where your facial biometric data is only compared to your photos. But the civil aviation ministry’s long-term plan is to extend this to 1:N facial recognition – where your data will be compared with the biometric data of other people. As more and more people register and submit their biometric data, the system will be updated and improved upon technologically.
Point to note: The government insists that all biometric data is stored on the user’s app—and not in any database. Any data that is shared with the airport is purged within 24 hours. Again, there is no way to confirm this is true.
Why the zabardasti? DigiYatra is supposed to be an opt-in service aimed at making your life easier. And it is run by a private foundation. So why are the government’s security personnel bullying people into signing up for DigiYatra at the airport? In fact, many are registering passengers without their consent. Here’s an example out of Delhi:
[Tavish Pattanayak] skipped the queue dedicated for Digi Yatra users, who have downloaded and registered on the app, allowing them to enter the passenger building through electronic gates equipped with cameras that scan their boarding passes and faces. However, Mr. Pattanayak soon realised that passengers in his line were also being requested to look into a camera, following which the CISF personnel would click a button on the screen to give consent on their behalf for a one-time sign up for Digi Yatra.
FYI: CISF denies any involvement—even though their participation in enrollment has been confirmed by airport staff.
The bottomline: The biggest problem is that Indians themselves don’t take privacy seriously. It’s only a matter of time before airports begin to penalise passengers who don’t enrol for DigiYatra—ensuring they have the longest wait times, for example. And as such systems spread to railway and bus stations, this kind of data collection will soon become ‘normal’—even reasonable.
Reading list
The Leaflet has a good overview of DigiYatra. Internet Freedom Foundation is the best on its privacy policy and the concerns it raises. Srinivas Kodali in The Wire flags the dangers of facial recognition technology. The Ken (paywall) looks at the reasons behind launching DigiYatra. The Hindu reports on how passengers are being coerced to sign up for the service. Our Big Story on the new data protection law highlights how the government can misuse data. A good watch: Data privacy expert Apar Gupta’s explainer on DigiYatra.
