tl;dr
The Digi Yatra Foundation has announced a shift to a new app closely after suspicions started surfacing about its tech partner and operator potentially being under criminal investigation for money laundering. Amid the allegations and the ongoing restructuring of the service’s data ecosystem, the Digi Yatra Foundation has offered no explanation, information, or disclosures to its users, further deepening the non-transparency of Digi Yatra’s operations and citizen mistrust. Digi Yatra collects sensitive personal data like facial biometrics and Aadhaar data, and presents a plethora of privacy and surveillance concerns. It has repeatedly failed to make disclosures about its data storage, processing and sharing practices, nor has ever published the data security audits it purportedly undertakes. Its poor governance structure and lack of disclosures, despite Digi Yatra being a partly government-run service, has made it completely unreliable. As the old app goes out of service, this is a ripe time for Digi Yatra users to uninstall and move away from the app, and fight to protect their personal data from potential misuse.
Background
Digi Yatra is an opt-in service at Indian airports launched by the Ministry of Civil Aviation (“Ministry”) on June 8, 2017 with an aim to make air travel “seamless, contact-less, hasslefree and paperless” for all passengers in India. It was implemented in domestic airports in 2022 and is today an unavoidable sight at 13 Indian airports. The service facilitates digital processing of passengers at airports by using facial recognition technology (“FRT”) and Aadhaar-linked credentials to authenticate passengers in place of traditional boarding passes at airport terminal entry points, security check, self-bag drop, check-in, and aircraft boarding. It is run by the Digi Yatra Foundation (“DYF”), a non-profit private company which is essentially a consortium of 5 domestic airports with 26% shareholding from the Airports Authority of India.
We have extensively written about the data collection, storage, and processing mechanisms adopted by Digi Yatra since its inception, and its worrying use of FRT without safeguards. More recently, we have raised concerns to the concerned airports and Ministry about the unlawful and undignified manner in which airline passengers across India continue to be ambushed and coerced into signing on to the “voluntary” Digi Yatra service, and have launched an informative Know-Your-Rights campaign to help citizens resist against it.
Now, DYF has announced shifting to a new Digi Yatra app. This is murky because it comes at a time when the app is under fire for being affiliated with Dataevolve, a one-person company whose CEO has been under a separate criminal investigation for money laundering, as well as for using an excessive and dangerous amount of app permissions in the users’ phones. We break down all this and more.
What’s up with the Digi Yatra app?
On March 26, 2024, DYF tweeted that users may face outages while using the app between 26 March and 31 March, 2024 as they are “upgrading our backend systems” and “enhancing the robustness of your Digi Yatra Central Ecosystem and the Digi Yatra Apps”.
⚠️ Important Announcement ⚠️
— Digi Yatra Official (@DigiYatraOffice) March 26, 2024
Dear Digi Yatris, we are upgrading our backend systems in the next few days, and you might face intermittent outages in Digi Yatra services from 26 March until 31 March 2024.
Please be prepared to use the normal manual processes at the airport.
We… pic.twitter.com/QZWzYyN9HF
Then, within a day, Digi Yatra tweets a guide asking users to switch over to a new app. It then ensures users that it will make the shift to the new app seamless. No explanations, no context, just vibes.
Switch to the new Digi Yatra App with 3 simple steps:
— Digi Yatra Official (@DigiYatraOffice) March 27, 2024
Step-1: Please uninstall your old Digi Yatra App.
Step-2: Download and install the new Digi Yatra App.
Step-3: Recreate and save your credentials.
Available on iOS and Android.#FamilyTravel #seamlessjourneys… pic.twitter.com/owT1JTJOM9
We regret any inconvenience caused due to the upgradation of the Digi Yatra app. This upgrade is part of our ongoing effort to improve our services, as our commitment to enhancing the travel experience among users remains undeterred.
— Digi Yatra Official (@DigiYatraOffice) April 3, 2024
While we understand your concern, rest…
In this quick transition, many users were left confused. A recent report from The Ken mentions how passengers are irked at the airport on discovering the app has suddenly stopped working. In fact, none of the Digi Yatra users the reporters spoke with were aware that the app was discontinued—they found out about the change only when they reached the airport. There was no prior notice given to them, let alone disclosures and information about WHY the switch to a new app.
In the same report, DYF claimed that the app is “preparing for the future, which includes scaling up to a larger user base” and that the app needs a new application architecture and domain to “accommodate this growth”. The DYF CEO stated in another recent report that the shift is not because DYF is parting with Dataevolve, but due to the increasing user base of the app as it prepares to get ready for international journeys and offering other services like hotel check-in.
He added, “There was a requirement for a complete overhaul of architecture.”
Why is this shady?
On April 2, 2024, Twitter user and cybersecurity researcher @/kinglsyj posted an exposé of Digi Yatra’s data ecosystem and its close ties with Dataevolve. Upon digging deeper into Dataevolve, they found that this was a one-person company helmed by an individual under criminal investigation by the Enforcement Directorate. Tagging DYF on a tweet, they asked, “What is the guarantee they haven't siphoned away everyone's personal data?”
Yet another #DigitalIndia #FAIL
— mas.to / (@kingslyj) April 2, 2024
The idiots at @DigiYatraOffice didn't realise their package name didn't match their org/domain.
in.dataevolve.digiyatra /https://t.co/plD9fjuE00
ie. "Official" DigiYatra app was no different from malicious apps pretending to be them. https://t.co/K3a11cAqSA pic.twitter.com/2wPoiUeU49
And who is that "one person"? Avinash Komireddy Son-in-law of former AP DGP.
— mas.to / (@kingslyj) April 2, 2024
His FIL handed Dataevolve OPC Pvt Ltd a govt contract as e-challan provider.
Avinash is accused of siphoning away over Rs.36 crores and the scam is being probed by @dir_ed! https://t.co/7TIUrjbWPy
The user also found that while the old app relied on domains owned by Dataevolve, the new app removed any such affiliations.
The old app was communicating with the API endpoint at https://t.co/czO7ZSQEsw /https://t.co/ALLizW0eqX
— mas.to / (@kingslyj) April 2, 2024
The new app communicates with https://t.co/5tkDZoYzXR.
IOW all past versions of #DigiYatra app were sending passenger data to Dataevolve's AWS servers.
#Privacy #FAIL pic.twitter.com/Ee4v7uGjMy
So while there is evidence of DYF moving away from Dataevolve, none of this was clarified by DYF. It did not officially provide any information, disclosures or proof to the contrary except a few media quotes from the CEO. There is already constant criticism of and a long list of concerns with the total lack of transparency when it comes to Digi Yatra and its data practices, which is made worse by the lapse of communication by DYF to its own users during such a significant “complete overhaul in infrastructure”.
It is important to remember what is at stake here: the sensitive personal data of millions of Digi Yatris, whether onboarded onto the app willingly or through coercion. As per its own privacy policy, which is replete with contradictions and loopholes (read our deepdives here and here), DYF has had access to sensitive citizen information like facial biometrics and Aadhaar data of users while it remained in partnership with Dataevolve. It has claimed in press statements and tweets that such data is not stored centrally by Digi Yatra, but no official proof has been provided, and the privacy policy creates enough room for DYF to both store and share such data liberally with its secret third party affiliates. DYF further claims it conducts data security audits of its ecosystem but has repeatedly failed to make them public, or make any proactive disclosures whatsoever to bring any relief to its users. Again, DYF had the opportunity to make proper disclosures about the old architecture and app as it is supposedly “completely overhauling” it—but nothing!
Digi Yatra has been on thin ice with regards to its data ecosystem and surveillance implications since the day it was rolled out. One of the key arguments made by civil society and privacy experts is the complete lack of transparency and information about the service, even despite it being partly government-run and initially introduced as a government scheme. Instead of recognising these pitfalls and remedying them by actually conducting security audits and providing evidence of its “secure” ecosystem, Digi Yatra is doubling down on being completely opaque, impenetrable, and shady. Digi Yatra (new) is as unreliable as Digi Yatra (old), but now with added context about its allegedly criminal affiliates and vague data sharing practices, it is also dangerous.
Dear Digi Yatris, if you have doubts about Digi Yatra but still continue using it because it brings some degree of convenience to your travel, let this post convince you otherwise. Saving 10 minutes at the airport is not worth risking your sensitive facial biometric data for life. Resist surveillance, reject Digi Yatra.
Important documents
- IFF’s blog post on Digi Yatra and its privacy and surveillance concerns. (link)
- IFF’s opinion piece for The India Forum on Digi Yatra. (link)
- IFF’s on Digi Yatra and FRT for the InFocus Podcast by The Hindu. (link)
- IFF’s letters to Ministry of Civil Aviation (link), NITI Aayog (link), Airports Authority of India (link), Digi Yatra Foundation (link), regional airport authorities Delhi (link), Bengaluru (link) Cochin (link), Mumbai (link) and Hyderabad (link).
- Read our past publications on Digi Yatra. (link)