The Troubling Side of DigiYatra: Privacy, Security, and Implementation Woes in India's Airport Biometric System





In an era where technology promises seamless experiences, India's DigiYatra initiative stands out as a bold attempt to revolutionize air travel. Launched by the Ministry of Civil Aviation in December 2022, DigiYatra is a facial recognition technology-based system designed to enable contactless, paperless boarding at airports. Passengers upload their Aadhaar-linked details, selfies, and boarding passes to the app, allowing biometric verification at entry points, security checks, and gates. As of mid-2025, it boasts over 15 million users and operates at 24 airports, with plans to expand into a full-fledged Digital Public Infrastructure supporting 22 Indian languages. Proponents hail it as a time-saver, reducing queues and enhancing efficiency. However, beneath the veneer of convenience lie significant issues that have sparked widespread criticism, including privacy breaches, technical failures, coerced enrollments, and questionable management practices. This article delves into these concerns, drawing on reports, user experiences, and expert analyses.

Privacy Concerns: Surveillance in the Skies?

One of the most persistent criticisms of DigiYatra revolves around data privacy. The system collects highly sensitive biometric data (facial scans tied to personal identifiers like Aadhaar numbers and travel details), which raises alarms about potential misuse and surveillance. Critics argue that DigiYatra operates on a flawed model of consent, where users may not fully understand the implications of sharing their data. For instance, the policy allows access to passenger information by security or government agencies, with data retention periods that can be adjusted, fueling fears of unchecked state surveillance.

Privacy advocates have highlighted loopholes in data handling. A 2024 report noted that while the DigiYatra Foundation claims data is stored on users' devices and deleted after 24 hours from airport systems, there are no robust guardrails against misuse by private entities involved in the ecosystem. The integration of facial recognition technology has been likened to a surveillance tool rather than a service, with concerns that it could lead to unfair exclusions or profiling. Moreover, the Digital Personal Data Protection Act of 2023, which governs such systems, has been criticized for inadequate enforcement, leaving room for excessive data collection without clear opt-out mechanisms.

User reports on social media amplify these worries. Many have questioned how a program using unrestrained facial recognition technology at airports is managed, especially given India's lack of comprehensive data protection regulations tailored to biometrics. In one analysis, experts argued that DigiYatra needs greater individual control over data to comply with privacy standards, amid reports of surreptitious enrollments.

Data Security Breaches and Vendor Controversies

Security lapses have further eroded trust in DigiYatra. In April 2024, the app underwent a sudden overhaul: users were forced to download an entirely new version, scrapping the old one. This was not just a tech upgrade; it stemmed from an alleged scam involving the original vendor, Dataevolve Solutions. The company, which had handled the app since 2021, was implicated in a money laundering case by the Enforcement Directorate. Shockingly, Dataevolve operated the app on its own infrastructure, not the government's, violating data security protocols. As a result, personal data of over 3.3 million users, including facial biometrics, ended up owned by this tainted private entity.

The incident sparked outrage, with calls for the Ministry of Civil Aviation to clarify how such a critical system was outsourced to a one-person company run by the son of a police officer. Earlier, in 2022, fake apps mimicking DigiYatra exploited package name mismatches, allowing malicious actors to pose as the official app and potentially steal data. These breaches underscore broader cybersecurity risks, especially as DigiYatra scales up. A 2025 academic paper warned of the potential for data breaches in the system, emphasizing the need for stricter compliance.

Technical Glitches: Convenience or Chaos?

Despite promises of hassle-free travel, DigiYatra has been plagued by technical issues that frustrate users. At Kolkata Airport, travelers reported difficulties uploading boarding passes, defeating the app's purpose of expediting processes. Flight delays often render the app useless, displaying errors like "you are too late," forcing passengers back to manual queues. QR code failures at entry points, such as "Wrong Seat No." errors, have been common, with users blaming integration issues between airlines and the app.

Inclusivity is another pain point. Facial recognition technology systems like DigiYatra have shown inaccuracies for women, people of color, and those with certain facial features, contradicting the goal of seamless travel. Passengers denying permission for DigiYatra have faced repeated boarding pass rejections at security gates, highlighting systemic biases. These glitches not only waste time but also create unnecessary segregation, with long queues forming in DigiYatra lanes as adoption grows.

Consent and Coercion: Voluntary or Forced?

DigiYatra is marketed as optional, but ground realities tell a different story. Social media is rife with complaints of coercion, where airport staff, often private volunteers, push enrollments without proper consent. Despite assurances from Civil Aviation Minister Jyotiraditya Scindia that consent is mandatory, passengers report being funneled into DigiYatra lanes or enrolled surreptitiously. This defective model of consent compromises autonomy, especially when spyware-like access to devices is alleged.

A 2024 Hindu explainer detailed privacy loopholes, including how data deletion policies are unclear, leading to concerns over indefinite retention. NITI Aayog has urged more user control, but implementation remains spotty.

Expansion Plans: Scaling Up Risks?

As DigiYatra eyes Digital Public Infrastructure status, critics warn of amplified issues. Expansion to more airports and languages could exacerbate privacy risks without addressing core flaws like data mismanagement and breaches. A MediaNama report questioned its readiness for wider use, citing a history of scandals. False narratives, like claims of income tax notices for international travel via DigiYatra, have also muddied the waters, though they have been debunked.

Conclusion: Balancing Innovation and Safeguards

DigiYatra embodies India's digital ambitions but exemplifies the pitfalls of rushing biometric technology without ironclad protections. While it offers convenience for some, the issues (privacy invasions, security lapses, glitches, and coercion) demand urgent reforms. Stakeholders, including the DigiYatra Foundation, must prioritize transparency, robust data policies, and genuine consent to rebuild trust. Until then, passengers might think twice before handing over their faces to the system. As one expert put it, is it service or surveillance? The answer could shape the future of technology in public spaces.
