Centre for Internet & Society

The absence of legislation is letting companies compile and deploy sensitive personal information without legal oversight.

The article by Aman Sethi was published in the Hindustan Times on November 27, 2017

When Suvodeep Das, a 42-year-old marketing professional, took a Jet airways flight from Hyderabad to Mumbai in September, he said a software bug in the airline’s website wouldn’t let him check in online without first punching in his Aadhaar number.

“When I got my boarding pass, it had my Aadhaar number printed on it,” Das told HT, wondering, “Why do you need an Aadhaar number to take a flight, and why display it publicly?”

In October, another passenger found their Aadhaar number on the boarding pass: this time, it was barcoded.

HT has reviewed both boarding passes. Publishing Aadhaar numbers is an offence under the Aadhaar Act 2016.

Jet Airways did not respond to repeated requests for comment. Speaking off the record, airline executives said Jet encoded Aadhaar numbers to test the proposed Aadhaar Enabled Entry and Biometric Boarding System (AEEBBS): a complex Aadhaar-seeding project that aims to replace a passenger’s boarding pass with his/her fingerprint.

Bangalore International Airport (BIAL), which plans to install AEEBBS, says it will improve passenger security and reduce check-in time at the Kempegowda International, India’s third busiest airport.

Privacy advocates, however, say the system, which stores passenger biometrics and Aadhaar numbers on the servers of a private corporation, is an example of how the absence of a data protection law in India lets companies compile and deploy sensitive personal information without legal oversight.

Future uses of the AEEBBS, according to the BIAL website, include integrating the system with passenger blacklists, typically maintained by the ministry of home affairs, to determine who can and cannot board a flight.

“The unregulated proliferation of Aadhaar uses is compromising the digital identities of citizens and putting them at risk,” said Usha Ramanathan, a legal theorist who has written extensively on Aadhaar. ”There is a misconception that data protection is about data being at risk. It is actually about the rights of people being at risk.”

Pilot Project

In January, Bangalore International Airport Ltd (BIAL), the corporation that runs the Bengaluru terminal, and Jet Airways integrated their flight and passenger databases as part of a four-month pilot project to test the AEEBS.

“The pilot project incorporated the entire airport journey from entry right through to the boarding gate and included all security check points,” a BIAL spokesperson said in an email. “The project allowed for quicker processing time for a passenger from entry to security gate while simultaneously enabling fewer points of human interaction.”

Participation in the project was voluntary. BIAL said about 15% of passengers opted to use it. In October, BIAL called for bids for a full roll-out of the AEEBBS by December 2018.

The system, tender documents reveal, works in the following way:

First passengers enter their Aadhaar numbers when they book their flights. The airline turns this number into a QR code printed on the flight ticket. Once at the terminal, passengers bypass the standard practice of showing their ticket and ID to a security guard, and instead they enter the terminal by flashing the ticket at a QR code scanner while pressing their fingers against a biometric reader installed at the entrance.

The AEEBBS verifies the passenger’s identity by querying the UIDAI’s database, and then checks the airport’s flight information system to see if the passenger is booked to fly that day.

Thereafter, the system creates a “passenger dataset” that bundles the passenger’s biometrics and flight information into a single file unique to each passenger. This dataset is used to verify the identity of the passenger at each checkpoint, allowing the airport to track the passenger until she boards her plane.

The tender document states that the biometric data should be purged immediately after the passenger’s flight departs. If flights are rescheduled, the biometrics shall persist until the passenger finally departs.

Concerns over Bengaluru airport’s use of Aadhaar
The Aadhaar-Enabled Entry and Biometric Boarding System (AEEBBS) aims to replace boarding cards with a passenger’s fingerprint. Here is how it works.

Why Biometrics?

Bengaluru isn’t the only airport experimenting with systems like the AEEBBS.

“We have initiated trials on facial recognition, iris and finger-print scanning etc., to generate Aadhaar + Biometric enabled passenger data-sets,” said a spokesperson for the GMR Hyderabad International Airport. “We hope to complete these trials in the next two months and deploy them by June 2018 for all domestic passengers.”

Yet biometrics isn’t a fool-proof way of verifying someone’s identity. Biometric experts have maintained that fingerprints can be copied and printed onto “fake fingers” — a process known as spoofing.

At Michigan State University, biometric expert Anil Jain and his team have developed so-called fake fingers using 12 different materials, the most sophisticated of which mimics the physical properties of human skin.

“Many of the commercial systems may not have state-of-the-art spoof detection facilities,” Jain said, adding that he has advised the UIDAI on biometrics in the past.

Jain said it was important that a secured space like an airport have biometric readers that include “liveness” detection, a term that refers to a broad set of techniques that use a combination of advanced hardware and software to avoid spoof attacks.

However, it is not mandatory for UIDAI-certified biometric devices to have liveness detection features. Documents published by Standardisation Testing and Quality Certification (STQC), the agency tasked with certifying Aadhaar devices, make clear that “liveness detection” is “preferable” but not mandatory.

Some manufacturers of certified devices say their devices have liveness detection, but STQC does not include this specific feature in its testing.

Prof Jain said biometrics are harder to forge than the identity cards that are currently needed to gain access to airport terminals, suggesting that the AEEBBS could increase security only if the data that undergirds the system is properly secured.

Storage Concerns

Under regulations framed by the Unique Identification Authority of India (UIDAI), it is illegal to store biometric data captured for any Aadhaar-related transaction.

Also, UIDAI-certified biometric devices are prohibited from storing biometric data which casts a cloud over BIAL’s proposal to create passenger datasets to merge passenger flight data, biometric data and Aadhaar numbers, and store it on a local BIAL network.

While UIDAI did not respond to requests for comment on if these passenger data sets violated its regulations, BIAL said it would work around the system by capturing passenger biometric data twice — once to verify passenger identities in accordance with UIDAI regulations, and once for the purpose of creating the passenger data set.

“Our intent is to capture data and store a separate set of biometrics records (delinked from Aadhaar) that include face/iris/fingerprints for the purpose of authentication of passenger at various check points inside the airport,” the spokesperson said.

Some experts believe this may not be enough.

“The Aadhaar Act and Regulations are supposed to ensure that our biometric records are safe, and entities capturing biometrics for Aadhaar-related purposes cannot store the biometrics,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

“If biometrics collected doesn’t need to follow the Aadhaar regulations because of a technicality, how strong are the regulations?” Prakash said.

Last year, 22.18 million passengers travelled through Bengaluru airport. Once the AEEBBS is installed, the airport’s servers shall become a temporary repository of millions of fingerprints, and a lucrative target for sophisticated hackers who could capture this data by implanting malicious software in the system.

Such software has become easier to access since August 2016, when a group calling itself the “Shadow Brokers” announced it had stolen some of the world’s most advanced cyber-weapons from the vaults of the Tailored Access Operations unit of National Security Agency, which manages the cyber-arsenal of the United States of America.

Designing the system to minimise the use of biometrics could alleviate these concerns, according to Rahul Matthan, a partner at law firm Trilegal.

“If data minimisation is the principle that we keep on top of mind, Aadhaar should be used to allow entry,” Matthan said, “Then the airport must devise other methods and standards to ensure that security and passenger tracking is achieved.”

Safeguarding Aadhaar Numbers

The AEEBBS also raises questions on the manner in which airlines and airports will store non-biometric data like passenger Aadhaar numbers. UIDAI regulations published in July 2017 say companies and government departments must store Aadhaar numbers in secure, isolated, databases called ‘Aadhaar Data Vaults’.

Each Aadhaar number in these vaults must be associated with a “reference key” — which is like a nick-name for the Aadhaar number. So instead of using a citizen’s Aadhaar number for a given transaction, businesses must preserve the confidentiality of the number by using the reference key instead.

Jet Airway’s decision to print Aadhaar numbers, rather than the reference keys, on the boarding passes, suggests that the airline is not following UIDAI guidelines — a problem that is likely to multiply as more airlines start gathering this information to avail of the AEEBBS facility. Jet Airways did not respond to requests for comment.

Once the AEEBBS is in place, BIAL also intends to use passenger data, harvested during check-in and boarding, for commercial purposes, but it is unclear if and how this data will be anonymised before it is used.

“We aim to make meaning of the abundant data that will be collected,” the BIAL spokesperson said, insisting that the airport would respect traveller privacy and the data would not be sold to third parties. “In due course — and with passenger consent — we intend to use business intelligence to make the journey more impactful.”

For lawyer Matthan, the AEEBBS is an example of why India needs a comprehensive data protection law to address issues between citizens and private corporations.

“There is a need to ensure that Aadhaar is based on a sound framework of privacy protection,” he said, noting that the recent Supreme Court judgment protected citizen privacy against infringement by the government.

Data protection legislation, he said, would ensure that private corporations are held to the same standard.