While convenience and seamless transit is at hand, implementing facial recognition at busy airports can be a nightmare unless data security standards are raised.
On September 5, it was announced that passengers commuting via Air Vistara flights from Delhi T3 would be able to voluntarily avail biometric facial data authentication, beginning September 6. The biometric authentication service would be introduced on a trial basis, and is being held by Delhi International Airport Limited for a period of three months. Services are being offered by Portuguese IdMaas (Identity Management-as-a-Service) firm, Vision-Box, which has raised further concerns about the safety of a particularly sensitive array of data.
It is this that may become key to the success of the facial recognition trial at Delhi Airport, and even provide precedence to how privacy legislations are shaped in the future. Right now, the “voluntary” bit of the facial authentication programme seems to be of utmost importance. “Facial recognition presents numerous challenges in today’s context in India, primarily because this technology can violate people’s right to privacy, which is listed as a fundamental right under Article 21 of the Constitution of India. Right now, there is no legal framework that regulates or enables the use of facial recognition. So, the seemingly random use of facial data by airlines or airports would seem to be a complete violation of the people’s right to privacy,” says Dr. Pavan Duggal, cybersecurity advocate and chairman of International Commission on Cybersecurity Law.
The technology, however, is not being rolled out as a replacement of any established security procedures already in place at airports, and instead being tested as a convenience factor. One big reason for this, is that even though the technology has been around for a while, there are areas to improve. “It’s a good thing that the service is being started as a trial in combination with the existing government ID verification. Facial recognition technology is not particularly new, and has been around for some time — you already see multiple companies and organisation doing it. By itself, facial recognition technology is not entirely foolproof. But, it does offer about 85 to 90 percent accuracy. So, this technology is actually used in combination with other technologies,” says Sidharth Mutreja, enterprise cybersecurity solutions architect, Asia-Pacific, at Kaspersky India.
One major implication of establishing facial recognition at airports is that eventually, the government will be required to step up and take responsibility for the safety of its citizens. As Duggal states, “There needs to be enough checks and balances to ensure that the data is being properly handled, and is only being given access to by certain authorities. In this scenario, the usage of this data in places such as Hyderabad or Delhi airport have opened up a Pandora’s box of information for the government, since running of airports is a sovereign function. Hence, government bodies cannot run away from the consequences of using facial recognition at airports.”
It is this factor that might eventually speed up the adoption of stringent cybersecurity legislation, work on which has been in progress in recent times. Until then, biometric authentication such as facial recognition cannot be implemented as a standard in any public infrastructure, and hence kicks in the “voluntary” bit of the trial. Duggal explains, “I don’t think we should be in a hurry to employ this tech. Like we saw in California, if the facial data is stolen, the identity of an individual can be compromised for a long period of time. These are just some of the challenges that must be addressed before we start implementing such technology in public infrastructure. Even if an airline is privately operated, they can only be operational in airports, because of which a government is involved in any case. The fundamental right to privacy is directly dealt with by the state, and not by the private entity in question.”
Mutreja identifies two clear areas which will come in focus with the ongoing facial recognition trials at Delhi Airport. “Among two key factors, privacy is one aspect that needs to be closely looked at — how you store that (facial recognition) data, where you keep it, and what you do with it once it is used. The second factor is to prevent abuse of the data, and monitor who has access to it,” he says. The onus, then, is clearly on seeing whether the technology really makes the in-airport transit process easier or more streamlined than it is today. Mutreja adds, “This might have a similar effect as what we saw a few years ago, when we used to have stamping of bags at airports as compulsory security protocol. Now, the bags are monitored at specific points and cleared automatically, rather than needing to put stamps on them.”
While the trial might provide an interesting case study for the Indian government to consider in future, citizens of India should proceed with caution before authorising use of their facial data, until then. “India has slowly woken up to the possibility of new tech, but we do not have a cyber security law, or a data protection law, or even a privacy law, which makes use of facial recognition usage in airports even more alarming,” says Duggal, affirming the need for regulation before establishing advanced technology in public spaces.
Air Vistara, the airline handed responsibility for conducting the trials, declined News18’s request for its comments on the development, stating that the trials are being implemented by Delhi International Airport Limited, the private body assigned with running the airport.