Book a Risk Assessment

Category: Blog

Your blog category

  • Flying in India: Segregation (sort of) strikes again

    Flying in India: Segregation (sort of) strikes again

    In an era where technology seamlessly integrates into our daily lives, India’s aviation sector has embraced digital transformation through the Digi Yatra program. Launched with the promise of enhancing passenger convenience by leveraging facial recognition technology (FRT), Digi Yatra aims to revolutionize air travel. However, as with many technological advancements, it brings forth a host of security and privacy concerns that warrant critical examination.

    If you have ever flown out of major airports recently, you will notice that they have a separate section for Digi Yatra. This section is less crowded and everyone else is herded to the general section. Even if you are flying Business Class, or even First Class, you are treated as a lesser mortal.

    This article delves into the multifaceted aspects of Digi Yatra, exploring its operational framework, the legal landscape governing data protection in India, reported incidents and controversies, and comparisons with international counterparts. The goal is to provide readers with a comprehensive understanding of the program’s implications on individual privacy and data security.

    Understanding Digi Yatra

    Digi Yatra is an initiative by the Ministry of Civil Aviation, implemented through the Digi Yatra Foundation—a not-for-profit entity comprising the Airports Authority of India and several private airport operators. The program utilizes FRT to facilitate paperless and seamless travel experiences for domestic passengers across participating airports.

    Passengers opting into Digi Yatra can register through a mobile application, uploading their personal details and a selfie. This data is used to create a unique Digi Yatra ID, which, when linked to flight information, allows for automated check-ins, security clearances, and boarding processes without the need for physical documents.

    The Promise of Seamless Travel

    Proponents of Digi Yatra highlight several benefits:

    • Efficiency: Reduced wait times at various checkpoints.
    • Convenience: Elimination of the need for physical boarding passes and ID proofs.
    • Contactless Processing: Enhanced safety measures, especially pertinent in post-pandemic travel scenarios.

    While these advantages are appealing, they must be weighed against potential risks to individual privacy and data security.

    Legal Framework: The DPDP Act and Its Implications

    India’s data protection landscape underwent a significant shift with the enactment of the Digital Personal Data Protection (DPDP) Act. The Act aims to safeguard personal data and establish accountability among data fiduciaries.

    Key provisions relevant to Digi Yatra include:

    • Consent: Explicit consent is required for data collection and processing.
    • Data Minimization: Only necessary data should be collected for specified purposes.
    • Purpose Limitation: Data should be used solely for the purposes stated at the time of collection.
    • Data Retention: Personal data should not be retained beyond the necessary period.

    While the DPDP Act provides a foundational legal framework, its effective implementation and enforcement remain critical to ensuring programs like Digi Yatra adhere to privacy norms.

    Reported Concerns and Incidents

    1. Involuntary Enrolment and Consent Issues

    Despite the program’s voluntary nature, there have been reports of passengers being enrolled without explicit consent. Instances at Delhi and Kolkata airports revealed that security personnel and private staff were capturing facial biometrics without adequately informing passengers or obtaining their permission [1].

    2. Data Breach Allegations and App Transition

    In early 2024, Digi Yatra faced scrutiny over its association with DataEvolve, the initial app developer. Allegations surfaced regarding data breaches and misuse, leading to the termination of the partnership. Users were advised to uninstall the old app and transition to a new version developed under stricter controls [2].

    3. Transparency and Accountability Concerns

    The governance structure of the Digi Yatra Foundation, being a private entity, exempts it from the Right to Information (RTI) Act. This lack of transparency has raised questions about data handling practices and accountability mechanisms [3].

    4. Potential for Surveillance and Data Misuse

    Critics argue that the integration of FRT in public infrastructure without robust oversight could pave the way for mass surveillance. The possibility of data being accessed by government agencies for purposes beyond the stated intent, such as tax monitoring, has been a point of contention, despite official denials [4].

    International Comparisons: Lessons from Abroad

    Examining similar programs globally provides insights into best practices and potential pitfalls:

    • European Union: The General Data Protection Regulation (GDPR) mandates stringent consent requirements and grants individuals rights over their data, including access, rectification, and erasure.
    • Singapore: The Changi Airport’s biometric system emphasises transparency, with clear communication to passengers about data usage and retention policies.
    • USA: The Global Entry Program is a voluntary program for frequent travellers. They do use FRT, but things are a lot more transparent andsecure.

    These examples underscore the importance of comprehensive legal frameworks and transparent operational practices in implementing biometric systems.

    Recommendations for Enhancing Privacy and Security

    To address the concerns associated with Digi Yatra, the following measures are recommended:

    • Strengthening Consent Mechanisms: Ensure that passengers are fully informed and provide explicit consent before enrolment.
    • Enhancing Transparency: Subject the Digi Yatra Foundation to RTI provisions or establish alternative accountability measures.
    • Regular Audits: Conduct independent security and privacy audits, with findings made publicly available.
    • Data Minimisation: Collect only essential data and establish clear data retention and deletion policies.
    • Public Awareness Campaigns: Educate passengers about their rights and the implications of biometric data collection.

    Conclusion

    Digi Yatra represents a significant stride towards modernizing India’s aviation sector. However, the integration of advanced technologies like FRT necessitates a cautious approach, balancing efficiency with the fundamental right to privacy. By addressing the highlighted concerns and adopting best practices from global counterparts, India can pave the way for a secure and privacy-respecting digital travel experience.

    References

    [1] Air travellers allegedly having biometrics enrolled in Digi Yatra without consent. Biometric Update. January 8, 2024.

    [2] Digi Yatra sidelines legacy facial recognition app maker amid data breach rumors. Biometric Update. April 2024.

    [3] DigiYatra CEO denies storing passenger data. The Economic Times. April 17, 2024.

    [4] Government denies claims that IT dept accesses DigiYatra data. India Today. December 31, 2024.

  • Cyber Resilience is not a certificate—it’s a capability!

    Cyber Resilience is not a certificate—it’s a capability!

    Or, why ISO 27001:2022 Alone Is Not Enough for Cybersecurity and Resiliency.

    While ISO 27001:2022 provides a robust baseline for managing information security through a formalized ISMS, recent findings from the Verizon 2025 Data Breach Investigations Report (DBIR) reveal a glaring gap: compliance alone does not equal security. As cyber threats evolve rapidly—particularly through the human attack surface—organizations must go beyond ISO certification to build truly resilient security postures.

    Human Risk Remains the Largest Attack Vector

    DBIR 2025 Insight: Over 60% of breaches involved a human element, including phishing, misuse, and error. Specifically, 28% were due to human error, such as misconfigurations or falling for social engineering attacks.

    Why ISO 27001 Falls Short: ISO 27001 does require security awareness (e.g., Control 6.3), but it does not offer a risk-based or behavior-driven model for managing ongoing human risk. Most organizations implement annual training and stop there—failing to reduce real-world behavior-based threats.

    What’s Needed: Implement a formal Human Risk Management (HRM) program that includes:

    • Behavioral analytics to measure risk-prone actions by users.
    • Ongoing simulated phishing and social engineering campaigns.
    • Role-based microlearning and just-in-time training.
    • Integration of HRM KPIs into risk registers.

    ReferenceSANS Insights on Human Risk in DBIR 2025

    Rise in Vulnerability Exploits and Ransomware

    DBIR 2025 Insight: A significant increase in breaches stemming from exploitation of known vulnerabilities. Many were avoidable with timely patching or basic configuration.

    Why ISO 27001 Falls Short: ISO 27001 mandates vulnerability management (Control 8.8), but does not prescribe how to prioritize remediation based on exploitability, risk scoring (e.g., CVSS), or threat intelligence integration.

    What’s Needed:

    • Automated patch management and configuration drift detection.
    • Integration with threat intelligence platforms to prioritize fixes.
    • Red teaming and continuous attack surface monitoring.

     

    SMBs Disproportionately Targeted

    DBIR 2025 Insight: Small and mid-sized businesses (SMBs) experienced nearly 4x as many ransomware-related breaches as large enterprises.

    Why ISO 27001 Falls Short: ISO 27001 is resource-intensive, and many SMBs either don’t fully implement it or treat it as a checkbox exercise.

    What’s Needed:

    • Right-sized controls from the CIS Controls v8 and NIST CSF tailored for SMBs.
    • Cloud-native security tooling with managed services for threat detection and response.
    • Board-level cybersecurity governance and awareness.

    ISO’s Lack of Real-Time Threat Intelligence and Incident Response

     DBIR 2025 Insight: Breach lifecycles continue to shrink, and adversaries often exfiltrate data within days or hours of compromise.

    Why ISO 27001 Falls Short: While Control 5.7 introduces threat intelligence, ISO 27001 lacks depth on real-time threat detection, SIEM/SOAR integration, and incident response agility.

     What’s Needed:

    • 24×7 SOC coverage.
    • Automated response and playbook execution.
    • Purple team exercises and tabletop drills.

     

    The Case for Multi-Framework and Integration

    DBIR 2025 Emphasis: The report continues to promote a defense-in-depth strategy using frameworks like the CIS Controls and NIST Cybersecurity Framework (CSF).

     Why ISO 27001 Alone Isn’t Enough:

    • Lacks prescriptive technical controls (e.g., endpoint detection, least privilege enforcement).
    • Doesn’t prioritize based on threat intelligence or active risk exposure.

     What’s Needed:

    • Combine ISO 27001:2022 with CIS Controls v8NIST CSF, and MITRE ATT&CK to create a layered, risk-prioritized program.

     ReferenceCIS Press Release on DBIR 2024 Recommendations

    Final Thoughts

    ISO 27001:2022 provides a critical foundation—but foundations don’t stop floods. The Verizon DBIR 2025 makes it clear: cyber adversaries are exploiting human behaviorpatching delays, and poor detection far faster than traditional compliance cycles can respond. To remain resilient, organizations must:

    • Treat human risk as a measurable, manageable threat vector.
    • Adopt continuous monitoring and automated remediation capabilities.
    • Embrace multi-framework security architectures that go beyond audits and policies.

     

     Resilience is not a certificate—it’s a capability.