BY LAURA SCHIEMICHEN
Cold, hungry, distressed – refugees arriving in Europe mourn the lives they’ve abandoned and turn anxiously towards the future. Whether they’ve forgotten their ID card or have left their birth certificate behind, the last thing on their minds is re-establishing a legal identity. Looking around, they see thousands of individuals just like them: already 11,000 refugees have arrived in Europe since the start of 2018. Despite waning media attention, the refugee crisis carries on – now over 60 million displaced worldwide.
To manage the growing volume of displaced peoples, EU governments have turned to emerging technologies for identity, aid, and registration. However, few have noted the insufficient data protections surrounding these biometric and bitcoin platforms, and how they can be abused. As these technologies expand to more areas of the world, NGOs and practitioners must craft a more consistent, credible, and equitable privacy and data usage doctrine for the stateless. More importantly, though, governments and civil society must discuss the extent of refugees’ rights to privacy, and how to codify where policy serves to protect (or police) refugees.
The Challenge
A Médecins Sans Frontières worker in Greece reported, “there are difficult moments when you come face to face with the pain and hardship… the trafficking, the horrible drownings, the inhuman living conditions could have been avoided.” As human rights activists call for aid and economic integration, governments push for border control and rule of law. Upon arrival, refugees almost immediately face bureaucratic hurdles to register a new legal identity in the EU. Without it, they are ineligible to receive ration cards and social services. They are also untraceable, further complicating border management. These faulty controls only feed the divisive rhetoric of the region’s populist politicians: the party leader of Italy’s Five Star Movement recently complained that Italy is not a sea-taxi service.
Technologies have in part tackled the registration void. Currently, the United Nations High Commissioner for Refugees (UNHCR) maintains its Biometrics Identity Management System (BIMS), which scans fingerprints, facial and iris images and saves them on a central database in Geneva. The EU asylum-seekers fingerprint database, EURODAC, similarly stores biometric information in an encrypted database managed by Europol and accessible by EU member states. Both registration systems, however, have struggled with EU Regulation mandating that refugee and asylum-seeker fingerprinting be completed within 72 hours of arrival, a logistical challenge given the region’s unprecedented migration flows. Refugees can also refuse to give their fingerprints and, according to the 1951 Convention Relating to the Status of Refugees, cannot be denied entry for this reason alone.
Identification to Improve Aid Delivery and Streamline Bureaucracy
New technologies like BITNATION Refugee Emergency Response (BRER), AID:Tech, and MONI address these tensions with a seemingly promising solution: joint-ID/debit cards for refugees.
Joint-ID/debit cards provide real-time data, unclutter paperwork, and most crucially, combine aid management and identity authentication. Instead of receiving traditional cash disbursements, governments and official agencies can now use these prepaid cards to first identify the refugee and then disburse money to his or her account.
Using blockchain technology and a refugee’s biometrics, the data on these cards remains secure despite not being managed by a central authority. BRER issues an emergency ID and Bitcoin debit card that can be used at ATMs and regular points-of-sale without requiring verification through a third-party, like a bank or UNHCR. AID:Tech, which has collaborated with UNDP and the Red Cross, provides a blockchain-based digital ID record that includes mobile bank account functionality. The digital card can be topped up remotely with electronic cash and, when scanned, reveals the user’s language, welfare entitlements, updated health records, and family member identities. MONI, partner to the Finnish Immigration Service, similarly creates a debit card linked to a unique identity on a blockchain and records every transaction on a public, incorruptible database.
Technologies’ Failures to Protect
These innovations, however, have failed to observe critical privacy safeguards in practice. Despite advances, each has demonstrated insufficient data protections, with critical policy implications.
Institutions like UNHCR have sent mixed messages about how they protect sensitive data against hacks, theft, or abuse. In 2012, privacy advocate Simon Davies argued UNHCR had failed to consider even the most basic safeguards for its biometric refugee registration. After alerting UNHCR to these critical points, the study was abandoned and Davies was not allowed to publish it. Though UNHCR released a Data Protection Policy in 2015, two researchers reported UNHCR in 2016 gave a concerning response to bidders about data-sharing: “Biometrics will be used at the UNHCR’s discretion. Whether or not UNHCR exchanges data with partners is not relevant.”
Though MONI and AID:Tech claim to be blockchain-based, and by extension belong to no centralized authority, both operators have made contradicting statements about how their platforms are governed. MONI claims its technology “lets the [Finnish] government help out asylum-seekers, while still keeping control over their spending in case anything unusual comes up.” Similarly, AID:Tech cards can be “remotely managed and monitored.”
The Role of States in Porous ID Programs
Despite the EU’s constitutional protections for privacy as a fundamental right, European agencies and member states may be increasing the potential risk that these technologies are leveraged as vehicles for surveillance and discrimination, rather than sources of integration. As Amy Weiss-Meyer argued regarding the design of UNHCR’s new Welcome Card, “it’s easy to imagine a government using biometric data to track down migrants – not to assist them, but to deport them.”
Politics and security concerns blur the lines of where accountability under the rule of law begins and ends: a series of terror attacks have led national surveillance agencies to implement programs that monitor the communications of foreign nationals. These new ordinances, including the UK “Snoopers Charter,” German BND, French International Electronic Communications Law, potentially threaten the ability of these refugees and asylum-seekers to truly secure the freedom they seek.
Building Solutions and Resilient Institutions for Refugee Identity
Undoubtedly, beneficiaries of these technologies see transformative gains. After registering his fingerprints with UNHCR, Congolese refugee Olivier Mzaliwa shared, “I can be someone now. I am registered globally with the UN and you will always know who I am.”
However, refugees like Olivier may not consider how their data is disproportionately more vulnerable to abuse by institutions and non-state actors. Policy must therefore enshrine data protections to the level of the individual and assuage third-party concerns. Both the EU and state governments must clarify their range of authority to manage and monitor data platforms that claim to be decentralized. They must clearly disclose, within reason, how the data is shared and with whom. A refugee must be asked to consent to these standards by the local managing authority upon entry to a country and ideally without a pages-long Terms of Agreement. The EU must shape industry norms for entrepreneurs and startups like BRER, Aid:Tech, and MONI by ensuring operators interpret and employ these data protection requirements within the architecture of their technologies.
For data saved in centralized locations like the United Nations or Europol, measures must be taken to help these institutions understand the risks of faulty data security. Awareness and implementation of data standards within these often bureaucratic, slow-moving institutions should be facilitated by frequent maintenance and pressure-tests for systemic vulnerabilities. Rather than arm’s-length product development, the private sector, NGOs, and refugee advocates should act as direct consulting partners. Such efforts are already underway; the consulting firm Accenture has become the primary implementing partner on UNHCR’s BIMS registration system.
Finally, technologists must modify their platforms as individuals transition out of their status as asylum-seekers or refugees, including when they resettle long-term. Refugees should be able to opt-out of sending their data to international institutions as they wean off of aid disbursements. They must be offered opportunities to integrate within formal banking systems by applying long-term financial inclusion principles. Though far from perfect, projects like ID2020, BanQu, and Taqanu are tackling this challenge in meaningful ways by using a similar digital identity to create a permanent record of one’s economic activity and facilitate participation in the global economy for the long-term.
Beyond what UNHCR has identified today as “the highest levels of displacement on record,” refugee flows are anticipated to increase exponentially in the coming decades. Emerging technologies for identity, aid, and registration play an important role in tackling this pressing challenge, but states cannot ignore policing concerns. Though refugees may not consider their own data protection and privacy rights as they seek safety, policymakers absolutely must evaluate technologies with dignity in mind.
Laura Schiemichen is completing a joint-degree in Transatlantic Affairs between the Fletcher School of Law and Diplomacy and the College of Europe. She is a German native and previously worked at the European Parliament, Compass Lexecon, and the Millennium Challenge Corporation. Laura graduated from Wellesley College in 2014 with a degree in Economics and Sociology.
Photo credit: AMISOM Public Information via Flickr