Eyes Wide Shut: The challenge of humanitarian biometrics

By Paul Currion

IRIN Columnist 

Biometrics, for those of you who haven't spent the last 10 years swearing at the automated passport gates at Heathrow, is the use of human measurements for identification. The most familiar biometrics are fingerprints, but the computer-powered scanning of eyes and faces is being implemented in a growing range of contexts. The origins of modern biometrics lies in the identification of criminals, but it was the war on terror that turned biometrics into the $13.8 billion industry it is today.

As a result the technology has leapt ahead in recent years – and leapt into some surprising places. You might use your fingerprint to access your smartphone, but everybody gets fingerprinted now, including schoolchildren. Facebook can recognise you even if it can’t see your face, but even music festival organisers have decided that facial recognition technology is a good bet. Despite longstanding concerns about privacy, biometrics clearly have their uses, and a growing range of sectors have been implementing them – including the humanitarian industry.

Biometrics in the humanitarian context are ostensibly focused on preventing identity fraud, but the basic dynamic was captured in this 2006 report from the UN’s refugee agency, UNHCR, in Malaysia:

“Nang Piang, a refugee from Myanmar, placed his finger tentatively on the biometrics scanner... ‘I don't know what it is for, but I do what UNHCR wants me to do,’ he said... ‘This is an important step for UNHCR Malaysia as we strengthen the security of our registration system to prevent fraud,’ said Volker Türk, head of UNHCR in Malaysia, ‘Such a security measure will certainly enhance the credibility of UNHCR's registration system in the eyes of the Malaysian government...’”

This statement makes clear that biometric registration is driven by the interests of national governments, technology companies and aid agencies – in that order.

"I don't know what it is for, but I do what UNHCR wants me to do"

UNHCR's biometric system was initially funded by the EU and the US (specifically recommending funding “for early UNHCR use of mobile fingerprint technology developed by [the Department of Homeland Security]”). A number of companies have since been involved, including PA Consulting, who previously helped the UK government develop its border control biometrics, and one of whose former employees now works for the UN, overseeing global deployment of the system.

Critics of the industry focus on two concerns. Security is one: in 2008, for example, PA Consulting lost 84,000 biometric UK prisoner records – not through an act of cyber-crime, but because they were left on an unencrypted USB stick in an unlocked drawer in an unsecured office. Privacy, the second issue, is sometimes even more critical from a humanitarian perspective, because the privacy of vulnerable communities and individuals – many of whom may already be fleeing conflict or persecution – may be critical for their protection.

UNHCR has argued that biometric registration improves protection for refugees, but the question is clearly not settled. A recent study by Katja Lindskov Jacobsen pointed out that – while biometric registration may help to mitigate some vulnerabilities – the creation of the “digital refugee” may also create new vulnerabilities. These arrive precisely because this data can be shared between different actors for more than one purpose; to address problems faced by refugees, yes, but in a different context to frame refugees as the problem.

Government assurances of privacy are no guarantee. The European Commission promised that its EURODAC database of asylum applications would be protected, right up until 2012 when it agreed to allow Europol and other law enforcement agencies access to it. UNHCR expressed concerns about this, but the Commission went ahead anyway. UNHCR plunged on towards a global and centralised Biometric Identity Management System (BIMS) while only adopting a data protection policy in May 2015 – a policy that explicitly states that UNHCR “may transfer personal data [of refugees] to third parties.” That policy has safeguards built in, but the security of your data is only as secure as the weakest link in your chain – and, as noted above, that link might simply be somebody who forgets their USB stick.

This fits with a wider and more worrying pattern in the field of biometrics: it's marginalised groups who are used as guinea pigs for new biometric applications, always with claims that it's for their own benefit. Privacy International has identified that in countries where democratic processes – such as parliamentary oversight and the rule of law – function more effectively, biometric schemes have been repeatedly challenged and rolled back by informed citizens. The real issue here is accountability – or lack thereof – precisely because humanitarian biometrics are being implemented in countries where those factors are weak to non-existent.

For example: one of the earliest uses of humanitarian biometrics dates back to 2003, helping UNHCR to establish that only 0.5% of Afghan returnees from Pakistan were trying to game the Afghanistan refugee return programme. Current President Ashraf Ghani promoted biometrics as the foundation for his country's social policy in his 2006 book “Fixing Failed States”, and the Afghan authorities have made it their goal “to fingerprint, photograph and scan the irises of every living Afghan.” This has made Afghanistan the most biometrically identifiable country in the world – although UNHCR and the Afghan government have both invested heavily in biometric databases, the US military has been the real driving force.

The use of biometrics clearly has benefits. The Centre for Global Development has given cautious and context-specific support to the broader principle of incorporating biometrics to bridge what they refer to as the identity gap – on the basis that the vulnerable and marginalised are usually required to submit to biometric registration to enable them to access government services. The Columbia Human Rights Law Review comes down on the side of the legality and efficiency of biometric ID cards for refugees, if privacy concerns are fully addressed.

Yet it seems obvious that the individuals being registered are unlikely to be fully aware of the implications: a UNHCR article quotes Congolese refugee Olivier Mzaliwa saying: “I can be someone now. I am registered globally with the UN and you’ll always know who I am.” Even assuming that Olivier has been well-informed about the possible downsides of his registration (which seems doubtful, since it's not clear that UNHCR field staff themselves will be aware of these issues), he no longer has any control over this data about himself – and it is doubtful he has any means to regain that control, or even to find out how the data is being used. There is still a massive accountability gap.

Depending on where you lie on the political spectrum, registration of your identity is either an invaluable tool in the fight against poverty or an additional chapter in Seeing Like A State – although it’s probably both. Either way, the use of biometrics is only going to increase, particularly as we move towards mainstreaming cash distribution, where registration and verification are critical to ensure effective targeting and monitoring. Given this trend, we have an obligation to avoid using the bodies of the poor as experimental subjects, subject to an implicit assumption that they are all criminals – if not now, then at some unspecified point in the future.

We’ve seen in this article how biometric systems design has privileged the point of view of humanitarian organisations or national governments. Is it possible to develop a new design approach for managing identity, one that isn't a second-hand solution from companies looking to expand their market?

World Vision has explored one alternative in developing its Last Mile Mobile Solutions, making its concerns about biometrics clear. Building on this and other efforts, and incorporating the principles of participatory design, our starting point should be designing from the point of view of refugees, rather than our own organisations. Unfortunately the humanitarian community consistently fails to engage with that perspective, but this debate is more critical than ever, and not just for biometrics. The debate around design imperialism has died down, but it hasn’t disappeared, and digital design is becoming increasingly important.

So next time you’re swearing at the biometric passport scanner at the airport, remember that although your passport gives you the freedom to travel, that freedom is subject to surveillance and control. You might have more in common with refugees like Olivier Mzaliwa than you think; but unlike Olivier, at least you can choose your queue at the airport.