Volker Schimmel works in Amman, Jordan, with the UNHCR — the United Nations High Commissioner for Refugees — on an initiative that allows asylum-seekers, many of whom have never owned a debit card, to access humanitarian aid money via ATMs that identify individuals by scanning their eyes. When this biometric cash assistance program started, 500 people signed up. Today, there are more than 32,000 displaced people participating. "When we started this, the number of refugees [in Jordan] was 16,000," Schimmel told BuzzFeed News. "Now it's 633,000."
We are in the midst of a global refugee crisis. There are currently 60 million displaced people worldwide. Hundreds of thousands of refugees have poured into Europe, fleeing state-sponsored violence in places like Syria. The recent terrorist attacks in Paris, which left 130 people dead, created something of an international panic around the screening processes refugees fleeing the Middle East undergo.
One such method is biometric data gathering, or the collection of facial images, fingerprints, and iris scans. The collection of this data by governments and international organizations serves many purposes — identifying residents, screening for criminal backgrounds, combatting fraudulent attempts to collect extra aid. But this is highly personal data, which in many cases refugees have no choice but to turn over if they want access to aid and supplies. The practice of collecting and storing it puts already persecuted and endangered people at risk of being tracked down by government actors in the states they are actively fleeing, or being targeted by others as potential terrorists.
Many states and organizations collect this data for different reasons; some employers even do it for reasons of security. Human rights activists have spoken out against Eurodac, the E.U.'s fingerprint database, which they see as invasion of individual privacy. In the U.S., terror attacks have led some to call for increased surveillance of refugees; the Department of Homeland Security published updated information about the interview and screening process refugees undergo in November.
Security isn't the only reason to collect biometric data. In India, 950 million citizens have participated in the government's biometric registration program; as a result, some 200 million people, mostly migrants from rural villages to cities, who had never had identification before were able to open bank accounts for the first time. This gives the government the ability to track citizens with greater accuracy than ever before. Anit Mukherjee, an International Development Research Centre fellow with the Center for Global Development, worked as an early adviser to the project. He said the information collected by the government is never deleted. "Your biometrics live in the database for perpetuity," he told BuzzFeed News. "It doesn't matter whether you're dead or alive."
After the Syrian civil war exploded in 2011, the number of Syrian refugees flowing into Jordan was overwhelming. "An office built for a few thousand Iraqi refugees suddenly had hundreds of thousands," said Schimmel. In 2013, those offices were outfitted with the necessary machines to collect iris scans. The UNHCR, aware that this technology was already in use by a local bank, saw an opportunity to distribute relief dollars to incoming refugees. The UN has said the program has greatly reduced fraud in the system; the number of Syrians requesting aid since iris scanning was implemented has reduced 30%.
Exactly how long the UNHCR holds on to this biometric data is unclear. "If you have an active record, which means your registration is valid, and you're still an asylum-seeker, or refugee, the information is stored by default," said Schimmel. "Once the record is closed, we have data deletion protocols." The UNHCR has an official data protection policy, which says that "personal data that is not recorded in individual case files is not to be retained longer than necessary." Individual case files are, however, "considered permanent records, and must therefore be permanently retained." The policy says any data shared with a third-party organization must be deleted or destroyed if the partnership is terminated.
In June, the UNHCR's field office in Jordan underwent an internal audit. The overall verdict? "Unsatisfactory." The audit found important (but non-critical) security flaws in the way the biometric cash assistance program was being managed. Per the report, which is public, the UNHCR "sent Excel-based beneficiary lists to its bank on an encrypted CD. The lists were prone to manual errors and could easily have been hacked and tampered with. Similarly, the CD was not a safe media as it was vulnerable to the risk of data corruption." The audit makes two official recommendations pertaining to the secure storage of personal refugee data. One calls for "the implementation of a secure data transfer modality," and a second calls for an overhaul of the methods used to record and store backup data, which were deemed at risk of loss in the eventuality of a disaster. (The audit found no flaws with the biometric registration program.)
While all personal data should be protected, the biometric information of refugees is especially vulnerable. In the Jordanian context, refugees being registered by the UNHCR have a particular reason to be concerned. "Especially in the beginning, there was — at least on the official propaganda side — a big push by Syrian authorities to pursue refugees as traitors to the regime," Schimmel explained. "The fear was always that there would be retribution in exile, or at home, where there are family members." In other words, there are plenty of reasons why someone might want to use the data collected by the UNHCR to figure out which Syrians are living where.
Refugees seeking aid from the UNHCR are not required to supply biometric data. The organization operates on a principle of informed consent; refugees are told what data is being collected and what it's being used for before they submit to the process. There are also rules in place for informing refugees if a data breach has occurred, or if their data is being shared with third parties. "No one is obliged to register," according to Schimmel, and, indeed, "there have been cases" in which refugees opted out of the biometric registration process, though Schimmel could not say how many.
But the problem is, for refugees who are often in critical need of assistance when they arrive in a new country, privacy is not often the first thing on their minds. Katja Lindskov Jacobsen, author of The Politics of Humanitarian Technology, argues that what seems like a choice in theory is, in practice, non-optional. "Either you give it, or you don't have assistance," Jacobsen said of biometric data. "I think that's the problem. European citizens can say no, if they want to."
Jacobsen said that states that collect biometric data have "national security" incentives that justify a level of secrecy around how that data is stored. But the UNHCR, she said, is tasked first and foremost with protecting asylum-seekers, and as such should be more transparent about its systems. Jacobsen said the UNHCR is under pressure from donor countries to embrace technological solutions to problems like fraud, which can result in the adoption of tools that the people on the ground aren't exactly sure how to use yet. "I think it came as a surprise to them that it was actually quite complicated to use this technology," she said.
Gus Hosein is the director of Privacy International, a UK-based nonprofit organization that advocates in favor of personal privacy and against government surveillance. He has worked with the UNHCR in the past, and agreed that, while the amount of biometric data being gathered around the world has been rapidly increasing since September 11, organizations like the UN still "don't know how to store it." Moreover, he argued that, while U.S. citizens have the right to take their concerns about personal privacy before Congress, people who have fled their home countries don't have the same option. "Refugees have no legal rights, and no access to law," he said, "and their information is being collected." Events like the attacks in Paris, Hosein said, are likely to result in increased pressure on organizations like the UNHCR to share the information it has on the location of individuals who have fled Syria.
Recently, the UNHCR has made some changes to its biometric cash assistance program. Via a third-party vendor called IrisGuard, the organization devised a new system that no longer requires biometric refugee data to be stored by the Cairo Amman Bank. Via a proprietary system known as EyeCloud — a technology that is "only six months old" according to Schimmel — refugees in Jordan can access cash from iris-scan–enabled ATMs without having to engage in an insecure data transfer with the bank. According to Schimmel, the ATM takes a picture of the user's iris, creates a summary of that image, encrypts it, and sends it via VPN to a secure UNHCR server. After a yes or no response is sent back regarding a match in the database, the new image is deleted. "No biometric data is exchanged in the process," said Schimmel. The information being stored with the bank was also deleted.
In the future, Schimmel said, the UNHCR will only be sharing biometric data in anonymized, aggregated form. An official spokesperson for the UNHCR in Geneva said registration information is shared "only with countries receiving resettled refugees." Per the internal audit, continued improvements to the data backup system in Jordan are scheduled to be undertaken this month.
The vast and ever-growing amount of personally identifiable information in the world is a reality the general public has to adjust to in 2015. In some instances — like skipping long lines at the airport — there are even benefits to biometric identification systems. But experimenting ad hoc with new technologies on people who have left their home states and have no legal recourse in the wider world puts those people at greater risk. "By definition, a refugee population is always at risk," said Schimmel, "because the definition of a refugee is they have a well-founded fear of persecution, which means someone is interested in doing them harm."