‘You cannot trust a vendor’: understanding biometrics in the humanitarian sector
Biometrics were the theme of the month for September in the ICRC’s Digital Dilemmas series of talks and debates on aspects of humanitarian work. Biometrics and digital identity have proved both valuable and problematic for the humanitarian sector in recent years, leading it to examine the technologies and develop better ways to implement them, or simply recognize when they are not needed.
The import of the situation was addressed head on by the International Committee of the Red Cross. “We very much recognize as humanitarian organizations that we certainly failed to have the expertise to know how much this technology can offer, but also how much it needs to be suitably managed,” said Regis Savioz, the head of the Japanese delegation of the ICRC, who was moderating the first session on biometrics.
Industry insight into biometrics for humanitarian settings: NEC
Savioz interviewed Cristiano Blanez, manager for the International Organization Team, Global Relations Division at NEC, who outlined some commonly misunderstood fundamentals around biometric systems.
Blanez explained how a template of the characteristics of captured biometrics are formed and that the raw data, such as photos of an individual are not kept and cannot be reverse generated from the data.
Blanez said the technology itself is neutral, but the way it is used and, critically, how much data is collected are key issues for any sector. Do not collect data that is not essential and encrypt what is collected to the extent that anyone accessing the data would not even be able to recognize that it is related to biometrics.
Decentralized identity systems were also discussed as the humanitarian sector looks at ways to move away from potentially vulnerable central databases. Blanez acknowledges that the adoption of decentralized identity systems in humanitarian settings “is one measure that is mitigating the risk” for databases, “but we also know that it’s not that simple when we’re talking about a place that doesn’t have enough technology to do that, where it would require a digital device or an i-smartcard… There’s a lot of mechanisms around security but it’s still a physical device.”
Collectors of biometrics have a role in gaining the consent of those supplying their data, and governments and civil society have a role and responsibility to understand the technologies in use, said Blanez.
“Everything has to be very well planned and there have to be a lot of procedures on top of that,” said Blanez, “Transparency is very important for the citizen, society, for everyone.”
‘Overpurposed’ by design? A panel discusses the experience of the humanitarian sector in handling biometrics
Biometrics projects can either drive or undermine trust in humanitarian activities, concluded Stuart Campo, team lead for data responsibility at the OCHA Centre for Humanitarian Data who moderated the ICRC debate.
Some issues such as consent, transparency and data minimization were revisited in the next instalment of the DigitHarium program, when researchers and analysts from the humanitarian sector exchanged their experiences of using biometrics – or deciding not to or even cancelling programs.
The representatives also discussed the balance of power when systems are introduced, the need for life-long project planning, the need to seek help and the importance of doing the right thing for the populations they aim to serve while also having to manage their donors.
“If you don’t’ have genuine choice then you can’t have informed consent,” said Elizabeth Shaughnessy, senior data privacy analyst at Oxfam Great Britain. She said engaging with communities is essential for addressing the local context of any project to try to compensate for the power imbalances introduced when an organization takes and stores a community’s data.
“We have to be able to think and plan long-term – at least a lifetime,” said Shaughnessy, describing Oxfam’s latest policies for biometrics, which grapple with making provisions to deal with data beyond the length of a contract.
The policy was signed off in May 2021 and looks to build in safety mechanisms for projects involving biometrics at the funding stages of a proposal or simply make sure biometrics are not used. The charity is building its own capacity for biometrics and working with external partners to ensure teams understand what help they need and where to get it in terms of security experts.
Shaughnessy described the “make it or break it” challenges when it comes to implementing biometrics: trust, transparency and accountability. Trust is also vital between Oxfam and its donors.
“I have to be honest – I don’t have a solution for it just yet… but the inherent power imbalances that we see throughout a program, so the power imbalances between a donor and a partner, between partners of different size and capacity, between the implementing partners and the individuals and communities that they’re working with,” said Shaughnessy of an overall area of concern Oxfam is hoping to address with its policies.
Sébastien Marcel, professor and senior researcher at Switzerland’s Idiap Research Institute, said “encryption is not sufficient” due to the potential for data theft at the moment of decryption. Data minimization is key, as is choice of biometric system vendors because of accuracy.
“You cannot trust a vendor,” said Marcel. “You can trust a vendor to generally do good work, but you cannot trust that the accuracy they are giving you is necessarily true because it was done without international benchmarks so you need to rely on an independent third party which is going to evaluate the products of the vendor for you.”
He believes the lack of certification programs is the main issue for the sector at present. There are only two that he is aware. Humanitarian organizations must appoint third party evaluators or develop their own capabilities for judging biometric technologies.
Ultimately, biometrics projects are a trade-off between convenience and security for Marcel.
Refugee biometrics abandoned for eKYC
Perhaps the most compelling part of the discussion was the recounting of the situation faced by the United Nations Relief and Works Agency for Palestine Refugees in the Near East which provides schooling, cash and food assistance for almost two million refugees.
Dorothée Klaus, the agency’s director of relief and social services explained how voluntary registration for the refugee list, which determines service provision, was problematic as there was no incentive for people to indicate deaths or when they leave the programs. This led the agency to attempt to deploy an “army of persons” to survey and update the lists, a process that a donors questioned and then withdrew from funding.
This is when the UNRWA realized it may need a different way to verify the identity of the refugees and authenticate cash transfers. The UNHCR had been doing iris scans in the region since 2015, but UNRWA felt this would be inappropriate in their political environment. The community is highly wary of biometrics.
Then COVID and the crisis in Lebanon required the agency to massively scale up its cash transfer relief in the country without knowing who was still in the country. The agency, whose reputation in the region had already been called into question faced further reputational risks and with the UNHCR already using iris scanning in Lebanon, they decided to pursue the same form of biometrics.
The agency got everything in place in just four months – equipment, software, trained staff – but the policy side, under-resourced, lagged behind as pressure mounted to have a system that would help secure more funding.
“While internally we had had those discussions around consent, and ‘is an iris scan really a precondition for accessing services?’ and why we’re doing it,” said Klaus, “we had extensive discussions around data protection, where we’re storing the data, making access servers that are outside of the region highly protected, highly secured environments and so on.”
“But we’d had those discussions really among a relatively small group within the organization,” acknowledged Klaus, “and this organization employs almost thirty thousand persons.” They realized they had not had enough external communication or given themselves enough time to frame the messages for various groups such as refugees, political activists, host governments and their own staff, to make it an “understandable and acceptable solution.”
UNRWA has made assumptions that the pressures of the emergency and the fact other UN agencies were using iris biometrics would mean enough “acceptability” for their project. “Those assumptions just were not valid,” said Klaus, “We had underestimated the mistrust that does exist between the agency and refugee community.”
Activists were telling refugees they were protecting them from UNRWA collecting their biometrics and “potentially leaking them to third parties for uses out of control of any of us.” There was also the fear that the agency would use the system to try to announce a decreased number of refugees. Months of stand-off and discussions followed between all parties.
“We realized there was no way forward with the iris scans,” said Klaus, “the agency was not able to hold the trust, it was not able to garner the support for this so we made an informed decision jointly with some of the donors that had already allocated funding for the iris scans and other stakeholders, to drop the iris scans and to replace it with an alternative approach.”
UNRWA has instead developed face biometrics-based eKYC for refugees. Refugees will go online where a live photo is taken and will present an identity document which will be matched and further questions asked. A QR code will then be generated to serve as a verification document, such as for cash transfer.
“This will not be as cost efficient,” noted Klaus, “and probably not be as bulletproof and fraud-proof as let’s say an iris scan operation is but it is already pretty close.” She hopes it will strike a compromise between the donors’ need for accountability and identity authentication at higher standards and an acceptance by the refugee community so that it does not feel that their data is being misused.
“Are iris scans ‘overpurposed’?” reflects Klaus, “in our case it may have been just that.”