Privacy International Participates in Global Virtual Summit on Digital Identity for Refugees
Refugees are among the most vulnerable people in the world. From the moment they flee their homes, as they pass through 'temporary' places such as refugee camps and detention centres to their 'final' destinations, they are continuously exposed to threats. In the digital age, these threats are increasingly being driven by the processing of vast amounts of highly sensitive personal data: from enrollment and registration processes needed for them to access services, to their identification and authentication by government agencies, every interaction they have with authorities carries huge threats to their privacy and security.
Driven by advances in technology and the promise of more efficient and less costly services, new digital solutions aimed at addressing highly complex problems faced by refugees and governments are being promoted by tech companies, aid agencies, and donors. From providing access to and securing refugee camps, to tracking refugees' movements, and establishing a person's age and origin, these solutions promise a lot - but also carry huge threats.
One of the main areas in which this dynamic is evident is in the deployment of digital identity solutions. Often promoted as a necessary tool to provide services, security, and to verify people's identities, they also carry huge risks, especially if actors are rush to adopt them without considering whether the lack of an ID is actually the root of the problem identified, or without due consideration of how to mitigate the unique risks posed by such systems.
This is why Privacy International responded to a call for contribution in view of the upcoming Global Virtual Summit organised by the UNHCR, the UN refugee agency, and the Immigration, Refugees and Citizenship Canada (IRCC), dedicated to exploring digital identity for refugees and asylum-seekers.
The challenges of identity, identification and ID are massive: human identities are complex, multifaceted and changing; the designs of identification systems is difficult to ensure inclusion, security and accuracy; yet the consequences of breaches or exclusion are large. All these diverse challenges probably see their most challenging possible environment in the refugee context.
In our submission we recommended that the events and activities of the Global Virtual Summit address the following areas. PI will raise when we take part in the Second Virtual Event – Refugee identity: Privacy, confidentiality, data protection and security on 24 May 2019 from 4-5pm CEST:
Taking a step back: why digital identity
- What is the problem that the digital identity system is designed to solve; what evidence is there for the extent of the problem; and why would digital identity be a solution to that problem?
- What alternative solutions are possible?
- Is an identity solution that cuts across multiple actors or purposes desirable; and what risks emerge from this?
- How are concerns related to intersectionality and gender to be addressed?
- How to address donor and political pressures when the answer is that a digital identity system is not a desirable solution?
Planning for the problem identified: Designing a system
- Does the design of the system meet the goals established in the purpose of the system, or does its design exceed those purposes to create additional privacy risks?
- Has the technological design of the system provided for the maximum protection of the beneficiaries?
- How will the digital identity system interact with the bureaucracies of host states?
- Over what time-frame is the system designed to be used, and what is the data retention policy?
Undertaking thorough assessments: preparing to fail well
- What are the roles and motivations of state actors and private companies in the operation of the system, and is the data of refugees protected from further exploitation in the future?
- Who holds the responsibility and so the obligations for the system (design, deployment, management, auditing, maintenance, etc.)?
- How are new systems operating in relations to existing non-humanitarian identity systems, i.e. national ID systems?
- What are the unintended consequences in the short-, mid- and long-term?
- Does the entity deploying the system have the expertise, tools and resources to undertake a well-informed risk assessment and to mitigate the risks identified?
- What minimum IT security measures should be implemented, and is there financial and technical support for such measures?
- What will happen if any data in the database is breached by various actors?
Understanding the lived experiences of refugees and asylum-seekers: human and ethical dimensions of digital identity
- How do those who are affected by them experience the process?
- What unintended impacts does the system have, for example in the impact upon survival strategies?
- Who is excluded by the system, and what are the implications?
We found the photo here.