This post is co-written by Carly Nyst and Zara Rahman.
Over the past few months, we at The Engine Room, together with consultant Carly Nyst, have been working with Oxfam to better understand two things:
- How biometric technologies are being used in the humanitarian sector
- What we can learn from those experiences
We’ve spoken to people from a range of humanitarian agencies about their first-hand experiences with biometric technologies in the sector. Through these interviews, we’ve come to better understand what their best practices are and how they deal with the privacy and security challenges that biometric tech brings up.
We’ve also interviewed experts from academia, civil society and the private sector about what they see as the risks and opportunities posed by biometrics. In January, we convened a community call with a variety of experts to solicit a wider set of opinions and experiences.
Ahead of releasing our main research report next week, we wanted to share some background and context on what we’ve found.
Biometrics already in use in the humanitarian sector
First, it’s important to understand the context of the sector, which is unique for many reasons. When it comes to biometrics, we found that there is currently widespread deployment of biometrics in development and humanitarian contexts. As early as 2001, UNHCR’s Executive Committee – responding to the enthusiastic efforts by states to integrate biometrics into asylum processing and border protection – encouraged the integration of biometrics into refugee registration and processing.
Since then, UNHCR has gradually integrated different biometrics identification capabilities into its registration activities. From 2015, they began rolling out a global Biometric Identity Management System. Other UN agencies, such as the World Food Programme and the UN Development Programme have also adopted biometrics, broadening their programmatic uses beyond refugee protection to cash-based interventions and voter registration.
UNHCR and WFP now operate wide-ranging biometrics registration systems, to which implementing partners also have access and contribute. Separate from this, international NGOs and civil society organisations have deployed biometrics themselves. We found this is most often in pilot programmes or discrete applications. Save the Children, for example, has used biometric technology to record adolescent girls’ attendance at school, while Mercy Corps partnered with MasterCard to distribute a biometrics-based identity card and payment solution in Nigeria.
UNHCR and WFP now operate wide-ranging biometrics registration systems, to which implementing partners also have access and contribute.
All this is happening within a changing regulatory environment. Among other areas of regulation, data protection law covers how organisations acquiring biometric data must process, retain, store and destroy such data. In just a few months, the General Data Protection Regulation (“GDPR”), a new rigorous legal framework on data protection, will come into force. The GDPR places onerous obligations on organisations, especially with regards to biometric data. Therefore, any organisation with a global reach contemplating deploying biometrics must consider its requirements.
What makes biometric data different from other types of personal data?
Biometric data is different from other pieces of personal data for a number of reasons, and this difference is crucial to understanding both how biometric data could be used and the potential consequences of its use.
We identified four key ways in which biometric data is different from other pieces of personal data.
- Uniqueness and immutability: Unlike names, appearances or home addresses, most forms of biometric data are singularly unique to the individual involved and cannot be changed. As people like Shoshana Amielle Magnet have written, the act of distilling an individual’s identity into a unique number or code may be viewed as dehumanising, and may embed discrimination along the lines of gender, race, or socio-economic status.
- Richness of information: Some biometric data contains a richness of information that exacerbates the risks created through its collection, storage and use. Depending on the type of biometric data, a lot of personal information can be gleaned, from health conditions, to family members.
- Mode of acquisition: The act of acquiring biometric data is often far more intrusive than the collection and provision of other types of personal data. In some cultures, an iris scan could be considered invasive, for example, as Privacy International notes in its 2013 report, Biometrics: Friend or Foe of Privacy?.
- Flexibility of use: As technology advances, biometrics are increasingly used for surveillance and monitoring. Advancements are also permitting passive identification. For example, the use of facial or iris recognition at a distance, without the knowledge or involvement of the individual concerned.
This is the context upon which we based our work. Knowing the background and the current trends and pressures informed our development of recommendations for Oxfam.
There are no easy answers
We found that, like many responsible data issues, there are no easy answers when it comes to deploying or even considering whether or not to use biometrics in the humanitarian sector.
We’ll share more of those findings, including benefits and risks, in the full report – so watch this space!