Digital Onboarding Systems, Identity Introducers, and Data Legal-Policy Dilemmas in Contexts of International Refuge, Statelessness, Nomadism, and Internal Displacement
By Riccardo Vecellio Segate
Last July, the International Journal of Digital Law and Governance (De Gruyter) published my research article titled ‘Biometric Technology at the Borders of Citizenship: Identifying Technical Standards for Introducer-Based Remote Onboarding in Global Contexts of Statelessness, Nomadism, Displacement, and Refuge’, funded by the Bill & Melinda Gates Foundation as part of a project on Trustworthy Digital Infrastructure for Identity Systems at The Alan Turing Institute (the London-based UK’s national institute for data science and AI).
Not only does this output align with my long-standing research interests in “law and technology” and refugee law, but also with a more recent incursion of mine into the land of “technical standardisation”, whose significance among quasi-legal instruments is escalating, and to which I have devoted a number of recent scholarly works, including in the fields of smart collaborative robotics and outer-space cybersecurity. While the article has been presented to several specialised audiences, including that of the latest conference of the European Society of International Law (Interest Group on Migration and Refugee Law) held in Vilnius, I welcome the opportunity of conveying its main points to a broader public through this blogpost.
My article is concerned with the role “introducers” can play towards the remote onboarding of individuals onto digital identity systems, in contexts that I define of “borderline citizenship”, encompassing asylum seeking, statelessness, nomadism, and internal displacement. In particular, I assess potential candidates for this role — first and foremost humanitarian personnel and diasporas — alongside their functions, responsibilities, and constraints.
Let’s take a step back: who are the introducers, and why does this even matter? Hundreds of millions of individuals worldwide have their identity unknown to any central authority. They are mostly spared taxes and surveillance, yet they also survive outside the protection of a State, and cannot access public welfare and opportunities. “Introducers” are officials who are supposed to vouch for someone’s identity, mediating between these unrecorded humans and central authorities, so to “enrol” the first into a public database; hence, introducers need to be trusted by both parties. The idea gained momentum with India’s Aadhaar, although introducers’ liability for mistakes and corruption derailed the project. Capitalising on this experience, the World Bank and other agencies launched an initiative to mainstream this role within development cooperation and humanitarian intervention actions.
From a legal standpoint, the main concern is to determine the best balance among all interests at stake: States’ drive to surveil, “quantify”, and control, and individuals who would benefit from welfare, security, and opportunities while striving for defending their freedoms. Keeping comprehensive accounts of populations is also essential for States towards risk assessment and mitigation, emergency response, disaster recovery, and resource distribution. On balance, excellent reasons to onboard unknown individuals exist, provided that the dignity and privacy rights of the onboardees are upheld, and safeguards against group discrimination are devised.
Policymakers shall also be mindful of all interests vested in those who are tasked with designing and implementing the technology solutions that enable such introducers to operate. Indeed, while the introducers mediate between state administrative authorities and the introducees (ensuring the latter are who they claim to be), then it is a machine that stores each identity, transfers it to the authorities, and makes it available for any future use, including unlocking services and accessing official correspondence. It needs to prove robust (resilient to failure), accurate, efficient, and secure. Self-evidently, the identification of the most appropriate introducers is intertwined with that of the most suitable technologies, whose design and implementation responds to constitutional-level principles and societal values, but also “lower-level” regulatory tools known as technical standards. Human rights do not automatically percolate inside these industry-led solutions: feeding legal and ethical epistemology into the process, and securing value-based audits thereafter, remain challenging tasks.
All considerations above are of general application, yet some situations display additional layers of practical, policy, and legal complexity. Those are the contexts of “borderline citizenship” I have outlined above, and to which I now turn. In these situations, legal intricacies multiply: the applicable framework turns from mostly domestic to mostly international; geopolitics creeps in; fragmented authorities overlap; and definitory challenges abound. I will succinctly report the main conundrums and recommendations related to designing and implementing technical standards for remote digital identity onboarding, interfaced with the choice of appropriate introducers, with reference to each of these four “borderline” settings.
Let’s start with asylum seekers. Much has been grieved about the obsolescence of their protection framework and its focus on political persecution, but an often-disregarded quandary concerns identity. If the destination country discloses a refugee’s identity with the sending country, that defeats the very purpose of having a protection system in place. This should be accounted for when engineering the data-management algorithms of these machines, yet it also matters towards identifying appropriate introducers. Humanitarian personnel would represent the most immediate option, yet is this any safe? Recent misconducts suggest in the negative. In my article, I recall the major scandal involving UNHCR data on Rohingya refugees being shared with their persecuting government in Myanmar. My article’s analysis is worth clarifying: UNHCR did not share Rohingya’s data with the government of Myanmar directly; nonetheless, there are at least three reasons why my article’s recount is still de facto truthful. First, the UNHCR should refrain from sharing refugees’ data with any government, including the destination country’s, unless it is formally agreed that the latter will not in turn transfer such data back to refugees’ country of origin. Second, binding data protection standards (beyond relatively “soft” MoUs) must be applied and enforced to avert data leaks and unauthorised disclosure. Third, whenever the UNHCR finds that the destination country misuses the data it supplies (like Bangladesh did in this incident by transferring data back to Myanmar), it should suspend or drastically redefine its cooperation with such authorities. Whenever these three conditions go unfulfilled, refugees (and their families) are unacceptably endangered. Consequently, technology protocols should account for these complexities, and humanitarian personnel should only be trusted as introducers if all three conditions are met. It is worth noting that there are various types of identities: to simplify, foundational identities are those one is born with, but additional functional identities may be later attributed to serve a precise aim at a given juncture in specific circumstances. Functional identities are already routinely assigned in humanitarian contexts, but destination countries would plausibly still prefer to be “introduced” to a refugee’s foundational identity — where available. Truth be told, humanitarian personnel work under unspeakable pressure: on the one hand, they pledge to protect individuals who are fleeing from persecution and misery; on the other hand, should they wish to keep operating within the given jurisdiction, they cannot overly resist governmental pressures — all the more so in the current climate of political backlash against immigrants and whoever assists them. Crafting the smartest balance is an edgy ride in between politics and law, which further illustrates the complexity of onboarding individuals into centralised identity systems in these circumstances. Humanitarian actors aside, another candidate to the role as introducers could be trusted members from local diasporas, who might have retained ties with country-of-origin communities and thus help corroborate one’s belonging to a given family, ethnicity, or village.
International refuge definitely covers a core fraction of my article, but statelessness is explored in no less detail — and here, too, complexities abound. For instance, when it comes to voluntarily stateless individuals (who have relinquished their citizenship), should they be coerced into identity systems? And States being chief producers of (involuntary) statelessness via inefficiency and discrimination, should the solution be entrusted to those very same entities that originated the problem in the first place? On the issue of identifying potential introducers, trust is again tricky: as “good character” often features as a criterion for naturalisation, the introducer’s role feels suspicious in that s/he could be perceived as “scoring” the onboardee’s conduct beyond certifying his/her identity. If centralised solutions are not to be entrusted to state institutions, then perhaps a decentralised blockchain-based ID wallet could do it, by recording all stateless individuals and outsourcing their reasoned redistribution to an international organisation.
To underscore the pertinence of so-called “intimacy” indexes, the less populated a territory, and the denser its population, the deeper the interpersonal bonds. Yet “locality” is not always the safest pursuit. For instance, internal displacement is often caused by “natural” disasters that are consequent to or exacerbated by carelessness, negligence, and bribery on the part of local administrators vis-à-vis land protection and infrastructure maintenance. It would not be sensible for those very same administrations to expect displaced people to trust introducers who are also accredited before the same (mal)administrations that displaced them…
Last, the article briefly examines the challenges elicited by systemic human mobility in the form of traditional and digital nomadism.
From a more technical perspective, countless innovations deserve consideration. To mention but one, onboarding via satellite Internet should be preferred over cabled Internet, as less prone to government-mandated disruption in the event of protests or other threats to “public order”. On the whole, digital remote solutions will be designed by industry players, mostly drawing on “know-your-customer” (KYC) protocols as widely implemented in the banking sector. Even there, discriminations (such as identity-based financial sanctions) are daily business, so that before importing similar protocols into humanitarian domains, we shall acquire confidence they will not be deployed for market or geoeconomic purposes against the already marginalised. Acknowledging the intrinsically political nature of standard-setting bodies is equally fundamental.
In conclusion, guidance on how international humanitarian law, international refugee law, international human rights law, but even domestic law should apply to digital identity onboarding is scant in general, and virtually inexistent with reference to “borderline” contexts. There are no legal instruments, especially on the international plane, on how to identify introducers and apportion their liabilities. Sophisticated interdisciplinary expertise is warranted towards human-rights-compliant-by-design identity systems, and to regulate the function and profile of introducers. The complexity exposed in my article will hopefully serve as a first step in this direction!
Publisher’s Note: Readers of this blog may also be interested in the special collection of articles on Trustworthy Digital Identity in Data & Policy, which derive from a Conference held by The Alan Turing Institute.
About the Author
Riccardo Vecellio Segate is a Postdoctoral Researcher at the University of Groningen, an Editor of the Data & Policy journal at Cambridge University Press and a member of the Area 5 Committee on Algorithmic Governance that works across the journal and the Data for Policy Conference.
***
This is the blog for Data & Policy (cambridge.org/dap), a peer-reviewed open access journal published by Cambridge University Press in association with the Data for Policy Community. Interest Company. Read on for ways to contribute to Data & Policy.