Rush to aid Syrians overlooks protecting right to privacy

News & Analysis
Rush to aid Syrians overlooks protecting right to privacy

Humanitarian agencies are collecting personal information for Syrians caught in the crossfire of a drawn-out and bloody civil war. Indeed, refugees fleeing persecution and conflict, need to access services and protection offered by the world’s humanitarian community. But in the rush to provide necessary aid to those afflicted by the crisis in Syria, humanitarian organisations are overlooking a human right that also needs protecting: the right to privacy.

Humanitarian and aid agencies are creating surveillance systems that collect and retain personal data with no standards or data protection principles in place. There are very real risks involved, including the creation of databases filled with the personal data of a vulnerable population. Good intentions aside, failing to protect information of Syrians could have the opposite effect: these communities will be more, not less, at risk.

Biometrics and ID Cards

Tracking refugees in the midst of the world’s largest, ongoing humanitarian crisis is not easy, especially considering that 2.5 million Syrians have left their homes since the civil war broke out in March 2011. So while deploying new technologies can certainly help track and process refugees, doing so uncritically doesn’t help with the problems – it makes them worse.

For instance, in August the UN Refugee Agency, UNHCR, introduced biometric iris scanning technology to assist in refugee registration in Irbid, a town in northern Jordan close to the Syrian border, where thousands of refugees have been arriving on a daily basis.

But this particular technology is yet to be well-tested in such sensitive environments, and this is the first time UNCHR has rolled it out. The organisation boldly proclaims that the technology “poses no risks to the confidentiality of refugees”, but this has to be taken largely on trust, because UNHCR has no public published guidelines on data protection. Further, there is also no information available on whether those wishing to register as refugees may opt out of iris scans, which can be physically intrusive and culturally inappropriate. It should be noted however, that UNHCR is in the process of developing a data protection policy and the agency should be applauded for taking this step.

recent article in Scientific American describes in glowing terms how this biometric database will be used:

"Instead of receiving food packages, money vouchers or bankcards from UNHCR, refugees in the iris-identification system receive a monthly text message saying money has been placed in their accounts. Then, they walk up to an ATM owned by Cairo Amman Bank, and, rather than insert a card and punch in a pass code, they look into a specially designed iris camera. Once ID’d, a refugee would be able to withdraw his or her monthly allotment of cash. Right now 13,500 families are receiving funds, thanks to their iris prints, according to UNHCR."

Beyond the fact that untested technology, which could easily fail, is being implemented that has a direct impact on a refugee’s ability to access support, the adoption of this system reveals a double standard. It is hard to believe that any developed country would accept iris-registration and scanning as a pre-requisite to receiving state assistance. Yet, this dystopian vision is exactly what is being imposed on vulnerable refugee populations who have no choice but to opt-in to receiving assistance.

Tying aid to particular mobile companies or banking systems also raises the concern that those companies may retain and use individuals’ information after an aid programme has ended. Or, worse yet, they may pass sensitive information to governments, facilitating state surveillance.

Beyond merely handing over the data, these databases create a single point of vulnerability. Pro-Assad groups such as the Syrian Electronic Army have successfully hacked into well-defended systems in the past; imagine if they wanted to gain access to these databases? With seemingly no security or protections in place, the personal data of an untold amount of Syrians is seriously at risk of being compromised in a country with an elite hacking army and an oppressive dictator clinging to power.

Beyond biometric data, UNCHR has a more immediate data protection problem: a haphazard collection of hundreds of thousands Syrian identity documents collected by Jordanian authorities from those fleeing the conflict. For almost a year, Syrian refugees arriving in northern Jordan were required to hand over their identity cards before they were transported to refugee camps. Given the difficult circumstances in which many fled Syria, those who did not have their identity cards instead gave over other documents, such as passports or drivers licences. Consequently, the Jordanian government accumulated a giant store of identity documents, whose purpose was unclear.

UNHCR is now working with the Jordanian government to return the documents to their owners so that they can leave refugee camps, but it is an immense task: officials scan each document, accord it a unique barcode, enter the details into a database and then store the document in a barcoded envelope. Since June 2013, the details of 180,000 documents have gone into the database.

While a centralised database may facilitate the documents’ return, it is unclear why it was necessary to collect them in the first place and the question remains as to how the database will be managed in the future. It is also far from certain that people who were forced to hand over their documents while fleeing an armed conflict can be said to have truly consented to having their personal information entered into a database that could be used for unforeseen purposes in the future.

The Risks

While it is clear that new technologies can benefit the Syrian population, steps must be taken to mitigate risks to individual’s privacy. The most obvious risk of en masse data collection is that particular information could fall into the wrong hands, producing tragic consequences. Lists of refugees or those receiving assistance could include groups targeted by government or non-state groups for persecution as well as individuals at risk of violence because of their political views, ethnicity or other factors.

More insidious risks exist as well. The European Commission Humanitarian Organisation has funded an aid organisation to record the locations of informal Syrian refugee settlements in Lebanon by using smartphones to transmit GPS coordinates to a UN database. This information then allows appropriate aid to be delivered to these communities. But if the database is not secure, the same information could be used for less worthy purposes, for example, to break up informal settlements.

Privacy International has highlighted the dangers of aid facilitating surveillance and other rights-limiting measures in its recent report, Aiding Surveillance. The example of Syria provides a relevant insight into how some of the problems described in that report play out in the midst of an armed conflict and humanitarian disaster. Humanitarian organisations need to take a more critical eye to programmes that involve collecting significant personal information about those receiving their assistance. At-risk populations deserve privacy as much as those who distribute it do.