At Avast Digital Trust Services, our goal is to end anxiety for refugees and their loved ones. We see it as a critical component of protecting digital freedom for all.
What do you do when you suddenly have to abandon your country? What do you take with you — and what do you leave behind? These are questions faced by millions of refugees worldwide, who are forced to flee their countries because of persecution, war, or violence. And while some are able to grab identity documents on their way out the door, others are left with no proof that they are who they say they are. So what do you do if one of the things you leave behind is your legal identity?
That’s the situation facing at least some of the approximately 6 million people who have fled the borders of Ukraine in the nearly three months since Russia escalated the war on February 20. They’re joined by an additional 6.5 million people who are displaced inside the country, making for a total of more than 12 million who have been forced to leave their homes thus far. According to Pew Research, that number places the Ukrainian refugee crisis among the worst in modern history.
At the moment, a lack of documents isn’t too much of a hindrance to Ukrainian refugees, who are largely being welcomed in neighboring states. Dr. Dzeneta Karabegovic, PhD, an expert in migration and human rights and a childhood refugee herself, tells Avast that Ukrainians currently don’t need a passport in order to get through most borders of the European Union (EU).
“Any ID will work,” Dr. Karabegovic says. "A birth certificate is especially useful when it comes to children. Worst case scenario, if there’s no documentation at all, children still are let in with their guardian or a person who’s accompanying them on the basis of a written statement of legal guardians that they agree for their child to cross the border.”
The modern world has been grappling with the issue of how displaced people prove their identity for more than a century. The first international agreement on how refugees could handle the issue of missing or incomplete identity documents resulted from the Arrangement of 5 July, 1922, which was a meeting of the League of Nations. Among other things, the conference established a uniform “identity certificate” for Russian refugees, between one and two million of whom had been displaced by various conflicts over the previous decade. The certificate included the refugee’s name, date of birth, place of birth, surnames of their parents, occupation, former residence in Russia, present residence, age, hair, eyes, face, nose, “special peculiarities,” and a place for a photograph.
The issue of refugee identity — and even refugee status — has become increasingly complicated over time. In order to be granted all of the rights and given the documents described above, people fleeing their home countries have to prove to the governments of the receiving governments that they truly are refugees.
In the United States, for example, getting refugee status starts with a referral from the United Nations High Commissioner for Refugees (UNHCR), a US Embassy, or a designated non-governmental organization. Then, a caseworker helps the asylum seeker with application forms and a United States Citizenship and Immigration Services (USCIS) official conducts an interview to determine if the applicant qualifies for refugee status. As part of that application, the USCIS asks for a passport, if the person has it, as well as a refugee certificate from the UNHCR, and any other supporting documents that support the applicant’s case.
The process appears to be fairly straightforward, but Dr. Karabegovic says that it’s more complicated than it seems.
“We see a lot of those who think/know that their asylum claims will be denied, tearing up their documents and showing up without identification, which then makes the whole process much more difficult,” Dr. Karabegovic says. “It is often because they don’t have the ‘legal’ claims all lined up, aka their claims are made more difficult by the countries in which they are wanting to settle.”
While the issue of digital identity in general is very complicated, the issue of digital identity for refugees is extremely complicated. Drummond Reed, Avast’s Director of Trust Services, says that it is “perhaps the single hardest challenge for a worldwide digital identity system.”
“Avast recognizes the complexity and sensitivity of this unique challenge and plans to work very diligently with all stakeholders to ensure it is addressed by our digital identity solutions in the safest and most effective and most privacy-preserving way possible,” he continues.
According to Reed, “Legally valid identification requires a legally-recognized governance authority to issue the identity documents.” In other words: Identity documents are nothing but paper or pixels unless there’s an authority that bestows validity upon them.
But refugees are, almost by definition, separated from the government that validates their identities. In fact sometimes they are being directly persecuted by that government, which means they have incentive to cut off any legally-identifying paper (or pixel) trail. One only has to look to history and the genocide of Jewish people under the Nazi regimes to illustrate how government systems of identification can be turned against a persecuted people. “This means a refugee needs a means of identification that is separate from—and portable across—identity systems controlled by governments or other authorities,” Reed says.
This is where self-sovereign identity (SSI) comes into play. According to the Sovrin Foundation, whose work centers around creating ensuring that the Sovrin identity system is public and globally accessible, self-sovereign identity “empower[s] entities who have natural, human, or legal rights in relation to their identity (‘Identity Rights Holders’) to control usage of their digital identity data and exert this control by employing and/or delegating to agents and guardians of their choice, including individuals, organizations, devices, and software.” In other words, the goal of SSI is to ensure that your digital identity belongs to and is controlled by you, not just your government or any other centralized system. You should have the ability to choose not only who has access to it, but who acts as the “guardian” of it in case you cannot control it directly (e.g., you do not have internet access).
While they might be the owners of their identities, refugees can’t just show up somewhere and declare that they are who they say they are. Identity documents have little standing unless they’re verified by a trusted authority. Plus, a system like that would be rife with exploitation by terrorists, war criminals, and other bad actors.
So if the government can’t do it – and the individual can’t do it – who can?
“The only answer of which I am aware is non-governmental organizations (NGOs),” Reed says. “One or more of these organizations, acting on humanitarian principles, can provide attestation of some set of identity data for a refugee. They then act as ‘guardians’ or ‘custodians’ of that information.”
NGOs that choose take on this responsibility must first perform “identity proofing”—the process of confirming that a person is who they claim to be. After an NGO finishes identity proofing a refugee, Reed says the results can be stored in one or more of three forms:
Still with us? At this point in the process, the refugee’s identity has been proven via the trusted NGO and the refugee has either physical or digital documents to confirm their identity. But now they have to prove these are their rightful identity documents each time they use them, a process called “identity binding.” If the documents are physical, anyone who wants to verify that they’re legitimate can contact the NGO. If they’re digital, their authenticity can be verified via a digital signature on the documents supplied by the custodial NGO.
Ideally, Reed says, any identity verification will be done through privacy-preserving biometrics. While we tend to think “fingerprints or face scans” when we hear the term “biometrics,” Reed is quick to point out that even those very first refugee identity documents from 1922 – the ones that included standard descriptive elements as well as “special peculiarities” – used biometrics.
“If it includes sufficient detail about the exact characteristics of the individual, a biometric can be as simple as a highly detailed physical description recorded as plain text,” Reed says. “Another relatively simple biometric is a photograph, such as those required for a passport or driver's license.”
However, low- or no-tech biometrics like photos usually have to be verified manually, which is slow and prone to errors. (Anyone who used a fake ID in order to drink underage in the US knows just how fallible this type of biometric verification can be.) With that in mind, Reed recommends digitally enrolled and verified biometrics, like fingerprints, facial scans, iris scans, palm scans, and voiceprints.
As with physical identity documents, there are challenges when it comes to biometric identity verification. First, it is safest if biometrics are stored only on a device owned by the refugee and not in a cloud-based server. “If the biometric is stored on a local device such as a smartphone or tablet that the refugee can carry, it can be verified locally,” Reed says. “This is the most privacy-preserving scenario since the biometric never leaves the local device. It is also the hardest to weaponize because the refugee can either discard or destroy the device — or use a ‘duress code’ to silently signal the device to fail a biometric match.”
However, in refugee situations it’s highly likely that the person either won’t have or will lose their devices. For that situation, Reed recommends using a third-party biometric provider (BSP), which stores a biometric template that is similar to a hashed password.
“The BSP works together with the NGO to enroll a biometric template for the refugee,” Reed says. “This is not the raw biometric data itself, but a profile of the biometric that can be used to verify when a matching biometric is presented. This template is then stored either in the cloud or a secure database only accessible to the NGO or its delegates.” Such access control is critical to prevent the biometric template from falling into the wrong hands, for instance the group that the refugee is fleeing.
One example of a BSP taking this approach is iRespond, a non-profit organization that provides self-sovereign privacy-preserving biometric identification for refugees and other displaced or at-risk populations. Reed explained that the Thai government contracted with iRespond to provide biometric identification for Thai fishing fleet workers who were being shanghai’ed and forced to work as slave labor before being thrown overboard by unscrupulous fishing boat captains. iRespond is now working with the Swiss-based Human Colossus Foundation to develop a self-sovereign birth certificate that includes iRespond’s privacy-preserving biometric technology.
Dr. Karabegovic fled Bosnia with her mother and sister in 1992, on the last plane out of Sarajevo. In those 30 years, her refugee, residency, and citizenship status have all changed multiple times. But a digital identity solution for refugees could have saved her so much time and grief over the years – and it still could, in the near future.
“There is never a time I cross a border without anxiety. ‘Will my papers be ok?’” Dr. Karabegovic says. “Once a refugee, always a refugee. This year marks 30 years.”
At Avast Digital Trust Services, our goal is to end this anxiety for refugees and their loved ones everywhere. We see it as a critical component of protecting digital freedom for all.
The concept of digital identity is fairly new and might sound complex, but it’s pretty easy to grasp. What’s more, most of us have one and it’s a lot more valuable than you think.
The EWC pilot will focus on the use of the EU Digital Identity Wallet in the context of travel – such as providing passenger information, buying goods and services, and trusted business to business interactions.