Update: May 5, 2021 — On April 14, Access Now met with representatives from UNHCR and WFP in Jordan to discuss concerns raised in the letter to IrisGuard, and welcomes open engagement with the agencies on privacy and data protection issues around the use of iris scan technology.
April 12, 2021 — Refugees should not be required to hand over personal biometric data in exchange for basic needs such as purchasing food, or accessing money. However, iris scan technology supplied by UK-registered company, IrisGuard, is reportedly being used by the World Food Programme (WFP) and the United Nations High Commissioner for Refugees (UNHCR) in refugee camps and urban centers in Jordan.
Based on reports suggesting the absence of meaningful consent, and an opaque privacy policy, Access Now has serious objections to the lack of transparency and privacy safeguards around this precarious tech rollout.
“When you have no choice, you can’t consent,” said Marwa Fatafta, MENA Policy Manager at Access Now. “Forcing people with little recourse, such as refugees, to surrender private information in exchange for food is an affront to human rights standards, and an insult to human dignity. WFP and UNHCR have willingly unleashed iris scan tech upon at-risk communities, and must, at a minimum, be aware of the potential consequences of their actions.”
Access Now has contacted IrisGuard requesting answers to a series of privacy and data protection questions, including:
- Did IrisGuard conduct any human rights due diligence or review to identify the potential privacy and security risks of connecting biometric data to the receipt of social services? What steps were taken to mitigate or prevent these risks?
- Is there a privacy policy specific to the iris scan payment system? Is it available in the native languages of refugees? How are refugees informed about it?
- Who is authorized or can be authorized to access the database of the iris scan payment system or request disclosure or processing of retained data? Will the data be shared with any other entities besides UNHCR and WFP?
Access Now sent the letter to Imad Malhas, Co-founder and CEO, IrisGuard, on March 29. After 14 days, IrisGuard is yet to reply.
“People must have agency over their personal information,” said Isedua Oribhabor, U.S. Policy Analyst at Access Now. “No company should have unchecked, open-door access to the personal information of millions of people, particularly of vulnerable communities. IrisGuard is no exception. Not only is this dystopian scenario completely unnecessary, we have no idea as to the data they collect, what they do with that data, or if any attempts are made to keep it safe.”
Private companies such as IrisGuard carry a responsibility to respect and promote users’ rights, and collection of data must be in line with the principles of necessity and proportionality. The need for transparency and accountability is amplified when serving those forcibly displaced and struggling to exercise their fundamental rights.