This series was produced in partnership with the Pulitzer Center’s Artificial Intelligence (AI) fellowship.
Following the 1999–2001 Kosovo crisis, Microsoft, in collaboration with Hewlett-Packard and Compaq, provided the United Nations High Commission for Refugees (UNHCR) with hardware and software to support a refugee mobile registration scheme that later informed the development of Project Profile.
In 2002, the UNHCR launched Project Profile after its governing body, the Executive Committee of the High Commissioner’s Programme (ExCom), encouraged the standardisation of registration guidelines and the introduction of “new techniques and tools, including biometrics” as well as global software such as the UNHCR’s Profile Global Registration System (proGres).
Microsoft provided technical advice and guidance on the technology specifications. The Elca Group, a Swiss company, won the tender to develop the global proGres database as part of Project Profile B. Elca was responsible for the development of the three versions of proGres (V1-V3), the UNHCR told vendors in 2013. Elca did not respond to a request for comment.
According to various agency news briefs, the UNHCR and volunteers from Microsoft trained staff to use proGres, then primarily a registration tool for capturing biographical data and facial photographs, and helped set up the registration systems in several countries. The UNHCR did not provide a comment on who specifically deployed proGres, including in Kenya in 2004. proGres is built on Microsoft Dynamic Customer Relationship Management (CRM) software and is the backbone of the UNHCR’s operations, including registration, Refugee Determination Status (RSD), resettlement, and repatriation.
“Thanks for checking in. The company has nothing to share,” was Microsoft’s response to The Elephant through its long-term partner We. Communications, a public relations and integrated marketing agency.
A 2019 UN financial audit report states that proGres V3, an offline system of separate databases storing data locally, “did not meet data protection requirements, putting individuals at risk and putting UNHCR in a situation where its credibility was compromised”.
According to UNHCR, Hewlett-Packard (HP – Zurich office) developed the Profile Global Registration System in Partnership (proGres v4) that was launched in Kenya in 2019. HP, which acquired Compaq in 2002, had not responded to The Elephant by the time of publication.
According to an audit of proGres 4, from 2010 until May 2017, the UNHCR spent US$19.6 million – against a budget of US$54.3 million – in the development and deployment of the interoperable, centralized cloud-based online software that enables the UNHCR to grant access to the chain of actors like governments, the World Food Programme (WFP), and the International Organization for Migration (IOM).
The UNHCR told The Elephant that “while proGres v3 was an offline system of separate databases storing data locally, proGres v4 is a centralized, integrated platform that was built with data protection by design and default.” The agency said proGres v4 has since been “replaced by the next generation of proGres referred to as proGres Cloud”, which offers enhanced cybersecurity and flexibility for different data processing scenarios, and meets UNHCR’s Data Protection Policy requirements. UNHCR spokesperson Faith Kasina did not provide details on who designed and developed proGres Cloud or when it was deployed in Kenya.
Following the development of proGres and the release of a new handbook with standardised registration guidelines, the United States government recommended using its influence to encourage UNHCR to adopt stronger registration measures, including biometrics, to safeguard the integrity of refugee resettlement. These concerns were underscored by a 1999–2000 corruption scandal in Nairobi, where UNHCR employees were found selling resettlement slots.
The US stated that the Department of Homeland Security (DHS) had developed mobile fingerprinting technology that was “compatible with UNHCR’s Microsoft systems”, adding that “US funding should be provided” to acquire the technology.
According to the US in a Wikileak cable, the UNHCR had in 2002 deployed an iris recognition technology, although “biometrics [was] not being used for general registration.” The Iris recognition technology developed by BioID Technologies for UNHCR was used in repatriation operations for Afghan refugees returning from Pakistan to detect and prevent multiple assistance claims by the same individuals. The Elephant sought a comment from the United States embassy in Nairobi and the State Department Office of Press Relations through an online portal and email. The US had not responded to requests for comments by the time of publication.
Developed by HBS Netherlands and funded by the Dutch government, BioRegistrator software was later attached to proGres as an add-on, according to a Wikileak cable of the audit of Project Profile in 2005.
In 2013, seven years after BioRegistrator was deployed in Kenya, the UNHCR partnered with the WFP and introduced biometric identification for food distribution that took the fingerprints of all 10 digits. A ration card barcode and fingerprints were matched against the data recorded in proGres V3 to verify the identity of those receiving food aid.
The WFP and the UNHCR stated that they used US$5.143 million of the initial budget of US$8.5 million to develop, test, and implement the fingerprinting technology. Major donors included the United Kingdom’s DFID, which allocated £6 million to the WFP for biometrics and healthcare, ECHO (European Union), and USAID (US). “Donors were signalling fatigue,” the agencies said, and the savings from biometrics contributed to building the confidence of the donors and the Kenyan government.
In Kenya, according to the UNHCR and the WFP reports, biometric registration resulted in monthly savings of US$1.5 million and a reduction of the refugee population. The decrease was largely attributed to a drop in the “number of ration cards being used illegitimately (host community populations registered as refugees and refugees that have left the camps and sold their ration cards).”
“It is always to increase accountability to donors. What is always missing is accountability towards refugees,” Prof. Gianluca Iazzolino observes. He believes it’s a colonial approach to use the humanitarian space as a testing ground for new technology and on refugees with less legal protection.
Prof. Iazzolino is the author of “Infrastructure of compassionate repression: making sense of biometrics in Kakuma refugee camp”, a report examining the perception of biometric systems by refugees.
According to the study, which was carried out when the UNHCR and WFP were implementing their fingerprinting technology and at the height of terror attacks in Kenya, Somali refugees feared that biometrics “could be used to tighten police control over their movement”, as the launch of biometrics “coincided with fresh announcements of the Kenyan government to repatriate Somali refugees”.
Prof. Iazzolino told The Elephant that rich Somalis bought Kenyan IDs and resettlement opportunities abroad, while poor and marginalised Somalis sold their rations to get money as they were not allowed to work. “The biometrics stopped this,” he said.
The Engine Room, a non-profit organisation looking at risks, benefits, and organisational policies in its “Biometrics in the Humanitarian Sector” report, argued that there is a lack of comprehensive evidence of fraud control and savings occasioned by the use of biometrics.
Humanitarian organisations often focus on “downstream fraud” that is committed by beneficiaries as opposed to “upstream fraud” that is committed along supply chains. “In doing so, it burdens beneficiaries with the issue of accountability when there are substantial problems with fraud elsewhere in the ecosystem,” the report says.
A UNHCR financial audit report states that 54 of 61 fraud cases reported between 2018 and 2019 were committed by its staff and seven by its partners. In an internal audit of the Biometric Identity Management System (BIMS) report in 2016, the UNHCR states that it is difficult to accurately assess in quantitative or qualitative terms the impact of the introduction of biometrics on fraud reduction. UNHCR audits also raised questions about the expenses associated with the development, maintenance, and running of the system.
Apart from verifying identities, preventing “duplication and fraud and to ensure that humanitarian assistance reaches those most in need”, biometrics, the UNHCR told The Elephant, “also opened up new approaches and possibilities to support refugee financial inclusion and self-reliance, including through access to mobile services, banking services and labour markets”.
The UNHCR and the WFP did not respond to questions from The Elephant regarding the amounts lost prior to the deployment of biometrics and where along the supply chain the losses were occurring.
In 2012, the UNHCR made a call for proposals for a biometric system capable of capturing “high-quality fingerprint biometric data” and “iris and facial recognition data” in an effort to further expand Project Profile and prevent multiple registrations by refugees.
Following a competitive tendering process, the consultancy firm Accenture (originating in the US and headquartered in Dublin, Ireland) announced it had won the contract to deploy the centralized Biometric Identity Management System (BIMS) across the UNHCR’s global operations.
“Accenture were selected through a competitive tendering process in 2012 with the RFP published on the UN Global Marketplace in accordance with UN procurement regulations and IPSAS best practice,” the UNHCR told The Elephant.
Accenture told The Elephant that it “did not work on the biometric identity system deployment in Kenya. For any further information, you will need to speak to UNHCR.”
Biometrics falls under surveillance and can be risky, says Prof. Vukosi Marivate, the co-founder of Deep Learning Indaba, the largest annual gathering of Machine Learning/Artificial Intelligence practitioners on the African continent. “Facial recognition,” he says, “could be abused for surveillance as it is easy to track a face.”
According to the Mapping UN Activity in Support of Identity Management report, by 2016, the UNHCR did not use BIMS face recognition in either matching or authentication “since the robustness of face matching technology is not yet to the point that would allow its use in difficult lighting environments such as those encountered outdoors in camps”.
While presenting BIMS at the International Biometric Performance Conference (IBPC) in Gaithersburg, Maryland, in 2016, Accenture stated that “due to the challenging lighting and background, face has proven to be the biometric with the highest recapture rate with an average of 2 captures per enrollee to acquire a good face quality image”.
Screenshot of BIMS components as presented at the International Biometric Performance Conference (IBPC) in Gaithersburg, Maryland, in 2016 by Accenture. BIMS is a centralized database that links verification stations in UNHCR offices and camps around the world back to a central biometric database in Geneva. Photo credit/Accenture
In a 2015 archived document, Accenture had stated that BIMS stored “fingerprint, iris, and face photo information for manual identification and facial recognition”. However, responding to questions from The Elephant, the UNHCR said that “facial photographs are collected for identity documents and case files but are not used for automated facial-recognition matching in Kenya”.
According to Amnesty research, facial recognition algorithms can lead to bias against women and persons with dark faces if training datasets had bias, resulting in the misidentification of Black persons or false positive matches in image databases.
Fingerprints aren’t perfect either, according to a former WFP employee who requested anonymity. Sometimes during food collection, the BIMS scanners failed to recognise the fingerprints of refugees. This is due to various factors, including dirt, moisture, or damaged fingers due to hardship and manual work, such as construction.
If fingerprints failed, the WFP worker said, then the iris would be used. In her report, “The Biometric Assemblage: Surveillance, Experimentation, Profit, and the Measuring of Refugee Bodies”, communications scholar Mirca Madianou suggests that the iris recognition technology deployed by the UNHCR in 2002 might have wrongly denied at least 11,800 claimants.
In 2023, the UNHCR stated, “BIMS has not always been flawless; so-called bugs pop up occasionally, which have caused the application to misbehave, freeze, or crash, and require urgent fixing as soon as possible.” Any bug fixes and software modifications are carefully designed and discussed in detail, the UNHCR added on its website. UNHCR told The Elephant that BIMS is designed to ensure accurate identification and is subject to regular technical performance data quality reviews. The agency did not directly address whether any of its biometric systems have exhibited bias or how software bugs might have affected accuracy.
A software engineer told The Elephant that software bugs can arise from various sources, such as coding errors, oversights in design, or unexpected interactions with other software.
According to a Wayback Machine snapshot of the Accenture website, the company was “selected to design and build” BIMS because of its Unique Identity Service Platform (UISP) and its repute in biometrics globally. UISP forms the core of BIMS and comprises the award-winning patented Biometric Matching Engine (BME) that compares “a variety of biometric identifiers, such as face, fingerprints, iris or voice, against large volumes of reference identity data”. BIMS operates in conjunction with the proGres database.
Accenture states that UISP is based around the concept of “Emergent Identity – the idea that every time an individual interacts with our system (an ‘identity event’), we learn something about them – perhaps a new biometric sample, or a new piece of biographic or contextual data”.
The UNHCR told The Elephant that “there is no AI used in the UISP, and nothing new is learnt about individuals when they interact with the system – nothing at least in the sense of machine learning and AI”.
Accenture notes on its website that, with careful consideration of data privacy regulations, Emergent Identity “can provide rich analytical insights into customer identities to facilitate improved experiences, prevent fraud, and streamline interactions.”
From 2012 to 2015, the BIMS budget was US$9.6 million, with a total expenditure of US$8.7 million. The budget for 2016 was US$2.7 million, according to an audit report.
According to Accenture, archived document BIMS incorporates fingerprint, iris, and facial capture and recognition technologies from multiple vendors, including WCC Smart Search & Match, Green Bit, GenKey, Warwick Warp, IriTech, SmartSensors, and Cognitec.
Alexandrine Pirlot de Corbion, Director of Strategy at Privacy International, has raised questions concerning the UNHCR’s collection and use of sensitive data, its partnerships with the private sector, and the lack of transparency and accountability in the procurement and contracting process.
“Do they only provide software and hardware, or are they also involved in data processing themselves?” She asked.
Responding to questions from The Elephant, the agency stated that “Refugee personal data is hosted on UNHCR-controlled cloud servers. Access to this data is strictly controlled, and tech vendors do not have access to personal data,”, adding, “Only a very limited number of authorized individuals—UNHCR staff or others—can access the databases, and then only to perform specific tasks for a defined period.”
A goliath in the world of large-scale biometric databases and predictive policing, Accenture is also a big contractor with US national security and law enforcement agencies, winning multi-million dollar contracts with Customs and Border Protection (CBP), and Immigration and Customs Enforcement (ICE).
Accenture and Microsoft are also part of the ID2020 Initiative, which the UNHCR is involved in. Using blockchain technology running on Microsoft Azure’s Enterprise Ethereum and leveraging Accenture’s UISP software, the ID2020 consortium works to provide digital IDs for one billion undocumented people worldwide in line with the UN’s SDG Target 16.9.
Story editing by Betty Guchu.