Combining accountability and privacy: CISPA researcher develops a token-based system for humanitarian aid-distribution

In 2021, 3,575,484 people worldwide received food assistance from the International Committee of the Red Cross (ICRC). Aid organizations strive to assist victims of violence, famine and disaster in regions with limited internet connectivity. And they do so using limited financial resources. To ensure that aid organizations can help as many people as possible, the distribution process must be efficient and accountable. Traditionally, humanitarian organizations use different forms of paper-based systems to support aid-distribution. These, however, are difficult to scale to large groups of recipients. They also complicate audits when it comes to verifying that donor money was well spent. To address these challenges of efficiency and auditability, organizations have recently started exploring digital solutions. Most of them integrate so-called Identity Management systems (IdM), as commonly used in passports. However, the use of IdM-based solutions brings significant privacy risks to the vulnerable population of aid recipients: personal information stored in central databases might leak or be abused.

Requirements for a solution

The ICRC approached Dr. Wouter Lueks about a privacy-friendly solution for these problems. “I was triggered by two reasons”, he explains: “It’s a technical challenge and it’s a privacy-sensitive topic”. The project that evolved is based on a collaboration between Lueks’ former employer, the EPFL in Lausanne and the ICRC. “The usual approach would have been to use biometrics, because fingerprints don’t just change”, Lueks continues. For the ICRC, however, using biometrics was not the preferred option. Biometric data are extremely privacy-sensitive precisely because they do not change. Also, securing these data is difficult. At this point, Lueks’ research interests came into play. “Typically, we build a system to solve a problem. I’m interested in disentangling the risks that materialize when you design systems to solve that problem. Some risks are inherent in the problem itself, others come from how you design the solution.” One possible risk of organizing fair distribution on the basis of fingerprints, for example, is that the underlying central database could be used by state and non-state actors to identify groups of recipients and subject them to repression. Here the risks stem from a design choice. In order to mitigate such risks, Lueks and the ICRC worked closely together to design a better solution. Two workshops and regular meetings were held over the course of one year. The outcome was a list of requirements for possible solutions that ranged from deployment conditions to security and privacy factors, while ensuring that the ICRC’s ethical standards were fulfilled.

©Lea Mosbach/CISPA

Workflow of humanitarian aid distribution

A token-based aid-distribution system

Lueks and his fellow researchers came up with a token-based approach to satisfy the aforementioned requirements. The most important design choice was to decentralize information using digital tokens, meaning that all collected information is stored only on a token that stays with the recipient. The token can either be a smart card or a smartphone. Smart cards have the advantage of being cheap and suitable for large-scale operations where digital infrastructure is lacking, while phones are easier to deploy (if available). The token-based scheme follows the existing humanitarian aid distribution workflow (see figure below). Once the system is set up, which can be done outside the target region and before the start of a mission, there is no need for updates or internet connectivity. The tokens work offline, meaning that the smart cards communicate locally with registration and distribution stations upon presentation. “One of the key challenges in this design,” explains Lueks, “was how to ensure that only eligible persons can receive aid and that audit records cannot be faked, while at the same time revealing as little information as possible about aid recipients.” Using Lueks’ token-based design, the distribution station and auditor can verify the eligibility of any recipient, while no information about the recipient themselves is being revealed. The design thus ensures privacy, while maintaining auditability.

More efficiency increases capability to help

Implementing a decentralized aid-distribution system that relies on digital processes can help increase the efficiency of humanitarian aid operations. More efficient registration and distribution processes can save time and money on the ground and thus increase NGOs’ capabilities to help people in need. Until now, the problem with paper-based solutions, as well as many digital solutions, was a lack of privacy. The solution created by Lueks closes this gap. “In the process of figuring out what the real problem is you often uncover new challenges, which makes this work very satisfying.” Lueks explains. His approach of focusing on the problem rather than the solution, fits the Do-No-Harm approach implemented in humanitarian aid. This approach aims at identifying unintended negative as well as positive impacts of humanitarian interventions before the start of a mission. Lueks has demonstrated that this also applies to the design of new digital solutions. In the future, he would like to continue to work with NGOs: “For me, they are interesting partners because they work to benefit society”. And using technology for a good cause is what Lueks strives for.

,If you want to know more about Dr. Wouter Lueks’ work, listen to our CISPA TL;DR podcast! In episode 18, Tobias Ebelshäuser talks to Lueks about his research in the field of privacy-friendly digital solutions.