Invisible No More: Ending the Crisis of Invisibility for Displaced Persons
- Human Rights Research Center
Author: Pradanya Nagru, MS
April 8, 2026
![[Image credit: freekpik.com]](https://static.wixstatic.com/media/e28a6b_d4c6286e2f1340228899423b79887274~mv2.png/v1/fill/w_49,h_22,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_avif,quality_auto/e28a6b_d4c6286e2f1340228899423b79887274~mv2.png)
Background
Today, 1 in 70 people have had to flee their home country due to natural disasters, conflict, violence, or persecution. These refugees and displaced persons are unable to access basic services due to the loss of physical documents in the chaos of flight. Opening a bank account or receiving adequate healthcare coverage are just some fundamental rights that remain out of reach for displaced persons attempting to start over. This struggle, termed the 'invisibility crisis,' leaves refugees vulnerable and unable to gain quality of life or exercise their basic rights. Private ventures are trying to bridge this gap by providing Decentralized Identifiers (DIDs), which integrate an individual's credentials with existing digital public infrastructures to allow data portability.
Decentralized Identifiers are an emerging form of digital identity. They act as digital certificates that can be used to instantly verify credentials without the need for a centralized data authority.
Unlike common identifiers widely used today, DIDs point only to a specific piece of information an organization needs to know to provide its services to the user sharing their data.
This is an example of how a DID might work:
1. A person creates a unique DID address, one that is owned and controlled by them.
2. An organization gives the person an official document, such as a diploma or a professional license, and signs the document with a unique stamp.
3. The certificate is stored in the person's digital wallet.
4. When the person applies for a job, the employer can verify the authenticity of the license by accessing the digital record on the person's phone (through a QR code, for example). This allows the employer to verify documents instantly, without needing to contact the issuer of the credential.
A person's details are stored on their device as opposed to the public record, so the person with the DID can choose the information that is shared with the employer for verification. For example, the person can show their professional license or training certification without having to provide their DOB, address, previous employment history, etc. A user can create multiple identifiers such as credentials and certifications, personally identifiable information (PII) documents, etc. to use for various interactions. The diagram below illustrates the credential verification process:
![[Image credit: https://www.dock.io/post/decentralized-identifiers]](https://static.wixstatic.com/media/e28a6b_e0800db9597842a6831b3e19a9f11528~mv2.png/v1/fill/w_49,h_26,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_avif,quality_auto/e28a6b_e0800db9597842a6831b3e19a9f11528~mv2.png)
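The issue, store, present, and verify steps above can be sketched with a salted-digest scheme, in which the issuer signs only hashes of the claims and the holder reveals the claims they choose. This is an added example, not code from the article or from any DID platform; the function names, the `did:example:` identifier, and the sample claims are constructed for illustration, and the scheme is a simplification rather than the W3C data model.

```javascript
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
// A disclosure is [salt, name, value]; only its digest is placed in the signed payload.
const digestOf = (d) => sha256(JSON.stringify(d));

// Issuer: salt every claim, then sign the sorted digests bound to the holder's DID.
function issueCredential(issuerPrivateKey, holderDid, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    [crypto.randomBytes(16).toString("hex"), name, value]);
  const payload = JSON.stringify({ holder: holderDid, digests: disclosures.map(digestOf).sort() });
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey).toString("base64");
  return { payload, signature, disclosures }; // all of this lives in the holder's wallet
}

// Holder: build a presentation that reveals only the named claims.
function present(credential, names) {
  return {
    payload: credential.payload,
    signature: credential.signature,
    disclosures: credential.disclosures.filter(([, name]) => names.includes(name)),
  };
}

// Verifier: offline check using only the issuer's public key (no call to the issuer).
function verifyPresentation(issuerPublicKey, presentation) {
  const ok = crypto.verify(null, Buffer.from(presentation.payload), issuerPublicKey,
    Buffer.from(presentation.signature, "base64"));
  if (!ok) return { valid: false, claims: {} };
  const signed = new Set(JSON.parse(presentation.payload).digests);
  const claims = {};
  for (const d of presentation.disclosures) {
    // A disclosed claim counts only if its salted digest was signed by the issuer.
    if (!signed.has(digestOf(d))) return { valid: false, claims: {} };
    claims[d[1]] = d[2];
  }
  return { valid: true, claims };
}

// Constructed sample data: a license is shown, date of birth and address stay in the wallet.
function demo() {
  const issuer = crypto.generateKeyPairSync("ed25519");
  const cred = issueCredential(issuer.privateKey, "did:example:holder123", {
    license: "Registered Nurse", date_of_birth: "1990-01-01", address: "12 Sample Street" });
  const shown = present(cred, ["license"]);
  const accepted = verifyPresentation(issuer.publicKey, shown);
  // A holder who alters the disclosed value produces a digest the issuer never signed.
  const forged = { ...shown, disclosures: [[shown.disclosures[0][0], "license", "Surgeon"]] };
  const rejected = verifyPresentation(issuer.publicKey, forged);
  return { shown, accepted, rejected };
}
```

In this simplified form the same payload and signature are shown to every verifier, so they act as a stable value that can link presentations together; the count of undisclosed claims is also visible from the digest list.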
Decentralized Identifiers as a Solution to the Invisibility Crisis
Decentralized Identifiers can enable instant verification of an individual's credentials across borders and across sectors, removing bureaucracy and long wait times. Decentralized Identifiers are NOT a new form of identification; rather, they are a means of providing credibility to individuals who already have identification documentation. Most displaced individuals have legal identification but lack adequate access to services in their new home due to missing official documentation. Decentralized Identifiers can verify an individual's legal identification and assign one if none exists by tying a person's educational and professional credentials to their identity. This connection gives displaced persons more credibility when trying to access services in a new country. It allows them privacy and bypasses the requirement for physical documentation that may have been lost. Decentralized Identifiers do not help fill knowledge gaps, if they exist, but rather establish a baseline upon which further skills and qualifications can be built. The need for official documentation and potential for privacy breaches can hinder employment opportunities for displaced persons, which DIDs can prevent. DIDs can also help when displaced persons are applying for loans or government services. By making their credit scores or financial data (if available) transferable, the technology eliminates the need for refugees to start from scratch.
DIDs are also an avenue to expand on U.N. Sustainable Development Goal 16.9—i.e., a "legal identity for all." Making a displaced person’s credentials and past educational, financial, and employment history easily identifiable can help increase their opportunities and quality of life in a new country. It enables the creation of a 'self-sovereign identity,' a form of digital sovereignty in which individuals own and manage their own data, thereby restoring agency to displaced persons and reducing dependency on third-party platforms prone to surveillance and control. Decentralized Identifiers work by decoupling identity from central authorities and their databases. This separation removes the need to rely on centralized databases and creates an additional layer of security, reducing the risk of data being exploited for harmful purposes. Several possible harmful scenarios are discussed in the following section.
Concerns & Challenges
The "right to be forgotten," as defined under Europe's General Data Protection Regulation (GDPR), is an individual's right to have their data and (parts of) their digital identity erased by entities who store such data. Decentralized Identifiers are generally compatible with the "right to be forgotten," but some loopholes remain.
A user's personal data is stored locally in a private database on their device, and a link to it exists in the blockchain. The validity of the credentials is verified through this link, which points to the private database. Anything written in the blockchain is immutable, but data in a local database can be changed. If a user wants to delete their data, they can simply delete the information from their private device or revoke access, permanently erasing that part of their digital identity. This is especially beneficial to refugees, migrants, and asylum seekers. If they believe they are at risk of being intercepted or their device confiscated by authorities from their home country, they can choose to delete their personal data, making it harder for third-party individuals to access it. For example, if a displaced person's device is confiscated by government authorities, their private digital wallet and the credentials and personal details on it can now be accessed. If they have the ability to delete certain credentials, then the right to be forgotten and the user's privacy are protected by design.
Note that data erasure and revocation of access are different functions. By revoking access to credentials, an individual is revoking third-party access and making the credentials unusable for verification, but the data still exists on the person's digital wallet and is under the user's control. Deleting the data from a personal device, however, ensures that anyone in physical possession of the device cannot obtain that data.
The GDPR permits erasure of user data by organizations that possess it, if retention of that data is unnecessary or unlawful. This also applies if the user revokes access. In the United States, the California Consumer Privacy Act (CCPA) and other local regulations contain right to delete provisions, but are only applicable to business collection of data and not to the public sector—i.e., government storage and processing of user data. Surveillance and misuse concerns pertaining to targeting of dissidents or displaced persons are most profound in the public sector. The US should expand the scope of these local privacy regulations to include the data held by federal and state governments.
Under the GDPR, the right to be forgotten does not apply to data that is used to serve the "public interest" or data that is deemed necessary for providing government services and operations. Data used to "exercise the right of freedom of expression and information" are also exempt, which is crucial for migrants and displaced persons.
Although DIDs are by definition decentralized—i.e., information is not stored in a third-party controlled database—coordination and centralization are necessary for effective cross-border implementation within governments and the private sector. The question then becomes, how much should be centralized, and by whom? Too much centralization or broad access could open up avenues for surveillance or misuse of user data, with dissidents and those fleeing persecution being at greater risk.
Even though DID interactions between an individual and the credential verifier are secure and private, it is possible to perform traffic analysis—i.e., to build a person's identifier profile by tracing their digital footprint. Metadata of different interactions that person had with various services using DIDs (even if separate identifiers were used each time) can be used to discern other details or the location of the person. If authorities can establish a correlation between different places a person has been (e.g., a protest or an aid clinic) and the entities they have interacted with using DIDs, surveillance and targeting become a central concern, especially for those fleeing persecution due to their ethnic, gender, religious, or political affiliation. A digital trail may be discovered from repeated use of the same identifiers, and services requiring individuals to scan biometric data in addition to the DID credential verification can open up back doors to privacy violations and external data storage. Given the rise in anti-migrant sentiment, if a host government suddenly decides that a certain group of migrants is no longer welcome, and specific identifiers can be linked back to those migrant populations, the host country can "blacklist" the associated cryptographic signatures.
An overlooked concern is data sharing between entities. For example, the UN High Commissioner for Refugees (UNHCR) has registered hundreds of thousands of Rohingya refugees in Bangladesh. These refugees have fled from Myanmar and sought protection from ethnic and religious persecution. The UN then passed the refugees' personal data to the Bangladeshi government for the issuing of identity cards necessary to access government aid and services. In 2021, Bangladesh reportedly shared refugee biometric data and photographs with the Myanmar government for "possible repatriation," putting the lives of those refugees at risk. A similar worst-case scenario could arise with the use of Decentralized Identifiers, where in a well-intentioned attempt to coordinate services for displaced persons, a host country inadvertently makes refugees and asylum seekers too visible when invisibility is their greatest protection.
Once data is shared with an entity (government or private), it may be stored on a permanent database, which enables access to that data even if the DID credential access is revoked by the user. In the case of the GDPR and European Union (EU) laws, an individual could request that data be deleted if they are aware of non-consensual storage. In the United States, few protections and restrictions exist on data shared with non-business entities; thus, the opportunity for misuse is broader. If an organization requires verification through a Decentralized Identifier, but then stores some details about the person on a local database (such as a name and address), the "decentralization" of the identity becomes irrelevant, because now personal details are stored in a central database. In the case of an exposure or a data breach, personal details could be easily linked to a person's DID metadata. While some data collection is unavoidable, minimization should be the ideal.
Additionally, private credential data stored on a user's digital wallet can be deleted, but the record of a DID existing under that person's name or identity still exists on the blockchain (the record links to a dead-end after access revocation), which itself provides a means of identification. Refugees, asylees, or migrants being identified as such on these records further opens up avenues for identification, retaliation, and targeting by their home governments. Therefore, DIDs must not explicitly state a person's status or categorization information, as directed by the DID technical standards. DIDs can be designed to have robust privacy protections such as "herd privacy," where all users and messages/digital footprints look similar so as to avoid isolation of a single one by external parties. Such robust privacy protections make Decentralized Identifiers a viable solution to making displaced persons visible without compromising their security.
An overlooked challenge to DID implementation is the global digital divide. Although the digital divide is narrowing as more people gain access to phones and digital technologies globally, barriers remain. The functioning of the DID system relies on digital wallets and mobile technology, excluding those who do not have access to those tools. Groups who are already marginalized by a lack of (adequate) access to phone technology will be marginalized further when that same technology is needed to unlock access to services in a new country. Women are disproportionately impacted by the gender divide in digital literacy and access to smartphones. If DIDs and digital wallets become the ticket to unlock aid and necessary services, the digital and gender gap widens and excludes a segment of the population from the achievement of "self-sovereignty."
For those who lack legal identification, DIDs and the opportunities they unlock may be even further out of reach. Hundreds of millions around the world, especially children, do not have legal identification at birth or are currently stateless, invisible in their own homeland. While there are avenues to assign someone legal identification, that person goes unnoticed even in a decentralized system, as credentials become secondary to the establishment of legal identity and personhood. The requirement that legal identification be linked to a civil registry that continuously records "vital events" of the population (such as census data) means that those individuals are already living on the margins of society, unable to access basic health, educational, and financial services in their country of birth. It is not realistic for those individuals to be expected to carry the burden of proving their identity digitally when none exists on paper.
The most daunting challenge to overcome, however, is integrating Decentralized Identifiers into all aspects of the global system, including public infrastructure and private industry. Decentralized Identification technology is still in its early development stages, and while it is being deployed on a smaller scale, wider adoption by governments and industries has yet to catch on. Currently there are different methods of creating, deploying, and verifying credentials using DIDs, but platform data standards are often incompatible with each other. Standards around DID development and deployment, such as those recently published by the World Wide Web Consortium (W3C), bring us one step closer to global integration and establishing uniformity. However, recognition of DIDs as a global standard for identification and credential verification must occur before effective cross-border implementation is possible. As the technology becomes widespread, its jurisdiction and governance must also be established within and between governments for its ethical use. The United Nations is open to DID use, and is working with governments and industry to make this vision a reality, but there is a long way to go before DIDs can effectively be used for identification verification and enhance opportunity and quality of life for displaced populations.
Glossary
Blockchain: A digital database that stores data using cryptography in such a way that the data is tamper-proof and unchangeable once recorded in the blockchain. Most blockchains are decentralized, meaning they are not controlled by any single entity.
Decentralized Identifier (DID): A unique digital identifier that is not tied to a central authority and enables individuals to share data selectively.
Digital Identity: All data that represents a person's identity online. Includes digitized form of personally identifiable information (PII), as well as the person's online activities such as social media posts and interactions, search history, location data, online purchase history, etc.
Digital Sovereignty: A nation's right to control the digital infrastructure, data, and services operating within its jurisdiction.
General Data Protection Regulation (GDPR): A law in the European Union that mandates technology companies and other entities to follow strict rules when dealing with user data. Includes data privacy and security protections as well as provisions on appropriate use, storage, retrieval, and deletion of data. Companies based in or operating within EU jurisdiction, or those handling personal data of persons based in the EU must comply.
Legal Identity: Defined by the UN as the basic characteristics of a person (name, sex, place, and date of birth) established through registration with a national or international authority following a person's birth.
Metadata: A set of data/attributes that contains the technical details of another piece of data. It can be thought of as an envelope that contains the actual data transmitted. For example, in a text message, the message contents are the actual data, but the sender and recipient information, timestamps of message exchange, the file or message size, and device location are pieces of metadata that reveal information about that text exchange without revealing the content of the message itself.
Personally Identifiable Information: Information that can be used to uncover a person's identity. PII includes a person's name, date of birth, phone number, Social Security Number, etc.
Right to be Forgotten: Under GDPR Provisions, the right to have personal data erased under specific conditions, such as when it is no longer necessary or consent is withdrawn.
Self-Sovereignty: The concept that individuals have the right to own and control data about their digital identity.
UN Sustainable Development Goals: A collection of 17 objectives adopted by the United Nations that aim to address climate change, reduce inequality, improve education and health, and foster peace and economic growth. These goals signify what the fulfillment of those rights looks like/what minimum standards countries must aspire to achieve in these domains.
