Displaced Person Identity Without Documents

by Nick Clark | Published March 27, 2026

Over one hundred million people worldwide are forcibly displaced, and many have lost every document that proves who they are. Without identity, they cannot access services, cross borders legally, or rebuild their lives. The international legal architecture that governs displaced-person identity has tightened since 2024, with the Global Compact on Refugees implementation phase, the EU Pact on Migration and Asylum, and the UN Legal Identity Agenda all converging on an expectation that identity be portable, privacy-preserving, and structurally resistant to surveillance abuse. Keyless identity, disclosed under USPTO provisional 64/050,895, provides a structural mechanism for identity that does not depend on documents, government databases, or biometric enrollment, building instead from accumulated behavioral continuity that begins from the moment of first contact with humanitarian systems.


1. Regulatory Framework

The regulatory framework governing displaced-person identity is layered across international refugee law, regional asylum regimes, national identity statutes, and humanitarian-organization mandates. The 1951 Refugee Convention and its 1967 Protocol establish the base obligation of states to recognize refugee status, with Article 27 obliging contracting states to issue identity papers to refugees who do not possess valid travel documents. The Global Compact on Refugees, affirmed by the UN General Assembly and now in active implementation through the Global Refugee Forum cycles, has shifted the operating expectation from emergency identity issuance to durable, portable identity that supports the four objectives of easing pressure on host countries, enhancing self-reliance, expanding access to third-country solutions, and supporting return.

The UN Legal Identity Agenda, coordinated through the UN Legal Identity Expert Group, sets a 2030 target of legal identity for all, including birth registration, with explicit recognition that displaced and stateless populations are the hardest-to-reach cohort. The Sustainable Development Goal 16.9 indicator drives donor-coordinated investment in identity systems for displaced populations, and the targeting has produced both genuine inclusion gains and well-documented harms when identity systems were deployed without adequate privacy protection.

In the European Union, the Pact on Migration and Asylum entered application in 2026 with the Asylum and Migration Management Regulation, the Screening Regulation, the Eurodac Regulation recast, and the Asylum Procedures Regulation. These instruments tighten the biometric registration regime at external borders and extend Eurodac into a central biometric system covering asylum seekers, irregular migrants, and beneficiaries of temporary protection, with retention windows that have drawn sustained criticism from the European Data Protection Supervisor and from the Fundamental Rights Agency for their disproportionate impact on vulnerable populations. The GDPR continues to apply, with the special-category-data provisions of Article 9 and the data-protection-impact-assessment requirements of Article 35 framing every biometric humanitarian deployment.

Internationally, the UNHCR Policy on the Protection of Personal Data of Persons of Concern, last revised in 2022 and reinforced by the 2024 implementation guidance, establishes the operating standard for humanitarian organizations. The policy requires data minimization, purpose limitation, security, and accountability, and the implementation guidance is explicit that biometric processing must meet a heightened proportionality test in displacement settings precisely because the consent model is structurally compromised. The ICRC Handbook on Data Protection in Humanitarian Action codifies the same expectation across the broader humanitarian sector.

Sectoral overlays compound the framework. The Financial Action Task Force Recommendations on customer due diligence interact with refugee identity at the moment of bank-account opening, where Recommendation 10's identification requirement collides with the absence of recognized documents. The World Bank's ID4D Practitioner's Guide and the OECD Recommendation on Children in the Digital Environment add further constraints when the displaced population includes unaccompanied minors, which it does at scale.

2. Architectural Requirement

The substantive convergence of these regulatory instruments defines an architectural requirement for displaced-person identity. The identity mechanism must function in the absence of documents and in the absence of cooperative country-of-origin authorities. It must avoid creating centralized biometric databases that present concentrated targeting risk for persecuted populations. It must produce identity that is portable across organizations and across the transition from humanitarian to host-country systems. It must accommodate the structurally compromised consent model by avoiding mechanisms that require irreversible, high-stakes initial enrollment as the price of receiving life-sustaining services. And it must support unaccompanied minors, who arrive with no documents and no adults to vouch for them.

Five dimensions define the architectural requirement. First, evidentiary substitution: in the absence of documents, identity must accumulate from a substrate the person actually has, which is their behavioral trajectory of interactions with the systems they encounter. Second, distribution: the substrate must avoid creating a single high-value database whose breach or seizure would harm the population it serves. Third, portability: identity must travel with the person across organizational boundaries, jurisdictional boundaries, and the transition into formal status. Fourth, asymmetric trust: a person who has interacted consistently with humanitarian systems for years has demonstrated something that an impersonator cannot easily replicate, and the substrate must capture that asymmetry. Fifth, child protection: the substrate must function for unaccompanied minors and across foster placements, relocations, and reunifications, where the conventional document-and-database path is most dangerously fragile.

These dimensions are not satisfied by the canonical document-and-database architecture, regardless of how well the database is operated. The architectural requirement is for a substrate whose unit of identity is the credentialed interaction trajectory rather than the stored credential or template.

3. Why Procedural Approaches Fail

The procedural humanitarian-identity approach has been to deploy registration systems that issue identifiers, capture biometrics, and store templates in databases controlled by international organizations or host governments, with contractual and policy commitments to data protection and access control. This approach has produced genuine inclusion gains and is, at the operational level, the only thing that has worked at scale. It also fails the architectural requirement, and the failure modes are now well documented.

It fails on evidentiary substitution because the registration moment is treated as the identity-establishing event. Before that moment, the person has no recognized identity; after it, the person has the identity the system issued. There is no mechanism by which the person's accumulated interactions across multiple touchpoints constitute identity in their own right. The system therefore demands an enrollment event before service delivery, creating both a logistical bottleneck and a power asymmetry that the consent model cannot absorb.

It fails on distribution because the architecture is database-centric. UNHCR's PRIMES, the World Food Programme's SCOPE, the IOM's MIMOSA, host-country asylum systems, and Eurodac all maintain centralized stores of biometric and biographic data. The breach risk is concrete: the 2021 ICRC incident and subsequent breaches across humanitarian organizations have demonstrated that determined adversaries can and do reach these stores. For populations fleeing the very governments most likely to seek the data, the risk is not theoretical.

It fails on portability because each system maintains its own identifier under its own authority, with limited interoperability. A person registered with UNHCR may need to re-enroll with WFP, with the host country's asylum authority, with a financial-inclusion partner, and with a resettlement-country authority. Each enrollment creates an additional record, additional consent extraction, and additional surveillance surface. The recent identity-federation work under the UN Legal Identity Agenda is meaningful but operates on top of the database-centric substrate, which limits how far it can go.

It fails on asymmetric trust because the database does not record interaction trajectory in a form that can be evaluated as identity evidence. A person who has received services for six months has a behavioral history, but that history lives in service-delivery logs that are not architecturally treated as identity material. The procedural answer is to upgrade the logs into an audit trail; the architectural shortcoming is that audit trails are operator-side artifacts, not person-side identity.

It fails on child protection most acutely. An unaccompanied minor has no documents and cannot meaningfully consent to enrollment. The procedural protections (best-interests determination, guardian appointment, data-minimization for child records) are real but operate within an architecture that still requires the child to be enrolled into a database before identity is recognized. Children in transit between placements lose continuity precisely because the database-centric architecture binds identity to a specific operator's record system.

4. The AQ Keyless Identity Primitive

The Adaptive Query keyless identity primitive disclosed under USPTO provisional 64/050,895 specifies that an identity emerge from an accumulating, credentialed interaction trajectory whose integrity is evidenced by a dynamic hash chain anchored in the specific circumstances of each interaction, with no requirement for centralized storage of biometric templates or persistent personal identifiers. The primitive treats identity as a property of the trajectory rather than as a record in a database.

Five structural properties define the primitive. First, anchoring: the trajectory begins at the first credentialed interaction, with no precondition of documentary or biometric enrollment. The first interaction itself, signed by the receiving humanitarian authority under a published taxonomy, becomes the anchor. Second, accumulation: each subsequent interaction extends the chain by linking to the prior anchor, with the linking material derived from the specific interaction content and context rather than from a stored template. Third, asymmetric trust slope: the chain's evidentiary weight grows with consistent interactions and is structurally resistant to impersonation because impersonators cannot reconstruct the specific historical interaction content.

Fourth, distribution: the chain is held in the form of credentialed interaction records distributed across the operators that produced them, with no centralized template store required. A breach of any single operator's records produces information about that operator's interactions but does not produce a master template usable for surveillance or targeting. Fifth, recursive closure: the lineage records are themselves credentialed observations that re-enter the system as inputs to subsequent identity evaluations, producing a self-evidencing identity substrate that survives operator changes, jurisdictional transitions, and the move into formal status.

The primitive is technology-neutral. Any signature scheme, any storage substrate, any evaluator can implement it; the inventive step is the structural shape. It composes hierarchically across humanitarian organizations, host-country authorities, and resettlement-country institutions: the trajectory accumulates across levels rather than being severed at organizational boundaries. It accommodates the structurally compromised consent model because the first interaction is service delivery itself, not a high-stakes enrollment step the person must consent to before receiving life-sustaining services. It functions for unaccompanied minors because the trajectory begins at first contact with protection services and travels with the child across placements without requiring a database-binding step.

Critically, the primitive does not replace the operational competence of UNHCR, WFP, IOM, or host-country asylum systems. It changes what those competencies are evidenced by: from records in operator databases to credentialed interactions in a portable trajectory that belongs to the person rather than to the operator's record system.
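The anchoring, accumulation and tamper-evidence properties described in this section can be pictured in code. The following is an added example, not taken from the provisional filing or from any AQ implementation. HMAC-SHA256 stands in for the operator signature scheme, and the operator names, keys, record fields and the `evidence` summary are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed operator keys. HMAC-SHA256 stands in for an operator signature;
# a deployment would use asymmetric signatures so evaluators hold no secrets.
OPERATOR_KEYS = {"registration-desk": b"constructed-key-A",
                 "food-distribution": b"constructed-key-B"}
GENESIS = "0" * 64  # assumed placeholder "previous link" for the anchor record


def link_hash(record):
    """Hash the interaction content, its context and the previous link."""
    body = {k: record[k] for k in ("operator", "kind", "context", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def sign(operator, link):
    return hmac.new(OPERATOR_KEYS[operator], link.encode(), hashlib.sha256).hexdigest()


def extend(chain, operator, kind, context):
    """Return a new chain with one more credentialed interaction appended."""
    prev = chain[-1]["link"] if chain else GENESIS
    record = {"operator": operator, "kind": kind, "context": context, "prev": prev}
    record["link"] = link_hash(record)
    record["sig"] = sign(operator, record["link"])
    return chain + [record]


def verify(chain):
    """Count records, from the anchor onward, whose link and signature check out."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["operator"] not in OPERATOR_KEYS:
            return i
        if rec["prev"] != prev or rec["link"] != link_hash(rec):
            return i  # content, context or ordering was altered
        if not hmac.compare_digest(sign(rec["operator"], rec["link"]), rec["sig"]):
            return i  # record was not issued by the named operator
        prev = rec["link"]
    return len(chain)


def evidence(chain):
    """Hypothetical summary an evaluator might weigh: verified length and spread."""
    n = verify(chain)
    return {"verified": n, "intact": n == len(chain),
            "operators": len({r["operator"] for r in chain[:n]})}


def sample_chain():
    """Constructed interactions; the context carries no personal identifier."""
    chain = extend([], "registration-desk", "first-contact", {"site": "A", "day": 1})
    chain = extend(chain, "food-distribution", "ration", {"site": "A", "day": 3})
    return extend(chain, "registration-desk", "shelter", {"site": "B", "day": 9})
```

Because each link covers the previous one, altering or dropping any earlier interaction invalidates every record after it, so `verify` reports how much of the trajectory still stands as evidence.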

5. Compliance Mapping

The five-property primitive maps onto the substantive obligations of the regulatory framework. Anchoring at first credentialed interaction satisfies the Refugee Convention Article 27 obligation in a manner that does not require documents the person lacks and does not depend on cooperation from the country of origin. The UN Legal Identity Agenda's 2030 target is met for the hardest-to-reach cohort by an architecture that does not require enrollment infrastructure as a precondition.

Distribution satisfies the GDPR Article 9 special-category-data minimization standard, the Article 35 data-protection-impact-assessment requirements, and the Article 25 data-protection-by-design obligation by producing an architecture in which there is structurally no central biometric template store to protect. The European Data Protection Supervisor's persistent objections to the Eurodac retention regime are addressed at the substrate level rather than through procedural caveats. The UNHCR Policy on the Protection of Personal Data is satisfied not by tighter controls on a centralized store but by the absence of the centralized store the policy struggles to constrain.

Portability satisfies the Global Compact on Refugees objective of expanded access to third-country solutions because the trajectory travels with the person across the resettlement transition. The FATF Recommendation 10 customer-due-diligence requirement is satisfiable by the trajectory itself, supplying a credentialed identity history that the financial-inclusion partner can evaluate without relying on documents the person lacks. The recurring re-enrollment burden across UNHCR, WFP, host-country, and resettlement-country systems is structurally eliminated because the trajectory is the identity.

Asymmetric trust slope satisfies the proportionality test the UNHCR data-protection guidance applies to biometric processing in displacement settings: the substrate provides a robust identity mechanism without invoking the proportionality concern, because the mechanism does not require biometric processing in the heightened-risk sense. The asymmetry also addresses the FATF expectation that customer-due-diligence rigor scale with risk: a long, consistent trajectory provides stronger identity evidence than a short, recent one, with the gradient available to the financial-inclusion partner as a quantifiable measure rather than a binary recognized-or-not.

Recursive closure addresses the UN Legal Identity Expert Group's interoperability objective and the OECD Recommendation on Children in the Digital Environment by producing a lineage that survives operator transitions, jurisdictional transitions, and the unaccompanied-minor placement transitions that current architectures support least robustly. The child-protection answer is not a tighter database; it is an architecture in which the child's identity is not bound to any database in the first place.

6. Adoption Pathway

Adoption of the keyless identity primitive in displaced-person identity proceeds along an incremental path that does not require dismantling existing humanitarian information systems. The first stage is overlay: existing service-delivery touchpoints at registration, food distribution, medical encounters, and shelter assignments produce credentialed interaction records that extend a person-held trajectory in addition to the operator-held service log. The person gains a portable identity asset; the operator continues to operate its existing system. This stage is achievable on existing infrastructure and produces immediate compliance value for GDPR Article 25 by-design obligations and for the UNHCR data-protection proportionality standard.

The second stage is cross-organizational recognition: humanitarian organizations begin to evaluate trajectories produced under one another's authority taxonomies, eliminating the recurring re-enrollment burden across UNHCR, WFP, IOM, and partner-NGO touchpoints. The Global Refugee Forum coordination mechanism and the existing UN Legal Identity Agenda working groups supply the governance surface for inter-organizational taxonomy mapping. The recognition does not require database federation; it requires only that operators evaluate one another's credentialed trajectory records, which the primitive structurally supports.

The third stage is host-country and resettlement-country integration: national identity authorities accept trajectory evidence as input to formal identity issuance, supplying a credentialed identity history that displaced persons can use to satisfy CDD, civil-registration, and naturalization processes that would otherwise demand documents from a country of origin that cannot or will not cooperate. The Global Compact on Refugees implementation cycles, the EU Pact's solidarity mechanism, and the OECD migration-policy coordination supply the diplomatic surface; the primitive supplies the technical substrate.

The fourth stage is child protection integration: protection-services operators, foster-placement authorities, and family-tracing services compose trajectories across the unaccompanied-minor lifecycle, supplying continuity that current database-bound architectures most dangerously lose. The honest framing is that the AQ keyless identity primitive does not replace humanitarian identity systems; it gives the population those systems serve a portable, distributed, structurally protective identity substrate that the document-and-database architecture, by its structural shape, cannot supply, and that the regulatory framework now expects.

Invented by Nick Clark. Founding investors: Anonymous, Devin Wilkie