
Migración Colombia · UNDP Accelerator Lab
An identity for 1.7 million refugees — where the data travels with the person, not the institution.
Colombia hosts 1.7 million Venezuelan refugees, more than a third of all Venezuelans displaced across Latin America. According to UNHCR and ICAO, fewer than one in five people have access to identity documents that meet international standards. Without them, they cannot access government services, prove identity at checkpoints, receive healthcare, or participate in the formal economy. In every practical sense, they exist outside the system.
Host countries face the other side of the same problem. Issuing ID cards, running refugee databases, and maintaining records in accordance with global privacy standards are expensive, slow, and politically fraught. In the wrong hands, that data can enable religious, economic, racial, or gender-based discrimination.
The UNDP Accelerator Lab in Bogotá had a clear vision: an ID that gave refugees proof of identity and Temporary Protected Status, with data ownership in the individual's hands, not the institution's. It would work as both a physical credential and a digital key to unlock housing, medical services, and common areas. They needed a working prototype in 90 days, to UN security standards, on a humanitarian budget.
They came to Karakoram.
Three months to a working prototype. The scope was not modest: passport-grade physical ID cards, NFC-based digital keys, encrypted cloud storage, a mobile application, and a data model that satisfied GDPR and UN data protection policies simultaneously.
Most teams quoted twelve months or more. Karakoram scoped it differently. The question was not what could be built eventually, or even as an MVP. It was what had to exist to prove the concept was viable and safe. We built to that specification. Not less. Not more.

Plataforma de Identidad Digital (PID) is a secure, low-cost identity system for Venezuelan refugees: proof of protected status, access to government services, and a portable repository for medical and educational records. The data travels with the person, not the institution.
The core idea: split the data so neither half can identify anyone on its own.
The card holds the identifying fields. First and last name, date of birth, photo, gender, citizenship, ID number, and expiration date. These are encoded onto the card's NFC chip and travel with the person who carries the card.
The server holds everything else. Issue date, issuing authority, host country, and medical and educational records, all stripped of identifying detail and encrypted to government standard. On its own, it is pseudonymised data under GDPR and UN policy: records with no names attached. If the server is breached, nothing on it points back to a real person.
The two halves merge only through a security token held on the card's NFC chip. Tap the card to an Android phone running the PID app, and the token unlocks the server's records and re-personalises them in-app. Apart, neither half is worth stealing. Together, only the cardholder can make them whole.
The same card unlocks access to physical spaces: temporary emergency housing, basic services, the national health system, and COVID-19 vaccination.

We needed a low-cost card that could survive ten years of real-world use, the length of the Temporary Protected Status it carried, and resist forgery to the same standard as a Colombian passport. In partnership with HID, the cards were manufactured at HID's high-security print facility in Italy, with holograms and hidden UV security features. HID also hosted the PID server that held the pseudonymised half of the system.


A portable, refugee-owned identity system. People can prove who they are and unlock government services, medical records, and physical spaces with a single tap, without handing control of their data to any government or institution.
The functional prototype, 80 cards, an Android application, and a registration tool, was delivered within the 90-day window, to UN security specifications, within budget. It demonstrated a data architecture that satisfied GDPR and UN data protection requirements simultaneously, with no off-the-shelf solution to copy.

What ifhiring frontline workers in Latin America was as fast and easy as sending a WhatsApp message?

What ifa peacebuilding team could see communal tension shifting in days, not read about it in a survey three months later?

What ifan aid worker’s history could follow them across borders, and a host country could verify it at the checkpoint, offline, without trusting any single NGO?

What ifanyone could program a radio station like a seasoned music director just by describing it?