In search of better data protection for those caught in conflict

With millions of people around the world expected to receive humanitarian assistance in 2019, governments and NGOs are reviewing measures to protect the personal data collected in the delivery of that aid. Will it be enough to protect the vulnerable from digital threats?

By: /
February 1, 2019
WFP
Organizations like the World Food Programme, which distributes food in places like South Sudan, are at risk of data breaches. REUTERS/Andreea Campeanu

Humanitarian assistance today is aided by a revolution in the availability of greater volumes of social and personal data. Humanitarian organizations collect this information to make sure limited aid supplies go to those most in need, and that the aid actually reaches and benefits the intended recipient.

This year will be the second year of operations for the UN’s Centre for Humanitarian Data and the fifth for its groundbreaking data aggregation platform, the Humanitarian Data Exchange. But as momentum gains for the effort to amass larger and larger sums of data about persons in conflict, and despite the new General Data Protection Regulation (GDPR) in the European Union, humanitarian organizations have miles to go before preventing the nefarious use and misappropriation of the personal data of their clients — the most vulnerable and impoverished persons in the world — by actors ranging from militaries to authoritarian regimes to amorphous hacker armies.

The threats

As recently as December, a North Korean refugee resettlement organization in South Korea was the victim of a suspected North Korean cyber attack that saw the sensitive and personal data of nearly 1,000 North Korean defectors stolen, presumably to be used for malicious ends. The organization claims that the breach occurred because a staff member failed to follow its data handling policies. Similar attacks have been carried out by hackers likely sponsored by the Syrian government or its allies against humanitarian workers and organizations, stealing the personal data and identity card numbers of displaced Syrian civilians. Even more unnervingly, these data breaches can go undetected and the victim organizations have real disincentives against admitting when they occur. In fact, until recently the most widely discussed case was the somewhat innocuous breach of a cash assistance software service provider’s large beneficiary database by one of its competitors.

Internet surveillance is a relatively new omnipresent threat. In April 2015 it was discovered that a French network intelligence company (Qosmos) had been doing business with the Syrian secret police, offering a sophisticated system to monitor and trace all internet communications in Syria with simple keyword searches, not unlike the US National Security Agency’s infamous XKeyscore system. Qosmos is still under investigation for its role in enabling the tyranny of the Syrian government, providing the means to “track, torture and execute dissidents” through big data. Privacy International was first to point out other similar examples showing how data-intensive humanitarian aid activities could be perverted to enable deeper internet surveillance in the developing world.

Not unlike Facebook ads and self-driving cars, warfare and tyranny today use big data. Different types of dissident-catching and oppression-enabling software are promoted around the globe, with one targeting social media accounts catching headlines in 2018. Cyber attacks against and internet surveillance of humanitarians in conflict zones is a new dynamic, and a modernized humanitarian response that can navigate this new reality is overdue. In conflict zones like Syria or Yemen, where the Geneva Conventions mean quite little, poor humanitarian data protection could easily contribute to an increase in targeted attacks on civilians and post-conflict persecution. Global military powers are also after humanitarian data. In 2013, top-secret documents leaked by Edward Snowden revealed that the NSA and the UK’s Government Communications Headquarters had targeted UNICEF, the UN Development Programme, Amnesty International and Médecins du Monde for data surveillance and interception.

Similar threats of surveillance and oppression have reached Canadian shores, with cases like Saudi digital activist Omar Abdulaziz, who, researchers suspect, had his phone hacked by his government while in Canada.

The impact of Canadian aid is also in question. In 2018, the Canadian government paid more than CAD$670 million to NGOs and UN agencies to provide humanitarian assistance around the world. With threats from internet surveillance only likely to expand, the Canadian government needs to ask if it’s being responsible with the humanitarian aid it sponsors, or if it’s exposing war and disaster victims who accept that aid to unmitigated surveillance.

The challenges

Humanitarian organizations and UN agencies obviously don’t want to enable war crimes and the perverse use of their data for clandestine military purposes. Yet, without wider adoption of more impervious data collection and storage technologies, and the development of technical standards for best practice in personal data protection in humanitarian settings, this is exactly what they will do. But a bigger problem than having the right tools and established standards may just be getting the humanitarian workers collecting and handling sensitive data to follow basic data protection policies.

In fact, poor adherence to data handling standards may be a widespread problem even within UN agencies. A recent UN World Food Programme (WFP) internal audit of beneficiary data management practice produced damning revelations. Auditors found that excessively detailed personal information, including the religion of the aid recipient, was being collected without reason, and that aid recipients didn’t give informed consent to the use of their personal data. In addition to these breaches of organization policy, it was also found that personal data was routinely copied without encryption or password protection. The WFP received the largest portion of Canadian humanitarian funding in 2018, more than 22 percent of the government’s total humanitarian spending.

My own informal surveying of data handling habits among fellow humanitarian workers and the reports of other humanitarians found that similar practices as those of the staff of WFP are common. What’s more, many store sensitive beneficiary data with cloud storage service providers in the United States; companies that are of course subject to Patriot Act information disclosure requests from American intelligence agencies. The inadvertent generation of metadata by humanitarian communications and interactions with beneficiaries and its potential misuse is also something many humanitarians are likely oblivious to. Technology options are varied, and encryption is not the default. Average humanitarian workers struggle without the data protection and Information and Communications Technology (ICT) security literacy needed to navigate modern tools and risks.

The uncertain future

Despite the weak application of policies and the scarcity of technical guidance, humanitarian actors are charging forward into the unknown. The WFP, UNHCR and others are experimenting with the use of biometric (iris, face or fingerprint) scans for identity verification in humanitarian assistance, while the NGOs they work with are encouraged to do the same. The increasing availability of new technologies only adds momentum to the drive to collect more and more data. (Oxfam recently completed a consultation on its potential use of biometric data following a three-year, self-imposed moratorium on the practice. It concluded biometric data collection is still too risky to use in humanitarian settings.)

The EU’s GDPR offers the most rigorous privacy protection anywhere in the world and has caught the attention of humanitarian organizations headquartered in Europe. But the protections to personal data offered under the law only apply in Europe or to European citizens’ personal data outside Europe. And so, as the regulatory effects of the new GDPR become more pronounced in 2019, the immediate effect on humanitarian personal data will likely be making sure it is kept off European servers, balkanizing the data protection rights between people of the wealthy West and the developing South.

Humanitarian industry leaders are by no means oblivious to the new imperatives of personal data protection for the vulnerable persons they work with. The International Committee of the Red Cross recently launched a Handbook on Data Protection in Humanitarian Action, and in 2016, the UN’s OCHA quietly proposed an initial framework of minimum standards for handling data responsibly, urging others to develop something comprehensive for the whole industry. The Sphere Project, an entity which sets the widely adopted minimum standards for humanitarian practice, introduced in November 2018 a basic but critical new guideline on personal data protection, stating simply that organizations should have robust policies to ensure data is protected. Perhaps, with the right endorsement and adaptation for operation, the Harvard Humanitarian Initiative’s Signal Code and USAID’s Principles for Digital Development, which together offer both the human rights backstop for humanitarian data protection and the most robust operational guidance for personal data protection in humanitarian settings to date, can be used for organizations to establish a set of technical standards and finally put some agreeable common principles into practice.

As both the WFP audit and the recent North Korean refugee data breach made clear, having a good policy isn’t enough to keep your data safe. Frontline staff need data protection and data privacy rights training. They also need better ICT security guidance and private sector partnerships for software tools that can be used to better assure the protection of the data of the vulnerable persons they work with.

Additionally, humanitarians need wide agreement on a minimum technical standard for data privacy and security and common principles, so that the myriad of humanitarian NGOs around the world can urge and shame each other into offering minimum guarantees on beneficiary protection and rights.

The Canadian government is expected to produce a national data strategy in the near future. Whether or not it offers similar data privacy protection for those who receive Canadian humanitarian assistance as it will offer for Canadians will test if Canada can do better than the EU’s GDPR.

On the heels of much discussion about humanitarian data privacy at various global fora and a whole six years after the Snowden revelations, we are still without concerted action on humanitarian and refugee data privacy protection.

While there are signs that some leading organizations are mobilizing towards adaptation, 2019 will likely be another year of uninhibited surveillance of humanitarian actors and conflict affected persons, with more breaches and excessive collection of sensitive personal data that we may never hear of. As conflicts continue, and new ones emerge, humanitarians may unknowingly give advantages to conflict actors and enable the lethal targeting or post-conflict persecution of persons who offered up their data in hopes of receiving humanitarian assistance.