How safe is humanitarian data? Just ask the frontline aid workers who collect it.
The cyber-attack on the International Committee of the Red Cross, discovered in January, was the latest high-profile breach to connect the dots between humanitarian data risks and real-world harms. Personal information belonging to more than 515,000 people was exposed in what the ICRC said was a “highly sophisticated” hack using tools employed mainly by states or state-backed groups.
“The biggest frontier in the humanitarian sector is the weaponisation of humanitarian data,” said Olivia Williams, a former aid worker who now specialises in information security at Apache iX, a UK-based defence consultancy.
She recently completed research – including surveys and interviews with more than 180 aid workers from 28 countries – examining how data is handled, and what agencies and frontline staff say they do to protect it.
Sensitive data is often collected on personal devices, sent over hotel WiFi, scrawled on scraps of paper then photographed and sent to headquarters via WhatsApp, or simply emailed and widely shared with partner organisations, aid workers told her.
The organisational security and privacy policies meant to guide how data is stored and protected? Impractical, irrelevant, and often ignored, Williams said.
Some frontline staff are taking information security into their own hands, devising their own systems of coding, filing, and securing data. One respondent kept paper files locked in their bedroom.
“The biggest frontier in the humanitarian sector is the weaponisation of humanitarian data.”
Aid workers from dozens of major UN agencies, NGOs, Red Cross organisations, and civil society groups took part in the survey.
Williams’ findings echo her own misgivings about data security in her previous deployments to crisis zones from northern Iraq to Nepal and the Philippines. Aid workers are increasingly alarmed about how data is handled, she said, while their employers are largely “oblivious” to what actually happens on the ground.
Williams spoke to The New Humanitarian about the unspoken power imbalance in data collection, why there’s so much data, and what aid workers can do to better protect it.
The interview has been edited for length and clarity.
The New Humanitarian: You were deployed in humanitarian responses. What did you see that sparked your interest in data security?
Olivia Williams: I would quite often be embedded with teams doing vulnerability assessments, gathering beneficiary information – personal data. The information was gathered in notebooks; they were on bits of paper that were subsequently stuck in somebody’s back pockets or rucksack. Sometimes they were on laptops. Sometimes I was taking videos or doing audio recordings.
It really dawned on me that we’ve got all of this currency in our hands, if we chose to use it with ill intent. That really started to perturb me. Where are all the questions and the conversations amongst the humanitarian community around protecting this data? It really was worrying we weren’t having these conversations. We weren’t being trained to think about data handling and about how to secure information.
The New Humanitarian: How would you characterise what aid workers told you?
Williams: It’s like the wild west. And if people assume that because there is a policy, that that policy is best practice and practicable and actionable in the field, then they have no idea.
Whether it’s privacy policies or data security policies, I’d say 95 percent of the policies I’ve looked at absolutely don’t translate to the field.
And that’s corroborated by the conversations and the surveys with aid workers themselves who say: “Policies are nice to have, but they don’t help us to do our job. And in many cases, they hinder us from doing our jobs, if we stuck to the letter of them. And therefore we find ways to work around them.”
What steps do you take to keep beneficiary data safe? What problems do you see? What works well? What changes are needed? You can use this secure form to send us your thoughts. We may use this information in future coverage, but we’ll keep responses anonymous.
The New Humanitarian: Why is there such a wide gulf between these data policies, and what actually happens on the ground?
Williams: One of the things that I always try to tell people is: You have experts around you all the time: people who are on the front line are absolute experts in data handling – the good, the bad, and the ugly of it. They can give you countless examples, in case study form, how parts of policies might work and others really don’t.
But that conversation between those frontline experts and HQ and organisations generally, those conversations are not being had. Many of the aid workers I spoke to said, “It’s really refreshing to be asked for our opinion, because we’re never asked.”
Even in debriefs, it’s all about how do you feel the deployment was successful, how much aid were you able to distribute, and have you brought back photos we can use on our social media channels. It’s all those kinds of things, which is great, but where are the conversations about: Do you feel that any of the information you gathered was more than necessary? Do you feel that we need to be focusing on data minimisation? Did you sense any hostility or any concern from beneficiaries when you were asking for such personal information, or how did you capture that information? Nothing along those lines is being discussed.
The New Humanitarian: In Bangladesh, Rohingya refugees were asked for biometric data and other information when they registered for “smart cards”, which they needed to receive aid. Some of this data was later shared with the government of the country they fled, Myanmar, and a Human Rights Watch investigation showed that many Rohingya likely did not consent to this. Can there be proper consent to share personal information in humanitarian responses? It seems like there’s a clear power imbalance between the people who collect data and the people who give it.
Williams: There’s inevitably a massive difference in power dynamics between organisations and aid workers, and beneficiaries.
A lot of organisations say, “It’s OK, we’ve got the policy. It’s OK, our people have done the training. We understand about GDPR.”
… But the conversation that isn’t being had is: Can beneficiaries give consent, really, when the alternative is that they don’t get the aid that they need? That power dynamic is a really, really off and nasty part of the humanitarian sector. In one way it would be difficult to manage. But we’re also not talking about it.
Can consent be obtained when it’s at the expense of receiving life-saving humanitarian assistance? In many parts of the world, privacy is trumped by need. We think, in the west, that everyone has access to that kind of vehicle and that right to be forgotten. But they don’t. Most people don’t have that. So consent, in most contexts in the humanitarian sector, is not worth the paper it’s written on – quite literally.
The New Humanitarian: There were huge concerns about data security after the Taliban seized power in Afghanistan last year. Aid workers had to sift through the data their organisations collected over the years, and I think many were surprised by the sheer volume. Why is there so much data out there?
Williams: Donors, in many cases, require high volumes of data, so that they can feel their funding has been satisfied. They can go to government meetings and say, ”Look at the beneficiaries we’ve helped. Look at the numbers.” So there’s a numbers game there.
I think if policymakers and organisations were put on the spot, in many cases they wouldn’t be able to justify why they are asking for the name and address and telephone number of that adult’s siblings, or that adult’s mother, or all of the names of the children they have.
If you’re talking about shelter, for example, all you need to know is how many adults are there, and how many children. You don’t need to know all the children’s names, all the children’s ages, whether they are the biological father of those children. There’s a lot that doesn’t need to be obtained.
The New Humanitarian: What surprised you about what aid workers told you?
Williams: I asked aid workers about their confidence in using technology, and a lot of them were not confident.
Given that the humanitarian sector is constantly evolving with technology, and more and more using tablets and electronic interfaces to collect information, the lack of confidence is rising.
Learning the basics
Worried about cyber-security but unsure what to do? Williams says the first step is to educate yourself. Free online courses are widely available; she recommends the intro to cyber-security course offered by The Open University as a starter. Other free or low-cost providers are listed here.
More people have less confidence with the greater development of technology. They’re not keeping up.
Humanitarian organisations, those that can afford it, want to buy the latest and greatest and think that’s going to help them visualise their data, and it’s going to help them be faster at doing vulnerability assessments and analysing the data and sharing the data.
It does do those things, but it also means there’s an even wider gap and disconnect between technology and those who are expected to use it on the ground.
The New Humanitarian: What do you think needs to happen as far as donors are concerned?
Williams: Funders want to be able to have the numbers and have the visual of how is the money being used, how are people being helped.
If they say to you, “We might be able to throw some money to you to better secure information and make those walls stronger, but what will we be able to show for it?”
And the answer is: What success looks like in that context is that nothing happens. And that’s a very difficult pill to swallow for organisations that are so wedded to being able to show impact.
So I think we need to shift the paradigm slightly around what we think success looks like, and bring our thinking up to speed with the realities of the modern day, which is that the biggest frontier in the humanitarian sector is the weaponisation of humanitarian data. So unless you’re up to speed with that, then you’re already on the backfoot. You’re already behind.
So I think funders need to play a really large part. It’s not just funding things because they have been asked to. But reversing that and saying, “We will only fund you if we can have these conversations from the beginning about how you’re securing your data. So I want to see your data management plan. You don’t have one? That’s fine. But we want to work with you to build one.
“We need to have open and candid conversations about what data you collect, who collects it, how big is your staff turnover – might one person be collecting one week and another one the other week? Have they both been trained to the same degree? Who are you partnering with, and how are they protecting your data?”
The New Humanitarian: What about individual aid workers – the kind of people who answered your survey and flagged these problems in the first place? What steps can they take?
Williams: There’s always something we can do as individuals. A litmus test for any organisation you work for is asking them what their provision is for data security.
I think the more we can be seen to be asking, arguably, what is quite a difficult question, shows that you care about the end user, you care about the beneficiary, you understand some of the landscape around data protection and data security. And also it puts a little bit of pressure on the organisation to think about it more deeply.
Don’t be afraid to ask the questions. One of the things that really came through very keenly from aid workers is that they’re afraid within their own organisations to be seen to be stepping out of place – to be raising their head above the parapet and calling organisations out on this stuff. They don’t want to be seen as the trouble-maker; they’ve worked so hard to get their position in the first place.
I think organisations themselves need to be saying, “Hey, we want to know what you think.”