Information management saves lives
Today’s blog post is written by Mathias Antonsson. Mathias has been working with ICT through Communications and Project Management for both the United Nations and Sida for almost five years. He started the @UN Twitter account, is a PRINCE 2 practitioner and has won a UN 21 Award which is awarded personally by the Secretary-General “to recognize the outstanding work of colleagues who advanced projects with great impact and innovative potential”. Connect with him on Twitter where he is known as @Plurrify.
Before I started working with ICT4D in Nairobi for Sida I worked at the United Nations headquarters in New York. There I co-founded and managed the UN Twitter account and first came into contact with the issue of internet security, as it was often brought up by our followers. Most often it was discussed in the context of human rights and user anonymity. I worked through many hot topics such as the Haiti earthquake, the Bangkok protests, the ICC arrest warrant for Sudan President Omar Hassan al-Bashir for war crimes and crimes against humanity, the Gaza flotilla raid and many others. In addition I covered the protests that followed the Iranian election in 2009.
The Iranian government first shut down internet access completely, then limited the bandwidth and filtered access to certain sites such as Facebook, YouTube and the BBC. In order to access the internet, Iranian citizens started sharing details of open web proxy servers with each other over Twitter; however, these were soon shut down too. Concern was expressed that the anonymity of these Iranian activists would be compromised and that they would be prosecuted.
Two weeks into the protests the voices had largely been silenced and replaced by a pro-government online presence. Knowing what reports to trust became more or less impossible. At the time the Iranian government’s methods for quelling the debate received much criticism, but since then we have seen similar developments take place during the Arab Spring.
This post will, however, not be about the big politics, but about the potential risks of ignoring security aspects when developing or using data services. I work in Kenya, a country that is currently experiencing a boom of neat new ICT services, most of them mobile and SMS-based. With an increasing number of users transmitting sensitive data, the question of data quality and integrity is more important than ever. Yet many of these new services are developed on almost no budget, so the extra cost of developing security features quite often does not receive the attention it deserves.
Why is it important? These databases can for example contain an individual’s HIV status, children’s school results, sensitive income or debt information and in some cases people’s sexual orientation. If this data, or similar personal details, are associated with names and addresses the outcome of a security breach can be devastating. It could even lead to prosecution. Security therefore means ensuring privacy, authenticity and anonymity.
Information management, as this field is called, is not only a challenge for these exciting new tech start-ups, but also relevant for NGOs. By delivering humanitarian assistance and sometimes operating in insecure environments, NGOs collect, store and communicate sensitive information for citizens, clients, staff, partners and other stakeholders. This makes the data worth protecting. Yet at the same time it needs to be accessed by the right people in a timely manner. So what can one do?
You need to consider what data you collect, its sensitivity, and then balance the cost in relation to potential risks. Who do you share your data with? How? Who would benefit from wrongful access? What are the consequences of the data being made public?
You should also consider and continually review what data you require, never collecting more than needed. The individuals you collect data from should be informed of how it will be used, stored and communicated. The data must also be stored securely, with access to it limited. Staff must be trained on their responsibilities. Finally, once the data is no longer needed it should be deleted.
The guidelines above are easy to list, but harder to adhere to. They have to be delivered in a context where the developers might lack the proper skills or knowledge, in an environment where funding to even deliver the service itself is tight, or even in a situation where the decision-maker might not understand the importance of security. In addition, data breaches will always happen. Then there’s the factor of human error.
Nevertheless, if sensitive data leaks, the risk to individuals (and to the NGO or tech company) can be grave. Hence it is an area that, despite its seeming mundaneness, has to play an integral role in the planning and funding of tech-based services.