When you’re pulling people from rubble after missile strikes, or tending to injuries in a tent, or worrying about getting the next truck with medical and food supplies past military check points in a war zone, the latest transformations from technology and digitalization might seem distant – but not for long.
In a few short years, Uber has completely transformed the way we get around cities. Long-established taxi companies suddenly found that, when people could see user ratings of individual drivers, their company brand was no longer a selling point. Their infrastructure – offices, telephone systems – become unnecessary overheads when all you need is an app. For taxi users, Uber has mostly been welcome, bringing a drop in prices; for taxi companies, it has been a disaster.
Some industries had been grappling with technological disruption for years before Uber disrupted taxis: think, for example, of the music industry and Napster. Others are only now beginning the process: it remains unclear, for example, how fundamentally block chain and distributed ledger technologies might upend the financial industry. No industry – no part of life – is immune to being disrupted by technology. And that includes conflict and humanitarian relief.
In many industries, the talk is of ‘self-disruption’ – established players are trying to anticipate how technology may be about to change the landscape, identify the risks and opportunities, and get ahead of the process rather than waiting to be surprised. Established humanitarian agencies likewise need to ask: how might technology reshape humanitarian relief in the coming years, and what should we be doing to prepare?
The rise of the ‘connected beneficiary’
Some sudden catastrophe means you must flee your home, right now. You might or might not ever come back. You have a few moments to grab whatever you can carry. What will you take? It’s a fair bet that near the top of the list is your smartphone. Of course you’d want it with you: to find out where you’re loved ones are; to keep up with news and rumours; to access information and assets, if you have any; to plan where you might go next.
True, not everyone has a smartphone yet – but many do, including seven in ten Syrian youths. When refugees reach a place of relative safety, some of their first questions are “Where can I charge my phone?” and “Is there Wi-Fi?” Increasingly, in the future, beneficiaries will be connected – and that opens up tremendous opportunities to help them more effectively. It will become easier, for example, to collect and analyze data about where refugees are going – and to get good information to them about their options in fast-changing situations.
We may see the rise of online direct-giving platforms, where refugees can prove their identity and describe their current needs, and individual donors can electronically transfer money to them. We may see widespread use of drones to drop aid supplies. Such innovations could start to make the traditional methods of delivering humanitarian aid – large organizations with a sense of pride in always having workers on the ground, physically proximate to beneficiaries – look as anachronistic to donors as old-style taxi companies in the age of Uber.
Beneficiaries need the best of both worlds: for more nimble and efficient ways of meeting their needs to be embraced by agencies with a history that inspires trust. For those agencies, that implies a willingness to self-disrupt in partnership with willing innovators – to constantly question the value of their ways of working, and think hard about the potential opportunities presented by technology to connect people, things, processes and data in new ways. But in seeking to harness the immense opportunities of technology to improve humanitarian aid, they also need to be conscious of some very real risks.
Cyber security and data privacy
There are obvious benefits in, for example, a doctor from one organization being able to use a beneficiary’s digital identity to call up details of medical treatment they previously received at a clinic run by a different organization. But associating data with digital identities inevitably creates issues of privacy and security. And while the consequences of data breaches in peaceful, developed societies are likely to be limited to inconvenience, loss of privacy or financial risks – recovering stolen money, say, or getting one’s name off a credit blacklist – for refugees, they could more easily become matters of life and death.
Consider these different but intertwined scenarios:
- Sudden political change sweeps your country. A group you’ve belonged to for years is now persecuted. You manage to flee, but now unknown entities have access to data from various apps you’ve had on your phone or platforms you have accessed and used, which show where you have been and with whom over the past few years. This enables them to identify your family members and networks, and target you and them with threatening messages.
- You arrive at a refugee camp, hungry and desperate. To access food and basic necessities, you have to agree to provide biometric data – iris and fingerprint scans. Several years hence, you are living in a country which passes a new law asserting jurisdiction over data stored in the cloud by the organization that helped you. By taking your fingerprint, the security services can now find out not only your ethnicity or immigration status but your movements, consumer patterns and financial situation. In some instances the pressure is happening real-time, as data is collected. The fact that ‘humanitarian data’ is picked up and used for purposes other than humanitarian, such as counter-terrorism or migration flow management (while understandable and important from one point of view), puts the individuals at risk of adverse, albeit potentially legitimate, consequences (such as arrest, denial of entry, etc.). As a consequence it means that these people will not be able to access essential humanitarian assistance. The humanitarian organization, which collected the data for a humanitarian purpose will be effectively participating, by the use of that data for purposes other than humanitarian (whether willingly or not). This could then severely compromise the ability of the humanitarian organization to continue to carry out its humanitarian activities.
- You are a humanitarian relief worker. You are taken to visit a person in need of humanitarian assistance or protection. Unknown to you, your phone has been hacked, or the metadata generated by your phone is aggregated, allowing its location to be surveilled, your social media activity followed and telecom metadata analyzed. The next day, the house you visited is destroyed in a drone strike or the people you met with detained. Suddenly your organization is viewed locally with anger and suspicion, and and perception of neutrality of humanitarian action is compromised.
Despite the gravity of potential risks of data breaches, data hygiene tends not to be a high priority for humanitarian workers in the heat of a crisis situation – understandably so, when time is of the essence and workers from different agencies need to be able to collaborate quickly on the basis of trust. Meanwhile, many beneficiaries have only recently come online and have not yet developed a mature appreciation of the risks that come with connectivity. Others are simply having a hard time to adapt to a new reality where connectivity also carries greater risks.
But surprisingly few efforts have been made to understand the specific needs for information security risk management in humanitarian contexts. In spite of work done by, for example, the UN in late 2013 and 2014 (PDFs), little tangible progress has been made. Part of the problem is that donors, seeking efficiency, do not put pressure on agencies to invest in stronger cyber policies or data protection regimes. Another part of the problem is that agencies, like any business with a reputation to protect, have the incentive not to admit when they have been hacked.
In considering how to seize the opportunities of technological self-disruption, humanitarian agencies need to pay more heed to the potentially devastating impact of being publicly implicated in a data breach that endangers the lives of beneficiaries (and staff). There needs to be more proactive discussion on global standards for collecting, sharing and storing data in times of crisis – and a zero-tolerance for attempts to penetrate these organizations to gain insights into people at their most vulnerable. Some examples of situations where these risks have materialized are reported in the 2013 report by Privacy International Aiding Surveillance. The International Conference of Privacy and Data Protection Commissioners recognized these risks in its 2015 and 2016 resolutions on Privacy and International Humanitarian Action, in which it noted, inter alia, that:
Humanitarian organizations not benefiting from Privileges and Immunities may come under pressure to provide data collected for humanitarian purposes to authorities wishing to use such data for other purposes (for example control of migration flows and the fight against terrorism). The risk of misuse of data may have a serious impact on data protection rights of displaced persons and can be a detriment to their safety, as well as to humanitarian action more generally.
Misinformation and the changing nature of war
Technological change brings another under-appreciated risk for humanitarian agencies: becoming the victim of concerned misinformation campaigns using new and social media platforms. Among the ways in which technology is transforming the conduct of conflict is opening up new possibilities to battle for the control of the narrative, by using third party commercial agents and ‘chatbots’ to disseminate propaganda in ways that appear organic.
This risk intersects with the risk of data privacy breaches. Imagine an online platform established by a humanitarian agency to crowd-source data from citizens about what is happening in real-time during a conflict, to provide information about evolving humanitarian needs and collect evidence to document abuses. Now imagine such a platform being hacked or spoofed to create a false picture about who is attacking whom. A successful hack could rapidly reshape perceptions and change the course of conflict.
The recent targeting of humanitarian efforts in physical attacks, from medical convoys to facilities or individuals, indicates that norms are shifting, and agencies’ reputation for neutrality is no longer guaranteed to offer protection. It will be increasingly desirable to attack an agency’s reputation directly, if a party to a conflict perceives it to be in their interest to spread misinformation about the mandate, impact and purpose of its operations or the intentions of its staff. The consequences could be devastating, with a high cost of reestablishing staff security and organizational reputation, and ultimately of the beneficiaries for whom the action of such organizations is essential.
Currently, little thought is going into game-planning such scenarios and thinking through possible responses or mitigation strategies. The same is true for other questions raised by how technology is reshaping the conduct of both war and humanitarian relief. Imagine, for example, a party to a conflict perceiving a strategic advantage in taking down the physical infrastructure that underpins an enemy’s connectivity – fibreoptic cables or GPS satellites; if communications go down over a wide area for a long time, what challenges would it create for delivering humanitarian relief, particularly once humanitarian organizations start to rely heavily on digital connectivity and disinvest in physical, frugal, operational capability? There are no easy answers to this question, or the many others raised by thinking about how technology will disrupt the conduct of war and humanitarian relief. How best to meet refugees’ data protection needs, even when refugees themselves may not be aware of them? What opportunities may exist to serve connected beneficiaries more efficiently?
Humanitarian agencies are starting to address these questions, but slowly; the question is whether they can adapt and accept the change in mindset needed to mitigate risks and build on the potential offered by the exponential growth rate and convergence of new technologies and digital transformation for a forward-looking humanitarian response.
Note: The ICRC has adopted a Personal Data Protection Framework to safeguard the personal data of individuals, particularly in testing conditions, such as armed conflicts and other humanitarian emergencies.