I was invited to speak to a panel in the Internet Governance Forum on the 27th – 30th of September by AccessNow, on Privacy and security in an open/realtime/linked data world.
The goal of this workshop was to discuss open, realtime, and linked data generated, gathered, and organized online, which are proving vital to understanding local communities and the world we live in, ensuring more informed decisions are made at all levels of society. While online data is proving immensely useful, the dramatically increasing trend towards moving data online — whether knowingly, carelessly, or without consent — has led to unprecedented challenges to user privacy and security. At this juncture, Internet Governance is needed to clarify and codify the rights and responsibilities of various actors as regards online data.
The workshop featured short presentations from representatives of civil society, government, academia, and corporations, to facilitate discussion about these issues amongst the panelists, the audience, and international remote participants, including members of Access’ network (now in 184 countries).
Topics for discussion included:
• How open/realtime/linked online data can aid development
• The use of crowd-sourced, geolocation, and mobile data
• Existing and emerging privacy and security threats of and to online data and ways to mitigate these risks
• How various stakeholders can assist the public in protecting their data and rights online
• Maintaining the balance between privacy, security, inclusivity, transparency, and accountability in legislation, regulation, and terms of service.
I was invited to speak as Innovation Media Advisor for the Africa Region for Internews Network on the use of real time data and the risks associated with that. In my talk I decided to use as an example the project we are funding in Ghana, which is implemented by EPAWA – Enslavement Prevention Alliance for West Africa in collaboration with Survivors Connect. Both organizations work on human trafficking, and while EPAWA is a 4-year-old organization working in Ghana with civil society, governmental organizations and agencies, and media, Survivors Connect has been working on this in Nepal and Haiti before, and it works as the technical implementer for the project.
The pilot project is in fact a sort of experiment in the use of mobile technology to support the creation of a local network of local monitors, civil society groups and governmental agencies to track the movements of children and women from the rural areas to the capital, and cases of domestic violence inside the communities themselves. The network will exchange real time information via mobile technology and with the support of a password-protected Ushahidi platform.
I think this is a good example of the use of real time data, but it also highlights some of the main issues I think can come up in other projects. This is the reason why I used this project as an example.
The following are my main points of conversation at the workshop.
TECH IS NOT THE SOLUTION TO EVERYTHING – ESPECIALLY TO SECURITY
My point here is that when working with real time data related to sensitive issues, like for example human trafficking, the main key factor in securing data does not lie in the technical security measures, be it encryption or other means, but it lies in the social network, and I am not referring to social online networks, but to social – real people – networks. I have noticed many times in my work that the safety of the information exchanged in any network does rely heavily on the ability to create trusted networks on the ground that are able to secure information because of their deep knowledge of risks, dangers and sources of potential security threats. Those social networks are the ones that can still work when the technology is not there and are the true base of a secure system.
YOU CAN BUILD THE BEST TECHNICAL SYSTEM WHEN YOU START BY THINKING WHAT WILL HAPPEN WHEN TECHNOLOGY IS NOT THERE
Apart from the issue of security, what I think is extremely important, especially if you work in Africa, is to be able to design information systems that always have a PLAN B. If your system does not have any way to work without electricity, or without internet, or without a phone, then you are building something that most likely is extremely vulnerable and that can be blocked by something as simple as a storm. Technology is always supposed to make things easier and faster, but if technology is the only criterion for the functioning of your system, then it is a limit and not a facilitator.
EDUCATION TO SECURITY MEASURES, THREATS AND VULNERABILITIES IS KEY
Another interesting thing that I noticed when I was working in highly unsafe environments like Sudan and Egypt (under the Mubarak regime) is that a lot of people underestimate or do not know at all the risks and the vulnerabilities of their real time information systems. Especially in those two cases, where I was working directly with activists, who were well aware of the potential risks of someone hacking or tracing their information, the level of awareness of the actual vulnerabilities of their systems was very low. If we go to less specialized groups and especially into the world of small NGOs, the ignorance of the issue is even bigger. In this regard I have to say that 2 factors are the underlying causes of this situation:
1) Language. Cyber-security information is still written and explained in a way that is too complicated and technical for a normal audience. If a small NGO, that does not necessarily have a cyber-security expert in its team, wants to find out information about how to protect their data, how to secure their servers and their emails and so on, most of the time it gets stopped by the complication and difficulties in understanding a language that it is not familiar with and instructions that will require too much expertise to be followed. (A very well done “Practical Guide to Protecting Your Identity and Security Online” edited by Access Now is available here.)
2) Awareness. Too often software companies are not explaining in an open way what the vulnerabilities of their systems are, and too often technical equipment is sold without people having a real understanding of how this equipment really works. We are seeing this with mobile phones: the majority of “normal people”, meaning not experts or part of the cyber-security world, do not know that their mobile phone is always traceable, do not know that their SIM card is traceable, do not know what an IP address is and what information it carries and so on. The same thing is to be said about people using software without fully understanding what its vulnerabilities are.
WHERE DOES PRIVACY END AND OPEN DATA START?
One of the main challenges that I found when working with real time information systems is finding the limit between Open Data and privacy and security. Let’s take again our Ghana project. The system built will be exchanging information related to children and women, to trafficking, abuses, and violence. For obvious reasons, a lot of the information exchanged cannot be public and needs to be handled in a very careful way. On the other side, if available publicly this information can be extremely useful and can lead to more preparedness and awareness of the problems faced by the communities on the ground, if not to more prompt response in urgent issues. Of course, there are ways by which this information can be filtered and made available, but even in this case, the more you “open”, the more you are increasing the possible risks and vulnerabilities of your system. This tension is always there when dealing with open data and real time information systems, and it needs to be carefully dealt with on a case-by-case level.