Humanitarianism in the Age of Cyber-warfare: Towards the Principled and Secure Use of Information in Humanitarian Emergencies
OCHA POLICY AND STUDIES SERIES
October 2014 | 011 :: 22 pages
KEY MESSAGES: [p.2]
1. New information and communication technologies in humanitarian response create opportunities for improved humanitarian response as well as risks to the privacy and security of affected communities.

2. The current system tends to restrict sharing of relatively harmless data, while not sufficiently protecting information that could be used to identify individuals and communities.

3. The information that humanitarians can collect will be shaped in the future by factors that include:
a) privacy laws and any appropriate exceptions for disasters and crisis.
b) ethical considerations, such as the need for practices that ensure information is used responsibly, particularly when obtaining consent is not practical.
c) the extent to which political or criminal groups target humanitarian operations, as well as the level of government surveillance.

4. To respond to these emerging issues, humanitarian organizations should:
a) prioritize transparency and evidence based humanitarianism and ensure that scarce resources for data security are focused only on truly sensitive information.
b) support ethical innovation, ensuring that projects using new or untested systems are held to a higher standard of oversight, and codes of conduct are regularly updated and enforced.
c) adopt codes of conduct and operational procedures for the ethical and principled use of information, in particular personal data, at the organizational level, and consider adopting universal guidelines for the use of information in humanitarian crisis.
d) invest in risk analysis and information security, including ensuring basic data security training for staff, and where needed, affected communities, and working with experts to better understand, prevent and respond to attacks.
e) promote the idea of a “humanitarian cyberspace” that humanitarian information systems should be off-limits for attacks and advocate that in some cases cyber-attacks on humanitarian actors are violations of international humanitarian law.
f) advocate for the co-creation of legal frameworks with affected communities to protect their data in emergencies.

Part VII: Conclusion and recommendations [p. 18-19]
A more connected, data-driven humanitarian system creates an opportunity to save lives and reduce suffering, even as it raises concerns for privacy and security. On one hand, in a humanitarian crisis, in which any delay can cost lives, privacy concerns and consent may be justifiably ignored in the service of the greater good. At the same time, humanitarian principles demand greater moral accountability and consideration of potential harm. Humanitarians also need to address concerns that technologies are being tested without public debate or ability to opt-out.

The bulk of international assistance goes to long-term, complex crises and conflicts,[45 World Humanitarian Data and Trends 2013, OCHA] often in areas with weak governance and little regard for human rights, and in which sophisticated surveillance by governments and cyber-warfare by armed groups is increasingly the norm. By modelling best practices in the principled use of information and respect for privacy, humanitarian organizations can set a positive example and allay concerns about their neutrality.

Below are some suggested initial steps:
1. Prioritize transparency and Evidence Based Humanitarianism
By increasing the use of open data platforms, information sharing and organizational transparency humanitarian organizations can model best practices and prioritize resources to protecting only the most sensitive information. Organizations should consider joining the International Aid Transparency Initiative, adopting open data standards and supporting initiatives to facilitate information sharing, such as the Humanitarian Data Exchange and the Open Humanitarian Initiative. Organizations should also consider “off-line” and “low tech” ways to share their data, making sure that the very people they collect data from, the affected communities, can perform their right to access data regardless of their literacy rate and technological access.
2. Support ethical innovation
As information technologies continue to develop, humanitarian organizations need to stay ahead of emerging risks to privacy. Projects using new or untested systems or technologies should be held to a higher standard of oversight, such as through ethical review boards, and full
consideration should be given to the concerns of affected people and communities. Codes of conduct and other guidance should be regularly updated to reflect new developments and should have clear systems of monitoring and enforcement.
3. Adopt codes of conduct and procedures for the ethical use of information
All humanitarian organizations should have clear codes of conduct or policies for the responsible use of information, with a focus on the principled use of personal data. Beyond the agency level, humanitarian organizations and stakeholders should consider adopting a consensus set of principles or guidance for responsible use of information in humanitarian crisis. Codes of conduct at all levels should be supported with clear internal procedures and
capacities for managing information, including anonymization, obtaining or waiving informed consent, and privacy impact assessments and other tools to determine what data should be collected.
4. Invest in risk analysis and information security
Humanitarian organizations need to invest in assessing and classifying data to determine what they need to collect and to hold based on potential risks. Organizations need to invest in strengthening their cyber-security, working with experts as needed, including through active
checks for security breaches. All staff should be trained in basic data security practices. Evaluations of threats from cyber-groups in different countries should be factored into the design of programs. Humanitarian organizations should look to other sectors, such as human rights, to see what tools and protocols have already been developed.
5. Advocate for a “humanitarian cyberspace”
Organizations should investigate ways to engage with online communities and other groups to promote the idea of a “humanitarian cyberspace” and to encourage recognition of humanitarian principles. Humanitarian organizations should advocate that cyber-attacks on humanitarian actors and information systems, as well as civilians, be considered violations of international humanitarian law where appropriate.
6. Advocate for legal frameworks for sharing data in emergencies
Humanitarian organizations should advocate for clear legal frameworks at both the national or international level to govern when and how information from affected populations is shared. Humanitarians should also consider partnering with private sector companies and industry
associations, particularly in the telecommunications, internet and social media areas, to develop clear terms of use and agreements for when and how data is released in a crisis.