Crisis Mapping and Cybersecurity – Part III: security is knowledge

In the discussion we had at ICCM on crisis mapping security, we discussed the scenarios in which the issue of security can arise for a crisis mapping project.

According to me there are 4:

  1. The case of a repressive regime, where the people managing the project are either activists or related to activists
  2. The case of a repressive regime where the people managing the project are not activists or are so-called “improvised activists”
  3. The case of a humanitarian emergency where there are security concerns related to either the presence of militias or a repressive regime
  4. The case of a humanitarian emergency in general, where security is very much linked to the delivery of humanitarian aid and the do not harm principle (which indeed should inform also all the other cases).

Case 1 – repressive regime and activism

This was the example I talked about in my previous blog post. In this case the security issues that arise are very much not linked to the protection of the people managing the project, since they normally know the risks and are willing to take them. As much as we are sure they are informed about all the possibilities, it is ultimately their call to decide what to do and how. There is indeed a very important issue to be faced here: when the activists involve other people in the project, what is the knowledge that is shared with those others about the possible risks? The example that can be made here is Tahrir Square: the Egyptians that organized the first demonstrations were activists, a lot of them with a history of arrests, torture and so on. But after a while a lot of “common citizens” joined the demonstrations: what was their knowledge of the risks? How much of an informed decision was the one they took?

All in all I think that there are 2 important things to keep in mind when approaching a case like this one:

  1. Activists normally make informed decisions and know the risks much better than we do. We have no right to decide for them if something is worth it or not. I come from a family where my father spent 5 years in jail to fight against a repressive regime; I would never dare to think that he did it because he did not know; indeed he did it because he did know and he decided to accept the risk.
  2. The crowd, if we want to call it that, may be getting into the process not knowing what the risks are. There is no way for us to prevent this apart from spreading as much as possible the knowledge about cybersecurity. And by spreading I mean producing documentation, using simple language, and having software companies and online networks educate and inform people about what it is that they are using and what the vulnerabilities are. Information is here more important than food and water.

Case 2: repressive regime and “improvised activists”

I worked on a case like this some time ago, where the people involved in the project wanted to do a crisis mapping deployment under a very repressive regime and they had 0 or little knowledge of the environment they were acting under. Since we were providing support from abroad, we had to use our knowledge to inform them. All in all the big lesson learned here was that our knowledge of the situation was not enough, and the risk for them was too high. We got under incredible stress, they got very scared and the deployment was closed. The risks that all of us and they ran into were really high and we realized that there was no way for us to understand the situation better since we were not there, and for them to learn in such a short time frame without risking being killed, tortured or worse. In those cases my takeaway is that BEFORE you get the knowledge, and after that you deploy. There is no such thing as learning as you do in those cases, because the risks are too high.

Case 3: repressive regime/militias and humanitarian emergency

This was the case of our deployment in Pakistan and Libya. This is a very complicated situation since we are talking about several actors, with several degrees of risk associated with each factor, and different possible outcomes depending on the actor, the beneficiary and the issue. I still think it is very complicated to draw lessons from those kinds of situations since it really depends on the case. In addition to this, the issue here is very much linked to the concept of open data and privacy and how you provide useful information to both humanitarians and affected communities while making sure that you do not endanger them and respect the do not harm principle.

Those types of deployments are the ones that will have to be extremely carefully evaluated, using local or trusted networks, doing a careful risk assessment for each actor involved and making sure that links and connections with key actors are in place. My 2 cents on those types of deployments are the following:

  1. Treat different actors in different ways: not all information is sensitive or useful for everyone, so create different channels, protect them accordingly and deliver different information to different people
  2. No information does not mean no risks. Not knowing can be as deadly as giving the wrong information to the wrong person, so let’s not panic, but instead find ways to make sure the information flows are built in a way that allows vital information to get to the right people
  3. Do a very careful assessment of what information people on the ground – be they humanitarians, local population or the bad people – have or do not have already, what their information channels are and how they use them. People rely on what they know to gather and get information out, and if you know their channels, you know their possibilities.

Case 4: humanitarian emergency and the do not harm principle

In a recent working group in Geneva, a representative of ICRC gave a very good presentation about the DO NOT HARM principle and how we could apply it to crisis mapping. I think that this is a great starting point – learn from who is mastering it – and I gave a lot of thought to it lately.

In the SBTF for example we have already designed our code of conduct on the basis of the ICRC code of conduct, but the issue here goes more in depth into the actual implementation of the framework when it comes to applying the do not harm principle. In this regard the SBTF has already started a discussion about how to use this better and you will soon see some results of those discussions in our blog. The main important thing here is that the DO NOT HARM principle is and should be always the main thing to keep in mind when doing a crisis mapping deployment, especially if there is communication with disaster affected communities involved.

On the other side I am intrigued by how we can make sure we always act under this framework when lots of times we know we do not know. The real risk here is that, since we do not really know all the actual implications of all the crisis mapping deployments, since this field is still growing and developing, how do we make sure that we balance the DNH principle with the urgency to do something, and with the actual benefit of a crisis mapping deployment? The more I think about it, the more it looks to me like a cat eating its own tail: should we not do anything because the risks to harm are too high, or should we try, knowing that the more we try the more we risk, but also that the more we try the more we learn?

In those kinds of situations there are also the so-called secondary effects to take into account. In fact, while there are risks associated with publishing reports from people on the ground for example, or in making certain information publicly available, there are also other risks that may be associated with those factors that we do not take into consideration. One example may be the fact that, if the crisis mapping deployment is available online, a repressive regime may be tempted to block the Internet, in this case also endangering a lot of other situations/humanitarian operations that need the Internet to work effectively. Another example can also be that, if the crisis mapping deployment is collecting information via SMS or social networks, the groups in the population that do not have access to those means may be cut out of the system, and their problems or needs may be completely missed or underestimated because they are not able to express them via those means. Secondary effects can be multiple and various, and it is extremely difficult to understand when and where they are taking place and what to do to avoid them.

In conclusion: I am sorry if readers did not find very good answers in this blog post. The intention is indeed not to give answers but to continue talking about the issue, hoping that a constructive debate could lead to some interesting discussions on real solutions. As a final point, I would like to highlight that there is no advantage in the endless battle between Muggles and Crowdsourcers on the security issue if this battle is only framed as a black and white battle.

The issue of security is there and will always be. Practice and constructive debate on the practical implementation of cybersecurity measures is according to me the only way to face this debate. We can’t go back, we cannot prevent people from using crisis mapping in repressive regime environments or in humanitarian crises. But we can inform them, we can share lessons learned and make our failures and our knowledge as open as possible. Free open source knowledge about security is the best weapon we have to avoid others, and ourselves, making the same mistakes and endangering others in those situations. I am happy to do that, so if you want to do a crisis mapping deployment in one of those situations, feel free to shoot me an email. I may not have all the answers, but I will be happy to share what I have learned ..for free. :-)


Managing expectations..or hiding responsibilities?

At ICCM 2011 we could not miss the usual conversation about “rising expectations” in the local populations when doing a crisis mapping deployment. I have already said that, but I will repeat it here, since it seems a very difficult concept to understand: rising expectations is not an issue that is proper or specifically linked to Crisis Mapping. Rising expectation is linked to any humanitarian crisis, to any action taken in those cases and not only to humanitarians but to all subjects acting in environments where the local population is treated as a “receiver” rather than an active actor.

Now the real issue is that there is no way not to raise expectations, since I believe that expectations will always be there. What can be done, on the contrary, is to minimize those expectations by providing timely and reliable information and by being entirely honest about the purposes of the actions taken. I will use a practical example for this.

In April of this year I went to do an information needs assessment in Central African Republic. My goal was to go to one of the villages where there are several refugee camps and IDP camps and see what information they did or did not have, to better inform the local radio stations about it. In almost all the interviews that I did, I explained at the beginning that the organization I worked for was not there to deliver any aid, but to gather information and then work with local media. Despite the fact that I was taking some time to explain this, and the fact that I had a translator all the time to make sure that the info was passed on in a very clear way, when I asked questions about what information the local population needed, the answer was always: “I need to go home, I need more food, I need a blanket”. In almost all the interviews I did, it took me almost 20 minutes of listening to all the things that the interviewed person needed before I was able to talk about information needs. My boss explained it very well with another example: he went to do an assessment in Chad and asked the refugees there “What would you like to listen to on the radio if there was one?” and the answer was “that I can come back home”.

So to cut a long story short – I could give you another million examples of how expectations will rise no matter what you do or say.

The point here is simple: since expectations will be there anyway, people need to be as informed as possible to minimize misunderstandings and people doing crisis mapping projects need to be realistic and honest about their actual possibilities. Simple as it is, we need to learn from the past and current mistakes of the humanitarian community, to be honest.

Three things need to happen according to me.

1. One is to spread as much information as possible about how you communicate with disaster affected communities, how you inform them about the actual possibilities of your project in terms of connection with the humanitarians. In Pakistan for example, we asked the local population to report what they were seeing around them, and not their needs, and we also actively sent information out about the fact that we were not in a position to know if the humanitarian community was using our information. Could we have done better? Yes we could, since you can always do better but at least we tried and we were really honest upfront about our goal and our possible outcomes.

My lessons learned in these years as related to this problem are:
- If you want people to send you information make clear what you will do with that info
- If you do not have contact with humanitarians or you are not a humanitarian organization, make that clear too
- Use radios, Internet, leaflets, posters, word of mouth to spread the word as much as possible about the fact that YOU DO NOT HAVE the possibility to respond to the needs identified (if you indeed do not have this possibility)
- Use a language that is not only comprehensible to the local population, but also a phrasing that leaves no doubts, for as much as you can, about the fact that you do not have the possibility to respond.

2. The second thing that needs to happen is that we need to stop thinking that people that before the crisis were doctors, farmers, mothers and fathers, teachers, after a disaster or during an emergency will become suddenly retarded. I am well aware of the psychological consequences of being affected by displacement, war, natural disasters and so on, and I am not minimizing such effects on affected populations. What I am criticizing here is the victimizing stereotype that we attach indiscriminately to all affected communities at all times in favor of the “we need to protect them” approach. Protection and victimization are two very distinct issues, and we should not confuse them or use them as interchangeable.

Too many times the approach of who is calling for the “not rising expectations” seems to ignore the autonomous capacity of affected communities to understand and make decisions when they are well informed about what is going on. More or less the same way that lots of people talking about empowering communities to be resilient ignore local coping mechanisms. I believe effective communication can play a very important role on the expectations issue, but not only that: I believe there is an underlying thought in both the humanitarian community, and the crisis mapping community sometimes, that makes us confuse “protection” with not giving information to affected communities in the name of their inabilities to understand what is going on or to act logically as a consequence.

3. The third issue, and one of the most important according to me, is the one linked to accountability.

Let’s take another example that I really find appropriate here. Say that tomorrow something happens, let’s say in New Orleans. If I am a journalist, then I decide to go there, and ask a lot of questions, do investigations, ask people what is going on and why. Some of those people will think that, since the media are there, and they will be reporting, and since a journalist is going to make this public, someone will respond to it.. like the government for example. Now in this case, the very act of journalists being there, even if people know that the journalists will not respond, is raising expectations, isn’t it?

The problem here is clearly not rising expectations. The problem is that we are talking about accountability of the humanitarian community, or responders in general, with respect to their work and the way humanitarian aid – or political decisions – are implemented. The existence of mechanisms where affected communities are allowed to express their views and their opinions about the way humanitarian relief is provided is scary for the humanitarian community because there are not a lot of existing mechanisms in use to call for accountability in this sector.

In this sense crisis mapping is an uncomfortable and undesired approach most of the time, and this unease is often masqueraded as “need to protect” or “need to manage expectations”. The truth is that there is a need for more accountability systems in the humanitarian world that allow not only for external M&E, but that incorporate the opinion and the vision of affected communities as a fundamental part of the evaluation of the humanitarian work. Taking into consideration all possible variables, from cultural perspective to different roles and duties, and to mandates, the inclusion of the affected communities’ opinion is and can be a winning key point for the humanitarian world. Often in fact, problems and issues arising from the delivery of humanitarian aid are related to the absence or the lack of cooperation from affected communities themselves in the process, or to their inability to understand the mechanisms behind it. A better informed and knowledgeable “client”, if we want to call it this way, means that the work of the humanitarian community itself will be easier and smoother, and that also responsibilities will be clear to everybody.

I am well aware that this is a generalization of the humanitarian community and of the approach to humanitarian aid, since there are efforts going on to involve and incorporate the opinion of the affected communities in the evaluation of the aid system, but still there is a lot to do. As long as affected communities are kept under the umbrella of the “protection” paradigm, and therefore are not fully informed about what is going on around them during an emergency, expectations will be raised, independently of the existence or not of a crisis mapping project. But saying that doing a crisis mapping project and asking people to report what their needs are during an emergency is like having a 911 number with no one answering it, is simply too simplistic a way to approach the issue, one that will always make me suspect that behind this statement there is a deep fear that letting people speak will highlight responsibilities and mistakes of the humanitarian community that otherwise will be kept hidden.


Crisis Mapping and Cybersecurity – Part II: Risk Assessment

This blog expresses only my personal views, and not those of any organization or institution I have worked or currently work for.

I have a background in human rights and humanitarian affairs, and in those fields you do something that I realized was not that common in the ICT world – or maybe it is just under-reported – that is called risk assessment. What does a risk assessment look like?

There are several components to the matrix: there is the risk, the source (sometimes), the likelihood, the mitigation tool/measure and (sometimes) the independent variables. I truly believe that this matrix can help in understanding what are the things that we should focus our attention on and what are the things that we cannot change or we should just ignore. The very key factor in the use of this matrix though does not lie in the matrix, but in who is filling it.

Here are a couple of examples of simple matrices for risk assessments:

This is exactly the same matrix that we used for the U-Shahid project in Egypt and while I was the one that proposed to use it, I didn’t fill it: the people that filled it were the Egyptian activists that had a very deep knowledge of all those factors, due to their experience. If I had filled it, the outcome would have been very different, since my ideas on the possible risks associated with this project were very different.

Here is an example of how we used this matrix.

  1. First step was to identify the source of risks: in the Egyptian case the source was very easy to identify since it was only one, the Egyptian government and its national security. We also identified an additional source of threat that could have been the Muslim Brotherhood, but since they came to our training to learn how to use the system, we decided that they were not going to be a big threat: after all they have been discriminated against several times and they are not allowed to participate in the election, so we realized that they also had an interest in the project.
  2. Second step was to list all the possible risks and to associate them with a degree of likelihood from 1 to 10 and design mitigation systems. We came up with the following matrix:

A. Hardware:

  Get the computers where the FLSMS software was hosted: DL= 8

We set up what I call the FLSMS mobile system. Here mobile stands for “that moves” and not for mobile phones. Basically we realized that the most likely way for those computers to get caught by the national security was for them to be found when they were getting online to send data to the Ushahidi system. For this reason we decided that all the people managing the FLSMS system had to NOT do that from their home, but instead from an Internet point. But since an Internet point can be found over the course of 12 hours (election day) we decided that the team responsible for using this system was going to move from Internet point to Internet point every 1 hour / 1 hour and a half. In addition to this, the messages were sent to the Ushahidi platform all at once each time the person managing the software was moving to another Internet point.

For the second problem, related to the fact that the SIM card could have been identified thanks to the IMEI number, the SIM cards for the system were bought by the organization and all registered under the same name (yes that was a risk that the organization was taking, but they decided that it was better to have the risk on the organization than on individuals).

  Get to the server: DL= 5

The server was hosted abroad and accessed remotely. In addition to that, several copies of the databases were made and distributed to different other servers. The main server had an automatic backup done every hour and it was encrypted.

B. System:

  Block the SMS number (in and out): DL = 9

This was one of the risks we knew we could do less about. We had a public number that we had to advertise since the project was based on crowdsourcing methodology and the number was registered, as it was obligatory in the country. We decided to have 5 other numbers available and already working, that were registered as personal numbers of some of the less known people participating in the project (but swapped between them). Those numbers were divided like this: one was used by the monitors, one by the NGOs involved in the project, one was used by the known network of the people that the organizers knew and that were also reporting (and they were sharing it with their trusted network). The other 2 were backup numbers.

  Block the website: DL= 9

We created several mirror websites, and we bought under several names all the similar domains that we could use to replace the main one.

  Infiltrate the platform: DL= 9

The high likelihood of this variable is due to the fact that we knew that the government was easily able to arrest the organizers and torture them to get the password to the system. For this reason we decided that it was not worth it to try to get any super hardcore security system, also because this could have meant people being killed if they were not able to access the system for the repressive regime’s security people. So we decided that the main thing for us was not to prevent them from accessing the system, but to make sure that if they did they could not destroy the information contained in there or get to the identity of the people working on it. So what we did was to create a system where we could monitor what each recorded person was doing inside the platform and allowed only the editorial board to be able to delete information or change settings.

The only 2 people that had access to the database containing all the details of the SMS coming in, for example, were 1 tech person inside the country and 1 tech person outside. All the backups were handled by the person outside the country and the tech person inside the country had no access to them – this information, the fact that the tech guy was not able to access info from inside the country, was shared broadly on channels that we knew were controlled by the national security.

  Falsify information: DL= 10

We realized that there was little we could do to prevent this. So we decided to ignore this issue by relying on the fact that the numbers would have played in our favor. In fact several attempts to send in false information were made and always detected. In addition to this, we had a very strong verification system that was verifying information one by one and was only flagging as verified information that was supported by several independent known sources, or by multimedia that were undoubtedly showing what was reported. In addition to this we were encouraging people to use the SMS alert system of the Ushahidi platform so that if something was being reported in their area, they could go and verify it.

C. People:

   Arrest all the participants: DL= 5

To try to avoid this possibility we wanted to keep the identity of the people working on the project hidden. Unfortunately this was not possible, since the national security pretended to have the list of all the people working on this project. Since any measure to prevent them from arresting the participants was completely useless, we decided to do 2 things: the first one was that all participants were well aware of the fact that their contact information was in the hands of the NS. The second one was to ask all of them to move as much as possible during the election day, to avoid an easy identification of their location. The third one was to create an arrest protocol (see below).

   Arrest of the activists managing the projects (editorial board): DL= 9

This was the most likely thing to happen, as all the activists had already been arrested before and were all well known by the NS for this project. To them we applied the same arrest protocol. In addition to this we set up an external team, based in another country. In case all the participants were arrested, the entire system could be taken over and managed by a team of people, trained in the previous months, that was unreachable by the national security of the country. In this way, the information could still come in from the country, but the processing was “outsourced” to a foreign team (key for this was the trust already present between the two groups).

   Close the organization managing the project: DL= 5

For this eventuality we had already set up a chain of international organizations (human rights watchdogs) that could at least use their international power to put pressure on the gov’t in case of the closure of the organization. In addition to this, the organization kept constant contact with the national security and responded to all their inquiries about the project, including giving them all the information requested (sometimes written in such a way that it was impossible to understand what we were doing, for example).

   Intimidate the participants to the project: DL= 10

This was something that was already happening during the design phase of the project. To avoid bad things happening, we always made sure that the organizers – especially the less known ones, and so the most vulnerable – were never alone and always in busy areas when outside.

   Intimidate the people sending in information: DL= 7

This eventuality was again something that we could not avoid easily. For this reason, we were making very clear, even in the advertisement of the project, what the possibilities were: how the government could reach out to people and how it could trace them. In addition to this we did training for free for people on how to use social media, mobile and Internet security and how to take videos and pictures with their phones without being caught.

In addition to this we had an arrest protocol in place. The arrest protocol was designed by asking the people that had been arrested before to describe exactly how the arrests happened. The main thing for us was to let everyone else know if someone was arrested, for two reasons: to allow action to be taken immediately, like calling a lawyer, and to allow the rest of the team to take action in order to avoid being arrested or to stop working on the project.

The phases that we identified for the arrests were:

  1. Police arrive.
  2. If person to be arrested in the house possibly ring the bell or open the door directly
  3. If person to be arrested outside simply get the person
  4. In both cases ask/take their mobile phone and computer

On these premises we realized that our chance to get the information out, especially if the person was arrested while alone, so with no witnesses, was to allow them to send an SMS out. The way we did that was really simple: we asked everyone to set up a direct SMS already written in their phone linked to the keyboard (something as simple as setting up a button in the phone that automatically brings you to the message already written). The time necessary to send the SMS out was as short as two clicks on the same button: one to get to the SMS already written, one to send it to 10 predefined numbers. Simple as it is.

This deployment was particular for several reasons. The first one was that we knew that we could not prevent the gov’t from doing certain things, like arresting us, or getting into the system, so instead of trying to prevent them from doing it, we tried to mitigate the effects.

The second one was that the people involved were activists, so people that were taking a certain amount of risk, knowing it, and were ok with that since they were willing to take risks to achieve their goals.

For those 2 reasons our security protocols were focusing more on mitigation measures for the EFFECTS and not on preventing the act from actually happening.

In addition to this, we knew very well that there was no way we could control or mitigate all the risks, so for those ones, we decided to create a system where the act was at least going to be known by others, so as to allow other measures to be taken.


Intelligence, trusted networks and double standards

One of thing that I found very useful when working on information systems in emergency situations, is to create privileged communication channels with the different actors by relying on trusted networks already present in the country or in between the humanitarian community.

For example in the case of Libya, we created 2 platforms that had 2 different types of information and therefore two different goals and targets. The private platform was to mainly inform the humanitarians about the situation on the ground, and had details and sources to make sure they could verify and do an evaluation of the reliability of the source (ultimately this evaluation was left to them, even if we did a preliminary verification of the information collected). The second platform, the public one, was for the general public to know what was going on in the country, and had no sources and no detailed information in it.

This is, I think, a very good example of the creation of different communication channels and different targets. The idea here is to understand the difference and to make decisions based on the risk assessment and the possible outcomes.

Inform the local population... or not?

In the case of the Libya deployment the Crisis Map we created was not supposed to inform the local population. Despite contrary opinions, this decision was consciously made based on a risk assessment: we knew that there was no way for us to know who the people we were talking to were, and we had no link with reliable and verified people on the ground. For this reason we knew that it was going to be impossible for us to know that we were not giving “sensitive” information to the wrong Libyans, and for this reason we decided that it was better not to choose any privileged group at all. I am not going to say this was the best decision we could make, but it was the only one we could make at the time, so I stand by it: any choice would have been completely arbitrary.

In this regard I have to admit, we knew very well that by putting that information online we were indirectly privileging one group (the one that had access to the Internet) over another one (the one that had no Internet access). On the other side, we also knew very well that the bad people did not need our platform to know what was going on on the ground – we were ultimately mapping their actions, so it would have been pretty hilarious if they needed to look at our platform to know what they were doing!!

But despite a common thinking, this was not all about communicating with disaster affected communities! We tried to communicate with Libyans by relying on local media – the ones that started working freely during the war. The problem was that we did not have a way to communicate to them useful information that they did not already know. This was the reason why there were, on the Libya deployment, lists of local media that we thought could be useful to the humanitarian community to use to provide useful information to the local population. Of course they did not use it.

Why did we not get in contact with them directly? Because we did not have enough trusted and verified information to give to them, because the majority of them had more knowledge than us of what was going on, and because that deployment was ultimately managed by OCHA. The issue that a lot of people screaming about communication with disaster affected communities without having any clue about it forget, is that I would never push a group of online volunteers to randomly send blast SMS to people on the ground.

Communicating with disaster affected communities is indeed a very important thing that needs to be done properly and by professionals. In the Haiti case the SMS sent to the local population were designed and created by the Red Cross, not by the volunteers at Tufts. The information given to the refugees escaping from Libya in the refugee camps in Tunisia was taken by Internews from the humanitarians, and not designed by the SBTF volunteers. I would very much stay very far away from anyone that thinks that in the Libya crisis mapping deployment we should have sent out information to the affected communities without relying on the support of organizations that do that as a job. The real problem here is that humanitarians should do that, since communication is part of humanitarian relief, but they often don’t.

Creating intelligence vs being intelligent

There has been a lot of discussion about the fact that having people use social media or the Internet to put information out is one thing, but aggregating, mapping and categorizing that information is another thing. I could not agree more on this, and I also agree that there are several degrees of risk associated with the second that are far higher than with the first one. Since crisis mapping is ultimately about mapping, categorizing and analyzing data, we have to look more in depth at this issue.

Simple as it is, I have to say I am a bit bored of the discussion on the “you are creating intelligence for the bad people” theory: there has been not one case in the past where the bad people did not know in advance everything we were mapping, or even much more than that. I agree there is a risk of giving them some more info, but I also think that we should be a bit more realistic and less sensationalist about this.

In addition to this, I have to say, and forgive me for being a bit of an ass: this all being worried about creating intelligence for the bad people theory is always coming from people that have:

  1. Very little knowledge of crisis mapping or repressive regimes
  2. Almost never taken part in any of the crisis mapping deployments where this was an issue
  3. They kind of strangely disappear when there is a deployment like this, while writing in-depth reports about it after the deployment :-)

To go back to reality, let’s be honest: I have lived and worked under repressive regimes, in war zones and so on. The reason why the majority of intractable conflicts are that way is that there is a high level of intelligence on the ground that, for how much I love crisis mapping, crisis mapping will never have: this whole dream that aggregated tweets will give you a better picture than what you can have when you live, act and know the situation on the ground is the naive “all about technology” bullshit that underlines for me a very little knowledge of what the actual reality is.

This does not mean we should not be extremely careful about creating intelligence, and this was why we did have a private platform for the Libya case. But it does mean that we should be a bit more intelligent and face things realistically instead of living in wonderland. Focusing on theoretical scenarios is indeed dangerous here, since it diverts attention from the actual thing that needs to be done: gather as much information as possible on what is actually happening on the ground, what the level of intelligence already present there is, who the actors are and what info they may or may not have. Again it comes back to real risks and information assessments, not to the power of social media and crisis mapping.

In the case of crisis mapping, for example, there are several things that can be done to understand what the associated risks are:

- The first one is to look at the information you are producing. An example can be a mapped tweet that says that the rebels are taking Misrata. What information, beyond what is contained in the tweet itself, is there if I map this on a Ushahidi platform, for example?

- The second one is to look at the aggregate value of the information produced. In the case of Libya, for example, there was a week where a lot of refugees were escaping from the Tunisian border. Now the fact that a lot of reports were saying this gave us the idea that the phenomenon was really big. The question to be asked here was: were the people on the ground not noticing that? Was there any way that this information was not available to them, and so were we actually producing an additional layer of information with the map?

- An additional way to do an evaluation of the risks involved in a crisis mapping project in this kind of situation is to look at the IP addresses of the people looking at your platform – easily done by using Google Analytics. Are there people looking at your platform from the country monitored, and if yes, are they looking at it very frequently? This may give you – or not – an idea of who is looking at your platform and how often, and maybe tell you something about who the users of your platform are.

- Another important thing to do is to look at how free or not Internet usage is in a specific country, the level of control over mobile technology, and the past experience in that country of monitoring of those channels – and the actors doing it.
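The visitor check from the list above can also be run against the platform's own web server access log instead of Google Analytics. The following is an added example, not part of the original post: the log lines and the prefix-to-country table are constructed (documentation address ranges), and `summarize`, `country_for` and the three-day threshold are hypothetical names and choices.

```python
"""Per-country visit counts and frequent repeat visitors from an access log.

Added example. SAMPLE_LOG and PREFIX_TO_COUNTRY are constructed: the addresses
are documentation ranges (RFC 5737 / RFC 3849), not real geolocation data.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Hypothetical prefix table; a real deployment would load a GeoIP database.
PREFIX_TO_COUNTRY = {
    "192.0.2.0/24": "MONITORED",
    "2001:db8::/32": "MONITORED",
    "198.51.100.0/24": "NEIGHBOUR",
    "203.0.113.0/24": "ELSEWHERE",
}
NETWORKS = [(ipaddress.ip_network(p), c) for p, c in PREFIX_TO_COUNTRY.items()]

# Common Log Format prefix: client, identity, user, [timestamp], "METHOD path
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ \S+')

# Constructed sample input, including one malformed line.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2011:08:00:01 +0000] "GET /reports HTTP/1.1" 200 5120
192.0.2.10 - - [01/Mar/2011:08:00:09 +0000] "GET /reports/view/12 HTTP/1.1" 200 2048
198.51.100.5 - - [01/Mar/2011:09:12:44 +0000] "GET / HTTP/1.1" 200 4096
192.0.2.10 - - [02/Mar/2011:07:58:30 +0000] "GET /reports HTTP/1.1" 200 5120
192.0.2.77 - - [02/Mar/2011:11:03:02 +0000] "GET / HTTP/1.1" 200 4096
10.1.2.3 - - [02/Mar/2011:12:00:00 +0000] "GET / HTTP/1.1" 200 4096
this line is not an access-log entry
192.0.2.10 - - [03/Mar/2011:08:01:15 +0000] "GET /reports HTTP/1.1" 200 5120
203.0.113.9 - - [03/Mar/2011:14:20:00 +0000] "GET /reports HTTP/1.1" 200 5120
2001:db8::1 - - [03/Mar/2011:15:00:00 +0000] "GET / HTTP/1.1" 200 4096
"""


def country_for(addr):
    """Return the country label for an address, or UNKNOWN if no prefix matches."""
    for network, country in NETWORKS:
        if addr in network:  # False when IP versions differ
            return country
    return "UNKNOWN"


def summarize(log_text, monitored="MONITORED", min_days=3):
    """Count hits and distinct addresses per country, and list addresses from
    the monitored country that appear on at least `min_days` different days.

    An address is not a person: NAT, proxies and VPNs mean several people can
    share one address and one person can appear under many, so the result is
    a hint about the audience, not an identification.
    """
    hits = Counter()
    visitors = defaultdict(set)
    days_seen = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            skipped += 1
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:  # first field was a hostname or garbage
            skipped += 1
            continue
        country = country_for(addr)
        hits[country] += 1
        visitors[country].add(str(addr))
        if country == monitored:
            # Timestamp looks like 01/Mar/2011:08:00:01 +0000; keep the date.
            days_seen[str(addr)].add(match.group(2).split(":", 1)[0])
    frequent = sorted(ip for ip, days in days_seen.items() if len(days) >= min_days)
    return {
        "hits": hits,
        "visitors": dict(visitors),
        "frequent": frequent,
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for country, count in report["hits"].most_common():
        print(f"{country:10} hits={count} distinct={len(report['visitors'][country])}")
    print("frequent visitors from monitored country:", report["frequent"])
    print("unparseable lines skipped:", report["skipped"])
```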

All in all, I still think it comes to a realistic risk assessment, a case by case evaluation of the outcomes of your crisis mapping deployment and of the capacity of the “bad” people on the other side.


Crisis Mapping and Cybersecurity – Part I: Key points

This blog expresses only my personal views, and not those of any organization or institution I have worked or currently work for.

In his opening speech at ICCM, Patrick Meier listed a number of topics that have been and will be very important in the field of crisis mapping. One of them was security.

It is sure that security is and will be, in the years to come, one of the major topics to be addressed in this field, but yet I feel there is the need for a more pragmatic approach to this topic than the one used so far.

In one of the sessions at ICCM, which was entirely focused on this subject, some very interesting issues came out, which will give me some more ground to explain why I think that almost 90% of the discussions on cyber-security tend to take a tangent in the direction of an academic-philosophical approach rather than a practical solution to practical problems.

1. One of the major discussions on security gravitates around the design of protocols, standards and codes of conduct, to try to crystallize the problem in predefined codes and in this way find predefined solutions. While I understand the need for some sort of universal documentation that would allow us to look at the problem of security in a much clearer way, I think that starting with this as the first step is an upside-down approach that will not really help that much.

What I have learned in my experience in working with repressive regimes and in dealing with security issues in crisis mapping projects is that everything is entirely related to the background of the place where you are implementing your project. In this regard I fear that if we design protocols and procedures before and then try to “customize” them to the specific case, we will end up missing a lot of the local specificity that can make something that is very safe in one situation super dangerous in another.

2. A second discussion has been focusing on the tools and the responsibility of who designs, builds and sells/makes available those tools to the public. I have already discussed this in one of my previous blog posts, but I will reiterate here what I think is the main problem in focusing on the tools instead of the uses, and I will explain it with an example. A knife is a tool that we always have, in every household. We all know a knife can be used to kill or hurt people, but we also know that this isn’t the only use you can make of it. Now, while when we buy a knife the vendor will not tell us to be careful because we can also kill someone with it, since he assumes we know it, the situation is different when it comes to cyber/digital tools.

The main problem here is the level of collective knowledge that we have about the risks we run into when using a certain platform. When we buy a phone, the vendor will not tell us that our phone can always be recognized and traced, that there is a unique identification number and signal associated with it, and that there are several ways that someone can use to access all the information in our phone. The same happens when we open an email account.

While there are certain information/tools that we know are accessible/hackable, the knowledge about risks associated with a lot of tools is still not that widespread. I truly believe that the conversation about who has the responsibility to spread this knowledge is indeed useless: the responsibility according to me is shared between the users and the consumers, and we should all work towards more knowledge spread more broadly. Ultimately it is not about which tool is better than the other, it is about knowing exactly what the vulnerabilities associated with each tool are and how to make this knowledge as accessible as possible.

3. The third big discussion is about what to do when risks are too many, or knowledge too poor, or when solutions have not been designed yet. In this regard I am a big fan of the “if you don’t know what you are doing, do not do anything” principle, but I also truly believe that we cannot think that inaction is the best solution for all security issues we face when doing a crisis mapping project. If there are security concerns, they need to be addressed carefully and responsibly, but in urgent situations – like a crisis – there is no time for prolonged conversations on what to do. Action needs to be taken, and it had better be a good one. So, what to do?

My 2 cents on this are the following:

1. Stop talking about who should do what and focus on what needs to be done now. If you are interested in the topic and realize it is important, do it yourself. I am much less interested in the attribution of responsibilities than the actual lowering of the negative outcomes. With this I am not saying that there are no responsibilities, but that I would prefer to act in advance on the issue than to wait for facts to happen and then call someone guilty.

2. Go local! I will never get tired of saying that the local population normally has a much better knowledge of the risks and the dangers. Talk to them: they may not realize how to use a tool, but they will be able to tell you how local actors will or will not take advantage of certain possibilities, if presented to them.

3. Focus on what you can do and mitigate, since if you cannot do anything, there is no point in wasting your time trying to find a solution to it. To do this, you should not focus just on the cause of certain threats, but on their consequences: you may not be able to make a government weaker, or less repressive, but you can look at the practical consequences of their repression and mitigate them.

4. Dissect your problems and your security concerns: when facing a security issue, dissect it into all the different possible phases, components and possible outcomes and look at all of them as if they were single factors. You may not be able to solve the problem entirely, but you may be able to act on single components and in this way lower the overall impact of the security threats.

Now, I know this is easier to say than to do, and there is no “how to do” guide on this, but we have to start from something, no?

In my next post I will make a practical example to explain those suggestions.


Appropriateness, affordability and sustainability of technology

Since I started working as an innovation and new media consultant I often find myself struggling with what exactly should be, and how to look at, the assessment of environments for the implementation of projects involving the use or the introduction of the so-called new technologies.

One of my main concerns is that I will often find a general focus on the evaluation of the infrastructure that allows the technology to work and the quality of the technology in terms of functioning, and not on the qualitative background necessary for the technology to actually be used.

What I think is extremely important here is not to focus on one or the other but to make sure that all of them are taken into consideration and understood in their complexity.

The technology

The functioning of the technology is pretty much straightforward. It does work or it does not work. On the other side, the fact that a technology works does not mean that the technology is the right one for the goal you have. Increasingly people choose a technology because they like it and then try to fit it to their objectives. The reason is that often there is interest, from donors and NGOs, in financing and trying new technologies so as to show how innovative your organization or project is. In this context the main problem that emerges is that the technology itself, be it radio, mobile, wifi or computer based, can be working perfectly but not really adding anything to the original context. Other times the technology is working perfectly but the additional cost of it is too high for the users.

I see this every time people approach me asking for help in using a Ushahidi platform for their project. What often happens in this case is that people see Ushahidi as a powerful tool for crowdsourcing, but they forget that the platform is also a mapping tool. For instance, not necessarily all crowdsourced information is mappable, and more than that, not all mapped crowdsourced information is actually going to give an additional value to the information itself. The same thing happens when people want to use the Ushahidi platform to map historical data, where most likely a GIS map or a static map will be more useful in terms of visualization and also in terms of accessibility – allowing for offline, printable maps to be produced more easily.

Affordability of technology

The affordability of technology is something extremely important that is often linked to the sustainability of a project. One of the main issues here is that traditionally people have been focusing on how much technology equipment/maintenance costs. This is indeed a problem, but not always the main one. Sometimes the cost of a technology is not directly related to the money necessary to buy or to maintain it, but to the cost associated with the consequences of using it. I will give an example here:

Pamoja FM is a radio station in Kibera in the city of Nairobi. Pamoja FM decided some time ago to use a short code number agreed with Safaricom to increase its revenues. Since the radio receives a lot of SMS from its listenership, they thought that having a short code would have allowed them to get more money out of it, one of the reasons being that Pamoja is a community radio station and for this reason it is not allowed to do advertisements. Safaricom made an agreement with the radio and gave them a 4 digit short code at an increased price so that part of the revenues from the short code could go to the radio station. The short code worked beautifully. The radio was getting 5 shillings per SMS and the number was easy to remember. The problem was that the increased price was really increased, since the price for one SMS on the user end was 10 shillings, compared to the normal price of 2 shillings. The number of messages that the radio was receiving decreased from 500 a day to almost 0. In this situation the technology was working and doing exactly what it was supposed to do, but the assumption that users would have paid such an amount of money to send an SMS to the radio was wrong.

Appropriateness of technology

This issue is strictly related to how you choose which technology is the best for your project and for the place where you are going to implement it. Some time ago I had a discussion with Laura Hudson from FLSMS about the necessity to have not only a technical assessment but also a “cultural behavior” assessment on the use of technology in a specific context.

One example is what happened to the Ushahidi Chile project when I was still finishing my Master’s at Columbia University and, with a group of students and the support of the Ushahidi team and a local organization, we set up 2 phone numbers to receive information directly from affected communities in the country. In the first 2 months of the project the team in NYC was very surprised that very few people were actually reporting using those numbers and that we were receiving more messages asking us to answer the phone (which we could not do) than to report directly via SMS. Once we went to the country we discovered that Chileans normally do not use SMS, and that they are much more used to phone calls than to text. We could not find out what the reason was, but everyone we talked to confirmed to us that they were very rarely using text rather than calls. A similar example is the U-Shahid project in Egypt, where even if provided with an SMS system, people during the elections were reporting using Twitter and the Internet much more than their phone, simply because they were more used to that and because the Internet in their phone was comparatively cheaper than the SMS.

The appropriateness of technology is also related to the social aspects and role of that technology in a given context. I will use as an example one of the radio stations we work with and its role in the community in Kenya. I am currently working on a project to use Mobile Money to create a system where listeners will be able to place greeting messages in the radio station by calling a unique number and paying with their mWallet for the message. In choosing the radio stations to be involved in the pilot project we had to exclude some very interesting community radios. The reason behind this was not that they were not appropriate for the project but that they were such an important point of gathering for the community that the introduction of a remote system to place greetings could have jeopardized the important role that those radios are playing in their community. The introduction of a new technology here could have as a secondary effect the destruction of a social system that is not only working but very important for the local population.

The truth is that even if people do have technology, and use it, they use it in a very different way according to their culture, their life and the actual context they live in. Deciding to use SMS in a country just because there is a high literacy rate and a good mobile penetration is not enough: we need to understand how people use mobile phones, why and in which context.

For this reason, when doing an assessment for the use of technology, cultural behaviors and social dynamics should be considered as one of the most important components.

So, how do I assess the use of technology?

I have been asked this question once and I answered by saying that I do two things: I go to the local market, and I take public transportation. Why?

Local market because in this way I can see how people make transactions, how they communicate, how they evaluate prices, and what social dynamics are present as related to gender, economic situation and information sharing. For instance, do people use mobile banking, and if yes, how often and frequently? Do people talk about politics and what is going on in the country in the market? Where do people in the market come from, and if from far, are they the ones that share info with the others coming from other areas? Do people listen to the radio in the stands? Do they play with their phones? Do people compare prices? And if yes, how?

Public transportation for a very specific reason: people get bored when they do long trips, and they tend to find ways to spend that time. This is when the driver may put on some music, and normally it is the radio. And at the same time it is when people will either read or play with their phones – if they have one. What do they read? Do they use their phones to send SMS? Do they go on Facebook? Do they tweet? Do they play games? And if the driver puts the radio on, what programs is he listening to? Does the radio program have only music or also debates? …

Of course, this isn’t the only way I do assessment, but it is normally a very good start. Listen and observe before asking and drawing conclusions :-)


Answer to Matthew Levinger

This blog post has been edited after clarification on the role of TechChange and on their position expressed in the comment below. 

On Wednesday, October 26, 2011 Matthew Levinger posted a blog post titled “Risk Management and Ethics in Conflict Mapping” on the TechChange website. I have been reading that blog post for 2 days now, and I would like to share with Mr. Levinger some comments that that blog post raised in my mind. I apologize in advance if this blog post will not sound nice, but I know a lot of the people that work at TechChange and some of their Advisory Board members, and I know that they all appreciate honesty and an open dialogue on such sensitive topics as Ethics and Crisis Mapping.

Mr. Levinger raised in his blog post some very interesting and thoughtful thoughts about what the main issues in the crisis mapping field are, but let’s proceed in order.

The second paragraph of Mr. Levinger’s post said:

“Two years ago this month, the first International Conference of Crisis Mappers (ICCM) was held at John Carroll University in Cleveland. Next month, the third ICCM will convene in Geneva, Switzerland, as the annual gathering of a volunteer network with 2,900 members from 137 countries. TechChange, which was established just last year, has over 3,000 members on its listserv.”

I apologize to Mr. Levinger if I am misunderstanding, but if I didn’t know that Mr. Levinger was an adult, I would imagine that he is playing the part of “TechChange got more subscribers than you guys have in a third of the time”. Unfortunately Mr. Levinger does not realize that having people subscribing to receive weekly updates on the courses or news offered by TechChange is not exactly the same thing as having 2900 PROFESSIONALS having an open forum to exchange information, share content and discuss actual issues, including in the immediate aftermath of an emergency. It is called a two-way communication system, or interactive system. The Crisis Mappers Network is not a listserv, dear Mr. Levinger, it is a forum, a network for interaction, and it is a place that is not about how many people interact or receive the emails, it is about the quality of the interaction between those people. I personally think it is super cool that you have 3000 people on your listserv Mr. Levinger, but I think you do not need to compare TechChange to the Crisis Mappers Network, since they are not a two-way communication system, they are advertising their products. It is just a bit different.

To continue on Mr. Levinger’s blog post:

“As GIS and other place-based technologies continue their exponential rate of advance, the need for sustained dialogue between the producers and the consumers of data from volunteer GIS-based and other participatory mapping projects becomes ever more urgent. The producers of this data are predominantly experts in information and communication technologies, whereas the consumers of the data include international humanitarian responders, officials from governments and international organizations, members of advocacy groups, and residents of communities afflicted by natural disasters or political crises. Miscommunication and cultural disconnects can easily arise among these diverse stakeholder groups, with negative effects on the outcomes of participatory mapping projects.”

There are 2 big mistakes in this paragraph:

1. Producers and consumers of crisis mapping systems are already having a dialogue, Mr. Levinger. In fact, since Haiti, lots of things have been happening in this field, and this dialogue is getting bigger and broader. One of the places where this dialogue is happening is, in fact, the Crisis Mapper list (remember? –> two-way communication system?). The Standby Task Force for example, a producer of information, even has in its pool of volunteers people from OCHA, the Red Cross, NGOs, military, crisis managers, emergency response professionals. As shocking as this may sound, the dialogue is already happening Mr. Levinger. You are a bit late.

2. The producers of the data, Mr. Levinger, are absolutely NOT predominantly experts in information and communication technologies. You are clearly not getting this very straight, to be honest: there are also experts in information and communication technologies in the pool of volunteers that have been working on crisis mapping projects, but the majority of them are coming from completely different fields. Actually they are not at all experts, they are housewives, engineers, mothers, students, journalists, teachers. I invite you to look at the 600 and more volunteers that the Standby Task Force has deployed in the last year and you will see that probably 10% is actually an expert in information and communication technologies.

And now let’s go to the most interesting part of this blog post, the questions raised about Ethics of Crisis Mapping. Let me try to give some answers to those questions.

  • Are the producers or recipients of data from these projects exposed to security risks or other potential adverse consequences, including threats to privacy.

Security has been THE topic for the past 8 months, since the Arab spring and even before, and to be honest, we are constantly vomiting security blog posts, advice, guides, briefs and so on about it. Lots needs to be done, but for example, the Standby Task Force has been designing security protocols for each emergency, including when supporting Sudanese activists in demonstrating against the regime. I have personally worked in Egypt under Mubarak and done a crisis mapping project there. So the answer to your question is YES, we are all exposed and we all know what the potential consequences are.

The problem that you are trying to generalize here is in fact very much linked to something else. The problem is not the body of volunteers that networks like the Crisis Mapping one or the Standby Task Force are deploying in crisis situations, the problem is people that have not been trained and that do not know what certain issues are and how to deal with them. And you know how you solve this problem Mr. Levinger? By providing FREE training material and information, by sharing lessons learned (like the Libya and Colombia report), by engaging people in discussion about this and offering them free support when they set up a crisis map. Because to tell you something shocking: we may keep discussing problems and what needs to be known to do a crisis mapping project, but people will keep doing it anyway. We cannot prevent people from doing it, so if we want to solve the problem we have to share the knowledge and make sure people understand what they are doing. Of course, if only people that have 895$ can have access to this knowledge, then we will always have to deal with people that do not know what they are doing.

  • What negative effects may result from false or distorted reporting? For example, after the Haiti earthquake, many reports of victims trapped inside collapsed buildings were posted by people seeking help for digging out the corpses of family members who had been buried in the rubble.

This is why, Mr. Levinger, the Standby Task Force has been setting up verification protocols and teams to deal with this (see the verification protocols for Libya and a simple verification slide presentation for the volunteers to use). Now, again, this discussion has been happening for at least one year, and to make a long story short: there are multiple negative effects that can arise from this. Now that we know it, what? I tell you what: we stop wasting time in telling each other “O MY GODDDD…what is going to happen?????” and we start discussing what things can be done to prevent this from happening, how we implement more robust protocols, what is working on the ground and what didn’t. See an example of how this can be done here.

  • Does the establishment of a crowdsourcing platform for crisis mapping create unwarranted expectations that there will be a timely response to reports by people in need? Some observers have suggested that creating an Ushahidi platform for a disaster zone is akin to establishing a 911 telephone line without giving the dispatchers any emergency response capability.

Mr. Levinger, I would suggest that you sit down if you are reading this, since I may just be about to give you a VERY SHOCKING news. U ready? Have some water close to you in case you faint? Ok then: in humanitarian response YOU ARE ALWAYS CREATING EXPECTATIONS THAT YOU WILL NOT BE ABLE TO MEET. Now, to explain what I am saying here I invite you to go to any refugee camp on the world and ask to any of the refugees there if their expectation have been met when they get there. I have been visiting quite a lot of refugee camps, and working in emergencies, and I can tell you, the answer will always be, that the entire humanitarian world is creating expectations that they are not able to meet. And this is because most of the times the expectations that affected communities have are way over the actual capacity of the humanitarians responding. This is what the reality is today and how it will most likely be for some time.

But to come back to the crisis mapping projects: to be honest, the only place where I have seen the risk of this happening was Haiti, 2 years ago. Again, that was one of the first situations where crowdsourcing methodology was applied to a crisis mapping experiment in a massive humanitarian emergency, and to be honest, a lot was done to prevent the affected population from thinking that an immediate response was going to come – for example by doing radio programs that explained how the system was working.

The issue of managing expectations has been dealt with since then in a lot of different ways, for example in the PakReport instance, where people were informed via SMS about what the project was about; or in the Libya platform, where the goal of the platform was clearly stated on the home page; or in the Alabama deployment. The Standby Task Force is using banners in each of its deployments to tell people what they can expect or not, and other crisis mapping projects are increasingly using banners.

Now again, to cut a long story short: there will always be expectations that are not met, and this is valid more on the ground than it is on a virtual crisis mapping project. The difference is that crisis mapping projects actually engage in communicating with disaster affected communities, which most humanitarians do not do. See this interesting report about Dadaab to know more about it.

The first issue here is not that any crisis mapping project is creating expectations of immediate delivery of aid; the issue here is that that aid is not arriving anyway, but if there is a way to display it in a clear way, then the humanitarians working on the ground are held accountable for what they are actually not providing – despite the millions of dollars invested in humanitarian aid.

The second issue is that we should stop considering affected communities as a bunch of retarded idiots. If you tell them, they understand: they do not become immediately retarded because they are affected by a war or a disaster. The real way to solve issues with expectations is to have clear and broad communication channels with affected communities, not to avoid doing any crisis mapping project.

  • What are the ethical implications of creating universal surveillance systems that compile streams of data from diverse sources?

This is a good question, Mr. Levinger. But why is Crisis Mapping a “universal surveillance systems that compile streams of data from diverse sources”?? Who has ever talked about a universal surveillance system? I mean, we do not need Crisis Mapping to do this: this already exists, it is called intelligence, and you should know better: one of the most universal ones, that HAS TONS of ethical components, is the US one, where you serve as Intelligence Analyst.

  • In the context of violent conflicts and other political crises, how can parties to the conflict be prevented from using crowd-sourcing platforms to spread disinformation or incite violence, e.g. by exaggerating the number of victims or falsely accusing their opponents of war crimes or mass atrocities?

Mr. Levinger, I would like to write the answer to this to you here, but this blog post is becoming very long, so I will just give you some blog post links that you can read to get some answers to your questions. But to give you a hint: WE DON’T. We can set up good security and verification systems, and we build trusted networks on the ground. But the bad people will always have access to that information, as everyone else does. Anyway, read some good info from my good friend Patrick Meier:

Why Dictators love the web

Information Forensics

Wag the Dog

“These ethical and logistical questions need to be effectively addressed as part of an operational plan prior to an intervention. While getting the hard data is important, we also have to remember that our goal is providing aid and support to the people affected by conflict.”

U are right, and since you are sooo concerned, you are offering courses to teach people how to do this for only 895$... of course in the interest of affected populations!!

Mr. Levinger, I know this blog is snappy, but now I will let you understand something that I consider very important, and I am not doing it in the interest of making a mess or trashing you. Please, next time you write about those topics keep in mind:

- You need to know very well what you are talking about. You have been mentioning very interesting issues in your blogpost, but you have been addressing them poorly, and mainly because you have never done a Crisis Mapping project before, and you are not involved in the field since long time.

- Crisis Mapping is actually about doing things, not reading/writing papers. As far as I know, you do not have ANY experience in managing any Crisis Mapping project or a crowdsourcing system to communicate with disaster affected communities. It is scary that you are giving trainings to others on something that you have never done. Installing a Ushahidi platform on a computer or volunteering a couple of hours a week on a Crisis Mapping project is not enough to give lessons on how to manage, set up and create a Crisis Mapping project.

I really hope you will be at ICCM, since I would like to continue this conversation and maybe start discussing actual answers and not repeating questions that have been asked too many times.

Now, since this was almost a Crisis Mapping class, I will be sitting here waiting for you to send me my 895$ check. Of course, for the sake of affected populations!!!
