According to me those are 4:

1. The case of a repressive regime, where the people managing the project are either activists or related to activists
2. The case of a repressive regime where the people managing the project are not activists or are so called “improvised activists”
3. The case of a humanitarian emergency where there are security concerns related to either the presence of militias or a repressive regime
4. The case of a humanitarian emergency in general, where security is very much linked to the delivery of humanitarian aid and the do not harm principle (which indeed should inform also all the other cases).

Case 1 – repressive regime and activism

This was the example I talked about in my previous blog post. In this case the security issues that arise are very much not linked to the protection of the people managing the project, since they normally know the risks and are willing to take them. As much as we are sure they are informed about all the possibilities, it is ultimately their call to decide what to do and how. There is indeed a very important issue to be faced here: when the activists involved other people in the project, what is the knowledge that is shared with those others about the possible risks.?. The example that can be made here is Tahrir Square: the Egyptians that organized the first demonstrations were activists, a lot of them with a history or arrests, tortures and so on. But after a while a lot of ” common citizens” joined the demonstrations:  what was their knowledge of the risks? How much of an informed decision was the one they took?

All in all I think that there are 2 important things to keep in mind when approaching a case like this one:

1. Activists normally make informed decisions and know the risks much better than we do. We have no right to decide for them if something is worth it or not. I come from a family where my father spent 5 years in jail to fight against a repressive regime; I would never dare to think that he did because he did not know, indeed he did because he did know and he decide to accept the risk.
2. The crowd, if we want to call it, may be getting into the process not knowing what the risks are. There is no way for us to prevent this apart from spreading as much as possible the knowledge about cybersecurity. And with spreading I mean produce documentation, use simple language, have software companies and online networks do education and informing people about what is that they are using and what the vulnerabilities are. Information is here more important than food and water.

Case 2: repressive regime and “improvised activists”

I have worked on a case like this some time ago, where the people involved in the project wanted to do a crisis mapping deployment under a very repressive regime and they had 0 or little knowledge of the environment they were acting under. Since we were providing support from abroad, we had to use our knowledge to inform them. All in all the big lesson learned here was that our knowledge of the situation was not enough, and the risk for them was too high. We got under incredible stress, they got very scared and the deployment was closed. The risks that all of us and them run into was really high and we realized that there was no way for us to understand better the situation since we were not there, and for them to learn in such a short time frame without risking to be killed, tortured or worst. In those cases my take away is that BEFoRe you get the knowledge and after that u deploy. There is not such a. Thing as a learning as u do in those cases, because the risks are too high.

Case 3: repressive regime/militias and humanitarian emergency

This was the case of our deployment in Pakistan and Libya. This is a very complicated situation since we are talking about several actors, with several degrees of risks associated with each factor, and different possible outcomes depending on the actor, the beneficiary and the issue. I still think it is very complicated to draw lessons from those kind of situations since it really depends on the cases. In addition to this, the issue here is very much linked to the concept of open data and privacy and how you do provide useful information to both humanitarians and affected communities while making sure that you do not endanger them and respect the do not harm principle.

Those type of deployments are the one that will have to be extremely carefully evaluated, using local or trusted networks, doing a careful risk assessment for each actor involved and making sure that links and connections with key actors are in place. My 2 cents on those type of deployments are the following:

1. Treat different actors indifferent ways: not all information is sensitive or useful for everyone, so create different channels, protect them accordingly and deliver different information to different people
2. No information does not mean no risks. Not knowing can be as deadly as to give the wrong information to the wrong person, so let’s now panic, but instead find ways to make sure the information flows are built in a way that allows vital information to get to the right people
3. Do a very careful assessment of what information people in the ground – being humanitarians, local population or the bad people – have or do not have already, what their information channels are and how they use it. People rely on what they know to gather and get information out, and if you know they channels, you know their possibilities.

Case 4: humanitarian emergency and the do not harm principle

In a recent working group in Geneva, a representatives of ICRC did a very good presentation about the DO NOT HARM principle and how we could apply it to crisis mapping. I think that this is a great starting point – learn from who is mastering it – and I gave a lot of thought to it lately.

In the SBTF for example we have already designed our code of conduct on the base of the ICRC code of conduct, but the issue he goes more inept into the actual implementation of the framework when it comes to applying to the do not harm principle. In this regard the SBTF has already started a discussion about how to use this better and u will soon see some results of those discussions in our blog. The main important thing here is that the DO NOT HARM principle is and should be always the main thing to keep in mind when doing a crisis mapping deployment, especially if there is communication with disaster affect communities involved.

On the other side I am intrigued by how can we make sure we always act under this framework when lots of times we know we do not know. The real risk here is that, since we do not really know all the actual implications of all the crisis mapping deployments, since this field is still growing and developing, how do we make sure that we balance the DNH principle with the urgency to do something, and with the actual benefit of a crisis mapping deployment? The more I think about it, the more it looks to me like a cat eating its own tail: should we not doing anything because the risks to harm are too high, or should we try, knowing that the more we try the more we risk, but also that the more we try the more we learn?

In those kind of situation there are also the so called secondary effects to take into accounts. In fact, while there are risks associated with publishing reports from people on the ground for example, or in making certain information publicly available, there are also other risks that may be associated with those factors that we do not take into consideration. One example may be the fact that, if the crisis mapping deployment is available on line, a repressive regime may be tempted to block the Internet, and in this case also endangering a lot of other situations/ humanitarian operations that need the Internet to work effectively. Another example can also be that, if the crisis mapping deployment is collecting information via. SMS, or social network, the groups in the populations that do not have access to those means may be cut out of the system, and their problems or needs may be completely missed or underestimated because they are not able to express them via those means. Secondary effects can be multiple and various, and it is extremely difficult to understand when and where they are taking place and what to do to avoid them.

In conclusion: I am sorry if readers did not find very good answers in this blog post. The intention is indeed not to give answers but to continue talking about the issue, hoping that a constructive debate could lead to some interesting discussions on real solutions. As final point, I would like to highlight that there is no advantage in the endless battle in between Muggles and Crowdsourceres on the security issue if this battle is only framed as a black and white battle.

The issue of security is there and will always be. Practice and constructive debate on the practical implementation of cybersecurity measures is according to me the only way to face this debate. We can’t go back, we cannot prevent people from using crisismapping in repressive regime environments or in humanitarian crisis. But we can inform them, we can share lessons learned and make as open as possible our failures and our knowledge. Free open source knowledge about security is the best weapon we have to avoid others, and ourselves, making the same mistakes and endanger others in those situation. I am happy to do that, so if you want to do a crisis mapping deployment in one of those situation, feel free to shoot me an email. I may not have all the answers, but I will be happy to share what I have learned ..for free.

Now the real issue is that there is no way not to rise expectations, since I believe that expectations will always be there. What can be done, on the contrary, is to minimize those expectations by providing timely and reliable information and by being entirely honest about the purposes of the actions taken. I will use a practical example for this.

In April of this year I went to do an information need assessment in Central African Republic. My goal was to go in one of the villages where there are several refugee camps and IDPs camps and see what information they did have or not have, to better inform the local radio stations about it. In almost all the interviews that I have done, I was explaining at the beginning that the organization I worked for, was not there to deliver any aid, but to gather information and then work with local media. Despite the fact that I was taking some time to explain this, and the fact that I had a translator all the time to make sure that the info was passed in a very clear way, when I was asking questions about what information do the local population needed, the answer was always: “I need to go home, I need more food, I need a blanket”. In almost all the interviews I did, it took me almost 20 minutes of listening to all the things that the interviewed person need before I was able to talk about information needs. My boss explained it very well with another example: he went to do an assessment in Chad and asked to the refugees there “What would u like to listen to the radio if there was one?” and the answer was “that I can come back home”.

So to cut a long story short – I could give you another million examples of how expectation will rise no matter what you do or say.

The point here is simple: since expectations will be there anyway, people needs to be as informed as possible to minimize misunderstandings and people doing crisis mapping project need to be realistic and honest about their actual possibilities. Simple as it is, we need to learn from the past and current mistakes of the humanitarian community, to be honest.

Three things needs to happen according to me.

1. One is to spread as much as possible information about how do you communicate with disaster affected communities, how do you inform them about the actual possibilities of your project in terms of connection with the humanitarians. In Pakistan for example, we ask the local population to report what they were seeing around them, and not their needs, and we also actively send information out about the fact that we were not in the situation of knowing if the humanitarian community was using our information. Could we have done better? Yes we could, since you can always do better but at least we tried and we were really honest upfront about our goal and out possible outcomes.

My lessons learned in this years as related to this problem are:
- If you want people to send you information make clear what you will do with that info
- If you do not have contact with humanitarians or you are not a humanitarian organization, make that clear too
- Use radios, Internet, leaflets, posters, word of mouth to spread the voice as much as possible about the fact that U DO NoT HAVE the possibility to respond to the needs identified ( if you indeed not not have this possibility)
- Use a language that is not only comprehensible to the local population, but also a phrasing that leave no doubts, for as much as u can, about the fact that u do not have the possibility to respond.

2. The second thing that needs to happen is that we need to stop thinking that people that before the crisis were doctors, farmers, mothers and fathers, teachers, after a disaster or during an emergency will become suddenly retarded. I am well aware of the psychological consequences of being affected by displacement, war, natural disasters and so on, and I am not minimizing such effects on affected populations. What I am criticizing here is the victimizing stereotype that we attach indiscriminately to all affected communities at all times in favor of the “we need to protect them” approach. Protection of victimization are two very distinct issues, and we should not confuse them or use them as interchangeable.

Too many times the approach of who is calling for the “not rising expectations” seems to ignore the autonomous capacity of affected communities to understand and make decisions when they are well informed about what is going on. More or less the same way that lots of people talking about empowering communities to be resilient ignore local coping mechanisms. I believe effective communication can play a very important role on the expectations issue, but not only that: I believe there is an underlying thought in both the humanitarian community, and the crisis mapping community sometimes, that makes us confuse “protection” with not giving information to affected communities in the name of their inabilities to understand what is going on or to act logically as a consequence.

3. The third issue, and one of the most important according to me, is the one linked to accountability.

Let’ s do another example that I really find appropriate here. If tomorrow something happen, let’s say in New Orleans. If I am a journalist, then I decide to go there, and ask a lot of questions, do investigations, ask people what is going on and why. Some of those people will think that, since the media are there, and they will be reporting, and since a journalist is going to make this public, someone will respond to it..like the government for example. Now in this case, the very act of journalists being there, even if people know that the journalists will not respond, is rising expectations, isn’t it?

The problem here is not rising expectations clearly. The problem is that we are talking about accountability of the humanitarian community, or responders in general, with respect to their work and the way humanitarian aid – or political decision, – are implemented. The existence of mechanisms where affected communities are allowed to express their views and their opinions about the way humanitarian relief is provided, is scarring for the humanitarian community because there are not a lot of existing used mechanisms to call for accountability in this sector.

In this sense crisis mapping is an uncomfortable and undesired approach most of the times, and this unease is masqueraded often as “need to protect” or “need to manage expectations”. The truth is that the is a need for more accountability systems in the humanitarian world that allow not only for external M&E, but that incorporate the opinion and the vision of affected communities as fundamental part of the evaluation of the humanitarian work. Taking into consideration all possible variables, from cultural perspective to different roles and duties, and to mandates, the inclusion of the affected communities’ opinion is and can be a winning key point for the humanitarian world. Often in fact, problems and issues arising from the delivery of humanitarian aid are related to the absence or the lack of cooperation from affected communities themselves in the process, or from their inability to understand the mechanisms behind it. A better informed and knowledgable “client”, if we want to call it this way, means that the work of the humanitarian community itself will be easier and smoother, and that also responsibilities will be clear to everybody.

I am well aware that this is a generalization of the humanitarian community and of the approach to humanitarian aid, since there are efforts going on to involve and incorporate the opinion of the affected communities in the evaluation of the aid system, but still the is a lot to do. Until affected communities will be kept under the umbrella of the “protection” paradigm, and therefore will not be fully informed about what is going on around them during an emergency, expectations will be rised, independently from the existence or not of a crisis mapping project. But saying that doing a crisis mapping project and asking people to report what their needs are during an emergency, is like to have a 911 number with no one answering to it, is simply too much of a simplicities way to approach the issue, that will always make me doubt that behind this statement there is a deep fear that letting people speak will highlight responsibilities and mistakes of the humanitarian community that otherwise will be be kept hidden.

I have a background in human rights and humanitarian affairs, and in those fields you do something that I realized was not that common in the ICT world – or maybe it is just under reported – that is called risk assessment. How does a risk assessment look like?

There are several components to the matrix: there is the risk, the source (sometimes), the likelihood, the mitigation tool/measure and (sometimes) the independent variables. I truly believe that this matrix can help in understanding what are the things that we should focus our attention on and what are the things that we cannot change or we should just ignore. The very key factor in the use of this matrix though does not lie in the matrix, but in whom is filling it.

Here is a couple of examples of simple matrix for risk assessments:

This is exactly the same matrix that we used for the U-Shahid project in Egypt and while I was the one that proposed to use it, I didn’t fill it: the people that fill it where the Egyptian activists that had a very deep knowledge or all those factors, due to their experience. If I would have fill it, the outcome would have been very different, since my ideas on the possible risks associated with this project were very different.

Here an example of how we used this matrix.

1. First step was to identify the source of risks: in the Egyptian case the source was very easy to identify since it was only one, the Egyptian government and it’s national security. We also identifies an additional source of threat that could have been the Muslim Brotherhood, but since they came to our training to learn how to use the system, we decided that they were not going to be a bit threat: after all they have been discriminated against several times and they are not allowed to participate in the election, so we realized that they also had an interest in the project.
2. Second step was to list all the possible risks and to associate them with a degree of likelihood from 1 to 10 and design mitigation systems. We came out with the following matrix:

A. Hardware:

  Get the computers where the Flsms software was hosted: DL= 8

We set up what I call the FLSMS mobile system. Here mobile stands for “that moves” and not for mobile phones. Basically we realized that the likelihood of those computers to get caught by the national security was to find them when they were getting online to send data to the Ushahidi system. For this reason we decided that all the people managing the FLSMS system had NoT to do that from their home, but instead from an Internet point. But since an Internet point can be found over the course of 12 hours (election day) we decided that the team responsible for using this system was going to move from Internet point to Internet point every 1 hour / 1 hour an a half. In addition to this, the messages were sent to the Ushahidi platform once in all every time the person managing the software was moving to another Internet point.

The second problem, related to the fact that the sim card could have been indent infield thanks to the IMEI number, the sim cards for the system were bought by the organization and registered all under the same name (yes that was a risk that the organization was taking, but they decided that it was better to have the risk on the organization than on individuals).

  Get to the server: DL= 5

The server was hosted abroad and accessed remotely. In addition to that, several copies of the databases were done and  distributed in different other servers. The main server had an automatic backup done every hour and it was encrypted.

B. System:

  Block the SMS number (in and out): DL = 9

This was one of the risks we knew we could do less. We had a public number that we had to advertise since the project was based on crowd sourcing methodology and the number was registered, as it was obligatory in the country. We decided to have other 5 numbers available and already working, that were registered as personal numbers of some of the less known people participating in the project (but swapped in between them). Those numbers were divided like this: one was used by the monitors, one by the NGOs involved in the project, one was used by the known network of the people that the organizers knew and that were also reporting (and they were sharing it with their trusted network). The other 2 were backups numbers.

  Block the website: DL= 9

We created several mirror websites, and we bought under several names all the similar domains that we could use to replace the main one.

  Infiltrate the platform: DL= 9

The high likelihood of this variable is due to the fact that we knew that the government was easily able to arrest the organizers and torture them to get the password to the system. For this reason we decided that it was not worth it to try to get any super hardcore security system, also because this could have meant for people to be killed if not able to access the system for the repressive regime security people. Some decided that the main thing for us was not to prevent them to access the system, but to make sure that if they did they could not destroy the information contained in there or get to the identity of the people working on it. So what we did was to create a system where we could monitor what each recorded person was doing inside the platform and allowed only the editorial board to be able to delete informations or change settings.

The only 2 people that had access to the database containing all the details of the SMS coming for example were 1 tech person inside the country and 1 tech person outside. All the back ups where handle by the person outside the country and the tech person inside the country had no access to it – this information, the fact that the tech guy was not able to access info from inside the country, was shared broadly on channels that we knew were controlled by the national security.

  Falsify informations DL= 10

We realized that there was little we could do prevent this. Some decided to ignore this issue by relying on the fact that the numbers would have played in our favor. In fact several tentatives to send in false informations were done and always detected. In addition to this, we had a very strong verification system that was verifying information one by one and was only flagging as verified information that were supported by several independent known sources, or by multimedia that we’re undoubtedly showing what was reported. In addition to this we were encouraging people to use the SMS alert system of the Ushahidi platform of that if something was being reported in their area, they could go and verify it.

C. People:

   Arrest all the participants: DL= 5

To try to avoid this possibility we wanted to keep the identity of the people working on the project hidden. Unfortunately this was not possible, since the national security pretended to have the list of all the people working on this project. Since any measure to prevent them from arresting the participants was completely unless we decided to do 2 things: the first one was that all participants were well aware about the fact that their contact information were in the hand of the ns. The second one was to ask to all of them to move as much as possible during the election day, to avoid an easy identification of their location. The third one was to create an arrest protocol (see below).

   Arrest of the activists managing the projects (editorial board): DL= 9

This was the most likely hung to happen, as all the activists had been already arrested before and where all well known by the NS for this project. To them we applied the same arrest protocol. In addition to this we set up an external team, based in another country. In the case all the participants were arrested, the entire system could be taken over and managed by a team of people, trained in the previous months, and that was unreadable by the national security of the country. In this way, the information could still come in from the country, but the processing was “outsourced” to a foreign team (key for this was the trust already present in between the two groups).

   Close the organization managing the project DL= 5

For this eventuality we had already set up a chain of international organizations (human rights watchdogs) that could at least use their international power to put pressure on the gov’t in case of the closure of the organization. In addition to this, the organization keeps constant contact with the national security and responded to all their inquiries about the project, including giving them all the information requested (sometimes written in such a way that was impossible to understand what we were doing for example).

   Intimidate the participants to the project DL= 10

This was something that was already happening during the design phase of the project. To avoid bad things to happen, we were always sure that the organizers – especially the less known once, and so the most vulnerable – were never alone and always in busy areas when outside.

   Intimidate the people sending in informations DL= 7

This eventuality was agin something that we could not avoid easily. For this reason, we were making very clear, even in the advertisement of the project was we the possibilities, how the government could reach out to people and how it could trace them. In addition to this we did training for free to people on how to use social media, mobile and Internet security and to do video and pictures with their phones without being caught.

In addition to this we had an arrest protocol in place. The arrest protocol was design by asking to the people that had been arrested before to describe exactly how the arrests happened. The main thing for us was to let everyone else know if someone was arrested, for two reasons: to allow action to be taken immediately, like call a lawyer, and to allow the rest of the team to take actions in order to avoid to be arrested or to stop working on the project.

The phases that we identified for the arrests were:

1. Police arrive.
2. If person to be arrested in the house possibly ring the bell or open the door directly
3. If person to be arrested outside simply get the person
4. In both cases ask/take their mobile phone and computer

On this premises we realized that our chance to get the information out, especially if the person was arrested while alone, so with no witnesses, was to allow for them to send an SMS out. The way we did that was really simple: we ask everyone to set up a direct SMS already written in their phone linked to the keyboard ( something as simple as to set up a button in the phone that automatically bring you to the message already written). The time necessary to send the SMS out was as short as two clicks on the same button: one to get to the SMS already written, one to send it to 10 predefined numbers. Simple as it is.

This deployment was particular for several reasons. The first one was that we knew that we could not prevent the gov’ t from doing certain things, like arrest us, or get into the system, so instead of trying to prevent them from doing it, we try to mitigate the effects.

The second one was that the people involved were activists, so people that were taking a certain amount of risk, knowing it, and we’re ok with that since they were willing to risk to achieve their goals.

For those 2 reasons our security protocols were focusing more on mitigation measures for the EFFECTS and not on preventing the act from actually happen.

In addition to this, we knew were well that there was no way we could control or mitigate all the risks, so for those ones, we decided to create system where the act was at least going to be known by others, as to allow other measures to be taken.

For example in the case of Libya, we created 2 platforms that had 2 different types of information and therefore two different goals and targets. The private platform was to mainly inform the humanitarians about the situation on the ground, and had details and sources to make sure they could verify and do an evaluation of the reliability of the source (ultimately this evaluation was left to them, even if we did a preliminary verification of the information collected). The second platform, the public one, was for the general public to know what was going on in the country, and had no sources and no detailed information in it.

This is, I think, a very good example of the creation of different communication channels and different targets. The idea here is to understand the difference and to make decision based on the risks assessment and the possible outcomes.

Inform the local population..or not?

In the case of the Libya deployment the Crisis Map we created was not supposed to inform the local population. Despite contrary opinions, this decision was conscientious made based on a risk assessment: we knew that there was no way for us to know who the people we were talking to were, and we had no link with reliable and verified people on the ground. For this reason we knew that it was going to be impossible for us to know that were not giving “sensitive” information to the wrong Libyans, and for this reason we decided that it was better not to chose any privileged group at all. I am not going to say this was the best decision we could make, but it was the only one we could make at the time, so I stand by it: any choose would have been completely arbitrary.

In this regard I have to admit, we knew very well that by putting those information online we were indirectly privileging one group (the one that had access to Internet) to another one ( the one that had no Internet access). On the other side, we also knew very well that the bad people did not needed our platform to know what was going on on the ground – we were ultimately mapping their actions, so it would have been pretty hilarious if they needed to look at our platform to know what they were doing!!

But despite a common thinking, this was not all about communicating with disaster affected communities! We tried to communicate with Libyans by relying on local media – the once that started working freely during the war. The problem was that we did not have a way to communicate to them useful information that did not already knew. This was the reason why there were, on the Libya deployment, lists of local media, that we thought could be useful to the humanitarian community to use to provide  useful information to the local population. Of course they did not used it.

Why we did not get in contact with them directly? Because we did not have enough trusted and verified information to give to them, because the majority of them had more knowledge than us of what was going on, and because that deployment was ultimately managed by OCHA. The issue that a lot of people screaming about communication with disaster affected communities without having any clue about it forget, is that I would never push a group of online volunteers to randomly send blast SMS to people on the ground.

Communicating with disaster affected communities is indeed a very important thing that needs to be done properly and by professionals. In the Haiti case the SMS sent to the local population were designed and created by the Red Cross, not by the volunteers at Tufts. The information given to the refugees escaping from Libya in the refugee camps in Tunisia were taken by Internews from the humanitarians, and not design by the SBTF volunteers. I would very much stay very far away from anyone that thinks that in the Libya crisis mapping deployment we should have sent out information to the affected communities without replying on the support of organizations that do that as a job. The real problem here is that humanitarians should do that, since communication is part of humanitarian relief, but they often don’t.

Creating intelligence vs being intelligent

There has been a lot of discussion about the fact that having people using social media or the Internet to put information out is one thing, but aggregate them, map them and categorize them is another thing. I could not agree more on this, and I also agree that there are several degrees of risks associated with the second that are far higher than the first one. Since crisis mapping is ultimately about mapping, categorizing and analyzing data, we have to look more inept to this issue.

Simple as it is, I have to say I am a bit bored about the discussion on  “u are creating intelligence for the bad people” theory: there has been no one case in the past were the bad people did not knew in advance everything we were mapping or even much more than that. I agree there is a risk to give them some more info, I also think that we should be a bit more realistic and less sensationalists about this.

In addition to this, I have to say, and forgive me for being a bit of an ass: this all being worried about creating intelligence for the bad people theory is always coming from people that have:

1. Very little knowledge of crisis mapping or repressive regimes
2. Almost never taken part in any of the crisis mapping deployment were this was an issue
3. They kind of strangely disappeared when there is a deployment like this, while writing in-depth report about it after the deployment

To go back to the reality, let’s be honest: I have lived and worked under repressive regimes, war zones and so on. The reasons why the majority of intractable conflicts are that way is because there is a high level of intelligence on the ground that, for how much I love crisis mapping, crisis mapping will never have: this all dream that aggregated tweets will give you a better picture of what u can have when you live, act and know the situation on the ground is the naive “all about technology” bullshit that underline for me a very little knowledge of what the actual reality is.

This does not mean we should not be extremely careful about creating intelligence, and this was why we did had a private platform for the Libya case. But it does mean that we should be a bit more intelligent and face things realistically instead of living in wonderland. Focusing on theoretical scenarios is indeed dangerous here, since it divert attention from the actual thing that needs to be done: gather as much information as possible on what is actually happening on the ground, what is the level of intelligence already present there, who are the actors and what info they may have or not. Again it comes back to real risks and information assessments, not to the power of social media and crisis mapping.

In the case of crisis mapping for example, there are several things that can be done to understand what are the risks associated with that:

- the first one is to look at the information you are producing. An example can be a tweet mapped that sais that the rebels are taking Misrata. What kind of information more than the one contained in the tweet itself is there if I map this on a Ushahidi platform for example?

- the second one is to look at the aggregate value of the information produced. In the case of Libya for example there was a week were a lot of refugees were escaping from the Tunisian border. Now the fact that a lot of reports were saying this gave to us the idea that the phenomenon was really big. The question to be asked here was: were the people on the ground not noticing that? There was any way that this information was not available to them and so where we were actually producing an additional layer of information with the map?

- An additional way to do an evaluation of the risks involved in a crisis mapping project in this kind of situation is to look at the IP address of the people looking at your platform – easily done by using Google Analytics. Are there people looking at your platform from the country monitored, and if yes, are they very frequently looking at it. This may give you – or not – an idea of who is looking at tour platform, how often and maybe telling you something about who are the users of your platform

- Another important thing to do is to look at the freedom/not of the internet usage in a specific country the level of control over the mobile technology and the past experience in that country on monitoring of those channels – and the actors doing it

All in all, I still think it comes to a realistic risk assessment, a case by case evaluation of the outcomes of your crisis mapping deployment and of the capacity of the “bad” people on the other side.

At his opening speech at ICCM Patrick Meier has listed a number of topics that have been and will be very important in the field of crisis mapping. One of them was security.

It is sure that security is and will be in the years to come one of the major topic to be addressed in this field, but yet, I feel there is the need of a more pragmatic approach to this topic than the one used so far.

In one of the sessions at ICCM, which was entirely focused on this subject, some very interesting issues came out, which will give me some more ground to explain why I think that almost 90% of the discussions on cyber-security tend to take a tangent in the direction an academic – philosophical approach rather that a practical solution to practical problems.

1. One of the major discussions on security gravitate around the design or protocols, standards and code of conducts to try to crystallized the problem in predefined codes and in this way find predefined solutions. While I understand the need for some sort of universal documentation that would allow us to look at the problem of security in a much clearer way, I think that starting with this as the first step is an upside down approach that will not really help that much.

What I have learned in my experience in working with repressive regime and in dealing with security issues in crisis mapping projects is that everything is entirely related to the background of the place where you are implementing your project. In this regard I fear that if we design protocols and procedures before and then try to “customize” them to the specific case, we will end up missing a lot of the local specificity that can make something that is very safe in a situation super dangerous in another.

2. A second discussion has been focusing on the tools and the responsibility on who design, build and sell/make available those tools to the public. I have already discussed this in one of my previous blog post, but I will reiterate here what I think is the main problem in focusing on the tools instead of the uses, and I will explain it with an example. A knife is a tool that we always have, in every household. We all know a knife can be used to kill, or hurt people, but we also know that this isn’t the only use you can make of it. Now, while when we buy a knife the vendor will not tell us to be careful because we can also kill someone with it, since he assumes we know it, the situation is different when it comes to cyber/ digital tools.

The main problem here is the level of collective knowledge that we have about the risks we run into when using a certain platform. When we buy a phone, the vendor will not tell us that our phone can always be recognized and traced, that there is a unique identification number and signal associated with it, and that there are several ways that someone can use to access all the information in our phone. The same happen when we open an email account.

While there are certain information/tools that we know are accessible/ hackable, the knowledge about risks associated with a lot of tools is still not that widespread. I truly believe that the conversation about who has the responsibility to spread this knowledge is indeed useless: the responsibility according to me is shared in bw the users and the consumers, and we should all work towards more knowledge spread more broadly. Ultimately it is not about which tool is better than the other, it is about knowing exactly what vulnerabilities associated with each tool are and how to make this knowledge as accessible as possible.

3. The third big discussion is about what to do when risks are too many, or knowledge too poor or when solutions have not been designed yet. In this regard I am a big fan of the “if you don’t know what you are doing, do not anything” principle, but I also truly believe that we cannot think that inaction is the best solution for all security issues we face when doing a crisis mapping project. If there are security concerns, they need to be addressed carefully and responsibly, but in urgent situations – like a crisis – there is no time for prolonged conversations on what to do. Action needs to be taken, and better be a good one. So, what do to?

My 2 cents on this are the following:

1. Stop talking about who should do what and focus on what need to be done now. If u are interested in the topic and realized it is important, do it yourself. I am much less interested in the attribution of responsibilities then the actual lowering of the negative outcomes. With this I am not saying that there are no responsibilities, but that I would prefer to act in advance on the issue then to wait for fact to happen and then call someone guilty.

2. Go local! I will never be enough tired to say that local population normally have a much better knowledge of the risks and the dangers. Talk to them: they may not realized how to use a tool, but they will be bale to tell you how local actors will take advantages or not of certain possibilities, if presented to them.

3. Focus on what u can do and mitigate, since if you cannot do anything, there is no point in wasting your time trying to find a solution to it. To do this, you should not focus just on the cause of certain threats, but on their consequences: you may not be able to make a government weaker, or less repressive, but you can look at the practical consequences of their repression and mitigate it.

4. Dissect your problems and your security concerns: when facing a security issue, dissect it into all different and possible phases, components and possible outcome and look at all of them as if their were single factors. You may not be able to solve entirely the problem, but you may be able to act on single components and in this way lower the overall impact of the security threats.

Now, I know this is easier to say than to do, and there is no “how to do” guide on this, but we have to start from something no?

In my next post I will make a practical example to explain those suggestions.

One of my main concerns is that often I will find a general focus on the evaluation of the infrastructure that allow the technology to work amd the quality of the technology in terms of functioning, and not on the qualitative background necessary for the technology to actually be used.

What I think it is extremely important here is not to focus on one or the other but to make sure that all of them are taken into consideration and understood in their complexity.

The technology

The functioning of the technology is pretty much straight forward. It does work or it does not work. On the other side that fact that a technology works does not mean that the technology is the right one for the goal you have. Increasingly people choose a technology because they like it and then try to fit it to their objectives. The reason is that often there is interest, from donors and NGOs in financing and trying new technologies as to show how innovative your organization or project is. In this context the main problem that emerges is that the technology itself, being it radio, mobile, wifii, computer based, can be working perfectly but not really adding anything to the original context. Other times the technology is working perfectly but the additional cost of it it is too high for the users.

I see this every time people approach me asking to help them in using a Ushahidi platform for their project. What often happen in this case is that people see Ushahidi as a powerful tool for crowd sourcing, but they forget that the platform is also a mapping tool. For instance, not necessarily all crowd sourced information is mappable, and more than that, not all mapped crowd sourced information is actually going to give an additional value to the the information itself. E same thing happen when people want to use the Ushahidi platform to map historical data, where most likely a GIS map or a static map will be more useful in term of visualization and also in terms of accessibility – allowing for offline, printable maps to be produced more easily.

Affordability of technology

The affordability of technology is something extremely important that is often linked to the sustainability of a project. One of the main issue here is that traditionally people have been focusing on how much does a technology equipment/ maintenance costs. This is indeed a problem, but not always the main one. Sometimes the cost a technology is not directly related to the money necessary to buy or to maintain it, but to the cost associated with the consequences of using it. I will make an example here:

Pamoja FM is a radio station in Kibera in the city of Nairobi. Pamoja FM decided some time ago to use a short code number agreed with Safaricom to increase it’s revenues. Since the radio receives a lot of SMS from its listenership they thought that having a short code would have allow them to get more money out of it, pne of the reason being that Pamoja is a community radio station and for this reason it is not allowed to do advertisements. Safaricom did an agreement with the radio and gave to them a 4 digit short code at an increased price so that part of the revenues from the short code could go to the radio station. The short code worked beautifully. The radio was getting 5 shillings per SMS and the number was easy to remember. The problem was that the increased price was really increased since the prices for one SMS on the user end was 10 shillings, compared to the normal price of 2 shillings. The number of messages that the radio was receiving decreased from 500 a day to almost 0. In this situation the technology was working and doing exactly what it was supposed to do, but the assumption that users would have paid such an amount of money to send an SMS to the radio was wrong.

Appropriateness of technology

This issue is strictly related to the how do u chose which technology is the best for your project and for the place where u are going to implement it. Some time ago I had a discussion with Laura Hudson from FLSMS about the necessity to have not only technical assessment but also “cultural behavior” assessment on the use of technology in a specific context.

One example is what happened to the Ushahidi Chile project when I was still finishing my Master at Columbia University and with a group of students, and the support of the Ushahidi team and a local organization, we set up 2 phone numbers to receive informations directly from afford communities in the country. In the first 2 month of the project the team in NYC was very surprised that very few people were actually reporting using those numbers and that we were receiving more messages asking us to answer the phone (which we could not do) than to report directly via SMS. Once we went to the country we discovered that Chileans normally do not use SMS, and that they are much more used to phone calls than to text. We could not find out what the reason was, but everyone we talked to confirmed to us that they were very rarely using text rather than calls. A similar example is the U-Shahid project in Egypt, where even if provided with an SMS system, people during the elections were reporting using much more twitter and Internet than their phone, simply because they were more used to that and because the Internet in their phone was comparatively cheaper than the SMS.

The appropriatness of techology is also related to the social aspects and role of that technology Ina given context. I will use as example one of the Radio stations we work with and it’s role in the community in Kenya. I am currently working on a project to use Mobile Money to create a system where listeners will be able to place greeting messages in the radio station by calling unique number and paying with their mWallet for the message. In choosing the radio stations to be involved in the pilot project we had to exclude some very interesting community radios. The reason behind this was not that they were not appropriate for the project but that they were such an important point of gathering for the community that the introduction of a remote system to place greetings could have jeopardize the important role that those radios are playing in their community. The introduction of a new technology here could have as secondary effect the distraction of a social system that is not only working but very important for the local population.

The true is that even if people do have technology, and use it, they use it in a very different way according to their culture, their life and the actual context they live in. Decide to use SMS in a country just because there is a high literacy rate and a good mobile penetration is not enough: we need to understand how people use mobile phones, why and in which context.

For this reason when doing an assessment for the use of technology cultural behaviors and social dynamics should be considered as one of the main important component.

So, how do I assess the use do technology?

I have been asked this question once and I answered by saying that I do two things: I go to the local market, and I take public transportation. Why?

Local market because in this way I can see how people do make transactions, how do they communicate, and how do they evaluate prices, and what social dynamics are present as related to gender, economical situation and information sharing. For instance, do people use mobile banking, and if yes, how often and frequently? Do people talk about politics and what is going on in the country in the market? Where do people in the market come from, and if from far, are they the once that share info with the others coming from other areas? Do people listen to the radio in the stands? Do they play with their phones? Do people compare prices? And if yes, how?

Public transportation for a very specific reason: people get bored when they do long trips, and they tend to find way to spend that time. This is when the driver may put up some music, and normally is the radio. And in the same time is when people will either read or play with their phones – if they have one. What do they read? Do they use their phones to send SMS? Do they go on Facebook? Do they tweet? Do they play games? And if the driver put the radio on, what programs is he listening to? Does the radio program have only music or also debates? …

Of course, this isn’t the only way I do assessment, but it is normally a very good start. Listen and observe before asking and drawing conclusions

On Wednesday, October 26, 2011 Matthew Levinger posted a blog post titled “Risk Management and Ethics in Conflict Mapping” on the TechChange website. I have been reading that blog post for 2 days now, and I would like to share with mister Levinger and some comments that that blog post raised into my mind. I apologize in advance if this blog post will not sound nice, but I know a lot of the people that work at TechChange and some of their Advisory Board members, and I know that they all appreciate honesty and a open dialogue on such sensitive topics like Ethics and Crisis Mapping.

Mr. Levinger raised in his blog post some very interesting and thoughtful thoughts about what are the main issue in the crisis mapping field, but let’s proceed with order.

The second paragraph of Mr. Levinger said:

“Two years ago this month, the first International Conference of Crisis Mappers (ICCM) was held at John Carroll University in Cleveland. Next month, the third ICCM will convene in Geneva, Switzerland, as the annual gathering of a volunteer network with 2,900 members from 137 countries. TechChange, which was established just last year, has over 3,000 members on its listserv.”

I apologize with Mr. Levinger if I am misunderstanding, but if I didn’t know that Mr. Levinger was an adult, I would imagine that he is playing the part of “TechChange got more subscriber than you guys have in a third of the time”. Unfortunately Mr. Levinger does not realized that having people subscribing to receive weekly updates on the courses or news offered by TechChange is not exactly the same thing than having 2900 PROFESSIONALS having an open forum to exchange information, sharing content and discuss actual issues, including in the imediate aftermath of an emergency. It is called two ways communication system, or interactive system. The Crisis Mappers Network is not a listserv, dear Mr. Levinger, it is a forum, a network for interaction, and it is a place that is not about how many people interact or receive the emails, it about the quality of the interaction in between those people. I personally think it is super cool that you have 3000 people on your listserv Mr. Levinger, but I think you do not need to compare TechChange to the Crisis Mappers Network, since they are not a two way communication system, they are advertising their products. It is just a bit different.

To continue on Mr. Levinger blog post:

“As GIS and other place-based technologies continue their exponential rate of advance, the need for sustained dialogue between the producers and the consumers of data from volunteer GIS-based and other participatory mapping projects becomes ever more urgent. The producers of this data are predominantly experts in information and communication technologies, whereas the consumers of the data include international humanitarian responders, officials from governments and international organizations, members of advocacy groups, and residents of communities afflicted by natural disasters or political crises. Miscommunication and cultural disconnects can easily arise among these diverse stakeholder groups, with negative effects on the outcomes of participatory mapping projects.”

There are 2 big mistakes in this paragraph:

1. Producers and consumers of crisis mapping systems are already having a dialogue Mr. Levinger. In fact, since Haiti, lots of things have been happening in this field, and this dialogue is getting bigger and broader. One of the place where this dialogue is happening is, in fact, the Crisis Mapper list (remember?–> 2 ways-communication system?). The Standby Task Force for example, a producer of information, even have in its pool of volunteers people from OCHA, the Red Cross, NGOs, military, crisis managers, emergency response professionals. For shocking as this may sound, the dialogue is already happening Mr. Levinger. You are a bit late.

2. The producers of the data Mr. Levinger, are absolutely NOT predominantly experts in information and communication technologies. You are clearly not getting this very straight, to be honest: there are also experts in information and communication technologies in the pool of volunteers that have been working on crisis mapping projects, but the majority of them are coming from completely different fields. Actually they are not at all experts, they are housewives, engineers, mothers, students, journalists, teachers. I invite you to look at the 600 and more volunteers that the Standby Task Force has deployed in the last year and you will see that probably 10% is actually an expert in experts in information and communication technologies.

And now let’s go the most interesting part of this blog post, the questions rised about Ethics of Crisis Mapping. Let me try to give some answers to those questions.

• Are the producers or recipients of data from these projects exposed to security risks or other potential adverse consequences, including threats to privacy.

Security has been The topic, for the past 8 months, since the Arab spring and even before, and to be honest, we are vomiting constantly security blog posts, advices, guides, briefs and so on about it. Lots need to be done, but for example, the Standby Task Force have been designing security protocols for each emergency, including when supporting Sudanese activists in demonstrating against the regime. I have personally worked in Egypt under Mubarak and done a crisis mapping project there. So the answer to your question is YES, we are all expose and we all know what the potential consequences are.

The problem that you are trying to generalize here is in fact very much linked to something else. The problem is not the body of volunteers that networks like the Crisis Mapping one or the Standby Task Force are deploying in crisis situation, the problems are people that have not been trained and that do not know what and how to deal with certain issues. And you know how do you solve this problem Mr. Levinger? By providing FREE training material and information, by sharing lessons learned (like the Libya and Colombia report) , by engaging people in discussion about this and offering them free support when they set up a crisis map. Because to tell you something shocking: we may keep discussing about problems and what needs to be known to do a crisis mapping project, but people will keep doing it anyway. We cannot prevent people from doing it, so if we want to solve the problem we have to share the knowledge and make sure people understand what they are doing. Of course, if only people that have 895$ can have acces to this knowledge, then we will always have to deal with people that do not know what they are doing.

• What negative effects may result from false or distorted reporting? For example, after the Haiti earthquake, many reports of victims trapped inside collapsed buildings were posted by people seeking help for digging out the corpses of family members who had been buried in the rubble.

This is way, Mr. Levinger, the Standby Task Force has been setting up verification protocols and teams to deal with this (see the verification protocols for Libya and a simple verification slide presentation for the volunteers to use) . Now, again, this discussion have been happening for at least one year, and to make a long story short: there are multiple negative effects that can arose from this. Now that we know it, what? I tell you what: we stop wasting time in telling to each other that “O MY GODDDD…what is going to happen?????” and we start discussing about what are things that can be done to prevent this from happening, how do we implement use more robust protocols, what is working on the ground and what didn’t. To show an example of how this can be done here.

• Does the establishment of a crowdsourcing platform for crisis mapping create unwarranted expectations that there will be a timely response to reports by people in need? Some observers have suggested that creating an Ushahidi platform for a disaster zone is akin to establishing a 911 telephone line without giving the dispatchers any emergency response capability.

Mr. Levinger, I would suggest that you sit down if you are reading this, since I may just be about to give you a VERY SHOCKING news. U ready? Have some water close to you in case you faint? Ok then: in humanitarian response YOU ARE ALWAYS CREATING EXPECTATIONS THAT YOU WILL NOT BE ABLE TO MEET. Now, to explain what I am saying here I invite you to go to any refugee camp on the world and ask to any of the refugees there if their expectation have been met when they get there. I have been visiting quite a lot of refugee camps, and working in emergencies, and I can tell you, the answer will always be, that the entire humanitarian world is creating expectations that they are not able to meet. And this is because most of the times the expectations that affected communities have are way over the actual capacity of the humanitarians responding. This is what the reality is today and how it will most likely be for some time.

But to come back to the crisis mapping projects: to be honest, the only place where I have seen the risk of this happening was Haiti, 2 years ago, Again, that was one of the first situation where crowdsourcing methodology was applied to a crisis mapping experiment in a massive humanitarian emergency, and to be honest, a lot was done to prevent affected population to think that an immediate response was going to come – for example by doing radio programs that were explaining how the system was working.

The issue of managing expectation have been dealt since then in a lot of different ways, like for example in the PakReport instance where people were informed via SMS about what the project was about; or in the Libya platform were the goal of the platform was clearly stated in the home page, or in the Alabama deployment. The Standby Task Force is using banners in each of its deployment to tell people what they can expect or not, and other crisis mapping projects are using banners in an increasing way.

Now again, to cut a long story short: there will always be expectations that are not met and this is valid more on the ground that it is on a virtual crisis mapping project. The difference is that crisis mapping project engage actually in communicating with disaster affected communities, which most humanitarian do not do. See this interesting report about Dadaab to know more about it.

The first issue here is not that any crisis mapping project is creating expectations of immediate delivery of aid, the issue here is that that aid is not arriving anyway, but if there is a way to display it in a clear way, then the humanitarians working on the ground are held accountable of what they are actually not providing – despite the millions of dollars invested in humanitarian aid.

The second issue is that, we should stop considering affected communities as a bunch of retarded idiots. If you tell them, they understand: they do not become immediately retarded because they are affected by a war or a disaster. The real way to solve issues with expectation is to have clear and broad communications channels with affected communities, not to avoid doing any crisis mapping project.

• What are the ethical implications of creating universal surveillance systems that compile streams of data from diverse sources?

This is a good question Mr. Levinger. But why is Crisis Mapping a “universal surveillance systems that compile streams of data from diverse sources”?? Who has ever talked about a universal surveillance system? I mean, we do not need crisis Mapping to do this this is already existing, it is called intelligence and you should know better one of the most universal one, that HAS TONS of ethical component is the US one, where you serve as Intelligence Analyst.

• In the context of violent conflicts and other political crises, how can parties to the conflict be prevented from using crowd-sourcing platforms to spread disinformation or incite violence, e.g. by exaggerating the number of victims or falsely accusing their opponents of war crimes or mass atrocities?

Mr. Levinger I would like to write the answer to this to you here, but this blog post is becoming very long, so I will just give you some blog post links that you can read to get some answers to your questions. But to give you a hint: WE DON’T. We can set up good security and verification systems, and we build trusted networks on the ground. But the bad people will always have access to those information, as everyone else does. Anyway, read some good info from my good friend Patrick Meier:

Why Dictators love the web

Information Forensics

Wag the Dog

“These ethical and logistical questions need to be effectively addressed as part of an operational plan prior to an intervention. While getting the hard data is important, we also have to remember that our goal is providing aid and support to the people affected by conflict.”

U are right, and since you are sooo concerned, you are offering courses to teach people how to do this for only 895$..of course in the interest of affected popultions!!

Mr. Levinger. I know this blog is snappy, but now I will be let you understand something that I consider very important and I am not doing it in the interest of making a mess or trash you. Please, next time you write about those topics keep in mind:

- You need to know very well what you are talking about. You have been mentioning very interesting issues in your blogpost, but you have been addressing them poorly, and mainly because you have never done a Crisis Mapping project before, and you are not involved in the field since long time.

- CrisisMapping it is actually about doing things, not reading/writing papers. As far as I know, you do not have ANY experience in managing any Crisis Mapping project or a crowdsourcing system to communicate with disaster affected communities. It is scarring that you are giving trainings to others on something that you have never done. Installing a Ushahidi platform in a computer or volunteer a couple of hours a week on a Crisis Mapping project it is not enough to give lessons on how to manage, set up and create a Crisis Mapping project.

I really hope you will be at ICCM, since I would like to continue this conversation and maybe start discussing actual answers and not repeating questions that have been asked too many times.

Now, since this was almost a Crisis Mapping class, I will be sitting here waiting for you to send me my 895$ check. Of course, for the sake of affected populations!!!

The goal of this workshop was to discuss open, realtime, and linked data generated, gathered, and organized online, which are proving vital to understanding local communities and the world we live in, ensuring more informed decisions are made at all levels of society. While online data is proving immensely useful, the dramatically increasing trend towards moving data online — whether knowingly, carelessly, or without consent — has led to unprecedented challenges to user privacy and security. At this juncture, Internet Governance is needed to clarify and codify the rights and responsibilities of various actors as regards online data.

The workshop featured short presentations from representatives of civil society, government, academia, and corporations, to facilitate discussion about theses issues amongst the panelists, the audience, and international remote participants, including members of Access’ network (now in 184 countries).

Topics for discussion included:
• How open/realtime/linked online data can aid development
• The use of crowd-sourced, geolocation, and mobile data
• Existing and emerging privacy and security threats of and to online data and ways to mitigate these risks
• How various stakeholders can assist the public in protecting their data and rights online
• Maintaining the balance between privacy, security, inclusivity, transparency, and accountability in legislation, regulation, and terms of service.

I was invited to speak as Innovation Media Advisor for the Africa Region for Internews Network on the use of real time data and the risks associated with that. In my talk I decided to use as example the project we are funding in Ghana, which is implemented by EPAWA – Enslavement Prevention Alliance for West Africa in collaboration with Survivors Connect. Both organizations work on human trafficking, and while EPAWA is a 4-years-old organization working in Ghana with civil society, governamental organizations and agencies and media, Survivors Connect has been working on this in Nepal and Haiti before, and it works as technical implementer for the project.

The pilot project is in fact a sort of experimentation of the use of mobile technology to support the creation of a local network of local monitors, civil society groups and governamental agencies to track the movements of children and women from the rural areas to the capital, and the case of domestic violences inside the communities themselves. The network will exchange real time information via mobile technology and with the support of a password protected Ushahidi platform.

I think this is a good example of the use of real time data but it also highlights some of the main issues I think can come out in other projects. This is the reason why I used this project as example.

The following are my main points of conversation at the workshop.

TECH IS NOT THE SOLUTION TO EVERYTHING – ESPECIALLY TO SECURITY 

My point here is that when working with real time data related to sensitive issues, like for example human trafficking, the main key factor to secure data does not rely in the technical security measures, being it encryption or other means, but it lies in the social network, and I am not referring to social online networks, but to social – real people – networks. I have notices many time in  my work that the safety of the information exchanged in any networks does rely heavily on the ability to create trusted networks on the ground that are able to secure information because of their deep knowledge of risks, dangers and sources of potential security threats. Those social networks are the ones that can still work when the technology is not there and are the true base of a secure system.

YOU CAN BUILD THE BEST TECHNICAL SYSTEM WHEN YOU START BY THINKING WHAT WILL HAPPEN WHEN TECHNOLOGY IS NOT THERE

Apart from the issue of security, what I think it is extremely important, especially if you work in Africa, is to be able to design information systems that always have a PLAN B. If you system does not have any way to work without electricity, or without internet, or without a phone, then you are building something that most likely is extremely vulnerable and that can be blocked by something as simple as a storm. Technology is always supposed to make things easier and faster, but if technology is the only criteria for the functioning of your system, then it is a limit and not a facilitator.

EDUCATION TO SECURITY MEASURES, THREATS AND VULNERABILITIES IS KEY

Another interesting thing that I notice when I was working in highly unsafe environments like Sudan and Egypt (under Mubarak regime), is that a lot of people underestimate or do not know at all the risks and the vulnerabilities of their real time information systems. Especially in those two cases, where I was working directly with activists, which were well aware of the potential risks of someone hacking or tracing their information, the level of awareness of the actual vulnerabilities of their systems was very low. If we go to less specilaized groups and especially into the world of small NGOs, the ignorance of the issue is even bigger. In this regard I have to say that 2 factors are the underlying casues of this situation:

1) Language. Cyber-security information are still written and explain in a way that it is too complicated and technical for a normal audience. If a small NGO, that does not necessarily have a cyber-security expert in its team, wants to find out information about how to protect their data, how to secure their servers and their emails and so on, most of times gets stopped by the complication and difficulties in understanding a language that it is not familiar with and instructions that will require too much espertise to be followed. (a very well done “Practical Guide to Protecting Your Identity and Security Online” edited by Access Now is available here)

2) Awareness. Too often software companies are not explaining in an open way what are the vulnerabilities of their systems, and too often technical equipment is sold without people having a real understanding of how this equipment really works.  We are seeing this with mobile phones: the majority of “normal people”, meaning not expert or part of the cyber-security world, do not know that their mobile phone is always traceable, do not know that their SIM card is traceable, do not know what an IP address is and what information it carries and so on.  The same thing is to be said about people using software without fully understanding what are its vulnerabilities.

WHERE DOES PRIVACY END AND OPEN DATA START?

One of the main challenges that I found when working with real time information systems is finding the limit in between Open Data and privacy and security. Let’s take again our Ghana project. The system built will be exchanging information related to children and women, to trafficking, abuses, and violence. For obvious reasons, a lot of the information exchanged cannot be public and needs to be handle in a very careful way. On the other side, if available publicly this information can be extremely useful and can lead to more preparedness and awareness of the problems faced by the communities on the ground, if not to more prompt response in urgent issues. of course there are ways that this information can be filtered and made available but even in this case, the more you “open” the more you are increasingly the possible risks and vulnerabilities of your system.  This tension is always there when dealing with open data real time information systems, and it needs to be carefully dealt with on a case by case level.

The purpose of the simulation was to wrap up a Crowdsourcing workshop series that had been carried out over the course of 6 months with the purpose of supporting the Pilot Project for Climate Change and Resilience in the country. As a consequence of that series, the crowdsourcing component has been added to the annual plan of the country inside the PPCR.

I decided that after a very broad overview of the crowdsourcing concept and methodology, an explanation of some examples and tools to be used and a general discussion about the possible applications of crowdsourcing to the PPCR and the Zambian context, there was a need of some more practical examples on what a crowdsourcing projects applied to a natural disaster would look like.

The participants to the simulation were of various backgrounds: there were ministry of health officials, ICT people and web developers, meteorologic department officials, members of the Disaster Management and Mitigation Unit, members of the Climate Change Network, members of the Youth Environmental network and members of Zabuntu, a local NGO working on application of new technologies in Zambia.

This was the description of the background and the definition of the roles.

BACKGROUND**
Flood simulation in Kazangula, Zambia
On the night of the 4th of June a massive flood has invested the Kazangula area. One village, Marguni, is very close to the river and there is no information about what may have happened there.

The weather prevision said that in the incoming hours heavy rains is supposed to come in that area, and other two villages around Marguni are at risk to be flooded. Unfortunately the flood has cut down all communication so it is not possible to call the chiefs and let them know that they have to evacuate.

All the NGOs are based in Lusaka and only the Zambian Red Cross has volunteers in Marguni and has immediately get in contact with them to alert them and to gather information. The Red Cross also have a FLSMS system that gathers this information and that they can use to send information back to the field.

DMMU has set up an Ushahidi platform to gather information from SMS but they do not have anyone that report to them since DMMU does not have people on the ground in the village and by the time they can mobilize their staff it will be too late.

The Ministry of Urban Planning has a team of mappers there that were sent to one of the not yet flooded villages and that could easily be relocate. In fact, the big problem in that area is that there are no accurate maps of the villages and some of the streets and building are completely missing from any official map. Another team of mappers are in the HQ in Lusaka and they start immediately trying to locate the area and the main buildings in the village.

At the ministerial level the Ministry of Information and the Ministry of Finance get immediately together under the call of the president and the Prime Minister ask them to follow the issue and to allocate resource to respond to the emergency. The Prime Ministry is really angry since this is not the first time that this happens, and he order to the 2 Ministries to come out with a good preparedness plan for the next year.

DMMU contacts the Red Cross and ask them to have their volunteers reporting to DMMU so that they can organize the relief aid and keep the government informed. The Ministry of Finance and the Ministry of Information ask DMMU to report every 2 hours and to fill a request for funding according to how much the need to respond to the emergency.

ROLES

Ministry of Urban Planning – Mappers:
- Find the satellite images of the village and create a map for the rescue teams
- find location of missing places
- come back to the HQ and map them
- mark the place found with a sign so that others can use it

Zambian Red Cross:
- go around and report to HQ via SMS what is going on
- when they find an event they report it via SMS or email
- they get requests from the HQ about verification of information
- they go and verify and report to HQ

Rescue teams:
- Receive communications from the HQ and go to solve problems
- They need to have exact location and know what to bring to be able to help

DMMU HQ + tech team:
- they use the flsms software to receive messages
- they receive messages from their people but also from the crowd
- they send messages back to RC teams to ask for verification
- they map events on the Ushahidi platform and mark them as verified
- they ask for resources to the Ministry

Ministry of Information and Communication and Ministry of Finance:
- they look at the platform and decide how to allocate resources
- the design policies for the emergency response
- they give money to the DMMU HQ to send teams on the ground

See here for the description of the specific roles.

THE SIMULATION OUTCOMES
The simulation was carries out over the course of 2 hours and every 20 minutes I was inserting a change in the situation by providing instructions to 4 key actors in the simulation: the 2 ministries, the President of the Red Cross and the Director of DMMU.

The inceptions in the simulation over the course of the 2 hours were also provided via SMS to the FLSMS system, and via mail to the Ushahidi platform, and via The Prime Minister (me) communication to the Ministries.

The simulation as incredibly useful and after it we had a 1 hour briefing abut problems and issues faced that were presented at the final event in the RHoK.

Those are the problems faced by each of the team in details:

1. The Mappers: the mappers ground had not seen a satellite image before in their life. Once I provided them the initial satellite image (on a printed format) they had to try to find it using Google Earth. The process took to them 1 hour after which I decided that UNOSAT was able to find the complete satellite imagery of the flooded area and sent it to them.

Once they had the satellite images, they had to draw it on a piece of paper – there was no electricity on the area and no printer available – the actual map of the area for the rescue teams. To do this they used Google Maps and start modifying it on line by adding all the streets and location. The fact that they could not create a map for the initial hour made it impossible for the rescue teams to find the locations of cases reported by the RD volunteers. In addition to this, it took to the mappers almost 30 minutes to figure out how to read a satellite image and how to relate it to the Google Map – Open Street Map.

2. Zambian Red Cross. The Red Cross was the first one to activate and was also the one that set up the SMS system to gather information from their local volunteers on the ground. The volunteers were going around looking for cases and they had to text in to the HQ the cased found and verified. They also were receiving from the HQ the communication received via SMS from the short code and they had to go and find the place to verify the information and report back to the HQ.

The absence of maps made it impossible for them to let the HQ and the rescue teams know where they were funding people or situation that needed an immediate response and at one point volunteers from the RC were trying to talk directly to the Mappers to let them know where things were and how to plot them on the map.

The volunteers on the other side had to deal with an incredible amount of information coming in via SMS: more than 20 messages every 10 minutes were coming in and some of them were blandly false and were making them lose time in trying to reach very far areas and find out what was going on. In addition to this some of the report were not entirely false but sligly unprecise, which leaded to some discussions in the team about how to confirm them with HQ. The volunteer teams were on the other side very good, and decided due to the volume of communications to split into smaller teams of 2 each.

3. Rescue Teams. The rescue teams where the ones that had to use the maps created by the Mappers and to decide priorities according to the RD communication. For this reason their actions were highly depending on the good job of the other two teams. Interaction at the beginning was a crazy mess, the rescue teams wanted to reach out to the volunteers on the ground but the RC headquarter didn’t give to them their contacts, and they also had several issue with streets that had double names or that were mapped too roughly.

In addition to this this team needed a lot of equipment, which was not available de to the lack of investment from part of the Government. For this reason he team has to hare GPS units and only had one helicopter to rescue people from the roofs in flooded areas.

4. Disaster Management and Mitigation Unit. DMMU is the responsible for coordination of disaster response operations in Zambia. The first problem they had was to convince NGOs to work with them, and specifically the Red Cross. Due to long standing friction in bw the two organization, mainly because of funding and also because the DMMU is directly depending from the Vice President office which make it is highly political body, at the beginning the RD refused to provide information and to sync their SMS system with the Ushahidi platform managed by the DMMU.

Once they got the collaboration set up – which took almost 4 hours, simulation time – they had the problem of having to coordinate an incredible amount of information coming, in, technical problems with the two platforms, lack of funding, incredibly pressure rom the Ministry which forces them to spend more time in creating reports and providing statistics then in actually coordinate the relief effort.

The teach team that was supporting them was also looking for the first time at both the Ushahidi platform and FLSMS. The majority of them were – in real life – web developer just out of university that had never really worked on building something for immediate application and with a time constraint and pressure to deliver. It took to them almost 1 hour – real time – to figure out how to sync the two software, how to customize the Ushahidi platform and how to fix and explain to non tech savvy people how to use the tools.

5. The two ministries were the once that had the most pressure on their shoulder during all the simulation. They had to convince the prime minister about the gravity of the situation, they had to fight over allocation of money – more information to people or more money for food and recovery? – they had to understand the situation form DMMU and take the responsibility for any misleading or wrong information communicated to the Prime Minister.

Both the Ministry of Information and Communication and the Ministry of Finance had also to protect their own portfolio and perform well since re elections were only 6 months away. They were also held responsible for delays and lack of support to the rescue teams and the aid organizations while accused by the parliament of not using at their best the resources available.

CONCLUSIONS
The simulation was one of the best way for all the actors involved to learn what a crowdsourcing project applied to a humanitarian emergency can end up being: a crazy mess but also a good way to save lives.

At the end of he simulation we all spent 2 hours talking about the simulation and what happened, what things went wrong and what went well and those are the lessons learned we came out with:

- Collaboration in between different actors is crucial and needs to be build on a long standing trusting relationship
- During an emergency all is always about correlations and ability to understand who does what
- Satellite Images, maps and geographical information can truly help in saving lives
- Never use a new technical tool during an emergency
- Knowing how to do something does not necessarily means knowing how to apply it in a practical case
- During an emergency, a mistake committed by one, can lead to many mistakes and start a chain of wrong actions that can endanger lives
- Protocols, collaboration systems and communication channels needs to be in place well before an emergency, as well as to be tested and customized according to different situations
- During an emergency nothing of what you normally count is there, so you always need to have a plan B, and a plan C and a plan D..and maybe some other plans.

Some of those conclusions may sounds very obvious and banal to a lot of people that work in emergencies, but the point of this simulation was not to find something new, but to let people that do not work in emergencies every day what a real emergency looks like. In addition to this, I wanted all the people in the room to see how depended they are from other actors and bodies and how little ability they have to make a difference if they are not able to collaborate.

After the simulation one of the things that came out was the instead of focusing on emergency response everybody agree that each single organization and body present at the simulation should focus on preparedness and start thinking about what they will need to do and how in case of a real emergency in the country.

As a consultant, this was my first simulation entirely organized and managed by myself. I have to say, it was a lot of work, especially going around the simulation location for 2 hours before the simulation started, to hide little pieces of papers with written on it locations or facts, but it was worth it. I realized that with over 30 trainings that I have done in my life on the use of Crowdsourcing for disaster management and related tools, nothing worked as good as the simulation. Nothing gave both me and the people participating in it a deeper sense of what really needs to be done and how things can get screwed up easily in a situation where tension, stress and urgency are the basic status of everyone for hours if not days.

** all the information contained in this document has been arbitrarily invented and the way existing organizations in Zambia have been described here, and their relationships, is completely invented by the author of the simulation.

The overall goal is to raise awareness and stimulate action, especially among African governments and development practitioners, on how ICTs can contribute to the improvement and transformation of traditional and new economic and social activities.

Furthermore, the studies should recommend ways in which to scale up the successful application of ICTs and to further operationalize their use within a number of strategic sectors, while paying appropriate attention to associated risks.

In order to provide analytical background for the study, the Partners have awarded a series of contracts to consultant firms to conduct sectorial studies of the actual and potential use of ICTs in the African economy.

The aim is to identify specific sectorial opportunities and challenges in Africa that can possibly be addressed through an increased or more efficient use of ICT, benefitting from a best practice analysis of applications around the world. Each study typically contains a scan of ICT applications in a particular sector followed by a more detailed study of two or three countries case studies, on a representative basis, chosen in conjunction with the partners. On the basis of this analysis, it should be possible to form a clearer understanding of the barriers to wider adoption and the factors for success.

These studies will then be used to assist the partners in formulating options for strategic interventions in these fields and to making appropriate recommendations.

The sector studies have been awarded as follows:

• Agriculture (Deloitte);

• Climate Change Adaptation (IISD);

• Education (ICT Development Associates);

• Financial Services (VitalWave);

• Health (VitalWave);

• Delivery of Public Services (Deloitte).

In addition, two closely related cross-cutting studies will look at:

• The contribution of ICTs to regional trade and integration (ICT Development Associates);

• The local ICT sector as a platform for regional trade and integration (TNO/Excelsior).

It has been incredibly interesting to participate in this workshop for several reasons and I have to say I was quite impressed by the approach that the World Bank and the African Development Bank have taken with regard to those studies.

1. The crowdsourcing methodology that has been used to gather feedback and to publicize the reports before the release of the final versions. The eTransform website in fact is an open platform that allows anyone that is interested to download the reports from the website (the drafts of the report for now) and to add comments or suggestions to the authors. This approach is incredibly useful and will allow, if there will be participation, to anyone that work in the field to influence the content of the reports and to add their expertise and their experiences. This participatory approach is a win to win according to me as it guarantee the possibility for practitioners but also for policy makers to participate remotely on the drafting of the reports and in this way make the reports themselves a more comprehensive overview of the field.
2. The use of external reviewers before the release of the final reports. I was called to do an independent evaluation of the report on Climate Change since I have been working as crowdsourcing consultant for the World Bank in the Pilot Project for Climate Change and Resilience in Zambia. The bank has decided to use the reviewer not at the end of the process but in the middle, which, which all its limitations, is a very smart approach. For three days the consultants had the possibility to discuss with both the partners and the external reviewers and experts in the field about their work, and to gather feedbacks, comments and suggestions on how to move forward.
3. The use of social media to gather feedback on the report and the integration with blogs and multimedia. The eTransform website is definitely not the classical World Bank or AfDB website: twitter feeds, blogs and comment sections allow anyone, with any means, to participate in the process and everything is open and displayed in the website as it comes through. As the reports are on the use of ICTs in Africa, this approach underlines a deep understanding of the background necessary to make those reports a serious benchmark in the WB and AfDB approach to ICTs, not only in words but also with facts.

But what do those reports means in practical terms? And why are they important?

In the past year I have been working on application of ICTs for different organizations, from small NGOs to big international organizations, and what I noticed is that the main problems on ICT4D come from the policy makers side more than from the practical implementation. Where the overall background relative to regulations, infrastructures and policies is not there to allow a broader use and implementation of ICTs, e sub-category of cheap and low cost solutions are developed and created on the ground by local organizations and groups to use and apply ICTs in the present constraints.  At the local level I would say there is more understanding of the necessary use of those tools and of their possible applications. What is missing is the high level understanding of what this means and how this affect governance and national policies.

In this regard there is a missing study in the eTransform project, which is the one that goes deeper in analyzing the impact on governance: what ICT is doing in terms of political impact on balance of powers in African countries?  – Granted, both the World bank and the AfDB are probably not the right body to conduct a study on this topic -.

What I hope is that from those studies, policy makers around Africa will have a better understanding of the necessary actions to move forward in the definition of effective policies that can, if implemented, give to their own countries a better chance to take advantage of ICTs applications.

After those 3 days of discussions, I came out with a list of issue that according to me are the main important to keep in mind in any of the fields analyzed in the reports:

1. The importance to look for locally created and implemented technologies that are born from local needs and developed inside the local existing national conditions.
2. The pivotal importance of a political will to lower barriers in the market for the commercialization of mobile technology, satellite technology, Internet and general ICT infrastructure.
3. The need for Africa Countries to look more at their neighbors than at the Western World in terms of possible application of ICTs
4. The importance in all of this of the educational and research component, which can alone increase the market, the interest, the availability and the use of ICTs.
5. The incredible important to look at the unexpected effects of the application of technology in Africa (as in all the rest of the world). ICT4D is not just about technology or about development; it is also about politics, social behaviors, sociological equilibrium, anthropology and communities.

I urge everyone that is interested in any of the topic mentioned above to visit the eTransform website and add their comments on the reports. Since it is the first time that this kind of process is being conduct in such an open way (according to my knowledge, but happy to know if there are other cases), I think it is important to participate and to contribute to the drafting or useful recommendations for  policymakers in Africa.