The news that a platform used by at least 11 major operational NGOs and UN agencies may be relatively easy to breach, potentially exposing the personal, location, and demographic data of tens of thousands of highly vulnerable people, is deeply disturbing but not surprising. The real scandal here is not that these vulnerabilities reportedly exist, but that there is still no intentional, comprehensive agenda or political will to decisively address the root causes of this incident and limit the possible fallout.
Reports last month, from Devex and IRIN, that Red Rose’s beneficiary data tracking platform may have serious security vulnerabilities should be a wake-up call to the entire humanitarian sector. According to the reports, Mautinoa Technologies, a competitor of Red Rose, was able to enter a cloud-based server of Catholic Relief Services and access names, photographs, family details, PIN numbers, and map coordinates for more than 8,000 families receiving assistance from the NGO in West Africa. In a statement, Red Rose told the news agencies the access was only possible due to a password management error, and that its systems were secure and robust. Mautinoa said there were further “fundamental” weaknesses in security and encryption in the system.
The danger this type of breach could represent for crisis-affected and vulnerable populations cannot be overstated. The humanitarian community must not press the “snooze button” on the alarms that are likely now ringing in agency headquarters and country offices around the world following these allegations. Rather than circling the wagons, humanitarian leaders need to address the growing threat posed by potential catastrophic data breaches head on.
The weaponisation of humanitarian data to aid attacks on vulnerable populations may already be happening
Critical incidents – such as breaches of platforms and networks, weaponisation of humanitarian data to aid attacks on vulnerable populations, and exploitation of humanitarian systems against responders and beneficiaries – may already be occurring and causing grievous harm without public accountability.
The alleged Red Rose vulnerabilities are simply one reminder of the long-standing absence of commonly agreed and enforced technical, ethical, and regulatory standards for treating sensitive beneficiary data in digital systems in the humanitarian sector. The more traditional technical domains of humanitarian action, such as nutritional assistance, shelter provision, and water, hygiene, and sanitation activities are covered by the broadly agreed “Sphere” minimum standards, which act as industry benchmarks. But, so far, there are no standards or commonly agreed guidelines for how humanitarians should ethically and safely be custodians of digital data.
Instead, there are a plethora of individual policies, codes of conduct, and statements of intent across the humanitarian community. The draft revision of the Sphere handbook currently includes language broadly calling attention to data security and privacy as a protection issue but does not tackle specifics, such as external certification and auditing, training, and jurisdictional issues. The result is a fractured landscape of voluntary policies that look good on paper but lack broader doctrinal agreement and means for enforcement.
The sector’s collective failure to adequately regulate and professionalise humanitarian information activities is both morally untenable and operationally unsustainable. Continued inaction may soon undermine trust between humanitarian agencies and the people they seek to serve, eroding the meaning and value of the core humanitarian principles of humanity, impartiality, independence, and neutrality.
The Red Rose report is terrifying not only because these backdoor pathways for accessing sensitive data may exist, but because we have clear evidence that a constellation of state and non-state hostile actors are actively attempting to exploit them on an regular basis. A 2017 article by Carleen Maitland and Rakesh Bharania reported that one regional WiFi network for displaced population camps in Greece faced up to 80,000 “hostile events” by largely unknown entities against the system per week.
What makes the Red Rose incident unique is not that a breach was possible, but simply that it was publicly reported. The fact of the matter is that critical failures and breaches of information systems are an open secret in our sector. However, hard evidence of these vulnerabilities and their real world impacts is scant and difficult to capture due to fears by individuals and organisations of the financial and reputational repercussions of publicly documenting them.
In an era where humanitarians are increasingly reliant on potentially vulnerable digital data platforms to do their jobs in conflict zones and disaster areas, there needs to be an independent body with the authority to collect and responsibly report on critical incidents like the Red Rose breach. At present, no such body exists.
"Morally untenable and operationally unsustainable"
Continuing to accept this status quo is antithetical to the values of all humanitarians and shirks the duty of care incumbent upon us to address threats to the human rights and human security of affected populations. As senior humanitarian leaders prepare to convene at United Nations Headquarters in New York next week for the emergency aid coordination body OCHA’s Global Humanitarian Policy Forum, the issue of data protection and security must now top the community’s agenda.
Creating an independent ombudsman for investigating alleged critical incidents, such as the alleged Red Rose vulnerability, would represent a critical and welcome first step.