Thursday, March 13, 2014

Human Rights and the Duty to Protect Sensitive Data

Co-authored with Enrique Piracés, Benetech VP, Human Rights.

Consider this: when you visit your doctor about a medical issue in the United States, you can be reasonably confident that it won't shortly be on the front page of the local newspaper. Privacy protections that ensure your doctor treats your information securely were mandated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Yet, when humanitarian and social justice workers venture into the developing world to gather sensitive information, elementary privacy protections are often neglected.

Don't victims of human rights abuse, refugees, LGBT individuals, and survivors of gender-based violence deserve the same kind of respect for their sensitive information as you expect when you visit a clinic?

Unfortunately, there is no HIPAA equivalent for international human rights and humanitarian information. And this creates serious personal threats in an era where numerous organizations around the world collect individually identifiable data that regularly leaks into other hands.

[Photo: Jim Fruchterman moderating a discussion. Caption: I moderated one of the discussion panels at the human rights conference RightsCon Silicon Valley, March 3, 2014.]

Such confidential information can easily become compromised with the loss, theft, or confiscation of a smartphone or a computer. We now understand that corporate collection and government interception of sensitive information is the norm, not the exception. In the absence of standards that protect that information, the lives of suffering people—victims, witnesses, and the defenders who collect their stories—are all too often put in harm's way.

The summer of Snowden and revelations about the NSA have brought the public and private debate about digital privacy into the mainstream. But it is clear that privacy protections have not kept pace with technological development. In his January 17, 2014 speech on NSA reforms, President Obama stated: "As the nation that developed the Internet, the world expects us to ensure that the digital revolution works as a tool for individual empowerment, not government control."

At Benetech—a nonprofit technology company that develops innovative and effective applications for unmet social needs—we embrace the notion of individual empowerment every day in our work. We know that surveillance is a common strategy to monitor and repress the efforts of many social justice groups and often leads to harm for those who document and expose human rights abuses.

To make strong security accessible to the community involved in human rights documentation, we developed Martus—a free, open source, secure tool for collecting and managing sensitive information.

There's a lot at stake when it comes to protecting data during collection, especially when the information is about subjects who are or could be at risk. We believe that groups involved in collecting identifiable information that might endanger the lives of people who are or could become victims of human rights abuse have the responsibility to protect that information.

That's why Martus offers end-to-end encryption. This means that the user's data is encrypted locally on his/her computer and only the encrypted data is stored on the computer's hard drive or communicated over networks. The keys to unlock the encrypted data should be kept securely by the user, and not shared with third parties who can be hacked or forced to give up the keys to repressive governments.

Take, for example, a Lesbian, Gay, Bisexual and Transgender (LGBT) rights-focused organization with which we work. They are based in a country where the LGBT community faces a hostile social climate and state-sanctioned harassment. Their offices were raided and police confiscated their computers—including part of their membership list that was insecurely stored—and then used that information to harass members in their homes, in some cases outing them to their families and forcing some to go into hiding.

This is but one incident. Unfortunately, there are many other stories of abuse and violation.

For instance, we know that it is not only current defenders and activists who could be at risk. Collection and archival of digital information are expected tasks for most relief and research efforts, but rarely do such efforts consider the security and safety of data over time. This could be particularly harmful for people who have no other option but to provide data. Think of refugee acceptance at the border of any conflict zone: today's refugee could be tomorrow's targeted person based on ethnicity or political affiliation. Or think of sexual violence in an Internally Displaced Population camp. If you are identified as a rape survivor in many parts of the world, you are likely to experience extreme social stigma.

In the light of the state surveillance leaks and the increasing use of technology to extensively document vulnerable people, we strongly urge all organizations working in the fields of social justice, human rights, humanitarian aid, and journalism to commit to protecting this information with the same level of safeguards that citizens of wealthy countries expect for their own sensitive information. We all have a duty to avoid doing harm, and a duty to protect the most vulnerable communities.

This op-ed was originally published by the Huffington Post.