Data security in humanitarian action
If the essence of war is speed, knowledge of sensitive information about the enemy can make the difference. Even if this means cracking and stealing data held by neutral organisations. How does the Red Cross protect its own data?
In forensic science, Locard’s principle argues that ‘every contact leaves a trace’. The same applies to every piece of data on the web: SMS, messaging apps, cash-transfer programmes and social-media metadata generate a constant flow of highly traceable information, raising justified concerns about data confidentiality. This exposure is all the more perilous for organisations such as the International Committee of the Red Cross (ICRC), which operate first-hand on the battleground to carry out effective humanitarian action. The ICRC offers assistance to people on all sides of a conflict. As stated by its current President Peter Maurer, ‘the only criterion is need and need alone’. Consequently, the Committee owns and transfers highly sensitive data: a prize catch for unscrupulous governments, groups and intelligence agencies. Even a single unauthorised external access to such information can drastically undermine the reliability of the ICRC as a neutral and impartial organisation. How does the Committee address this challenge? Let’s take a look at its strategies.
In the last couple of years, the ICRC has relentlessly increased its efforts to ensure a higher level of data protection from third parties. In 2017, it produced a specific report on ‘Humanitarian Futures for Messaging Apps’, promptly followed by a comprehensive ‘Handbook on Data Protection in Humanitarian Action’. In 2018, the Committee focused on the protection of sensitive data arising from cash-transfer programmes in the context of armed conflict (see: https://www.icrc.org/en/publication/cash-transfer-programming-armed-conflict-icrcs). These publications have raised awareness of the multiple risks linking data management and communication technologies. And once clear standards had been established, real change followed.
One concrete example of the ICRC’s current approach to data security is its new ‘Policy on the Processing of Biometric Data’, adopted in August 2019. This document introduced innovative breakthroughs concerning the responsible use of biometric fingerprint systems, widely employed by the Committee for aid distribution and family-link programmes. In short: to avoid misuse of such crucial data, the Committee developed a global framework of targeted technical and legal safeguards. One cornerstone, for example, is the requirement of a detailed ‘Data Protection Impact Assessment’ prior to any use of the collected information. But can we really say that what has been done is enough?
Many questions remain unanswered. For example, how can the still widespread skills gap among ICRC staff with regard to training in digital risks be overcome? The relevance of the abovementioned latest developments should not be underestimated. But now, let’s take another step forward: why doesn’t the Committee create a permanent tech-focused internal department, as a stable tool for humanitarian action? Such an innovative data-security strategy would strengthen its protection from cyber operations and other threats in the digital age, preventing their potential human cost. Just imagine how helpful this could be. But for the moment, although the direction is clear, such developments remain to be seen.