Why the Rights Are Needed
A need for clarity and specificity about the status of information and HIAs as a basic humanitarian need, including protections afforded these activities compared to other, traditionally accepted forms of humanitarian assistance.
A need for humanitarian actors and crisis-affected populations to have guidance about what rights crisis-affected populations have to protection from harm related to the use of ICTs and data; rights to data privacy and security; and rights to agency over how their data is used.
A need for enshrinement of the rights of crisis-affected populations to receive remedy and accountability for violations of these rights.
The Right to Information
The Need for the Right to Information
The generation, transmission, provision, and receipt of information during crisis have always been an essential component of crisis response by affected populations and humanitarian actors.75 The NGO, Article 19: The Global Campaign for Free Expression identifies some of the critical roles that information can play in the aftermath of a crisis. These include: the mitigation of the loss of life; reducing panic; directing people to essential services; ensuring two-way communication between assistance providers and affected communities; and other vital response functions.76
With the advent of the networked age, however, the role that ICTs and information itself plays in the response of affected communities and humanitarian actors to crises has become even more central and crucial. ICTs and the collection and analysis of data are increasingly central to how humanitarian actors determine need and manage responses, as well as to how affected communities access essential services.
Affected populations have begun to identify the enhanced access to information enabled by internet connectivity, smartphones, and other ICTs and infrastructure as a primary humanitarian need that is, in some cases, more important to them than access to traditional forms of assistance, such as food, water, and shelter.77 The phenomena of ICTs and near real-time data updates being perceived by affected populations as necessary prerequisites for accessing services is a significant turning point in the history of humanitarian assistance.
There appears to be a potential relationship between the resiliency of populations and their access to telecommunications and social media. A July 2016 BBC Media Action study of refugees in Greece and Germany found the following:
“The analysis shows that refugees who stay in regular contact with other refugees and who have wide communication networks of family members and friends (via mobile networks and social networking sites such as Facebook and WhatsApp) were likely to be more resilient than those who were less connected.”78
A 2014 Humanitarian Innovation Project (HiP) study titled Refugee Economies found that refugees who use technology in their daily lives identified mobile technology and the internet as important for their economic well-being. Mobile technology enabled the creation of supply chains, provided refugees with pricing information, and enabled the easy transfer of money. In some professions, such as agriculture, refugees cited mobile technology as critical to facilitate and sustain trade networks.79
The relationships between access to ICTs, social media platforms, network infrastructure, and HIAs and the human security, well-being, and survivability of crisis-affected populations have only just begun to be studied. Regardless, the anecdotal evidence available suggests that these little understood relationships between information access and crisis-affected populations are profoundly transforming the very nature of how crises unfold in the 21st century—both positively and negatively.
Relatedly, the Tampere Convention on the Provision of Telecommunication Resources for Disaster Mitigation and Relief Operations acknowledges the essential role ICTs play in potentially reducing the vulnerability of populations to crises.80 As a whole, however, international treaties and law have not fully kept pace with these changes and remains relatively vague about the role of information in crises, as well as how and when information activities and communications infrastructure are protected.
These major gaps in current International Humanitarian Law (IHL) have critical implications that have not yet sufficiently addressed. The most important example of these gaps is the current language of the Geneva Convention regarding the rights of protected populations to request humanitarian assistance.
The Fourth Geneva Convention, Article 30 states that,
“Protected persons shall have every facility for making application to the Protecting Powers, the International Committee of the Red Cross, the National Red Cross (Red Crescent, Red Lion and Sun) Society of the country where they may be, as well as to any organization that might assist them.”81
This language may be interpreted as the right of crisis-affected populations to call for help by any means necessary, including, in the 21st century, the use of ICTs.
However, this language only applies in international conflicts, as Ruth Abril Stoffels notes. She identifies, in her commentary for the International Committee of the Red Cross on Legal regulation of humanitarian assistance in armed conflict: Achievements and gaps, the clearly unmet legal need and operational realities that limit the value of Article 30 in this regard:
“In the case of international conflicts the entitlement to request aid from third parties is established in Article 30 of the Fourth Geneva Convention. In the case of internal conflicts, however, there is no provision referring either directly or indirectly to such an entitlement. This right therefore needs to be expressly enshrined in law or its effectiveness will not be guaranteed in cases in which the international community fails to take spontaneous action, the authorities responsible for the victims do not disclose the situation to the outside world and the media do not have access to the affected area and are unable to sound the alarm.”82
At present, this is the only language in current IHL that appears to specify a right to populations to request humanitarian assistance. Additionally, information in the context of emergencies and disasters has traditionally been treated within the context of freedom of speech, rather than as a humanitarian resource necessary for the sustainment of life unto itself. With the advent and proliferation of ICTs, communications infrastructure and the means to access it require intentional protection equal to other traditionally protected physical humanitarian resources, such as food, water, shelter, and medical treatment.
Thus, the explicit recognition of a right to information during crises—including both the right to request assistance regardless of the nature of the crisis and IHL protection for relevant communications infrastructure and activities—is now required. While the Additional Protocol I to the Geneva Convention Relative to the Protection of Civilian Persons in Time of War (Fourth Geneva Convention) provides for the protection of objects indispensable to the survival of the civilian population,83 the interconnectedness of civilian, military, and armed non-state actor communication networks is a feature of modern telecommunications, thus creating ambiguity as to what constitutes a legitimate target under the Additional Protocol.84 This constitutes a gap in existing IHL, and the articulation and codification of a specific right to information during crises will also necessitate the development of prohibitions under IHL for what constitutes violations of this right, including intentional obstruction of and attacks upon, HIAs and infrastructure.
This right, in effect, also acknowledges the existence of “humanitarian cyberspace.” However, there is no current agreement on what constitutes “humanitarian space,”85,86 let alone humanitarian cyberspace. Humanitarian cyberspace is a differentiated zone that likely includes servers, sensors, telecommunications networks, and mobile devices employed for humanitarian purposes and subject to humanitarian protections wherein aid organizations and their personnel are recognized as not being legitimate targets.87 Humanitarian cyberspace encompasses the people connected to its functions as directly related to its secure and consistent operation and use.
This concept builds on the well-established but poorly defined analog concept of “humanitarian space.”88 The right to information during crises requires clearer delineation and codification, including descriptions of what infrastructure is used by which actors, and in what contexts may actually constitute humanitarian cyberspace.
The Right to Protection from Harm
The Need for the Right to Protection
The use of ICTs and digital data in humanitarian response has grown considerably over the past decade. There is an emerging understanding of the potential harm that these technologies and the related HIAs that employ them may cause in certain operational contexts.89 In some limited cases, specific harmful impacts of ICTs have been documented as a result of deployments by civil society actors.90,91
Some efforts have been made to begin capturing best practices relevant to ICT use in HIAs during past humanitarian responses.92 Despite the growing awareness of the unique threats to vulnerable populations that these approaches may cause or magnify, there is no accepted ethical doctrine or minimum technical standard for their mitigation and prevention.93
In many cases, the ethical and operational guidance employed is not current with either changes to the technological state-of-the-art, as well as to the technological adaptations of humanitarian actors, affected populations, and alleged human rights abusers. There are many understandable reasons that this “blind spot” in current humanitarian practice has occurred.
Chief amongst these reasons is the absence of an intentionally and explicitly articulated right for affected populations to be protected from harm related to HIAs. Relatedly, this right must be articulated to specifically create a corresponding obligation for humanitarian actors to prevent and mitigate the potential harm. Realization of this right depends on this critical gap in current practice being urgently addressed. The identification and articulation of a right to protection from harm related to HIA’s is the first step.
The Right to Data Privacy
The Need for the Right to Data Privacy
Humanitarian action is primarily an information-driven practice. From needs assessments to logistics, assistance and response is predicated at every stage by information collection and sharing. Crises, by their very nature, necessitate the sharing of sensitive and confidential personal information by individuals—information that would otherwise remain private.94
Privacy, by its nature, is a complex and at times nebulous concept. In its breadth, it encompasses a broad range of allied interests. These can include compromised physical security, financial and property harms, reputational harms, relationship and contractual harms, emotional and psychological distress, and vulnerability to future harms. It can cover personal identity, family life, the home, and correspondence, which has come to mean all forms of communication.95 In the networked age, potential violations of a data subject’s right to privacy arise from a number of activities, each of which encompass a range of potential harms. These activities include (but are not limited to): the collection, processing, and dissemination of data and metadata, and direct privacy invasions.96 Philosophical and legal conceptualizations of privacy have evolved throughout the 19th and 20th centuries, and continue to do so. Data protection laws have arisen specifically in response to the pressures of new technologies on older conceptions of privacy97 and broad conceptualizations of privacy are an important tool for both understanding the impact of technology on affected populations and individuals and serve as a reminder that the impact of future technology on privacy is unclear and thus as a concept must be constantly reassessed.
The adoption of ICTs to manage this information may increase the speed and efficiency by which information can be collected and shared, but this adoption also increases the volume of sensitive information collected, as well as the potential number of avenues by which a malicious party might gain access to these data. Thus, the use of ICTs creates additional burdens and challenges with regards to protecting individual privacy in the context of humanitarian crises, during which pre-existing risks are magnified considerably.
Photo: Drone surveillance helps search and rescue in Nepal
A member of “Serve On” holds up a flying drone – used to help identify areas that are worst-hit by the earthquake in Nepal. The group joined up with the UK’s International Search and Rescue (UKISAR) team around the area of Chautara.
Background | On 25 April, a magnitude 7.8 earthquake struck the country, killing more than 5000 people, and injuring thousands more. The UK responded to Nepal’s request for international help, sending search and rescue teams, emergency medics and logistical support. Find out more at: www.gov.uk/nepal-earthquake-2015
Credit: Jessica Lea/DFID
One of these new challenges is the aggregation effect, also known as the “data mosaic effect.” This phenomenon occurs when certain data that might not appear to be sensitive are combined with additional data that makes the impact on an individual’s privacy potentially dangerous and unpredictable.98
Thus, individuals have a limited ability to predict what impact seemingly trivial data they share might have when aggregated with other data in the future. In addition to complicating the ability of individuals to provide informed consent, this phenomenon becomes even more complex during crises when individuals may prioritize privacy, as well as their willingness to share information, differently.99
The risks posed by the aggregation effect increasingly, critically, and uniquely impact the humanitarian sector. Data products resulting from the derivation and aggregation of individual data with one or more additional stream(s) of data from other sources are increasingly commonplace during response operations.
In the context of humanitarian response, the resulting risks are no longer limited to only the exposure of PII, but also the creation and exposure of DII. Raymond describes the challenges inherent in the creation and management of DII as follows:
“…DII can result from the transformation of seemingly disparate, unrelated data sets into an amalgamated data product that can be easily ‘weaponized’ into a means for doing harm. The potential harm of DII is often most apparent, if not entirely, to the perpetrator of potential harm, rather than to the holder of one or all of the pieces of a potentially actionable mosaic of DII. Whereas PII’s potential harm comes from when it is leaked or breached, DII’s harm, and thus its ethical implications, often emanates from simply whether the possibility exists that it can be even created. This reality makes the overall ethical imperative to understand, manage, and protect potential sources of DII as important, if not more so in some cases, than those commensurate with holding only one source of PII.”100
Data privacy and ensuring protection from harm, including the provision of data security, are therefore fundamentally linked—and neither can be realized without the other. Data security is an intrinsic part of protecting data privacy, regardless of the type of data being utilized.
The number of data records leaked, stolen, or accidentally exposed to the public numbers numbered over half a billion in the first six months of 2016, with the majority constituting personal information.101 The right to data privacy and security explicitly enshrines the moral and existing legal obligation of humanitarian actors to implement appropriate security practices to safeguard sensitive data from unauthorized access, alteration, and destruction.
The Right to Data Agency
The Need for the Right to Data Agency
The articulation of the right to data agency enshrines extant protections in international law against non-consensual human experimentation and to ensure the dignity of crisis-affected populations as mandated by core humanitarian principles. Article 3 of the UDHR can be read as inherently providing a right for data agency and protection from non-consensual experimentation as an inherent aspect of realizing the right to liberty and security of person,102 while Article 7 of the ICCPR explicitly provides this right.
Fulfilling the humanitarian imperative compels the collection and use of PII and DII in crises. However, that requirement to collect and use PII and DII data to support response operations must be balanced with the humanitarian principle of humanity, which requires ensuring respect for the individual. The right to data agency exists at the intersection of the need for humanitarians to access data from individuals and the right of individuals to have their autonomy respected when this data is collected and used.
The right to data agency is of particular importance in the context of the often widely held assumption that data collection and use is, itself, inherently beneficial. In the recent Ebola outbreak, international humanitarian actors accessed call detail records (CDRs) to model predictions of the epidemic and to conduct contact tracing.
Critically, the potential harms of acquiring and using CDRs, which contain PII, were deemed insignificant in the face of the potential benefits humanitarian actors aimed to achieve with the data. Sean McDonald’s Ebola, A Big Data Disaster—provides an account of the unmitigated risks and apparent violations of human rights resulting from this experimental use of PII. To date, no clear benefit of this operation has been demonstrated.103
Similarly, DII was collected and transmitted to alleged perpetrators of gross human rights abuses as part of the 2007 “Eyes on Darfur” intervention conducted by Amnesty International. The creation and transmission of DII was to the apparent detriment of the human security of the civilians the intervention was intended to protect. In an analysis of the intervention, Grant Gordon found that the collection of satellite imagery and the public release of metadata about villages being monitored resulted in a 20-percentage point increase in the number of attacks on those villages.104
In the above case studies, the populations affected by crises were not included in decisions about the collection and use of their data (PII) or data relevant to their human security (DII). Until now, there has been no clear codification of the right to data agency. Evidence of the potential harm of HIAs presented above demonstrates the urgent necessity of the explication of the right to data agency.
The harm caused by the current practice of collecting and using information without informed consent, or at a minimum, notification, underscores the current relevance of the right to data agency. Populations affected by crises have the right to provide informed consent to the collection and use of their PII for experimental HIAs and to receive protection from non-consensual experimentation. Populations affected by crises also have the right to be afforded notification regarding the collection and use of their DII, whenever possible.
Furthermore, the realization of the right to data agency is necessary for the inclusion of affected populations in decision-making about humanitarian responses that affect them. The right to data agency positions affected populations at the center of the humanitarian response, and is therefore fundamental to enfranchising affected populations, consistent with the Core Humanitarian Standard.105
The Right to Redress and Rectification
The Need for the Right to Redress and Rectification
The right to redress is rooted in pragmatic need and human rights principles: humanitarians will inevitably make both foreseen and unforeseen errors in the realm of data, and must establish clear methods of addressing these errors. Crisis-affected population have the right to receive redress for these errors, which may include the rectification of inaccurate data, the deletion of data that cannot be rectified, and reparations for damage that is caused by erroneous data.
In the EU context, these rights are directly linked to an individual’s right to access data106 that has been collected about them, as enumerated in Article 8 of the European Charter of Fundamental Rights. These rights are also linked to the “data quality” principle,107 a common (albeit unclearly defined) concept that links many different national privacy laws.
The right to redress acknowledges the increasing reach and import of personal data. This information touches on many important aspects of an individual’s life, including the workplace and the educational, health, and judicial systems. This wide reach means that data that is incomplete, inaccurate, or collected in both lawful and illegal fashions can cause demonstrable harm to individuals and to groups. This reality therefore obliges the humanitarian community to actively address this source of harm: it obliges them to “set right” errors.
The right pertains to both potential harm and to harm that has already taken place. As part of the right to redress, individuals hold a right to rectify incorrect or incomplete data about them, with the goal of avoiding future harm. If they have been harmed by actions humanitarians take on the basis of incorrect or incomplete data, or data gathered illegally or in violation of their right to data agency, they have the right to receive redress in the appropriate form.
The right to redress, as described in the EU context and in this document, ensures that errors on the part of the party who collects and harbors the data are not ignored or addressed in a minimal or haphazard fashion. It gives individuals a clear path to correcting the record, and in some cases, a clear path to recovering financial damages for the harms suffered.
Algorithmic research and assessment methods deserve particular scrutiny on the basis of this right, as they are often built on incomplete, prejudiced, or otherwise biased data. These data can potentially entrench errors and compound harm if they are not accurate. Individuals are entitled to redress if they are harmed by algorithmic methods based on inaccurate or incomplete prior information.
75. Chris McIvor, “Data or Dialogue? The Role of Information in Disasters,” in World Disasters Report 2005 (International Federation of the Red Cross and Red Crescent Societies, 2005), http://www.ifrc.org/en/publications-and-reports/world-disasters-report/wdr2005/wdr-2005—chapter-1-data-or-dialogue-the-role-of-information-in-disasters/.
76. Article XIX: Global Campaign for Free Expression, “Humanitarian Disasters and Information Rights: Legal and Ethical Standards on Freedom of Expression in the Context of Disaster Response,” no. April (April 2005), http://article19.org/data/files/pdfs/publications/freedom-of-information-humanitarian-disasters.pdf.
77. Matthew Brunwasser, “A 21st-Century Migrant’s Essentials: Food, Shelter, Smartphone,” The New York Times, August 25, 2015, http://www.nytimes.com/2015/08/26/world/europe/a-21st-century-migrants-checklist-water-shelter-smartphone.html?_r=0.
78. Theodora Hannides et al., “Voices of Refugees: Information and Communication Needs of Refugees in Greece and Germany,” 2016, http://www.bbc.co.uk/mediaaction/publications-and-resources/research/reports/voices-of-refugees.
79. Alexander Betts et al., “Refugee Economies: Rethinking Popular Assumptions” (Oxford, 2014), 33, http://www.rsc.ox.ac.uk/files/publications/other/refugee-economies-2014.pdf.
80. United Nations, “Tampere Convention on the Provision of Telecommunication Resources for Disaster Mitigation and Relief Operation,” Treaty Series 2296, no. 40906 (January 8, 2005): 5, https://treaties.un.org/pages/ViewDetails.aspx?src=TREATY&mtdsg_no=XXV-4&chapter=25.
81. International Committee of the Red Cross, “Geneva Convention Relative to the Protection of Civilian Persons in Time of War (Fourth Geneva Convention).”
82. Stoffels, “Legal Regulation of Humanitarian Assistance in Armed Conflict: Achievements and Gaps.
83. International Committee of the Red Cross, “Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts (Protocol I),” United Nations Treaty Series 1125, no. 17512 (1978): 3–608, https://ihl-databases.icrc.org/ihl.nsf/WebART/470-750004.
84. Robin Geiss, “Cyber Warfare: Implications for Non-International Armed Conflicts,” International Law Studies 89 (2013): 639.
85. Nathaniel Raymond, Britney Card, and Ziad Al-Achkar, “What Is ‘Humanitarian Communication’? Towards Standard Definitions and Protections for the Humanitarian Use of ICTs,” European Interagency Security Forum, no. August (2015): 1–5, https://www.eisf.eu/wp-content/uploads/2015/10/2041-EISF-2015-What-is-humanitarian-communication.pdf.
86. Johanna G. Wagner, “An IHL/ICRC Perspective on Humanitarian Space,” Humanitarian Exchange (London, December 2005), 24–26, http://odihpn.org/wp-content/uploads/2006/01/humanitarianexchange032.pdf.
87. Daniel Gilman and Leith Baker, “Humanitarianism in the Age of Cyber-Warfare: Towards the Principled and Humanitarian Emergencies,” UN Office for the Coordination of Humanitarian Affairs Policy and Studies Series, no. 11 (October 2014), https://www.unocha.org/sites/unocha/files/Humanitarianism%20in%20the%20Cyberwarfare%20Age%20-%20OCHA%20Policy%20Paper%2011.pdf.
88. Overseas Development Institute, “Humanitarian Space: Concept, Definitions and Uses Meeting Summary Humanitarian Policy Group,” in Roundtable, 2010, 1–7, https://www.odi.org/events/2655-humanitarian-space-concepts-definitions-uses.
89. Rahel Dette, “Do No Digital Harm: Mitigating Technology Risks in Humanitarian Contexts,” 2015, 2.
90. Ibid., 15.
91. Sean Martin McDonald, “Ebola: A Big Data Disaster – Privacy, Property, and the Law of Disaster Experimentation,” The Centre for Internet and Society, no. 2016.01 (March 1, 2016), http://cis-india.org/papers/ebola-a-big-data-disaster.
92. George Chamales and Rob Baker, “Securing Crisis Maps in Conflict Zones,” in 2011 IEEE Global Humanitarian Technology Conference (IEEE, 2011), 426–30, https://doi.org/10.1109/GHTC.2011.47.
93. Nathaniel Raymond, Caitlin Howarth, and Jonathan Hutson, “Crisis Mapping Needs an Ethical Compass,” Global Brief, February 2012, http://globalbrief.ca/blog/2012/02/06/crisis-mapping-needs-an-ethical-compass/.
94. Gilman and Baker, “Humanitarianism in the Age of Cyber-Warfare: Towards the Principled and Humanitarian Emergencies.”
95. Anthony Paul Lester, David Pannick, and J.W. Herberg, eds., Human Rights Law and Practice, Third (London: LexisNexis, 2009), 359.
96. Daniel J. Solove, Understanding Privacy (Cambridge: Harvard University Press, 2010), 103–4.
97. Organization for Economic Cooperation and Development, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” 42.
98. Daniel J. Solove, “Privacy Self-Management and the Consent Dilemma,” Harvard Law Review 126, no. 7 (2013): 1880–1903.
99. Kate Crawford and Megan Finn, “The Limits of Crisis Data: Analytical and Ethical Challenges of Using Social and Mobile Data to Understand Disasters,” GeoJournal 80, no. 4 (August 1, 2015): 491–502, https://doi.org/10.1007/s10708-014-9597-z.
100. Raymond, “Beyond ‘Do No Harm’ and Individual Consent: Reckoning with the Emerging Ethical Challenges of Civil Society’s Use of Data.”
101. Gemalto, “Data Breach Statistics 2016: First Half Results Are in,” 2016, http://blog.gemalto.com/security/2016/09/20/data-breach-statistics-2016-first-half-results/.
102. United Nations General Assembly, “Universal Declaration of Human Rights.”
103. McDonald, “Ebola: A Big Data Disaster – Privacy, Property, and the Law of Disaster Experimentation.”
104. Grant Gordon, “Monitoring Conflict to Reduce Violence: Evidence from a Satellite Intervention in Darfur,” March 3, 2016, http://www.grantmgordon.com/wordpress/wp-content/uploads/2010/06/GG-EoD.pdf.
105. CHS Alliance, Groupe URD, and The Sphere Project, Core Humanitarian Standard: Core Humanitarian Standard on Quality and Accountability.
106. European Data Protection Supervisor, “Guidelines on the Rights of Individuals with Regard to the Processing of Personal Data,” February 25, 2014, https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Guidelines/14-02-25_GL_DS_rights_EN.pdf.
107. Jay Cline, “Data Quality — the Forgotten Privacy Principle,” ComputerWorld, September 2007, http://www.computerworld.com/article/2541015/security0/data-quality—-the-forgotten-privacy-principle.html.