Unfortunately, that assumption doesn’t fly far with the BIS according to the BIS folks I’ve spoken to. There is a certain amount of understanding shown for aid agencies but that does not mitigate the need for those agencies to practice due diligence. I would bet that their procurement teams are still running their product (EIN) numbers through some sort of screen like eCustoms. In any event the Sudan exemption that was granted a few years back makes it less of a hassle to export to the country.

When I worked in South Sudan where ‘go bags’ were the norm we had a set of emergency close down protocols that took all of 30 seconds. Your day to day activities always included steps that insured you could immediately adhere to those protocols with only a moment’s notice. Unfortunately, I’ve seen plenty of folks that don’t run a tight ship and that get jammed for it.

Encryption is good but ensuring that it doesn’t violate donor country laws, host country laws and is properly implemented could prove a monstrous task, especially that last one. Better to just to drag your laptop and thumb drive with you.

I’m working on the assumption (supported by anecdotal reports) that the Sudanese government has been using this opportunity to have a good shuffle through the offices of those NGOs that have been expelled. I’m sure that our lists of community leaders could come in very useful to them, for example.

Unfortunately even the partners are subject to US jurisdiction as far as the US is concerned. A lot of in-house counsel spend their hours whittling these regs into pill shaped forms so that Ops can even take a shot at digesting them. And as far as the money is concerned there is a whole other branch of gov’t that tracks the transactions.

Security is always an issue in every site so it’s best to operate with the mindset that everything will eventually be seized. Besides, I am not sure what we could tell them that they don’t already know. Often times we’re playing catch up.

What am I missing? Whose data was seized in Darfur and what was the outcome?

As you know, I am for radical transparency in the humanitarian sector except where beneficiary, staff and partner privacy and security is concerned. Given the attitude of the Sudanese government towards those three groups, I think pretty much anything on the books falls into that category?

GnuPGP should fall under the ‘publicly disseminated’ category which leaves it lightly regulated. These regulations are one reason I pushed Ubuntu as an alternative. I know some agencies have spent a lot of time figuring out which hardware and software systems are the best fit for each country.

While I am all for encryption it tends to breed suspicion and can even draw the attention of individuals that were previously not interested in your gear. Better to run things in the clear whenever possible.

We’re thinking right along the same lines because before I read your article, I posted a similar piece on the HFP Blog, here.

Although I soft-spun the problem in my post, presented more as a news update with an intriguing question, I think you’re assessment of “criminal negligence” is well said.

It’s only a matter of time until we see a Russia or a Pakistan completely wipe out the address books, contact lists, and documents of a major aid organisation, with crippling effect.

I wonder what the flash appeal for that would look like?