April 21, 2008

Pretty Vacancies on ReliefWeb

What’s interesting about the ReliefWeb Client Outreach statistics?

Quite a lot. ReliefWeb is the single most important information portal for the humanitarian community, so it’s worth paying attention to how that community uses online services, what sorts of information it values, and so on. It’s also interesting because ReliefWeb went through a huge overhaul a couple of years ago, described in Sebastian Naidoo’s valuable article from the Information Management Journal, “Redesigning the ReliefWeb” - a redesign which I think was more interesting for the process (described by Sebastian) than the final result - but unfortunately there isn’t really any available baseline comparison to judge whether that investment has been worthwhile.

I’d love to promise you that this is going to be really exciting, but it isn’t. All I can give you is an impressionistic take on the stats…

A large proportion of users are coming back at least once a week, if not more often. This is an impressive result which demonstrates how critical ReliefWeb is for the sector. It’s also a tremendous opportunity for ReliefWeb to create a real community around the site, which is something that hasn’t really been explored properly yet. This question is particularly important because the achievement needs to be qualified - the main reason why people visit ReliefWeb is “Job Searching”. This isn’t a surprise to anybody who knows ReliefWeb - the Vacancies section has always been the most popular section of the site - but it remains problematic. How can ReliefWeb use the popularity of the vacancies to direct users towards more interesting and/or useful parts of the site?

It’s very obvious how narrative-driven ReliefWeb users are: the five most valuable types of information are all textual (Situation Reports, Country Background Information, Analysis and Evaluation, News and Assessments). Most of these resources, in my opinion, offer a very low return on investment for the reader - they’re lots of work to plough through, with very little substantive content for most of them. So what about non-narrative information? Maps are sixth in line, most valuable to 9.2% of respondents, and Financial Reports and Appeals are most valuable to a miserable 2.9% of respondents. That’s not a bad % for maps, but are people getting maps from other sources - UNOSAT, MapAction, HICs? It would be useful to know exactly what maps they’re downloading - this would be a very useful stat for ReliefWeb to release.

There are some interesting open questions tucked away at the end of the survey (what technical features would you like, what is the main weakness of the site) but they haven’t been crunched into anything useful. The pop-up box just gives me a long, long, long list of responses, many of which are gibberish. I used to speak gibber, but my language skills are rusty - it may take me some time to get anything useful out of them. A quick glance at the responses demonstrates a sad truth of surveys - never, ever ask an open question, because you’ll only get a useful answer about 30% of the time.

ReliefWeb’s position as the single most important online resource for the humanitarian community isn’t going to be challenged any time soon - but it will be challenged. While it is an effective portal site - breakdowns by country / disaster / theme - I’m not convinced that ReliefWeb is really using its position to shape the way the sector uses online tools, to represent the sector to the outside world, to provide critical operational information in a wide range of formats.

The only way that will change (particularly since ReliefWeb suffers from being trapped inside OCHA) is if enough people lobby OCHA to enable ReliefWeb to be more responsive both to the needs of users - but also to the changing technology available to us. In many ways ReliefWeb reflects the problems facing the UN as a whole, in danger of being overtaken by faster and more flexible organisations. This user survey is a good starting point for ReliefWeb - and it’s especially impressive that they’ve made the entire results of the survey available if you want to see for yourself.

Filed under Humanitarian, Open Source, Security, United Nations, Web by Paul Currion


April 7, 2008

In which I feel insecure about biometrics

As well as the recent problems with public transport schemes, there’s been no small concern about whether biometrics are as secure as our governments tell us. Now The Register tells us that a hacker group in Germany has published the fingerprint of Wolfgang Schäuble, Germany’s interior minister, and promises that this could be used to fool any fingerprint-based identification system. That’s not why I noticed this article - trust me, there are going to be a lot more examples of people demonstrating that ID schemes aren’t going to deliver. What stood out from the article was this quote from Karsten Nohl:

The whole research has always been inspired by showing how insecure biometrics are, especially a biometric that you leave all over the place. It’s basically like leaving the password to your computer everywhere you go without you being able to control it anymore.

“It’s like leaving the password to your computer everywhere you go” - I’m going to have that made into a T-shirt. When cast in those terms, it makes me think dark thoughts about how these sorts of systems might be used to commit fraud against relief distributions, where any system would have to skew towards false positives rather than false negatives. I will try to flush these thoughts out in a longer post soon…

Filed under Databases, Security, Web by Paul Currion


April 2, 2008

UNOSAT makes the best pirate maps

Chris Albon leads us to UNOSAT’s latest and frankly greatest production - a map of Somali pirate activity. Pirates are no laughing matter, but all this map lacks is a big X to show where they buried all the WFP food shipments they’ve been hijacking. I have no idea how this post provides any insight into how technology can support the humanitarian community, but hey - pirates.

Filed under GIS, Remote Sensing, Security, United Nations by Paul Currion


March 25, 2008

Pass the security cube (a.k.a. No Bullets Involved Part 3)

Earlier this week, Paul noted that computer network attacks could have an impact on future relief efforts. In the early days of NATO’s Kosovo air war in 1999, I remember chirpy NATO spokesman Jamie Shea saying that the NATO website was under attack by Serbian hackers. Who knows whether it was true, or just a ruse of some sort, but was it the first government-acknowledged mention of cyber-warfare? There are a few more interesting things to note about that story: the BBC still had an “Internet Correspondent”, reporting on events in that far-off planet of “cyber-space”, and it was filed on 1 April 1999. Hmm …

Anyhow, back to the important business of digital security. I prefer the blander term information assurance because the work we’re discussing has so many angles to consider beyond ICT. To illustrate this, marvel at the McCumber Cube, designed by security guru John McCumber in 1991:

A McCumber Cube

[Graphic courtesy Munawar Hafiz, on Wikipedia]

Handy, eh? This clearly relates geeky technical and operational considerations to the purposes for which information is collected and used in the first place. There’s little point considering how to secure information before defining why it needs securing, which requires a consideration of who might gain/lose from possession of the information.

Likewise, as Kevin over at Patronus rightly pointed out, social engineering – or how an adversary relies on your politeness, habits and generally positive view of humanity to get you to hand over the jewels – is an effective way to break the most technically secure of systems. Commercial organisations have long been using external actors to test how vulnerable they are to theft of information. This penetration testing industry has become commonplace enough in the US to spawn its own reality television show. This service (and perhaps the reality TV show!) could easily be extended to NGO offices, should the need be demonstrated.

I wonder how McCumber’s information assurance model dovetails with common approaches to NGO security, and how current materials – like the ECHO Generic Security Guide - could be updated to take it into account.

Pass the cube around the office and start the discussion.

Filed under Emergency Telecommunications, General, Security by Tom Longley


March 23, 2008

No Bullets Involved Part 2

I promise that this is going to be my last post in what has turned into “Digital Security Week” here at humanitarian.info. A lot of my thoughts on this have been brewing since the cyber-assault on Estonia last year, which at least had the positive effect of bringing the issue to a much wider audience than ever before.

This is the flip-side of e-governance - increased government reliance on the internet creates more opportunities for abuse. However Estonia has learnt from its experiences, with the result that it’s now a far more difficult target for cyber-attacks, as well as successfully prosecuting at least one of the perpetrators.

Although the attack has not been tied to any specific institutions, suspicions that the Russian government may have been involved have persisted, which raises a critical question, posed at its simplest by a BBC report on digital Estonia:

As a member of NATO, a military attack on Estonia would be treated as an attack on all NATO states. So, how about a cyber-attack that cripples its information infra-structure for weeks?

If the Kosovo war were to happen today, I have no doubt that NATO and the UN would be subject to similar attacks, whether organised by another government or not. I wrote yesterday about the experience of the Save Darfur campaign, and with the recent unrest in Tibet, a number of Tibetan NGOs are reporting malicious emails with attachments that target client side vulnerabilities.

At the moment, most of our organisations are not vulnerable in the same way that Estonia was - I doubt most people working in the field would even notice if their organisation’s website went down. (Advocacy organisations who rely on the web for their organisational presence are far more exposed.) However our servers can still be overwhelmed, leading to the failure of key finance, admin, communication and logistics functions; and we grow more dependent on the internet for these functions every day.

The best time to address these issues is now - before they become problems. The humanitarian community needs to make sure that digital security receives the same attention as physical security, addressing skill gaps in our staffing at headquarters and the field, and making sure that our technology adoption prioritises security as a critical factor.

We haven’t even begun to discuss more basic aspects of digital security, such as encrypted communications or secure storage. Maybe Digital Security Week should turn into Digital Security Month…

Hat tip on the Tibet story: NGO Security.

Filed under Emergency Telecommunications, Security, Web by Paul Currion


March 22, 2008

I Dream of Security

I should be careful - I’m going to give myself Blogger’s Wrist if I keep posting. However it seems like the issue of digital security is a vital one for the entire humanitarian community right now, in a variety of ways. Obviously security needs to be a consideration across the entire organisation, and there have been significant improvements on that front in the last few years (the tragedy is that it took Iraq to bring the message home).

Digital security, though - we’re behind the curve. Most security officers don’t know enough about technology, and most IT staff don’t know enough about security. When I wrote the initial post yesterday, I was scratching my head for practical steps that organisations can take - there are a lot of things that we can do, but where should we start?

Luckily Bruce Schneier’s article in Wired this week, Inside the Twisted Mind of a Security Professional, is absolutely right - we start by thinking differently about the world.

Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities…

This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.

This points to the reason why most UN or NGO staff make such terrible security officers - project staff in those organisations are generally problem-solvers, sent in to a situation to fix something that’s not working properly. Security awareness training is critical for these staff, particularly as part of their induction, but you can’t expect them to change their orientation entirely.

More pertinently for us, this is also the reason why neither IT nor security staff should be solely responsible for IT security - it takes both sides of the fail / fix equation to build resilient IT infrastructure. So: the first practical step that you can take is to bring those two groups within your organisation closer together, so that they can bounce problems and solutions off each other. It’s that simple.

Filed under Security by Paul Currion


NGOs under fire (no bullets involved)

No sooner had I written yesterday’s post about digital security than the New York Times has a piece by Nicholas Kristof on how the Save Darfur campaign website has been under attack recently - from Chinese IP addresses.

As the coalition’s China advocacy campaign has intensified, officials have noticed increasingly sophisticated and subversive attempts to intercept emails and infect computers with malicious programs.

Kristof relies mainly on innuendo to suggest that the Chinese government might be behind the attacks, with very little evidence to support the accusation. From a technology point of view, though, it’s irrelevant who’s responsible - this is a cautionary tale for NGOs and other organisations. We can enjoy the benefits that technology brings - but we also need to guard against the dangers. The price of liberty, and all that…

Filed under Human Rights, Media, NGO, Security, Software, Sudan, Web by Paul Currion


March 21, 2008

Human Rights on the Buses

Public transport doesn’t often provide pointers for the humanitarian community. The recent cracking of the London OysterCard (following hot on the heels of the earlier crack of the Dutch transit card system) came as no surprise to digital security experts, but it should teach us fundamental lessons about information security and personal privacy issues.

Security researchers say they’ve found a way to crack the encryption used to protect a widely-used smartcard in a matter of minutes, making it possible for them to quickly and cheaply clone the cards that are used to secure office buildings and automate the collection of mass transportation fares.

No electronic identification scheme is secure. It doesn’t matter how good your technology is, any system which is built by humans can be cracked, and the only defense is to make the cost of cracking it as prohibitive as possible. (The kicker is that you never know if you’ve successfully achieved that - until somebody cracks it and it becomes embarrassingly obvious that you haven’t.) On top of that, the more complex and expensive a system is, the more difficult it is to fix it when something like this happens.

In themselves, these obstacles aren’t insurmountable - largely because they’re technical in nature - but you see the real issues when you look at how these schemes are implemented. Governmental (and intergovernmental) organisations are notorious for a) thinking that technology can fix problems which are not technical in nature (for example, running a public transport system) and b) frequently mismanaging technology projects, often with the assistance of the vendor.

In a public transport system, this is not a life-and-death issue. What if this was a tracking system for food aid, though, where RFID has begun to be introduced as the solution to our logistics inefficiencies? Or a refugee registration database in a country where human rights abuses are endemic? Or an employee identity card scheme in a country where terrorists are targeting UN and NGO offices? You start to see where this might be going…

There was also related news that MI5 have requested “full automated access” to the OysterCard database. In a liberal democracy where the rule of law holds, that might not be too worrying - but there are a number of countries in the world that don’t fit that description, and where giving access to this sort of information to the government might not be in the best interests of the beneficiaries.

The fear of cyber-warfare has climbed Whitehall’s agenda since last year’s attack on the Baltic nation of Estonia, in which Russian hackers swamped state servers with millions of electronic messages until they collapsed. The Estonian defence and foreign ministries and major banks were paralysed, while even its emergency services call system was temporarily knocked out: the attack was seen as a warning that battles once fought by invading armies or aerial bombardment could soon be replaced by virtual, but equally deadly, wars in cyberspace.

It’s only a matter of time before humanitarian organisations come under similar attack - and we’re not prepared for it in the least. None of this means that this technology shouldn’t be used - it absolutely should be. What it means is that we need to be a lot more savvy not just about the technology issues but about the entire range of processes - procurement of the system, implementation within the organisation, sensitivity to the situation (including security concerns), and so forth - in order to make sure that we’re prepared to address these situations when they arise.

Filed under Data Collection, Databases, Human Rights, Logistics, Private Sector, Security, Software by Paul Currion


March 19, 2008

Asking the right questions about Ushahidi

The White African faces a quandary:

Global tools that have real time read/write access are extremely powerful. Depending on one’s motives, your impact can be good or bad. Even if your motives are good, your tool can be used for bad. How’s that for a quandary?

It’s certainly a quandary, but not a new one. It’s the same question that’s been asked about humanitarian aid since at least the 1970s, and has been one of the motors behind the humanitarian reform process. What’s more interesting is the assumption behind that question, an assumption that he describes quite clearly:

Just decades ago those who were not in close enough proximity to an event were unable to do much, if anything about it. Today, we can successfully effect change through digital tools and be thousands of miles away.

As I wrote in the comments, neither of these statements is quite true. Decades ago you could have joined an Amnesty International campaign, or given money to a relief agency, or written to your MP; these options are still available, and will make a difference. The problem we have today is that many people feel that such actions don’t make enough of a difference - that they don’t have a big enough impact, or they don’t bring change quickly enough.

We have to start being honest, though; just because the internet works reliably and at high speeds, it doesn’t mean that humans work at similarly high speeds or with similar reliability. The impact of our actions will almost never be immediate, and will frequently lead to outcomes that we didn’t predict. Our expectations have been raised by the relentless cheerleading for the information revolution, and we need to lower those expectations or risk alienating people who want to get involved.

The real questions are the same ones that I ask myself in my own work whenever I approach a new project. What decision or action will this information inform, and who is responsible for making that decision or taking that action? The answers to those questions determine a) whether it’s worth collecting the information in the first place, and b) what we will do with the information once we’ve collected it. Unless we answer those questions clearly, and build our systems around them, we’re unlikely to effect any significant change, no matter how powerful our tools are.

(For a bit more on Ushahidi, Sanjana has a great interview with Ory Okolloh, in which she explains clearly that the site has been used as an information-gathering tool, rather than a resource for conflict mitigation or resolution. Just to be clear, I think Ushahidi is absolutely worthwhile - but I’m looking forward to what comes next.)

Filed under Conflict, Digital Divide, GIS, Human Rights, Kenya, M&E, Security, Web by Paul Currion


January 21, 2008

Quickbits January 2008

  • Following the collapse of the political process in Kenya, bloggers White African and Kenyan Pundit - both of whom are worth reading, by the way - have developed a Google Maps mash-up which deals with electoral violence in the country. Called Ushahidi (‘witness’ in Swahili, I think?), it enables people to report events either online or via SMS. It’s not the first time something like this has been tried, but this is an interesting organic attempt to pin down exactly what’s happening in the country. As anybody working in human rights knows, gathering this sort of information is extremely difficult - particularly later on when it might be needed. More explanation from White African in this blog post, coverage at Global Voices (with an interesting article on cyber activism in Africa) and the BBC.
  • There’s been a fair amount of discussion about how the media and responders can work more effectively together in the last couple of years, and of course a whole heap of blogs and similar about how the new technology is going to change the face of disaster response, etc, etc.  So far, not much has happened, but TVE Asia and the UNDP Regional Centre in Bangkok have just published a free resource called Communicating Disasters.  It’s an interesting but disjointed read - I’m not exactly sure who it’s targeted at, to be honest…
  • There was a brief flurry of blogging around Nathan Eagle’s article, The Mobile Web is NOT helping the Developing World - and what we can do about it, mainly because it burst the bubble of optimism around bringing the internet to the poorest through the Miracle of Mobile Telephony (TM).  Of course, Nathan’s position is not that it isn’t possible, just that we’re not doing it right at the moment.  Personally, I’m still waiting for some hard evidence that these efforts benefit the poor rather than the relatively well-off - but that might just be splitting hairs.
  • Witness have launched The Hub, their online platform for human rights-related videos and media, after a long incubation period. Cutting through the bumf, it’s intended to connect individuals and organizations who are working on human rights around the world. It’s an interesting lunge at building global connectivity in a sector (human rights) that is notoriously factional, and the focus on media is potentially powerful - particularly new media forms, such as mobile phone content, which are incredibly powerful tools for mobilizing support. You can register at http://hub.witness.org/login.

Filed under Blogs, Cellphone, Conflict, Digital Divide, Human Rights, Kenya, Media, Security, Web by Paul Currion
