Mobile privacy and data security have become a big topic as more and more NGOs use mobile phones as a way to disseminate information and engage their clients. Jenny Adlem discussed these issues in her blog post addressing the potential benefits and pitfalls of big data – and today I’ll go a bit further by discussing some of the things we will do to foster greater mobile privacy and data security.
At engageSPARK, we feel it is our responsibility to design and build a platform that fully protects our users’ security and privacy. We have spent time learning about the potential pitfalls that may involuntarily infringe upon our users’ personal privacy and in some instances, compromise their physical safety. As part of our pledge to be as open as possible with our customers, we’d like to give a quick overview of the issues and steps we have taken to ensure that engageSPARK fully protects our users’ mobile privacy and information security. Hopefully those reading this article can learn from some of our research and help contribute to moving this whole industry forward.
Overview of the Issues
As mobile phone penetration increases in developing countries, and all over the world, mobile phones have become an important way for non-profits to broadcast information about their services, and a crucial source of collecting data to analyze trends in areas where information has traditionally not been attainable. Along with the positives come potential negatives that include: insufficient technical protection of highly sensitive personal information and illegal surveillance by governments or other organizations that may compromise personal liberties.
First, family members share mobile phones, a well-documented behavior that is often brought up in mobile for development projects as an example of a mobile privacy issue. Sending sensitive patient data or test results to a shared phone could have potentially devastating consequences. HIV positive status in many parts of the world may be the end of someone’s reputation or career. Some projects have started to mask test results by using code words or sending results to trusted “friends” but not all projects do this.
Second, government-mandated SIM registration also poses a huge potential risk for those involved in political activity that is deemed a threat. Personal health information leaking into the wrong hands and political persecution are only two of the issues at stake with mobile and other ICT systems for development.
Third, utilizing these large data sets for analysis has been a huge promotional point for NGOs when communicating to their donors the value of mobile based projects. Crisis mapping, such as what Ushahidi has done with mapping the violent outbreaks that followed Kenya’s 2007 presidential election, would not be possible without access to mobile data. This is only one example of the huge potential that mobile and big data have to unearth patterns and predict and prevent future crises.
Other uses for big data that have been identified include mapping transport patterns, virus outbreaks, housing sprawl, and even defining smog patterns. However, we must be wary of data falling into the wrongs hands, and at engageSPARK we’d like to share what we are doing to prevent that from happening.
What We Can Do
New America Foundation’s recent report, Dialing Down Risks: Mobile Privacy and Information Security in Global Development Projects, provides guidelines that any nonprofit or for profit organization can and should follow. At engageSPARK, we have reviewed and analyzed this report and think it is valuable to share some of the suggestions that can help other organizations. Sharing ideas with others is one way that we hope to build a stronger knowledge base amongst our community. The report discusses basic rights of users in regards to privacy and security, something that we all need to keep in mind as we design and build platforms that collect personal information.
Knowledge and Transparency
* Users should know how mobile ICT4D data collection systems operate.
* Users should know how and with whom personal information might be shared.
* Users should know when new information is collected and/or shared.
Agency and Control
* Users should have to consent to data collection and sharing before any information is collected.
* Users should have the ability to access, audit, and amend their personal data.
* Users should have the ability to hold data collectors responsible for gross negligence, misuse, and/or harm resulting from data collection/sharing outside of the project
The report then continues to outline and describes 5 basic principles for organizations to follow, which we will discuss in more detail. You can access the full report here.
Principle 1: Address Surveillance Risks
Projects should take steps to ensure that user data is secure from third party surveillance.
At engageSPARK, we are using enterprise-level, bank-grade security protection / encryption measures.
Principle 2: Limit Data Collection and Use
Mobile ICT4D projects should limit data collection to what is absolutely necessary for the project’s goals.
While engageSPARK will not be designing the engagements for nonprofits or organizations, we will provide tours and tutorials that will show how to limit data collection to what is absolutely necessary.
Principle 3: Promote and Facilitate Transparency
Mobile ICT4D projects should be transparent about what data is collected, how it is shared, and how it might be used in the future.
We have plans to help each organization client create their own public webpage to promote and share the kinds of projects and anonymized summary of project information that can be safely shared with the public or other organizations. Our marketplace functionality allows non-profits and other organizations to share the set up and details of their projects with others to help each other learn what works and what doesn’t.
Principle 4: Incorporate User Feedback
In addition to addressing user questions and concerns, mobile ICT4D projects should give users the ability to access, amend, and/or delete their data.
Organizations should already have a clear channel for communicating with their users, whether it be through the help system or broadcasting an email address or phone number where they can be reached. At engageSPARK, we have developed a beta testing program as well as encouraging users to send us their feedback via our website. We don’t delete or restrict data storage amounts, so all engagements created as well as contacts uploaded will be stored on our systems, with security measures in place to protect the privacy of contact information. We also coordinate various user testing programs to facilitate user feedback in various stages of our development process.
Principle 5: Assume Responsibility
Mobile ICT4D projects should assume accountability for potential risks and harms incurred via their projects and platforms.
It is all of our responsibility, as users and developers of different ICT for international development projects, to be transparent and clear about what information we give as users and what information we collect as implementers.
We hope these guidelines spur more discussion about this topic and encourage other projects to share their guidelines, ideas, and issues with the community.