Crisis mapping has had a major impact in the last 18 months, helping to collate information and coordinate activities during the Haitian earthquake in early 2010 and the Japanese tsunami that struck earlier this year.
But crisis mapping tools are increasingly springing up in politically fraught situations, too; most notably, they have been used to provide humanitarian relief during the protests that have swept through the Middle East in recent months. Since some authorities may want to undermine these efforts, or even attack those involved, it’s becoming vital to protect these systems from interference, says George Chamales, a hacker and activist who has served as technical lead for crisis map deployments in Libya, Pakistan, and Sudan.
Crisis mapping tools—which combine communications technologies with a Web-based platform for analysis—can be used to organize information contributed by participants using mobile phones and other devices, and to display important updates on a live map.
“The groups [building] humanitarian response technology are using the same [Web 2.0] technology [hackers] are used to going after, but they’re doing it in a really hostile situation where there are huge consequences if something goes wrong,” Chamales told an audience of security researchers at the Black Hat conference in Las Vegas. Chamales called on the community to help test crisis map technology and protect it from sabotage.
Crisis mapping came to prominence during the Haitian earthquake, when the technology proved vitally useful to rescue efforts. But Chamales notes that the current trend is to deploy crisis mapping tools in difficult political situations. “The problem is that natural disasters don’t shoot back,” he says.
There have been no recorded incidents of a crisis mapping tool being misused or attacked by a political enemy so far, but this could soon change, Chamales says. For example, when a crisis map was deployed to help with flood relief efforts in Pakistan, the Taliban issued threats to foreign aid workers. “And there we were building a giant map showing exactly where those workers would be,” he says.
Tense situations like the one in Pakistan have made workers and volunteers cautious. When deploying a crisis map in Libya, for example, volunteers initially kept the map private and password-protected. When they opened a map for the public, they were careful to keep that separate from the information collected for the private map. If the information on the private map were available to anyone, it could have endangered some activists.
Chamales says that crisis maps can’t afford to go through the same security-related tumult that often strikes maturing technologies. In a hostile political situation, he says, leaking information could lead to people being arrested or killed. Or, if a site is knocked offline by an attack, people could lose a lifeline. “If these technologies get labeled as dangerous to run,” Chamales says, “major organizations could stop using them. The information might still be out there, people might still be talking, but no one would be listening.”
Chamales will also deliver his appeal this weekend at Defcon, another Las Vegas conference, but geared toward a more informal audience of hacking enthusiasts.
One problem is that crisis maps are often set up under extreme time pressure. “We don’t know the people setting this up, and the classic model is to support whoever has momentum,” Chamales says.
Crisis mappers have been working with Chamales and others to implement better security. “We’re hoping [Chamales] will catalyze some support to address these issues,” says Patrick Meier, director of crisis mapping and new media at Ushahidi, an open-source platform that has pioneered the technology (and was originally used to collect information after Kenya’s disputed elections in 2007). “The platform, as it stands, is not designed to be used in hostile environments. So every time a group or individual does so, we explicitly tell them about the security issues of using technologies in general in hostile environments.”
Meier says that Ushahidi has spent months trying to get a grant to bring someone on board to help with security. In the meantime, the organization offers a long list of guidelines for communicating securely via e-mail, mobile devices, and social networks. This includes a how-to for Tor, technology that can hide a user’s Web browsing; how to use strong passwords and more secure e-mail accounts; and how to encrypt instant-message conversations.
Ushahidi also collects and posts security vulnerabilities that need to be addressed.
“Crisis mapping is a form of media, and media becomes a contested space when real-world conflicts are taking place,” says Ethan Zuckerman, a board member for Ushahidi and a senior researcher at the Berkman Center for Internet and Society at Harvard University. “There’s been online conflict over the #Syria hashtag, for instance,” Zuckerman adds, “as pro- and anti-government forces use Twitter to communicate about the protests and government response.”
Zuckerman says the community has long been taking steps to address security. For example, shortly after Ushahidi’s launch, the team began a project called Swift River, designed to help people receiving real-time reports determine which ones are credible. But he adds: “As crisis maps become more prominent, it’s increasingly important to consider them as contested spaces, and to take seriously the idea that adversaries will try to manipulate them.”
Keep up with the latest in Security at Business of Blockchain 2019.
May 2, 2019