The situation in Afghanistan is heartbreaking for everyone: those who are there, those with family there, and those with friends or colleagues there, or who simply care for our fellow humans.
Digital tools are helping people find those still there and connect them with others and options, including recommendation letters that can help them leave the country. Those same digital tools are also creating dangerous risks: they are spreading misinformation and allowing the Taleban to identify ‘collaborators’.
We need to ensure responsible data practices even in the middle of this crisis.
An Information Vacuum
Many people are understandably desperate to get out. However, Afghans at risk due to association with the United States will struggle to find anything helpful on the official US Embassy website. Clicking the Emergency Assistance link at the top of the embassy website leads to a suggestion to “Dial 119 for Kabul Police”.
Visa applicants requesting a Special Immigrant Visa (SIV) receive minimal feedback on the status of their requests. For example, whilst Afghans who worked under contracts and subcontracts can apply for the visa, it remains unclear if those who worked under cooperative agreements and grants commonly used by USAID programs can apply.
Precious little information is out there to be found from trusted sources. The Afghan media was consistently rated as freer than the media in India and Pakistan. Afghan media outlets such as Tolo news (the country’s most popular news channel) are operational, but the outlook for media freedom remains uncertain. The ability of organizations such as the UNHCR to operate trusted helplines can be impacted by the rapidly unfolding situation.
Insecure Data Collection
The lack of reliable official information has led to an information vacuum being filled with dubious online forms and email addresses.
Official parties are using generic data collection forms like Google Forms and Office365 Forms, which makes it incredibly easy for malicious actors such as people smugglers or the Taleban themselves to make copycat forms. Even skilled information security professionals are having trouble determining which forms are genuine.
Yet embassies and humanitarian organizations are not warning people about the importance of keeping their information safe. Organizations collecting information need to make it easy to verify forms and understand how the data will be used and shared by the organization.
Even those who are well intentioned may lack the cybersecurity skills to secure such sensitive information. For example, Facebook groups of well-meaning people have sprung up and collected thousands of members who are sharing sensitive data – everything from personally identifiable information to meeting points and contact names. One government Google Form asks for a current address in Kabul.
Each of these data collection or sharing activities could easily be used by malicious actors. They can join a Facebook group or send phishing emails to form owners to get their password. We do not want to make it easy for a malicious actor to download a list of vulnerable Afghans with associations that could put them in danger.
Harmful Digital Histories
Communication and storytelling are a critical part of the humanitarian sector. Those tools had tremendous (until now tragically underutilized) potential to show the world the progress made in Afghanistan.
Those same photos and stories can also create a risk for those featured. The speed of unfolding events shocked many and has led to urgent calls for deleting personally identifiable information – from images to data sets. This may finally show organizations that they should have contingency plans in place before collecting such stories and media in the first place.
Even when the original media is obfuscated or deleted, it can live on in many forms, such as search indexes, that are far more difficult to delete rapidly. It’s entirely plausible that malicious actors would download such information in advance so that they can act on it when they have an opportunity.
What We Should Do Now
The duty of protection in the humanitarian sector extends to digital dimensions that can have serious real-world consequences, especially right now in Afghanistan. Here’s what we all need to do right now to improve data security practices and help the Afghan people:
- Fill the information vacuum: put up clear FAQs on official websites. Make sure all official announcements can be verified through official channels. When using things like generic form software, make sure it can be verified. For example, put the form inside a frame (e.g. iframe) on the official website so people only see and use the official link.
- Collect sensitive information securely: ensure users can authenticate any data collection instruments used to collect sensitive information. Don’t ask others to submit their personal information using a procedure that you wouldn’t feel comfortable using with your own bank account number.
- Think before you share: don’t share anything that encourages insecure data collection. Don’t share unverified rumors that might encourage people to join a crowd that could endanger them, like at banks and airports.
- Help Afghans access verifiable information on visas: The Visa For Afghans wiki makes sure that all information provided has a reliable reference.
- Donate to reputable individuals or organizations: if you can financially support these efforts, be sure you know the person running a grass-roots campaign, or focus on major organizations who are on the ground in Afghanistan.
- Lobby for fair access to visas for Afghan refugees: Let your political representatives know that you want Afghans to have fair access to visas – regardless of contracting mechanisms.
- Support Afghan refugees near you: look for organizations helping refugees who are arriving near you and see how you can support them directly and locally.
What We Should Do Tomorrow
The situation in Afghanistan should be a warning to all of us who share images, data, and stories of our constituent activities. Regardless of the country, our storytelling can endanger people now or years in the future.
We all should be supporting responsible data policies within our organizations and with our peers and their organizations. Here are a few links to help you get started:
Hi Mike,
Security is not an afterthought and we (humanitarian sector) need to protect data everywhere, at all times, and measures must be taken before we set boots on the ground. Protecting data really is about protecting people, especially when those we serve are the most vulnerable.
Perhaps the most important principles in privacy are (1) data minimization and (2) purpose limitation. In many cases, not having the data is the best protection and one can ask whether all these massive central databases of biometric data were necessary?
As sad as it is, let’s hope the situation in Afghanistan will be a wake up call.
Very good points. Thanks for sharing!
The current developments in that country are quite disheartening. We watch every day from very far but as an IT person, I am equally concerned about information systems security matters. Relying on what we see on media broadcasts that the combatants have taken over and are gleefully roaming around with lots of highly sophisticated military vehicles and arms that were probably left in the hands of the local security agencies. Just hope that they, especially those hell-bent on causing pain to humanity through their acts of terrorism, do not hack and cyber exploit any weaknesses in the country’s IT systems which may end up posing concerning dangers to the entire world. It will be unfortunate to experience other disruptive cyber attacks on IS systems as the entire world is still smarting from vulnerabilities arising from the Covid-19 situation.