The news that a platform used by at least 11 major operational NGOs and UN agencies may be relatively easy to breach, potentially exposing the personal, location, and demographic data of tens of thousands of highly vulnerable people, is deeply disturbing but not surprising.
The real scandal here is not that these vulnerabilities reportedly exist, but that there is still no intentional, comprehensive agenda or political will to decisively address the root causes of this incident and limit the possible fallout.
Reports last month, from Devex and IRIN, that Red Rose’s beneficiary data tracking platform may have serious security vulnerabilities should be a wake-up call to the entire humanitarian sector.
According to the reports, Mautinoa Technologies, a competitor of Red Rose, was able to enter a cloud-based server of Catholic Relief Services and access names, photographs, family details, PIN numbers, and map coordinates for more than 8,000 families receiving assistance from the NGO in West Africa. In a statement, Red Rose told the news agencies the access was only possible due to a password management error, and that its systems were secure and robust.
Mautinoa said there were further “fundamental” weaknesses in security and encryption in the system.
The danger this type of breach could represent for crisis-affected and vulnerable populations cannot be overstated.
The humanitarian community must not press the “snooze button” on the alarms that are likely now ringing in agency headquarters and country offices around the world following these allegations. Rather than circling the wagons, humanitarian leaders need to address the growing threat posed by potential catastrophic data breaches head on.
Critical incidents – such as breaches of platforms and networks, weaponisation of humanitarian data to aid attacks on vulnerable populations, and exploitation of humanitarian systems against responders and beneficiaries – may already be occurring and causing grievous harm without public accountability.
The alleged Red Rose vulnerabilities are simply one reminder of the long-standing absence of commonly agreed and enforced technical, ethical, and regulatory standards for treating sensitive beneficiary data in digital systems in the humanitarian sector.
The more traditional technical domains of humanitarian action, such as nutritional assistance, shelter provision, and water, sanitation, and hygiene activities, are covered by the broadly agreed “Sphere” minimum standards, which act as industry benchmarks. But, so far, there are no standards or commonly agreed guidelines for how humanitarians should ethically and safely act as custodians of digital data.
Instead, there is a plethora of individual policies, codes of conduct, and statements of intent across the humanitarian community.
The draft revision of the Sphere handbook currently includes language broadly calling attention to data security and privacy as a protection issue but does not tackle specifics, such as external certification and auditing, training, and jurisdictional issues.
The result is a fractured landscape of voluntary policies that look good on paper but lack broader doctrinal agreement and means for enforcement.
The sector’s collective failure to adequately regulate and professionalise humanitarian information activities is both morally untenable and operationally unsustainable.
Continued inaction may soon undermine trust between humanitarian agencies and the people they seek to serve, eroding the meaning and value of the core humanitarian principles of humanity, impartiality, independence, and neutrality.