Where & when does documentation happen and how we can make it more secure?

8 posts / 0 new
Last post
Where & when does documentation happen and how we can make it more secure?
What does human rights documentation look like? Where does it happen? When are events documented? Who documents events? This discussion thread will explore the different ways that human rights documentation happens and how we can make the documentation process more secure.
Consider these questions below when sharing your comments in this discussion topic:
  • When does documentation happen actively (like recording a testimony) versus when does documentation happen passively?
  • It’s not always human rights defenders that collect documentation of human rights violations. When is this information collected by other practitioners?
  • Also: Why does "Open" matter in documentation technology?

Share your thoughts, experiences, questions, challenges and ideas by replying to the comments below.

For help on how to participate in this conversation, please visit these online instructions.


Levels for for documenting

I return the comment of Enrique, shared in the video this morning. 

There are various levels or ways to document 

  1. Collect information from archival documents, as the case of Guatemala with the inferences that are being calculated in Quantitative Research in the Archives of the National Police and the results have been being shared, for example see the papers presented at the JSM in 2009 , Session 585: the Guatemalan Police Archive Project: Sample Design, Weighting, and Analysis, http://www.amstat.org/sections/srms/proceedings/ or publication in Spanish http://archivohistoricopn.org/media/informes/Gu%C3%ADa%20Usuario%2014_11...                                                             
  • Another example is the report entitled ¨ Archivo en Cifras¨, available at   http://archivohistoricopn.org/media/informes/El ​​20Archivo%%% 20in% 20cifras 20color07042011.pdf                      
  • Both files documenting primary outcomes, it is still not the final version of the research, but highlights the question What is public and for what is published.\\
  1.  Collect information from other publications produced. Metadata, as Enrique mentioned. And here I speak from collecting statistics made ​​by others, to create their own statistics from original documents found in internet.   This point awakens another question for debate tomorrow.
  • The safety statistics. It is necessary, in my opinion, to know, how these data were collected.   How reliable are the statistics that are showing me from knowing how they were collected.

And here I would like to converse in another session on the Guatemala case and the Historical Archive. Which is related to the following topic on Choosing the best method to collect. There Details and informations galore on the internet but there is little about the methodology they used to collect it and even less on measures to ensure the confidence of the data.


Recording of our Tuesday Google Hangout

We had a great hangout today! Many great topics, questions, ideas and challenges came up and I look forward to diving deeper into all of them here in this online forum!

Using open sources

The question when documentation occurs is important, not only to sensitise accidental documentalists about what to do with the documentation (for example, storing it in a structured way, enhancing security when communicating it), but also to see how relatively easy it can be to do very meaningful documentation, using open sources.

A very well known example is that of Brown Moses, a blogger who has been following the Syrian conflict and became an internationally renowned expert - without having to leave his house in England. At the heart of his work is a clever system of youtube channels and other social media that he checks and analyses every day, which you can find here: http://brown-moses.blogspot.com/

Another example is that of a Belgian researcher, who looks at country of origin information for asylum seekers. He set up channels for sources all across the Balkans that will not only give him almost all published information, but also allows him to tag it on the fly. This way, he can retrieve it months later when he is asked to look at a specific question by a case worker, or when he is preparing a special report. In fact, he also has opened most of this to the public and it is used, not only by COI researchers in other countries, but also journalists.  You can find the two most important hubs here: https://twitter.com/balkannews and https://delicious.com/cedocabalkan.

It is noteable what they do with information that is openly available, but what is really striking is the information management systems they have set up (them being youtube playlists or Twitter news agencies), which required years of fine-tuning, but are very effective.



Informed tool development and the post-expert arena

Thank you all for a great conversation. I found particularly insightful the discussion Molly initiated around whether the focus should be on responsible use of technology or HR documentation processes. As the title suggests, I think Enrique hit the nail on its head by defining informed tool development.

I spend large amounts of time thinking about the distance between tool development and the last mile. Mostly because I also find myself guilty at times of "if you build it, they will come" bias. The builder-user relationship doesn't need to be a dichotomy. It can (and should) be an informed, iterative relationship, starting from a needs assessment, through agile development, validation and piloting.

The responsible data aspect here is important: it is related to the needs assessment that should inform the process, as well to the larger aspect of general considerations on responsibility and ethics when developing data-driven projects. As most of you know, the engine room is very involved in building collaborative, theme-based outputs on this issue through the Responsible Data Forum (https://responsibledata.io).

I also wish to add my two cents on the discussion around information sensitivity, especially when published openly online. In my opinion, two main aspects here are the project lifecycle considerations (how to ensure that the project has an expiration date and that it is actually possible to commit to it), as well as the point Daniel raised on organizational policy for dealing with sensitive data in the collection and management phase. The challenge here is that data collection has become ubiquitous and so easy to implement, it has breached the "expert only" arena and is squarely in the hands of people without in-depth training on data management, privacy and security. A complex prescriptive system of procedures won't work in such contexts — but some sort of protection system needs to be in place. This brings us to the challenge of developing guidelines and checklists that are mostly heuristic in nature, don't presume previous knowledge and are descriptive in their approach. In short, a fine balancing act between efficacy and learning curve in thinking responsibly about data collection and management.

Examples of great organizational policies & security cultures?

Great points, Tin! And thanks for sharing the Responsible Data Forum link.

I wanted to raise a few more questions about your points around the development of an organizational policy for dealing with sensitive data in the collection and management phase. Friedhelm wrote about the role of organizational policy in data security, but he also highlights the importance of organizational culture - that yes some of these tools might add a few extra minutes to your day but that you value security (and the security of the communities you work with) so it's worth it.

I'm eager to learn of any examples in which organizations have done this well. Any examples of great organizational policies around data security? Examples of tactics used by leaders and practitioners to build an organizational culture that values data security? It would be great to learn from these examples!


Kristin Antin, New Tactics Online Community Builder


I am not sure, if there are any good examples of organizations with effective data security policies that are available publicly (would be great, if someone else knows of any). My hunch is that organizations are hesitant to share such kind of information, despite security folks constantly saying that this obscurity does not enhance the level of protection against a dedicated attacker.

There are certainly some great resources on how to embark on this process. One of the best is the manual Dmitri has drafted (http://www.frontlinedefenders.org/esecman/ - on page 106ff), another is the Electronic Frontier Foundation's Security Self Defense Project (which requires some slight updating): https://ssd.eff.org/risk. Yet, there certainly is a gap in materials that help organizations and groups contextualise it for their work, closing potential failure points, without overburdening themselves with too much change at once.

As for culture change, one thing that seems crucial from observations is that there needs to be a truly convinced champion in the organization. This person does not have to be a geek, nor to become one. But she has to be driving the process, identifying the right partners (this can be specialised organizations like equalit.ie, or simply peers that have dealt with this before in their organization), thinking from the inside what enhancing information security means for them. This person needs patience, persistance and should, step by step, convince colleagues. Once there is critical mass, some notable improvements (ideally easily achievable), a policy becomes sensible. Policy with no prior experiences on what works and what is important runs the danger of being too far from reality, and may not be applied.

But what are the prerequisites for such a culture? Some speculations:

  • The organization is outward-looking, meets peers, goes to events - is actively interested in exchange.
  • The organization is not arrogant in the sense that they believe their solutions are best (and by default better than by their peers, which they call competitors).
  • There is a sense of collaborative problem-solving, rather thinking in compartments (also known as: "not my problem").
  • The organization takes risks in trying out new things, rather than probing every novelty until it's to dull to excite.

For all of these, there need to be people who lead by example, who are not afraid of dissent, but can get back together when there is crunch time.

As I said, these are speculations based on observations.

Citizen journalism?

I think your examples and suggestions are great. One additional question -- Enrique also highlighted in the Google hangout on Tuesday that more and more ordinary people are participating in documentation as "citizen journalists." Are there examples of organizations that are doing security well while also involving non-professionals in, and training them about, documentation? Perhaps Witness?

Topic locked