Why is security important to human rights documentation?

13 posts / 0 new
Last post
Why is security important to human rights documentation?
Welcome to the discussion! We want to start this discussion by explore why security is particularly important to human rights documentation efforts. The human rights information practitioners are collecting is sensitive, by nature. It often includes information about human rights abuses such as victims' testimonies, names of perpetrators, witnesses and locations.
Consider these questions below when sharing your comments in this discussion topic:
  • What kinds of risks threaten documentation efforts? There are many layers, let’s unpack them.
  • What are the principles and standards that we need to uphold to protect vulnerable populations? Let’s unpack the ‘Do no harm’ principle.

Share your thoughts, experiences, questions, challenges and ideas by replying to the comments below.

For help on how to participate in this conversation, please visit these online instructions.


Talking about security

To discuss and reflect. There are three levels, in my opinion, needs to be consider when thinking about security. 

  1. Those original documents (whether in paper as archival documents, digital or physical evidence such as microfilms, videos or cassettes) At this level you have to think about your physical guard, preservation and conservation for access. 
  2. Digital Documents (Whether the original have been scanned, as in the case Archive in Guatemala, or other documents are electronically generated or photographs, for example) 
  3. Data collected from the primary source, ie, the systematization of information on the basis of an intention, whether research questions, legal issues, or they make inferences, as the case of Guatemala. 
For each of these level or time, security is crucial and require different treatments.
What are your security concerns for each level of documentation?

Thanks for starting the discussion, Carolina!

You mention above that security is crucial for each of the 3 levels/phases of documentation (original documents, digital documents, data collection from primary source) and that each phase requires different treatments. Can you share more about the security concerns at each level/phase? For example, when you're working with original documents, what are the threats to that information? What kinds of things are you concerned about? I'm imagining a wide range of threats like weather, government forces, theft, data loss, etc and I think seeing the spectrum is useful because the threats are different for each program based on the level (as mentioned above), the context, the purpose, etc.


Kristin Antin, New Tactics Online Community Builder

Responding to Kantin, Security Level


Adding to latent threats that you mention it, I add an important and fundamental, that is, the guarantee to return the original document.

  • Since many documents are required for various types of ususarios from researchers interested in learning a particular topic, any citizen who wants to know what has happened, a relative of any missing or justice-related institutions to support or expertise trials sector. For all cases, sharing information includes the need ensure that the document exists, which is part of the Historical Archive and to certify that it is possible.
  • Of course there are natural threats such as climate, The humidity and natural destruction, so the decision was made to, scan documents, which are currently available in https://ahpn.lib.utexas.edu/esWith the loss of data, which is also a potential threat, these images are deposited in several remote servers, in order to ensure no loss of information for any eventuality. Well finally the purpose of this Archive is the access and the world has these records at their disposal.


What can happen?

It happened when I wrote this comment - once I wanted to publish it, I got an error message and my post was gone. That is not catastrophic in this case, just a few minutes of typing, but is still a clear illustration of, probably, the most common threat for all documentation efforts:

  • Information loss (through theft, destruction, machine or human failure)

Depending on the type of information, this however, can also be the easiest to avoid, thanks to the invention of the photocopier and the database dump. Depending on the protection needs (preserving original documents can be a lot harder), often there is no excuse to not do everything possible to manage this type of threat.

This is different for the two other main threat types:

  • Privacy loss (interception of communications, illicit access)
  • Tampering (falsification of records, deletion of parts)

Especially when using computers at one point, very often adversaries have superior capacities against which it might, ultimately, be impossible to defend against fully. This does not mean, there is nothing that can and should be done: by upping the stakes it may become too costly for an adversary to attempt this. This can mean that properly implemented encryption will help to protect crucial documents (if not all). This can also mean proper monitoring, so that it becomes known when a breach happens - fear of being detected will help to keep away some adversaries, or to give a proper response to people at risk and the wider public.


Recording of our Google Hangout

Thank you Chris, Enrique, Carolina and David for joining our Google Hangout today! Many great points, ideas and questions were shared - I look forward to continuing the discussion here on the website.

What is our responsibility to the security of human rights data?

I wanted to highlight a few points from Enrique about why security is important in human rights documentation (Enrique please clarify any of these points if I am misrepresenting them!):

What is unique about human rights documentation?

Those who are documenting human rights violations are "agents of change" which will generate some kind of resistance. This is the nature of human rights work. The resistence will be from different adversaries, with different strengths, and will look different depending on your context.

What are the risks?

Often when we think about the risks related to human rights documentation, we focus on the practitioners who are documenting the violations. But as Enrique mentions in the hangout today, we should expand this notion of risk to go beyond these documentors, to include vulnerable populations.

Enrique points out that the data being collected includes:

  1. Data from vulnerable populations
  2. Evidence about the actions of the documentor
  3. Ethical implications about the topic being documented

Why is security important to human rights documentation?

Secure documentation is important. Our responsibility to the populations for whose information we are collecting goes beyond the present time and space. It is important to consider how our documentation actions now may impact the future security of this information if it pass along to another institution.

As human rights documentors, what is our responsibility to the populations from which we are collecting data? How long does that responsibility last? Are there ethical principles that exist for the human rights community specifically about documentation?

- Kristin Antin, New Tactics Online Community Builder

Members tagged in this comment: 
involve communities, share ownership

Strong +1 on recognizing risks data collection creates for involved communities, and assisting communities with recognizing and managing it. The documentors, the practitioners, are obviously in an exposed position and need to be able to protect themselves and their organization. They are also usually in a more privileged position in terms of capacity and access to tools, information, and safety networks.

The information might ultimately put at risk the community — and they should have a say in how data on themselves is collected, managed and used, starting with informed consent and ending with a shared decision on when to extinguish the project or platform that data is enabling.

Questions to ask

A resource that, we hope, can help practitioners manage this responsibly is this collection of questions to ask yourself frequently (that were created during the engine room's responsible data forum): http://www.fabriders.net/qafs/

They are also available in Spanish: http://monitoring.escr-net.org/blog-des-noticias/preguntas-datos-y-comunidades-marginadas

Convenience versus security


Another thing to put on the table in terms of data security is to consider whether it is collecting data from the past (either near or far) or whether it is to share something happening in the present.  That is, currently, devices like cell phones, facebook, instagram or other software used to transfer sensitive data from one place to another.  As mentioned in the online conversation this morning. Convenience versus security.  Another thing to discuss is, what data is collected, and how it is collected, what method is used, for example, the convenience and utility of using random samples.

more questions

To add to Carolina's question of convenience vs. security, perhaps we can also discuss how we address or balance other sometimes conflicting approaches, like:

  • encryption vs. preservation of data
  • not recording/removing sensitive information vs. ability to authenticate and determine trustworthiness of documentation
  • ethical stance to uphold promise of privacy vs. justice (e.g. if you promise to keep a recording private but the person commits a crime or admits to committing a crime in the recording) 
More on convenience vs security.

In regards to convenience vs. security, it is really a balancing act in my experience. I think that the key is understanding what the consequences of a security breach would be and weigh that against the convenience factor. This of course can be different for different types of documents or people. For example one person may have no negative consequences by providing a testimony or documents while someone else may face the most serious of consequences.

Having a security policy in place is a good starting point as well as having a security level classification system for materials. 

Policy is useful, culture counts

That is very true, having a policy in place and some classifications can be really helpful. At the end of the day, these are calls to make for the people involved - awareness and policy can help people to make more sensible decisions when faced with a convenience vs security question.

However, as far as possible, security should be built into the workflow, so it is "what just happens", without being annoying. Oftentimes, a security measure is not prohibitively inconvenient, it is simply perceived as such, because people really don't like to change their habits. For example, having strong passwords is something that really does not have to be inconvenient - a password manager actually makes many people's lifes easier.

It is a matter of project/organisational culture, too. The inconvenience argument often comes from those, who just want to get their work done and as much of it as possible. Fair enough. Often, this implies thinking: more of the same. This is, in the long run, problematic, not only for security - which is why it is important to foster a culture where change is welcome and frequent. To get there can be hard, but easily attainable short term goals can help, as that will help foster engagement, a sense of achieving something (like awarding the password master in the office). Policy and procedures can then be the next step.

In short, it is important people are sensitised that they are making judgement calls, but making good calls should not be something that will take them a lot of time, because they know, have colleagues to ask or documents to refer to.

Topic locked