I was feeling a little depressed over the weekend. I’d reread Paul’s post on why he wasn’t liveblogging the Global Symposium +5 in Geneva. It bothered me. I could sense his frustration at what he sees as the slow progress in the world of humanitarian information exchange. Maybe I’m reading too much into it but I thought I could detect a similar sentiment at the NGO security blog in recent weeks as well. Of course there is a good chance it’s just me.

When I started this blog I had a vague idea that I could share some ideas and maybe pass on a little hard won wisdom. I suppose I also thought that I could, in a small way, influence the course of the NGO security world. Seeing people I respect have doubts made me question whether I could make a difference. In effect, “what the hell makes me think I can change anything when these guys, so much more articulate and educated than myself, are feeling stymied?”

Fortunately for me, and my mood, serendipity intervened. I received three packages. Two are ‘tech toys’ with a security bent (I’ll post about them over the next couple of days). I’m a geek at heart so shiny gadgets, software, and such always pick me up. It was the third package that really made the difference however.

OK, I confess that it wasn’t really a package per se but ‘three packages’ just sounds better. Actually it was a video I downloaded off the web and hadn’t watched until this morning. It’s a presentation by a guy named Stephen Downes at the National Research Council, Institute for Information Technology, in Canada. I won’t bore you with the details. You can watch it yourself below. Go ahead, don't let the lead frame fool you.



Stephen’s presentation made me realize that I had it wrong. This blog is not about me teaching. It’s about me learning. It’s about learning the way I always wanted to learn. It’s about me becoming a better NGO security officer... or maybe just better.

Through blogs, RSS feeds, email, YouTube, Skype and a myriad of other online tools I’m connected to, and learning from, people who aren’t afraid to push the boundaries and strive for something beyond the status quo. I have access to teachers who are also fellow students. I have access to fields of endeavour too niche for textbooks and lectures. When was the last time you saw a textbook about “Security Reporting, Accessible Maps and GeoRSS” or “YouTube for Security Training”?

All of this has been a round about way of getting to what I really want to say. To all my teacher-students out there, you are making a difference. Thank you.


Note: If you’re not sure if I mean you I probably do. You can also check out the sidebar on the resource page for some hints if you are still unsure.

Tags: online tools, NGO Security, Social Networking

Twitter has added the ability to track keywords. Now whenever someone sends a public update containing your word or phrase of interest you’ll receive a copy of the update. How is this useful for NGO security officers? I’m currently tracking several towns in trouble areas, Tsunami, and a variety of other keywords. You’re only limited by your creativity. One word or warning though: you’ll get ALL public updates with the search term, even ones in languages you don’t speak.

I've also finally added the solution to our geographic distribution analysis problem.

Tags: NGO Security, Tools, Twitter, Analysis

I met the Rev Fr Nicholaspillai Packiyaranjith of the Jesuit Refugee Services while I was in Mannar district a few weeks ago. He struck me as a quiet, principled man, who was dedicated to his beliefs and service to others. Despite the difficult security situation in the area he continued to work hard to bring relief to the poorest and most vulnerable. In short he was the type of man I endeavour to be.

On the afternoon of 26 September 2007 while travelling towards Vellankulam in an LTTE controlled area of Mannar his vehicle was struck by a command detonated Claymore. Fr. Packiyaranjith was killed instantly. His driver was severely injured.

No one has accepted responsibility for this brutal and myopic act. Nor is anyone likely to. The government blames the LTTE. The LTTE blame the government.

Over the weekend the sheer senselessness of his death left me feeling frustrated and depressed. This morning however, I had a revelation. Fr. Packiyaranjith was the type who, if he had been given the choice, would have chosen to spend his last moments in his quest to help others.

Sri Lanka needs more like him.

Tags: Sri Lanka, NGO Security, News

On 12 and 13 September there were a series of earthquakes near Indonesia spawning fears of another Asian Tsunami. It proved to be a good test of our Twitter based NGO security tree.

I was in Mannar, Sri Lanka at the time and I didn’t have a useable Internet connection. My first warning of the situation came when a concerned staff member called wanting to know “when is the Tsunami going to hit!” As the fear of a Tsunami spread I started to receive more and more calls from staff. Soon the mobile system was completely overburdened in many parts of the country and creaking under the strain in others. The very slow, single line dial-up Internet connection continued to work but proved to be all but useless for gathering timely information.

Fortunately I quickly started to get SMS’s. Some came from feeds I was following on Twitter: BBC, Reuters, CNN, EQTW, etc. Others came directly or were forwarded from UNOCHA, the Sri Lankan Disaster Management Centre, the Met office, the police and assorted individuals. Twitter allowed me to quickly forward the useful ones to all my followers while limiting the strain on the overburdened mobile system.

There were some glitches however. I continued to receive forwarded text message warnings long after credible sources had given the all clear. In some instances it seems that text messages became trapped in the telephone companies’ SMS system and were released as the queue began to clear. In some cases staff, confused by contradictory information, continued to forward outdated information.

Unfortunately the biggest problem with the Twitter based NGO security tree was one of buy in. Only a fraction of the staff who were intended to be served by the tree had bothered to sign up. The manual SMS security tree, which had been left in place as a backup, failed for much the same reason.

Lesson Learned: While emergency communications tools continue to improve, and become easier to use, buy in remains the number one problem. NGO staff members, especially office staff, often prove reluctant to dedicate even minimal effort to their own personal security until it proves too late.

For some background, check out “Social Networking tools for NGO Security – Part 1”.

To see a live feed of the NGO Security stream check out the demo page here. There is a Jaiku based stream as well.

Tags: NGO Security, Twitter, Jaiku, SMS, Social Networking

The other night I was having dinner with some NGO friends when the subject of government eavesdropping on NGOs came up. One of the people at the table said that in the past they had used an email trick to allow sharing sensitive information amongst team members. Essentially the premise was that one could sign up for a free web mail account and share the account password amongst team members. Members would draft emails as usual but rather than sending them they would simply leave them as drafts. Other team members would then read them by going to the account.

The idea was that as long as the email wasn’t sent it couldn’t be monitored. Unfortunately it is just not true as Nart Villeneuve points out here.

I recalled the conversation a few days later and wondered what the problem was. It is not that my friends weren’t aware of the potential risks, and they are certainly not unintelligent. I think the issue is that most aid workers already have more than enough work to do without trying to keep up with the latest developments in IT security. So the problem becomes one of learning about IT security in small, manageable, easily absorbed bits.

Fortunately there are resources that can help. Thanks to Bruce Schneier at Schneier on Security for pointing out securitycartoon.com. I don’t think it is meant to be funny but it does present IT security in a straightforward and comprehensible manner. Subscribe to the RSS feed to make it even easier.

Privaterra is a good resource that covers data privacy, secure communications, and information security for Human Rights NGOs.

Over course you shouldn’t miss Nart’s blog. It isn’t NGO specific but it covers Internet privacy, freedom of expression, censor-ware, security, surveillance and anonymity. Whether you are interested in "Cyber-Cafe Monitoring in India" or need to know how to avoid internet filtering Nart’s blog is a good place to start.

Tags: Blog, Technology, NGO Security, online tools

A couple of weeks ago I emailed Paul Currion and happened to mention that I wanted to plot RSS news feeds on an easily accessible map. Paul passed my question onwards and it mushroomed into an interesting conversation between some very clever people. Numerous hat tips and thanks to you all. I’m still experimenting with some of the ideas that were shared and I’ll update everyone at some time in the future.

So far I’ve run into some stumbling blocks:

• In Google Maps Sri Lanka is a big empty space. The only thing missing is a ‘here be dragons’ label
  • RSS to GeoRSS utilities tend to encode the first place name encountered. This means that a story about Trincomalee will be plotted to Colombo if Colombo is in the by-line
  • Some utilities don’t work well on some platform/browser combinations
  • It seems the IT section’s web filters are causing some problems as well
  • Popfly seems to work pretty well but so far the Geonames database they use only covers the US

Common sense update

No sooner did I post my common sense rant then I came across this picture.



My common sense tells me that aircraft getting struck by lightning would be an extremely rare and very dangerous event. Apparently my common sense has let me down as this article and the reader comments explain.

Tags: NGO Security, Maps, GeoRSS

I don’t know how many times I’ve heard some variation of this statement; “Security is just common sense.” I’ve seen NGOs use this belief to justify not dedicating resources to security. “We don’t need a security officer… we have experienced staff with good common sense.” Worse, I’ve seen people use it to justify breaking security procedures. “Its all just stupid rules… my common sense will keep me out of trouble.”

There is only one problem. Common sense is NOT good for security! Common sense is based on a whole series of faulty assumptions, biases and quirks.


Assumption of Common Knowledge

The first assumption is sometimes referred to as “Assumption of Common Knowledge”. In other words you know something so well that you think everyone must know it too. It just seems so obvious to you that it must be common sense.

The faulty logic of Assumption of Common Knowledge is revealed when common sense is cited in instructions. Reliance upon the term common sense when giving instructions pre-supposes that the instructed already has a grasp on the subject, and therefore needs no specific detail.

Some examples from security advice I have read:

“When working in high-risk areas use your common sense.”
“When travelling in a foreign country use common sense to avoid offending people.”
“If you are involved in a motor vehicle accident and an unruly crowd begins to form use common sense.”
“Use common sense during first aid emergencies.”

Do these statements make sense to you? Consider that in most security manuals, immediately after the “use common sense” statement, you’ll find a checklist of things that you should and shouldn’t do when in such a situation. If it is truly common sense why is the checklist needed?

Not convinced? Try these:

“When deciding whether or not to bilaterally transect the artery use common sense.”
“When connecting new wiring to the building mains use common sense.”
“If you are alone when you go into labour use your common sense.”
“When conducting sensitive hostage negotiations use common sense.”

Do you feel a sudden need for more detailed instructions? If saying, "use common sense" worked security procedures wouldn’t be nearly so wordy.


Cultural Norms

Every culture and subculture has norms which members are immersed in and unable to distinguish from common sense. Anyone with experience working in other cultures has had the experience of running up against cultural practices that seemingly lack any semblance of common sense. Eventually of course you realise that members of other cultures may also view your own cultural norms as similarly nonsensical. The physical reality of the world remains the same wherever you travel but the ‘common sense’ rules people use to navigate it change.

Examples:

“Saudi flag on football = good PR” vs “Saudi flag on football = insult to Allah”
"When negotiating “be open and honest” vs “allow participants to save face”
“Using weapons to protect NGO personnel and property decreases security by sanctioning violence” vs “Weapons are necessary for protection. Its just common sense!”

By the way, the last statement was expressed to me by national staff members of a large INGO. While they were willing to accept that the ‘soft’ international program staff might not see the necessity for self-defence weapons they really could not believe that a security officer couldn’t see the common sense in it.


Plausibility

In effect it sounds like it makes sense. Clichés often fall into this category. “Opposites attract” - common sense right? “Birds of a feather flock together” – common sense too!

Clever arguments, well stated, can be persuasive even if built on a foundation of bias lacking evidence. Take for example the politician who exclaims, “What we need is a common sense solution to the conflict” leaving the majority nodding their heads sagely while overlooking the fact that the opposition never actually supported a solution devoid of common sense.

“Mosquitoes can spread AIDS.” By now most of us should know that that just isn’t true. Surprisingly many people still believe it. To them it just sounds plausible. “AIDS is spread by body fluid to body fluid contact… mosquitoes transfer body fluid… mosquitoes spread AIDS.” It’s just common sense, right?


Cognitive Biases

There are a large number of cognitive biases that cloud our thinking and skew our common sense. Covering them all is beyond the scope of this article but consider these:

Optimism bias ⎯ the tendency to be overly optimistic about the outcome of intended actions
Recency effect — the tendency to consider recent events as having more import than earlier events
Zero-risk bias — the preference for reducing a small risk to zero over a larger reduction in a greater risk


Pre-Pubertal Learning

Ideas learned before puberty are difficult to unseat and are generally believed by the holder to be common sense. Thought processes change during puberty allowing most of us to more readily consider inconsistencies, question assumptions, and assess the grey areas of life. However, what we have learned prior to puberty generally remains unchallenged.

Most children accept "morality of authority" in which truth is what a credible authority figure has stated is truth. In effect parents, primary school teachers, and religious instructors all shape our ‘common sense’. Later in life it is difficult for us to unlearn these truths. How many of us still believe that sound travels better through liquids than through air or that Ben Franklin's kite was struck by lightning? How much harder is it to change our perceptions of risk?

Tags: NGO Security

According to this Reuters piece …

Sri Lanka is among the most dangerous places on earth for humanitarian workers, the UN’s aid chief says, calling on the government to probe civil war abuses and consider an international rights monitoring mission. Aid agencies say 34 humanitarian staff have been killed in Sri Lanka since January 2006, including 17 local staff of Action Contre La Faim shot dead in the restive northeast a year ago in a massacre Nordic truce monitors blamed on security forces. “There is a concern ... about the safety of humanitarian workers themselves and the record here is one of the worst in the world from that point of view,” John Holmes, UN Under Secretary General for Humanitarian Affairs, told Reuters in an interview late on Wednesday during a visit to Sri Lanka.

Read more…

This is not news to most of us who work here but it is a reminder just how bad the situation has become. Sri Lanka can be a very deceptive place. It is important that we not let the sunshine, beauty, and beaches blind us to the risk that NGO staff, especially national staff, face in what is in essence a civil war. I worry that we have begun to accept these deaths as the price of doing business here.

Tags: News, NGO Security

There is a real gap in the availability of good analytical training and resources for NGO security officers. Most NGO security manuals introduce the topic by stressing the importance of good analysis and an understanding of the local context. They might then go on to briefly cover actor mapping, and if we are lucky incident plotting. Beyond that the reader is left to his or her own devices.

Admittedly there have been a number of recent analytical studies that examine the patterns of violence against NGOs. These studies come replete with multiple regression analysis and complex equations like this one; "Sec100k = -1.384 + 1.691*BorderPak + -0.00011*Poppy + 0.036*Homeradio". I’m sure these studies are useful for developing policy and keeping underemployed academics out of the soup lines. However, they are unlikely to provide much solace when the country director wants to know how he can safely keep program running despite the recent spate of IED attacks.

In order to try and address these shortcomings I am opening the conversation on security analysis for NGOs. We’ll start with simple, robust, and inexpensive tools and techniques that can be used anywhere under any conditions. We’ll also examine more advanced tools that take advantage of the latest in ICT.

Anyone who wants to share tips and techniques should feel free to do so. It doesn’t matter to me whether you do your analysis on the back of an empty cigarette package under a sputtering lantern or on the latest networked GIS platform in a brightly light office. The goal is to identify and share best practices and to encourage the development of new tools and techniques.

I'll post the first technique shortly.

Tags: Analysis, NGO Security

Nick seems to be posting again on the NGO Security blog. This is good news! Welcome back Nick.

Tags: NGO Security, Blog

The economist has an interesting article on how technology is changing the power dynamics between NGOs and their beneficiaries. There are even a couple of paragraphs covering concern about how mobile phones and similar technologies might impact on NGO security.

Tags: Technology, NGO Security, SMS, Mobile Phones

NGO in a Box has a Security Edition that includes Free and Open Source Software (FOSS) to aid NGOs in securing and protecting their data and online activities. The package seems ideally suited to human rights, anti-corruption, and womens groups, as well as independent media outlets. Any other group that wants to protect their data from abuse, misuse, and vandalism might want to check it out as well.

Tags: NGO Security, Technology, Software

I was experimenting with Twitter when it occurred to me that it was an ideal tool for NGO security officers. Rather than using the service to merely update friends on what I was having for breakfast I could be sending out security information alerts and updates. All my “followers” would then get current, low cost, security information.

This method has many advantages over the SMS security tree method commonly used by NGOs. Traditional security trees tend to fail when one or more members (the branches of the tree) do not receive or pass on the text messages they receive to those below them, typically because they are on leave or because the tree information is not up to date. Traditional trees can also be expensive. Each SMS sent by every member of the tree comes out of someone’s budget. This can add up quickly if you are sending out several messages a day to a two hundred-member security tree.

Social networking services like Twitter or Jaiku allow us to avoid these problems. Essentially Twitter and Jaiku allow the head of the security tree to send one SMS to the service’s server. The service then distributes the SMS to all the “followers” (subscribers) of the account more or less simultaneously. This means the tree still works even if members are missing. In addition you only pay for the SMS to the service’s server. SMS messages from the server to each of the followers are free*.


* Most mobile service providers only charge for text messages that are sent while those received are free.

Tags: NGO Security, Twitter, Jaiku, SMS, Social Networking