Information Security in Conflict Zones
In today’s post GDPR-era, the citizens of most developed countries are regularly reminded by governments, media companies and non-governmental organizations of the importance of complying with the GDPR and other privacy laws. However, little or no attention is paid to the data processing operations in conflict zones. Such zones often do not have any laws protecting confidential and personal information or, if they have such laws, they are unenforceable due to the lack of working governmental institutions.
As a result of the lack of enforceable legal frameworks in conflict zones, criminals and others can easily gain unauthorized access to information that can be used to injure humanitarian workers and other civilians. Hence, the security of information in conflict zones is of vital importance to protect the fundamental rights of the civil population in those areas.
Below, we examine four information security threats that civilians in conflict zones need to address in order to protect the security of their information. Those threats are: forcing individuals to leave their computing devices, blackmailing individuals and their families with the aim to access sensitive data, physical security threats and unlawful interception of communication. Below, we examine these four threats and provide recommendations on how to address them.
Forcing Individuals to Leave Their Computing Devices
In dangerous environments, such as repressive countries and detention facilities, users of computing devices (e.g., cell phones, laptops, tablets) may be forced to leave their computing devices to the guards or armed forces. In this regard, a humanitarian worker noted: “In many places, we are not allowed to have any electronic tools with us. When you go in a prison, you cannot even have your phone with you. You have to leave it at the entrance or at the car.”
Humanitarian workers and others who decide to leave their electronic devices to third parties put the confidentiality of their data at high risk. For example, such third parties may install spyware applications on the computing devices which will enable them not only to get remote access to the information stored on those devices, but also track the location of the owners of the devices. Third parties may also copy information to peripheral devices, hard drives and other storage devices.
Individuals willing to avoid the threats mentioned in the preceding paragraph need to either make sure that their computing devices do not store any confidential information or encrypt their confidential information in such a way that it will not be possible for third parties to decrypt it.
Blackmailing Individuals and Their Families With the Aim to Release Sensitive Data
Humanitarian workers and local population in conflict areas are often coerced to disclose confidential information. Such coercion may involve threats against the lives and well-being of the holders of confidential information and their families. To mitigate the effect of such threats, persons holding confidential materials can transfer them to people outside of the conflict zones or people who are about to leave the conflict zones. In this context, a humanitarian worker stated: “The authorities will not be able to threaten me because I can leave the country the day after.”
It is worth mentioning that threats to humanitarian workers in conflict zones may have a strong impact on the threatened individuals, as civilians in such zones are often under attack. For example, in January 2018, four gunmen stormed the office of the Save the Children aid agency in the Afghan city Jalalabad and killed several people. The attack clearly indicates the pressure applied on humanitarian workers by armed groups.
Physical Security Threats
Servers and other computer equipment in conflict zones are of high risk of being damaged or compromised by armed forces and civilians.
Armed forces may destroy computer equipment in order to prevent civilians from communicating with others. Salweh, a former Syrian detainee, explained to reporters that most women and girls in her cell were imprisoned because of suspicious Internet activities after their mobile phones were seized. Salweh explained: “The Syrian security officers blame the revolution on Facebook, and how Syrians misused it. They are obsessed with this idea that anyone who carries a mobile phone is suspect.”
Civilians in conflict zones may destroy computing devices or delete important data stored on their devices in order to prevent armed forces from accessing sensitive information. Umm Hassan, a Syrian citizen fleeting the destructed country, said to a reporter: “My phone is my lifeline … But, please help me. How do I delete everything on it?”
Therefore, to protect their confidential information, individuals in such zones are advised to encrypt all their information and store it on cloud-based servers outside of the conflict zones. Any computing device located on the territory of the conflict zones must be stored in a dedicated room that is always locked and accessible to specific individuals only.
Unlawful Interception of Communication
Armed forces in war zones often intercept all mobile communications. In 2010, the British newspaper The Guardian announced that Taliban sympathizers and foreign spy agencies were routinely tracking top secret military phone calls of the U.S.-led coalition. This clearly shows that mobile communications in conflict zones (including communications exchanged through highly protected military infrastructure) are highly susceptible to interception and should be avoided.
If such mobile communications cannot be avoided, it is preferable if the communicating parties use pseudonyms and do not share sensitive data, such as:
- Personal data (e.g., date and place of birth, names, gender, and governmental ID numbers)
- Medical data (e.g., information about health conditions)
- Forensic data (e.g., information about grave sites, bodies and circumstances of disappearance)
- International humanitarian law data (e.g., information about violations of war laws)
- Critical infrastructure data (e.g., information about damages of critical infrastructure resulting from military attacks)
Individuals and organizations in conflict zones who want to protect their confidential information need to take special information security measures. Such measures may include, but are not limited to, storing confidential information on secure cloud platforms (not on mobile or desktop devices), encrypting all sensitive information, keeping any mobile devices storing confidential information in dedicated locked rooms, communicating by using pseudonyms and sharing as little sensitive data as possible. Without taking appropriate measures, the integrity of the confidential information and the lives of a large number of individuals can be at risk.
Want to read more? Check out some of our other articles, such as:
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She holds an advanced Master’s degree in IP & ICT Law. Her particular interests include data protection, cybercrime law, and legal aspects of e-commerce business.