Mobile Phones in International Development: Insecure and Problematic for Security and Privacy

There is a new report by Hibah Hussein, a researcher at the New America Foundation that sharply critiques the lack of privacy and security considerations in mobiles-for-development projects. As readers of this blog know, mobile phones are proliferating as a communications and information delivery channel in international development - in health care projects, those focused on economic development and livelihoods, and also in social accountability and transparency work. We here at NDI have certainly extensively used mobile phones in systematic election monitoring, for citizen outreach and delivering civic information, and for citizens to hold their elected officials accountable. 

But, as Hussein poses, mobile phones are inherently insecure channels easily surveilled and monitored by design (after all, telcoms charge by usage and thus watch closely what you do), poorly regulated if at all with meaingful privacy protections in most developing countries, and thus inherently subject to deliberate or inadvertent privacy and security breaches. Since mobile projects in development often target the most vulnerable and marginalized populations and much of development happens in countries with poor governance all the way to outright dictatorships, this combination, Hussein argues, is a recipe for disaster.  She notes that international development projects lack privacy and security procols and guidelines and proposes a framework for them to consider in their projects. 

Hussein conducted an extensive and thorough literature review but misses a number of critical points that would have been obvious is a practitioner rather than a researcher had written the report.  Here is my take on the absolutely critical issue of privacy and security in international development and a critique that takes into consideration the peculiar field of international development.

A few points: 

• International development writ large as a field is unfortunately extremely and aggressively non-political. Donors such as USAID other than in the democracy-supporting units, tend to shy away from making funding and project implementations contingent upon basic adherence to human rights principles. If Hussein notes that "international development projects vary greatly based on goals, funders, and communities,  but given the sector's strong commitment to global human rights, normative principles [of privacy] are of crucial importance" she is unfortunately very wrong. Aid, by and large, is by and large not consistently tied to human rights by Western countries, as numerous studies have shown.  Hence, tying privacy and security as human rights principles to aid projects is not going to fly, given how aid currently flows. 
• We need to much better understand what large international aid implementers are actually doing in regard to securing or not securing personally- identifiable information transmitted via mobiles and how they safeguard information against abuse, especially in repressive countries. A very superficial desk survey as Hussein conducted that outlines some of the risks inherent in mobile communications (such as, for instance, revealing someone's sexual preference or HIV status) is simply not enough to really understand whether the situation is as dire as Hussein describes. A Chicken Little 'the sky is falling' alarmist view does no good if it's not supported by real, substantiated, and current data points. While I do believe that there are a lot of very poor practices (I have seen many) there are also projects that take privacy and security of beneficiaries very seriously. What the percentage is of each ought to be substantiated with hard data, not conjecture.
• Surprisingly, given the desk review ofthe literature, Hussein misses a landmark report by the mHealth Alliance on mobile privacy in health that was published in June to great fanfare.  The report investigated the legal and regulatory frameworks in a number of countries with a large number of m-health projects and advocates cogently for comprehensive frameworks that take into consideration the legal, cultural, and technological complexities of m-health projects in particular. A similar approach can be adopted for projects in other areas.  The report is a must-read as it is by far more comprehensive and nuanced than the New America piece. 
• Lastly,  it is surprising that Hussein advocates essentially for self-regulation of the international development field in regard to mobile security and privacy, leaving aside the donors, that is Western countries with omnibus privacy laws, that control the purse strings of much of these projects. Leaving aside the growing influence of Chinese-funded projects and direct foreign assistance (and the inevitable significant security and human rights problems that that poses), Western donors must act decisively and assertively in demanding in their funding thorough risk and threat assessments, and make funding contingent on those. Donors also must demand independent reviews of large-scale projects' security practices (a point wholly ignored by Hussein).  
• Currently, donors do not understand this field sufficiently to even begin to demand a stringent set of precautions and audits to ensure that privacy and security princples are sufficiently adhered to. Similarly, there needs to be a new and re-invigorated discussion about tying direct foreign aid for social and other services of a country to ensuring the privacy and security of data about its people in its use if tech - by caveat, what that means is a renewed discussion about what aid and human rights means in a technological age. 

Western countries and their aid as well as Western-funded development projects are currently far from even beginning to consider how to ensure that the safety and privacy of citizens in developig countries is safeguarded. Hussein's report is a timid beginning to open that debate but it is nowhere near thorough, data-driven, nor far-reaching enough to start that debate.