Ethical Considerations When Using Geospatial Technologies for Evidence Generation
- Author: unicef-irc.org
- Full Title: Ethical Considerations
When Using Geospatial Technologies for Evidence Generation
- Category: articles
- Document Tags: #geospatial
- URL: https://www.unicef-irc.org/publications/pdf/DP%202018%2002.pdf
Highlights
- Crowdmapping: The aggregation of crowd-generated inputs such as text messages and social media feeds with geographical data to provide real-time, interactive information on events (Wikipedia). (View Highlight)
- Geographic information systems (GIS): A suite of software tools for mapping and analysing data which is georeferenced (assigned a specific location on the surface of the Earth, otherwise known as geospatial data). GIS can be used to detect geographic patterns in other data, such as disease clusters resulting from toxins, sub-optimal water access, etc. (AAAS, 2017). (View Highlight)
-
New highlights added January 20, 2024 at 1:41 PM
- Geomasking: A method used to minimize disclosure risk, referred to as geographic masking, or geomasking. This approach alters a record’s geographic location in an unpredictable way that is sufficient for preserving the spatial distribution of the variables while minimizing the possibility of identification of individuals (Allshouse et al., 2010). (View Highlight)
- GeoTagging: Adding geographical identification metadata (usually location data, i.e. longitude and latitude coordinates) to various media such as photographs, videos, websites and SMS messages (View Highlight)
- Internet mapping technologies: Software programmes like Google Earth and web features like Microsoft Virtual Earth are changing the way geospatial data is viewed and shared. The developments in user interface are also making such technologies available to a wider audience whereas traditional GIS have been reserved for specialists and those who invest time in learning complex software programmes (AAAS, 2017). (View Highlight)
- Remote sensing: Imagery and data collected from space or airborne camera and sensor platforms. Some satellite image providers now offer images showing details of one meter or smaller, making these images appropriate for monitoring humanitarian needs and human rights abuses. Remote sensing technologies include convention radar, laser altimeters, altimeters, acoustic ultrasound, aerial photographs, hyperspectral imaging and multispectral platforms (AAAS, 2017). (View Highlight)
- Geographic information systems (GIS) software is capable of analysing and visualizing large quantities of data to identify correlations, trends and patterns in relation to geographical location. The data used for this modelling and, frequently, the analysis of this data may be provided and undertaken by social media and telecommunications organizations, providing a relatively cheap means to generate evidence, particularly for larger geographical areas. Further, analysing databases of this magnitude can provide insights that could not previously be gleaned/acquired using traditional offline data collection methods. (View Highlight)
- Disaster risk preparedness and mitigation (includes: GIS and satellite, drones with electro-optical, infrared, multispectral or hyperspectral sensors). GIS analysis can be used in disaster management to model potential environmental impacts, thereby enabling more targeted planning and potentially reducing the impacts on infrastructure and persons (Rodríguez-Espíndola, 2016). (View Highlight)
- Public information and advocacy (includes: GIS, satellite, remote sensing, drones with electro-optical and infrared cameras). These technologies can be used to see and show the scale of damage caused by conflict or disasters as well as the pace of recovery, or to highlight specific problems in relation to infrastructure or mobile populations (Gilman, 2014, p.6). (View Highlight)
- For organizations with a limited budget for software licenses, open source GIS software can be used to reduce overhead costs and ensure all relevant agencies can effectively engage with coordination efforts and/or reap the benefits of GIS systems. With this proliferation of high quality open source software and with software companies such as Microsoft building functionality into their preexisting suite of programmes (such as Excel and Power BI), GIS software is becoming a faster, more accessible, user-friendly and cheaper tool to support coordination and health surveillance. (View Highlight)
- Crowdmapping. Crowdmapping facilitates the monitoring and mapping of rapidly changing events or unreported incidents and their geography. It can provide data in instances where accessibility was previously not possible, where volatility or lack of security and danger created impediments to comprehensive data collection or where previously there was a deterrent to face-to-face reporting. Examples include: using crowdmapping to track movements of persons (internally displaced people or IDPs) in a conflict zone; monitoring areas of high incidence of violence against women and children; or mapping areas (and particularly poorer areas) that have never been mapped before. (View Highlight)
- The following are the key potential risks of using geospatial technology for evidence generation:
� Privacy, security and surveillance issues relating to the capacity to directly or inadvertently observe private property, capture sensitive personal information and potentially put persons in harm’s way
� Privacy and safety risks related to transmission, sharing and storing of geospatial data � Uncertain consent when using data from third-party providers
� Negative political associations with visible data capture devices like UAVs equipped with a camera/ image capture payload
� Unintended or unknown surveillance � Lack of representativeness, robustness or usefulness of data
� Discrimination can be consciously or unconsciously built into algorithms – without the final user’s knowledge.
� Data collection from smart devices may be disproportionately present in more affluent neighborhoods and has been shown to reinforce inequitable public service/resource allocation.
� Data stored on servers could be accessed or stolen by governments, militants or malicious parties.
� Data may not be appropriately or fully disposed of and remain on servers or other hard drives, both known and unknown. (View Highlight)
- Surveillance and privacy. Visual data capture from remote sensing technologies has the capacity to directly or inadvertently observe private property and capture sensitive personal information, violating individuals’ privacy and potentially placing them in harm’s way (Gilman, 2014).
The nature of surveillance and privacy risks differs according to the nature of the data captured and the mechanism for capturing this data. Each of the following data capture processes and attendant data can and have been used within development and humanitarian contexts generated by partners or by the organization itself. (View Highlight)
- Data captured through geospatial tagging via social media: In these contexts, the individual has, to some extent, a degree of control over the geospatial data provided. Most individuals do this consciously, choosing to tag themselves to identify their location. However, users may be less aware of the steps necessary to disable the automatic geotagging of the photos and videos they take with their cellphones and to prevent metadata from being made available every time they post these on social media. They are further at risk when others tag or visually capture them and inadvertently identify their location. There are options for the individual to de-tag themselves however this requires awareness of having been tagged. (View Highlight)
- Visual data captured through remote viewing, UAVs/drones and satellite technologies: In these instances, the person or groups involved may not be aware of this invasion of privacy or, if they are aware of this violation of their privacy, are unlikely to be able to mitigate against it or be easily able to take remedial action in real time or retrospectively. There is little possibility for individuals or populations to provide informed consent for this type of data collection and therefore for any subsequent analysis, use or dissemination and sharing of the data. (View Highlight)
- Georeferenced data collection: In these instances, geolocational data is directly collected from persons as part of broader data collection/survey processes. The georeferenced data sets could give rise to disclosure risks. These risks relate to the potential for an individual’s identity to be exposed in the release of a georeferenced data set. The risks of this occurring are increasing as it is becomes increasingly possible and easier to link published health and other administrative data back to individuals using their geographical location (Hampton et al., 2010). (View Highlight)
- It is worth highlighting that some of the risks related to surveillance and privacy may be minimized if data sets are de-identified, aggregated to a sufficient level and/or, if possible, geomasked. (View Highlight)
- Ethical Considerations When Using Geospatial Technologies for Evidence Generation Innocenti Discussion Paper 2018-02
distanced, as long as data transfers are secure. (View Highlight)
- The efficacy of de-identification and aggregation strategies however, are contingent on geographical distribution and density of populations, point of access of data by third parties (i.e. when third parties actually access the data pre or post deidentification) and the capacity for re-identification using other data sets. In relation to visual data, the resolution and distance are contingent on the needs and purposes of the data to be collected. It should be noted however that there are limitations to the efficacy of de-identification at the personal level because in certain instances, such as population tracking, interception of visual data identifying groups may be just as risky as identification of individuals. (View Highlight)
- Privacy and safety related to transmission, sharing and storing of geospatial data. Comprehensive privacy, data protection and storage standards may be largely non-existent in many countries where geospatial data is being collected. This is particularly problematic in development and humanitarian contexts where data is frequently shared between agencies, donors and NGOs. Further, data may be directly or indirectly shared with (or accessible by) the private sector and/or the state, neither of which may be bound by human rights and/or humanitarian standards. Access to this data may be the result of formal contractual or political agreements and/or the consequence of transmitting sensitive information over insecure mobile networks or using platforms where privacy can be compromised via coercion or hacking. (View Highlight)
- Consent and data use from third party providers. Geolocated information derived from third party sources such as social media or telecommunications companies is unlikely to have been collected from those who had provided informed consent for this secondary use of the data. While contractual provisions may have allowed for on-sale or sharing of data, it would be hard to argue that consent for this particular use of this data (even aggregated in an anonymized way) is truly informed. (View Highlight)
- Unintended or unknown surveillance. An individual’s geospatial data is also available by default via the GPS receiving capabilities of smartphones. This feature can facilitate surveillance by third parties including applications companies and their affiliates, governments (either through legitimate or illegitimate means) or other nefarious individuals or organizations (for political or criminal purposes). This capacity for surveillance is further problematized by the fact that applications and data stored on mobile phones are less protected from unauthorized access than on most desktop and mobile computers (Ben-Asher et al., 2011). As noted above, geospatial data collected, whether for good or nefarious purposes, will be unlikely to have received truly informed consent for its use. (View Highlight)
- Security in the context of crowdsourcing. There may be instances where individuals and possibly children put themselves in unsafe conditions in order to participate in crowdsourcing activities. For example, when participating in crowdmapping, individuals may enter into unstable or unsafe environments in order to map previously unmapped areas (Cebrian, 2016). (View Highlight)
- Lack of representativeness of the data. Data collected on a particular platform will reflect the population of users of that platform. In the instance of social networking sites developed for smartphones, this will exclude populations that do not have access to this relatively more expensive technology. The exclusion of particular cohorts (say children under 13) means that the findings may not always reflect the scale and scope of populations within particular geographical settings. (View Highlight)
- Indirect data collection (i.e. data collection undertaken by third parties) means that inference of specific insights relating to geography is less straightforward given that the quality and validity of the data cannot be directly assessed. This implies that insights may need to be interrogated and qualified, with explicit reflection on the strength of the explanatory power of the model. (View Highlight)
- Revelation of personally identifiable information (PII). Even if initially de-identified, geodata that is subsequently combined with other databases may lead to clear identification of individuals. It is extremely difficult (arguably impossible) to guarantee that a certain type of anonymization will hold over time since new data sources might be released by third parties that could compromise the security of any system (Sweeney, 2002; De Monjoye et al., 2013). (View Highlight)
- The time required to clean and validate data sets so that they are useable and in a format that is understandable to those on the ground may make third party geospatial data use redundant or counter-productive, particularly where information is time sensitive. (View Highlight)
- Lack of data stewardship. Unless formalized in memorandums, contracts or institutional practice, PII may not be sufficiently protected without a clear agreement between partners relating to its responsible use that seeks to protect and limit access to this type of data. (View Highlight)
- Inappropriate data modelling undertaken by persons who do not take into account the limitations of the data and/or do not understand and take into account the social, political and environmental contexts in which the data was collected, can lead to bias and inaccuracies in predictions, trends and consequent decision making based on these flawed findings. (View Highlight)
- Dependence on ICT Infrastructure. Geolocational data generated by volunteers and/or obtained via third party data (frequently provided by private organizations such as social media and telecommunication companies) may be susceptible to incorrect inferences if the data set is incomplete, inaccurate or unrepresentative. Outdated local infrastructure, inconsistent access to electricity and government blocking of platforms and apps may make geospatial information collected not only more susceptible to security breaches but also likely to be incomplete or insufficient for decision making (Nyst, 2013; Moestue and Muggah, 2014). These issues may be particularly problematic in the context of humanitarian emergencies and within authoritarian regimes. (View Highlight)
- The population under inquiry may be unaware that policies, programmes and actions are based on simple or complex geographical modelling (for further discussion on discrimination and big data see Ethical Issues when Using ICT Innovations for Evidence Generation Paper No.1) and hence will be unaware of any inherent discrimination in individual or population based decision making. This prevents any legitimate queries, restitution or disputation of decision making, thereby precluding accountability in decision making. (View Highlight)
- Personally identifiable data or demographically identifiable data stored on servers could be accessed or stolen by governments, militants or malicious parties through hacking, backdoors or legislation, irrespective of the location of the data provider and the protective legislation in their home country. This is true whether storage is cloud-based or on a local server. (View Highlight)
- The primary risk relating to disposal of data is that the data is not appropriately or fully disposed of and that it remains on servers or other hard drives, both known and unknown. (View Highlight)
- Reflecting on and maximizing the benefits
� Be clear how the data collected or the mapping undertaken using geospatial technologies will specifically address or concretely inform policy, programming or advocacy needs within the local context.
� Assess the benefits of using geospatial technologies for data collection in the context of pre-existing information sources and/or the viability and resource implications of alternative data collection mechanisms.
� Collect evidence wherever available identifying the explicit benefits of the technologies and the appropriateness of the data collection method.
� Collect only data that is necessary. To the greatest extent possible, reflect and plan for the data collection within strategic planning processes.
� If third party data or consultancy expertise is to be used, ensure that a non-disclosure agreement is included in the procurement process and that experts are briefed on any relevant, organizational ethical procedures and requirements pertaining to privacy.
� Ensure that there are sufficient numbers of qualified staff and/or time and resources to produce meaningful and timely information. (View Highlight)
- Ensuring privacy and security
� Acquire consent where relevant and feasible. If the project is likely to capture personally identifiable data then, wherever possible and feasible, informed consent should be obtained in advance. If this is not possible, information on the project should, at a minimum, be provided on the organization’s or office’s webpage and/or the landing page on social media.
� When receiving secondary data, take into account data providers’ expectations regarding the privacy of data. Care should be taken in the use of this secondary data, reflecting on the context in which the data was collected, the nature of the population whose data is being analysed, the information used, the likelihood of identification of individuals and the degree to which expectations of privacy can be met.
� De-identify personal data (incl. visual data) to the greatest extent possible and as soon as possible. Disaggregate geographical clusters to the strict minimum needed, adopt the weakest possible visible resolution (i.e. maximum useful distance for visual data), remove identifying information and/or obscure visual details, while maintaining the usefulness and meaningfulness of the data for programme, policy and decision-making purposes.
� Consider using geomasking techniques to mitigate against re-identification of individuals in data sets produced. Discuss the value of geomasking for your project with the geospatial experts involved. (View Highlight)
- � Review visual data as soon as possible to ensure that identifying information is not shared nor made public.
� Build in privacy by design. Wherever possible, when developing a project involving geospatial technologies ensure that privacy concerns are identified and mitigated against in relation to the software used, the transmission channels, the storage built/used and the platforms for dissemination.
� Consider the privacy policies of third-party geospatial data providers (such as social media services). When using third-party data, consideration should be given to the privacy policies of the organization and their implications including (where relevant):
– Anonymization and aggregation of data provided by the third party – Safe transmission mechanisms for data (e.g. encryption used at all times when data is being sent from one party to the other)
– Whether there are clear conditions evidencing respect for individuals’ rights relating to their data. This could include consent arrangements for non-operational use of data, notification of potential sharing of data (including information about with whom it may be shared), right to removal of personal data from data sets, etc.
When deciding (a) whether to use the third-party data and (b) whether it is feasible or appropriate to create an MoU to ensure privacy and security in the transfer and receipt of data or analysis.
� Wherever possible only de-identified geospatial data should be accepted from third parties in place.
� If deciding to proceed with a partnership to accept geospatial data from third parties, then measures should clearly be taken to publicly acknowledge the nature of any partnership and the safety measures taken to protect the privacy of those whose data has been used.
� Carefully consider the risks, benefits and alternatives if the potential partner is incorporated or subject to the legislation in a country with broad surveillance powers and a history of (a) gross violations of individual privacy and/or (b) interrupting national access to media channels including social media. In other words, consider the reach of the relevant government in terms of access to or blockage of use of technologies.
� Establish an agreement/MoU with service providers or volunteer organizations clarifying arrangements for data sharing and personal identity protection arrangements, including what procedures to follow if community consent is needed. (View Highlight)
- Understanding data risks and limitations
� Understand potential limitations in the data. Limitations of the data could include: data gaps, who is included or excluded from the data (pertaining to accessibility of technologies, devices and profiles and demographics of participants), merging of incompatible databases/data sets, inclusion of outdated data, etc. Any limitation of geospatial data (whether collected directly or indirectly through a third party) should be understood. Discussions should be had with data providers and data experts on these limitations in order to:
– Understand whether the data is fit for purpose – Ensure that any findings are appropriately qualified with clear consideration of the implications of the limitations
– Ensure that recommendations based on findings are similarly qualified with clear consideration of the implications of the limitations
� Consider the possibility of discrimination against disadvantaged groups that are collectively associated with particular geographical areas. Correlations between particular populations in light of factors such as their geography and the relationship between location, poverty, gender and race may result in geographical trends and predictive models that discriminate against certain persons in relation to their access to services and their opportunities. Where discrimination is a possibility, the use of geospatial technologies and data should be reconsidered and/or any resulting decision making should be carefully triangulated with other data sources. (View Highlight)
- Assessing and managing the risks
� Use a risk assessment framework. In light of privacy and security risks and potential data limitations, prior to adopting geospatial technologies for evidence generation or embarking on a partnership for the provision of data for GIS modelling from third parties, a risk assessment should be undertaken. This requires an assessment of risk profiles relative to the potential benefits to relevant communities. The checklist provided in this brief can be used as a very basic risk assessment tool. Other tools include:
– A risk assessment tool created by the UN Data Privacy Policy Group that can be adopted and adapted http://unglobalpulse.org/sites/default/files/Privacy%20Assessment%20Tool%20.pdf
– The Information Accountability Foundation (2016) Big Data Assessment Framework and Worksheet http://informationaccountability.org/wp-content/uploads/IAF-Big-Data-Ethics-Initiative-Part-B.pdf
� Make contingency plans. Include in any risk assessment appropriate contingency plans in the event that (a) access to technologies or infrastructure is blocked or breaks down unexpectedly, (b) data is wiped remotely, or (c) a privacy breach occurs.
� Consider providing training or tips on potential risks and protection strategies for individuals involved in a crowdmapping exercise. Individuals should be informed about how to conduct themselves safely in the physical environment, the ethics and risks of capturing others in any photography used in the exercise, what types of sites should not be photographed or entered (e.g. certain government buildings or locations where criminal activity takes place) as well as possible online risks. (View Highlight)
- � Manage expectations in relation to assumptions that mapping areas will directly and immediately result in rectification of environmental hazards and restoration and rejuvenation of local areas.
Engaging communities in risk assessment and sharing of findings � Collaborate with all relevant stakeholders to populate a risk assessment framework.
� Share Findings. Findings of the data should, wherever possible and appropriate (without compromising privacy or security), be shared with the communities involved. (View Highlight)
- Using unmanned aerial vehicles: Engaging communities and being sensitive to perceptions
� Ensure communication and engagement with the community prior to use of visible devices like UAVs to prevent misunderstandings as to the nature of the device and the purpose of its use.
� Launch and land a UAV from the location to be surveyed rather than remotely7 to highlight transparency in use and allow for an opportunity for appropriate explanations and dialogue with the community in advance.
� If a UAV landing is to be remote, ensure a recovery team is available at the remote site so that the UAV (and data collected) do not fall into the hands of wrong people.
� Unless absolutely necessary, use UAVs in natural disasters and more stable political contexts and avoid conflict settings given the potential negative political/military associations of UAVs and the consequent assumptions that may be made regarding affiliations and agendas.
� Avoid recording information that if intercepted, would threaten the security of persons. (View Highlight)
- Legal considerations
The specificities of the numerous applicable local and international legislation and regulations are beyond the scope of this paper. Legal advice should always be sought from an organization’s legal office. However, the following issues should be kept in mind when designing and implementing a geospatial technology project:
� The legal environment governing geospatial technologies is constantly evolving. The organization using UAV technologies should be aware of the applicable legislation and should design the project in such a way as to comply with such legislation.
� Any third-party service providers or contractors or implementing partners involved in the project should be required to comply with all applicable legislation.
� National legislation in certain jurisdictions may set a lower standard than best practice or ethical considerations would warrant. In such cases, implementing organizations and their partners should be guided by best practice or ethical considerations (as noted in this paper) and not just the minimum legal standards. (This may involve setting a higher standard for contractors than applicable by law). (View Highlight)
- (View Highlight)
- (View Highlight)
- (View Highlight)