A look at how social media use increases the risks of humanitarian operations in insecure regions
Social Media Use and Risk
International humanitarian organizations are increasingly using social media platforms to promote programming, share photos and project achievements, and receive real-time updates from across the globe. From Facebook to Instagram and Twitter to personal blogs, these sites and services allow project teams to share updates and information with a wider audience than ever before. However, as non-governmental organizations (NGOs) operating in unstable and complex environments place an increasing amount of information into the public domain, new security risks can develop.
Although a handful of NGOs have adopted comprehensive social media policies as part of a wider security policy, many organizations are only starting to consider the risks these new tools pose while others have yet to consider the rapidly emerging risks.
Crafting policies around social media and security is challenging not only because of the difficulty of enforcing policies, but also because of the need to gain employee buy-in of social media risk mitigation measures despite the fact it may be perceived that policies may infringe on staff personal lives and freedom of expression.
Based on interviews with security and communication experts from an array of organizations and agencies, this paper provides a summary assessment of the security risks to NGOs that social media poses, the steps that have been taken to alleviate these risks, and the challenges in implementing social media policies.
The Drawbacks of a Valuable Tool
It is a fact that social media is here to stay. Social media sites like Facebook and Twitter have experienced explosive growth and popularity. As was seen during the Arab Spring of 2011, social media has also taken hold in the developing world and among marginalized populations. Given the potential security risks involved in placing a great deal of information in the public domain, NGOs need to be proactive and take steps to build a framework for well-developed organizational policies on the use of social media as it relates to staff safety and security in the field.
Receiving real-time updates on protests in Mali.
Accessing up-to-date data on road closures in Afghanistan.
Sharing project accomplishments in Pakistan with millions of people.
Sending photos of Nigerian beneficiaries around the world.
These are some of the invaluable ways that NGOs use and benefit from social media platforms.
Operating in under-developed parts of the world and often in regions of strife, the benefits that Facebook, Twitter, and other social media services provide are impressive. However, these benefits often overshadow the risks posed by posting and sharing an ever-increasing amount of information in public spaces.
As a result of sharing certain information through online profiles and blogs, there have been cases of compromised security for NGO personnel operating in insecure parts of the world.
Bloggers have been decapitated by drug cartels in Mexico.
Project personnel have become targets for abductions and kidnappings in Afghanistan.
One staff member in Mali blogged about being beaten in a protest to the dismay of her employers.
Although NGOs operate under an array of policies and procedures when carrying out programs in insecure environments, very few groups are considering specific social media policies. This paper takes a deeper look at these risks; the policies needed to mitigate these risks, and the challenges in implementing policies:
Section 1 provides a view as to how social media messaging may benefit an organization, but also increase security risks for NGO staff operating in unstable regions.
Section 2 presents a summary of the aspects of social media policies that NGOs need to consider in order to mitigate the threats that the tools potentially pose.
Section 3 addresses the challenges NGOs face in putting these policies into practice.
This paper is based on interviews with communications, security, and legal experts from an array of international NGOs and donor agencies. Those interviewees that agreed to be referenced are listed on the acknowledgement page.
Benefits and Risks
A Powerful Set of Tools
Interviews with security and communications experts at a number of humanitarian and development organizations revealed that social media is overwhelmingly viewed as a powerful and positive tool.
Twitter has proved exceptionally useful as the copious amount of users provide numerous data points and have the potential to focus attention on an issue very quickly. The use of Twitter during protests in Mali, for example, allowed aid workers locally and in home offices to obtain live updates. Despite the confusion, the simple process of following a select network of twitter users—ideally identified in advance—sometimes provided reliable information on what was happening on the ground. Re-tweeted erroneous information, however, remains a challenge. Twitter also proved useful for obtaining updates during contentious moments in Cairo and Kenya, during which home-office staff turned to Twitter feeds to ensure the safety of staff.
Capturing the degree to which Twitter was used during the Egyptian Revolution in 2011, HyperCities, a digital research and education platform, tracked and displayed tweets related to the uprisings. Displayed via an interactive map (http://egypt.hypercities.com/), tweets included:
“gunfire in Syria st, Mohandiseen. Exactly who is firing is unknown #jan25” (@noov78)
“Syria Street completely closed off. Gunfire exchanged between unknown parties. #jan25” (@dancefromiraq)
“Everyone is back and calm. Surprisingly enough I didn’t feel scared atall #JAn25” (@monasosh)
“Reports that the police will retake Cairo tomorrow. Things could get ugly. #Egypt #jan25” (@ianinegypt)
Twitter is also widely used in evacuation scenarios after and during disasters to track those roads and routes that have been shut down or are inaccessible.
During the 2010 earthquake in Haiti, for instance, the Nielsen Company reported:
“much of what people around the world are learning is coming from social media… analysis of data shows that Twitter posts (‘micro-blogs’) are the leading source of discussion about the quake…While most online consumers rely on traditional media for coverage of the quake, they are turning to Twitter and blogs to share information, react to the situation and rally support. The Twitter account for the Red Cross, which on average, had been adding roughly 50-100 followers a day before the quake, has gained more than 10K followers since.”
Social media has proved popular for marketing and fundraising as well. Many NGOs encourage staff to use the tools and explicitly post organization-specific Facebook pages to promote their message and reach a wider audience. A number of large and notable NGOs and UN agencies maintain Facebook pages to share photos and stories, garner support and readership, and elicit opinions and feedback.
These examples, however, only highlight the advantages of social media platforms; without regard to security or the risks these tools potentially pose. If NGOs use social media tools irresponsibly—especially in insecure regions—potential security implications arise.
The Risks that Social Media Pose
As NGOs launch humanitarian programs overseas, they aim to present themselves as impartial parties working towards development and progress. However, it is often hard to maintain impartiality, especially in complex environments where the presence of an international program can be viewed as controversial. It becomes increasingly difficult to convey an image of impartiality when humanitarian and development employees post updates and photos that potentially give more voice to one side of a conflict than the other or publicly discuss a controversial issue. Put succinctly, crises can be created when people add information to a scenario.
What does an irresponsible post look like?
When operating in an insecure environment, irresponsible online behavior could involve posting photos or updates that reveal office locations or addresses, provide details on security or schedules, highlight personal information of staff, and offer controversial opinions.
These activities potentially put an organization at risk by identifying vulnerabilities that could be exploited. Insurgent, criminal or terrorist groups may target an NGO specifically because of the nature of their work or Western affiliation. Information gleaned from organizational and employee social media pages can make one organization a more attractive target than others.
For example, development programs that deal with reproductive health or girls’ education are often met with opposition from traditionalist or conservative groups in a number of areas throughout the world.
Posting messages about these projects in complex environments, which present the goals of the program while providing details on project locations and posting pictures of beneficiaries, will put organizational staff and the beneficiaries at risk. Although these programs are designed to empower and protect women and girls, if too much information is made available, they can easily become targets of hate and violence.
What Risky Social Media Usage Looks Like
- Posts or photos that reveal employee location or schedules
- Posts or photos that show security systems
- Posts or photos that reveal financial information or location of finances
- Posts stating local addresses or office locations
- Posts that indicate an employee is out of the office and thus has left their home unattended
- Geocoding on smart phones and other devices that reveal employee locations
- Controversial posts about local groups or beliefs
- Posts about controversial programming
- Posts or profiles that include excessive personal information and could be used as proof of life questions in a hostage situation
- Posts that reveal information about a partner or donor organization
Personnel and organizational use of social media in insecure regions of the world presents three types of risks:
- Risks to organizational reputation from inappropriate or incendiary posts
- Risk of increased vulnerability from sharing too much information
- Risks of retaliation from groups opposed to a program’s mission
Examples that contributors to this paper discussed:
“A blogger writing for a western organization in Afghanistan was found to be the target of an abduction plot. Although she was careful not to mention names or details of her location, there was enough information to use against her and a western intelligence agency discovered that an abduction plot was underway.”
“A staff member on a project in Africa added photos to a blog in an effort to provide information about the project, but one of the pictures clearly showed the location of the office safe.”
“More broadly, there have been numerous situations in which western aid workers in Islamic countries have posted content on Facebook that was deemed insensitive to the Muslim faith.”
Another factor to consider in assessing the risks of social media is the outreach activities of partner organizations. Although strict policies at one organization could limit exposure, if in-country partners mention or tag other groups in revealing or controversial posts, all groups are put at risk.
The Risks: An Overview
- Posts on social media sites can impact the reputation of an organization
- Posts can reveal too much information about locations or operations and increase staff vulnerability
- Posts regarding controversial programs or sensitive issues can increase the likelihood
An Array of Policies
Crafting and implementing policies and procedures for employee use of social media as it relates to security may not be a common practice among some commercial or nonprofit organizations.
Incorporating social media policies into standing security policies has not been a major concern for two reasons; viewed as a human resources versus security issue and the complexity of balancing individual rights with organizational policies. These issues show the level to which social media activities are not viewed as a security concern, these policies—if in place at an organization—are likely developed by public affairs or communications departments with little-to-no input from security staff. The focus of these policies is therefore on how to use social media to interact with the public, but not inclusive of how to properly use social media in order to mitigate potential risk.
There are organizations where personnel have identified the risks that social media pose, but for the most part other security measures take precedence and social media policies—if enacted—are ill-defined and random.
Using the people interviewed for this paper as a small and diverse sample—the recommended aspects to consider in designing security related social media policies fall into five key categories:
- The goal of the policy
- Restricted behaviors and activities
- The policy designers and reviewers
- Enforcement and compliance
- Education and training
The Goals of the Policy
Some groups put social media policies in place to promote the use of these tools or to make sure that employees are not threatening organizational reputation through posts.
A more comprehensive social media policy will have a security aspect that ensures an employee’s online activity is not putting the user, coworkers, beneficiaries, partners, or the organization at risk.
Social media policies should include an emphasis that staff should discuss only those things which they would want to be directly or indirectly quoted in public. There must be exclusions on controversial statements about stakeholders, partner organizations, or their parent organization. This reinforces awareness of protecting organizational reputation.
Policies could prohibit employees from posting pictures, locations, program descriptions, and organizational details on any site other than the company website. Additional policies relating to technology could also be established, such as requiring GPS coordinate tagging of photos taken with smart-phones is disabled. Focusing on security and political sensitivities, employees could be advised to be extremely careful with the content and usage of their personal social media accounts and could be advised to completely cease all social media use when in a crisis situation: no posts, no updates, and no photos.
The Policy Designers
Social media policies focusing on the promotion of an organization or protecting its reputation are typically drafted and reviewed by communications or public affairs departments, with a goal of shaping employee interaction with the public.
However, to address the complex security risks that social media can create, these policies should be reviewed—if not designed—by security and IT security personnel. A thorough policy design process may start with an organizational web audit to assess employee use of social media and potential risks it poses.
Enforcement and Compliance
Discussed in the challenges section below, enforcing social media policies is without question the most difficult aspect of the equation. Enforcement components of policies can also greatly affect the degree to which employees comply. Enforcement may be reactionary – in that employees are approached and disciplinary measures are discussed only after certain posts have been flagged as inappropriate.
A stricter set of enforcement mechanisms, which outline disciplinary actions, could drastically affect how closely employees follow unique organizational social media policies.
Trainings and Education
In many cases, human resources departments may touch upon social media policies in trainings for new personnel, but policies and best practices are not reinforced throughout an employee’s tenure or prior to their departure for an overseas requirement.
Conversely, a more comprehensive training program will ensure staff follow and understand social media policies. They may, for example, receive significant attention in new employee training, pre-deployment training, and during in-country briefings. Further, communications teams may consider consistently sending out messages reminding people of the policies.
In discussing the planning and implementation of security-driven social media policies, interviewees highlighted several key challenges. These included enforcement, education, breach of personal rights, and the discrepancy between policies for international versus local staff.
Once a policy is in place, which limits social media use, how can an organization ensure employees are following policies?
Enforcement is critical challenge to address because it ties to liability. If a group creates a policy that acknowledges the risks linked to social media use, then the organization could be held accountable if they are not able to enforce the policy and an employee’s online presence results in a security breach.
Constant monitoring stands to ensure employees are not posting inappropriately on some platforms, but not others. Twitter feeds are in the public domain, but Facebook pages can be made as private as the user desires. In addition, constant monitoring would require a significant amount of personnel time. Are organizations thus left relying on the honor system for social media policy compliance? What other enforcement strategies can a development group employ?
Education and Training
In teaching staff about the risks and policies regarding social media use, trainings must be clear and consistent. Do staff understand and accept the security implications of individual online behavior? Do employees know how to make sure geocoding on smart phones is disabled and social media profiles are private or de-activated? Do employees acknowledge and understand that their actions reflect on the company and put others at risk? These will all be hurdles to overcome as a group designs training materials and modules around social media policies.
Tied to education is the perceived infringement on personal expression that organizational social media policies stand to increase. As social media policies become more restrictive, employees may question the extent to which their employers can control personal activity outside of the office. Isn’t social media presence an expression of free speech? Many employees use social media on a daily basis. How do organizations ensure and justify that these behaviors change once a staff member is in a complex environment? NGOs may overcome this challenge through education that clearly outlines the risk of online behavior in insecure areas.
To date, humanitarian and development groups that employ social media policies for staff working in contentious areas often focus only on international or home-office staff. But as users of social media networks increase in the developing world, shouldn’t there be an emphasis on policing the online activity of local staff as well? Although international staff may demand equity, local staff may see restrictions on their new window to the outside world as unjust. NGO social media policies need to find a delicate balance to address this discrepancy.
Organizations operating in complicated environments should not expect their employees’ use of social media to dissipate. In fact, they should encourage responsible social media use to promote the success of international programs. However, an organization has an obligation to specifically outline the parameters of the use of social media and how it expects staff to consider the security risks when posting.
From smart-phone geocoding revealing employee locations to staff Facebook posts, which complicate associations with local groups, the risks that irresponsible social media use pose are numerous. In crafting policies, an organization must consider these risks and determine best practices for mitigating them through policies, trainings, and enforcement.
Throughout this paper, we have highlighted the risks and benefits of the use of social media for groups and individuals operating in uncertain environments. We have outlined the characteristics that NGOs must consider as they design and implement policies, and highlighted challenges that international groups may face as a result of employing stricter social media standards.
This discussion is not meant to be prescriptive, but rather serve as an illuminative guide that brings more attention to the link between social media use and security concerns.
The author, Colin Groark, and Cosantóir Group would like to thank the following individuals for their thoughts, ideas, questions, and overall interest in the subject matter that contributed significantly to the writing of this paper.
USAID/Office of Foreign Disaster Assistance (OFDA) Safety and Security Coordinator
Concern Head, Emergency Unit
International Relief and Development (IRD) Director, Risk Management and Global Security
Independent Consultant and NGO Security Blogger
Save the Children International Director, Global Safety and Security
Cosantóir Group Senior Associate
Education Development Center (EDC) Director, International Security
Chemonics Director, Safety and Security Department
Cosantóir Group Senior Associate