December 11, 2018

Disaster Information Flows: A Privacy Disaster?

By Madelyn R. Sanfilippo and Yan Shvartzshnaider

Last week, the test of the Presidential Alert system, which many objected to on partisan grounds, brought the Wireless Emergency Alert system (WEA) under renewed public scrutiny. WEA, which distributes mobile push notifications about emergencies, crises, natural disasters, and Amber Alerts based on geographic relevance, became operational in 2012 through a public-private partnership between the FCC, FEMA, and various telecommunications companies. All customers of participating wireless providers are automatically enrolled, though it is possible to opt out of all alerts except Presidential Alerts.

Presidential Alerts were just one of a set of updates designed to address recent events that have connected this trusted communication channel to the fear politics around fake news and misinformation, such as the January 2018 false alarm, when a ballistic missile warning was mistakenly disseminated to the state of Hawaii as a mobile emergency alert. The resulting chaos and outrage led the FCC to revise protocols for tests of the system, distribution, and emergency alert formats, among other improvements.

In updating WEA, three priorities are addressed: (1) routine “live code testing” to ensure function and minimize confusion; (2) incorporating additional and local participants into new and existing official channels; and (3) preventing misinformation and false alarms through authentication, a unified format, and overriding opt-out preferences when distributing the Presidential Alert. The objective is to provide trustworthy information during crises. Yet the specific changes have triggered concerns that the involvement of partisan officials and the mimicking of format conventions like character limits undermine the stated objectives by facilitating imitation for disinformation, rather than engendering confidence in official alerts, as stated in a legal complaint about Presidential Alerts.

With the increased scrutiny around these changes, additional concerns about privacy and surveillance in disaster information communication practices have arisen. WEA structures information flows from multiple Federal agencies, along with agency-specific apps, based on aggregated personally identifiable information, including geo-location information. All of this is governed by privacy regulations, including the Privacy Act of 1974, and by policies that focus on protecting against accidental or malicious disclosure of Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII). Policies and regulations enumerate a list of trusted partners with which the data will be shared and from whom it may be gathered during emergencies.

The specific types of information that FEMA can gather about individuals, despite the diversity of sources and contexts involved, are precisely defined, such as: name; social media account information; address or geo-location; job title; phone numbers, email addresses, or other contact information; date and time of post; and additional relevant details, including individuals’ physical condition.

Furthermore, the governance of information sharing policies is less precise with regard to flows than with regard to types of information. This is particularly important because expectations change drastically when disaster hits. Everyday information flows are governed by established norms within a particular context. Yet disasters change our priorities and norms, as our survival instincts kick in. For example, our norms can oscillate between two extremes: on one side, we do not want to be tracked in our daily activities, but during disasters, many feel comfortable broadcasting their location and possibly their medical condition to everyone in the area in order to be found and survive. Previous research has shown that users tend to be more lenient about sharing information with emergency services and other agencies involved in the recovery situation than they normally would be.

While governance restricts disclosure of personally identifiable information without users’ explicit consent, disclosures are exempt from the consent requirement if efforts fall under a “Routine Use” such as “Disaster Missions.” The “routine use” exclusion has broad implications, given the broad and permissive definitions, including: allowing “information sharing with external partners to allow them to provide benefits and services” (Routine Use H); allowing “FEMA to share information with external partners so FEMA can learn what our external partners have already provided to disaster survivors,” as well as disclosing “applicant information to a 3rd party” in order “To prevent a duplication of benefits” (Routine Use I); and requiring 3rd parties to disclose personal information to FEMA relative to assistance provided.

The advent of the web, along with the popularity of social media, presents a unique opportunity for agencies like FEMA as they attempt to leverage new technologies and available user information to assist in preparation and recovery efforts. Increasingly, emergency agencies rely on disaster information flows to and from various opt-in apps during crises, including Nextdoor, which allows calls for help when 911 is down; Life 360, which is helpful in tracking evacuations; and those from the Red Cross.

Additional categories of supplementary third party services and applications include:

Social networks: FEMA uses public data available on social media to help its operation. Twitter, Google and Facebook are also investing further resources to deliver features for users and emergency services specific to disasters. Apple and Google have also promoted various other emergency and disaster response mobile apps during this ongoing hurricane season.

3rd Party applications: Numerous diverse 3rd parties exist in this increasingly sociotechnical domain of FEMA partnerships around disaster communication, response, and recovery. Red Cross apps provide one of the most popular supplements to WEA notifications and FEMA apps, sharing critical response data with other emergency response organizations and agencies. Ostensibly this standardizes critical information flows between stakeholders. However, it highlights individual users’ privacy concessions and challenges the regulatory schema on the books, particularly given that users of many of these emergency apps who opt in to self-reporting are then tracked persistently until they opt out or uninstall, rather than until the end of the emergency.

IoT devices, drones: Increasingly, drones and IoT devices that monitor disasters in concert with third-party applications are being deployed to complement the field services of FEMA and other agencies. The information flows between the involved stakeholders might not always align with users’ expectations.

In order to better balance pressing public safety concerns with long-term consequences, we need to understand information flows in practice around disasters. The following questions will be considered in our future work, structured through the contextual integrity framework:

What do disaster information flows look like in practice? There are many diverse official and third party channels. Despite good intentions, few have thoroughly considered whether the information flows they facilitate conform to users’ privacy expectations, or if not, whether they might lead to a privacy disaster, pun intended. This is especially critical in crisis situations, during which safety concerns tend to overshadow individuals’ privacy preferences.

How do rules-in-use about information flows between stakeholders compare to governance on the books? Loopholes exist in the requirements that partners of agencies like FEMA fully disclose the information they communicate around disasters, including PII and SPII used to personalize communications. Despite the restrictions imposed on gathering personal information and on routine uses, it is important to ask how broadly permissive social acceptance of reduced privacy under crisis conditions might conflict with an actual understanding of information flows in practice.

Where do we store information and for how long? Temporal aspects of privacy and the persistent location-monitoring associated with emergency channels raise real questions about perceptions on appropriate information flows around disasters and emergencies.