A joint project of Human Rights Watch and New York University to document human rights abuses in the Democratic Republic of the Congo has been taken offline after exposing the identities of thousands of vulnerable people, including survivors of mass killings and sexual assaults.
The Kivu Security Tracker is a “data-centric crisis map” of atrocities in eastern Congo that has been used by policymakers, academics, journalists, and activists to “better understand trends, causes of insecurity and serious violations of international human rights and humanitarian law,” according to the deactivated site. This includes massacres, murders, rapes, and violence against activists and medical personnel by state security forces and armed groups, the site said.
But the KST’s lax security protocols appear to have accidentally doxxed up to 8,000 people, including activists, sexual assault survivors, United Nations staff, Congolese government officials, local journalists, and victims of attacks, an Intercept analysis found. Hundreds of documents — including 165 spreadsheets — that were on a public server contained the names, locations, phone numbers, and organizational affiliations of those sources, as well as sensitive information about some 17,000 “security incidents,” such as mass killings, torture, and attacks on peaceful protesters.
The data was available via KST’s main website, and anyone with an internet connection could access it. The information appears to have been publicly available on the internet for more than four years.
Experts told The Intercept that a leak of this magnitude would constitute one of the most egregious instances ever of the online exposure of personal data from a vulnerable, conflict-affected population.
“This was a serious violation of research ethics and privacy by KST and its sponsoring organizations,” said Daniel Fahey, former coordinator of the United Nations Security Council’s Group of Experts on the Democratic Republic of the Congo, after he was told about the error. “KST’s failure to secure its data poses serious risks to every person and entity listed in the database. The database puts thousands of people and hundreds of organizations at risk of retaliatory violence, harassment, and reputational damage.”
“If you’re an NGO working in conflict zones with high-risk individuals and you’re not managing their data right, you’re putting the very people that you are trying to protect at risk of death,” said Adrien Ogée, the chief operations officer at the CyberPeace Institute, which provides cybersecurity assistance and threat detection and analysis to humanitarian nongovernmental organizations. Speaking generally about lax security protocols, Ogée added, “If you’re trying to protect people but you’re doing more harm than good, then you shouldn’t be doing the work in the first place.”
The dangers extend to what the database refers to as Congolese “focal points” who conducted field interviews and gathered information for the KST. “The level of risk that local KST staff have been exposed to is hard to describe,” said a researcher close to the project who asked not to be identified because they feared professional reprisal. “It’s unbelievable that a serious human rights or conflict research organization could ever throw their staff in the lion’s den just like that. Militias wanting to take revenge, governments of repressive neighboring states, ill-tempered security services — the list of the dangers that this exposes them to is very long.”
The spreadsheets, along with the main KST website, were taken offline on October 28, after investigative journalist Robert Flummerfelt, one of the authors of this story, discovered the leak and informed Human Rights Watch and New York University’s Center on International Cooperation. HRW subsequently assembled what one source close to the project described as a “crisis team.”
Last week, HRW and NYU’s Congo Research Group, the entity within the Center on International Cooperation that maintains the KST website, issued a statement that announced the takedown and referred in vague terms to “a security vulnerability in its database,” adding, “Our organizations are reviewing the security and privacy of our data and website, including how we gather and store information and our research methodology.” The statement made no mention of publicly exposing the identities of sources who provided information on a confidential basis.
In an internal statement sent to HRW employees on November 9 and obtained by The Intercept, Sari Bashi, the organization’s program director, informed staff of “a security vulnerability with respect to the KST database which contains personal data, such as the names and phone numbers of sources who provided information to KST researchers and some details of the incidents they reported.” She added that HRW had “convened a team to manage this incident,” including senior leadership, security and communications staff, and the organization’s general counsel.
The internal statement also noted that one of HRW’s partners in managing the KST had “hired a third-party cyber security company to investigate the extent of the exposure of the confidential data and to help us to better understand the potential implications.”
“We are still discussing with our partner organizations the steps needed to fulfill our responsibilities to KST sources in the DRC whose personal information was compromised,” reads the statement, noting that HRW is working with staff in Congo to “understand, prepare for, and respond to any increase in security risks that may arise from this situation.” HRW directed staffers not to post on social media about the leak or publicly share any press stories about it due to “the very sensitive nature of the data and the possible security risks.”
The internal statement also said that “neither HRW, our partners, nor KST researchers in the DRC have received any information to suggest that anybody has been threatened or harmed as a result of this database vulnerability.”
The Intercept has not identified anyone harmed as a result of the security failures, but whether any of the thousands of people listed in the data have come to harm is currently unknown.
“We deeply regret the security vulnerability in the KST database and share concerns about the wider security implications,” Human Rights Watch’s chief communications officer, Mei Fong, told The Intercept. Fong said in an email that the organization is “treating the data vulnerability in the KST database, and concerns around research methodology on the KST project, with the utmost seriousness.” Fong added, “Human Rights Watch did not set up or manage the KST website. We are working with our partners to support an investigation to establish how many people — other than the limited number we are so far aware of — may have accessed the KST data, what risks this may pose to others, and next steps. The security and confidentiality of those affected is our primary concern.”
Two sources associated with the KST told The Intercept that, internally, KST staff are blaming the security lapse on the Bridgeway Foundation, one of the donors that helped conceive and fund the KST and has publicly taken credit for being a “founding partner” of the project.
Bridgeway is the philanthropic wing of a Texas-based investment firm. Best known for its support for the “Kony 2012” campaign, the organization was involved in what a U.S. Army Special Operations Command historian called “intense activism and lobbying” that paved the way for U.S. military intervention in Central Africa. Those efforts by Bridgeway and others helped facilitate a failed $780 million U.S. military effort to hunt down Joseph Kony, the leader of a Ugandan armed group known as the Lord’s Resistance Army, or LRA.
More recently, the foundation was accused of partnering with Uganda’s security forces in an effort to drag the United States into “another dangerous quagmire” in Congo. “Why,” asked Helen Epstein in a 2021 investigation for The Nation, “is Bridgeway, a foundation that claims to be working to end crimes against humanity, involved with one of Africa’s most ruthless security agencies?”
One Congo expert said that Bridgeway has played the role of a “humanitarian privateer” for the U.S. government and employed tactics such as “private intelligence and military training.” As part of Bridgeway’s efforts to track down Kony, it helped create the LRA Crisis Tracker, a platform nearly identical to the KST that tracks attacks by the Ugandan militia. After taking an interest in armed groups in Congo, Bridgeway quietly pushed for the creation of a similar platform for Congo, partnering with NYU and HRW to launch the KST in 2017.
While NYU’s Congo Research Group oversaw the “collection and triangulation of data” for the KST, and HRW provided training and other support to KST researchers, the Bridgeway Foundation offered “technical and financial support,” according to a 2022 report by top foundation personnel, including Tara Candland, Bridgeway’s vice president of research and analysis, and Laren Poole, its chief operations officer. In a report published earlier this year, Poole and others wrote that the foundation had “no role in the incident tracking process.”
Several sources with ties to KST staff told The Intercept that Bridgeway was responsible for contracting the companies that designed the KST website and data collection system, including a tech company called Semantic AI. Semantic’s website mentions a partnership with Bridgeway to analyze violence in Congo, referring to their product as “intelligence software” that “allows Bridgeway and their partners to take action to protect the region.” The case study adds that the KST platform helps Bridgeway “track, analyze, and counter” armed groups in Congo.
Poole said that the KST had hired a cybersecurity firm to conduct a “comprehensive security assessment of the servers and hosting environment with the goal of better understanding the nature and extent of the exposure.” But it appears that answers to the most basic questions are not yet known. “We cannot currently determine when the security vulnerability occurred or how long the data was exposed,” Poole told The Intercept via email. “As recently as last year, an audit of the site was conducted that included assessing security threats, and this vulnerability was not identified.”
Like HRW, Bridgeway disclaimed direct responsibility for management of the KST’s website, attributing that work to two web development firms, Fifty and Fifty, which built and managed the KST from its inception until 2022, and Boldcode. That year, Poole said, “Boldcode was contracted to assume management and security responsibilities of the site.” But Poole said that “KST project leadership has had oversight over firms contracted for website development and maintenance since its inception.”
The Intercept did not receive a response to multiple messages sent to Fifty and Fifty. Boldcode did not immediately respond to a request for comment.
Warnings of Harm
Experts have been sounding the alarm about the dangers of humanitarian data leaks for years. “Critical incidents – such as breaches of platforms and networks, weaponisation of humanitarian data to aid attacks on vulnerable populations, and exploitation of humanitarian systems against responders and beneficiaries – may already be occurring and causing grievous harm without public accountability,” wrote a trio of researchers from the Signal Program on Human Security and Technology at the Harvard Humanitarian Initiative in 2017, the same year the KST was launched.
A 2022 analysis by the CyberPeace Institute identified 157 “cyber incidents” that affected the not-for-profit sector between July 2020 and June 2022. In at least 60 cases, personal data was exposed, and in at least 28, it was taken. “This type of sensitive personal information can be monetized or simply used to cause further harm,” the report says. “Such exploitation has a strong potential for re-victimization of individuals as well as the organizations themselves.”
In 2021, HRW itself criticized the United Nations Refugee Agency for having “improperly collected and shared personal information from ethnic Rohingya refugees.” In some cases, according to HRW, the agency had “failed to obtain refugees’ informed consent to share their data,” exposing refugees to further risk.
Earlier this year, HRW criticized the Egyptian government and a private British company, Academic Assessment, for leaving the personal information of children unprotected on the open web for at least eight months. “The exposure violates children’s privacy, exposes them to the risk of serious harm, and appears to violate the data protection laws in both Egypt and the United Kingdom,” reads the April report.
In that case, 72,000 records — including children’s names, birth dates, phone numbers, and photo identification — were left vulnerable. “By carelessly exposing children’s private information, the Egyptian government and Academic Assessment put children at risk of serious harm,” said Hye Jung Han, children’s rights and technology researcher and advocate at HRW at the time.
The threats posed by the release of the KST information are far greater than the Egyptian breach. For decades, Congo has been beset by armed violence, from wars involving the neighboring nations of Rwanda and Uganda to attacks by machete-wielding militias. More recently, in the country’s far east, millions have been killed, raped, or driven from their homes by more than 120 armed groups.
Almost all the individuals in the database, as well as their interviewers, appear to have confidentially provided sensitive information about armed groups, militias, or state security forces, all of which are implicated in grave human rights violations. Given the lawlessness and insecurity of eastern Congo, the most vulnerable individuals — members of local civil society organizations, activists, and residents living in conflict areas — are at risk of arrest, kidnapping, sexual assault, or death at the hands of these groups.
“For an organization working with people in a conflict zone, this is the most important type of data that they have, so it should be critically protected,” said CyberPeace Institute’s Ogée, who previously worked at European cybersecurity agencies and the World Economic Forum.
The KST’s sensitive files were hosted in an open “bucket”: a cloud object-storage container whose contents could be fetched by anyone on the open internet, with no login or credentials required. Because the project published its monthly public reports from the same bucket that held the sensitive files, the bucket’s URL frequently appeared in search engine results related to the project, pointing anyone who found a public report at the same location as the confidential data.
“The primary methodology in the humanitarian sector is ‘do no harm.’ If you’re not able to come into a conflict zone and do your work without creating any more harm, then you shouldn’t be doing it,” Ogée said. “The day that database is created and uploaded on that bucket, an NGO that is security-minded and thinks about ‘do no harm’ should have every process in place to make sure that this database never gets accessed from the outside.”
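The check a practitioner would want after reading the above is a simple one: does the storage bucket answer an unauthenticated listing request, and if so, does the listing mix public reports with files that look like source or incident data? The script below is an added example written for this page, not code from the KST, its contractors, or The Intercept. It assumes an S3-compatible listing endpoint (the `?list-type=2` request and the `ListBucketResult` XML it returns); the bucket URL, object keys and the sample listing are constructed for the demonstration and do not describe the real KST bucket.

```python
"""Anonymous bucket-listing probe with a sensitivity triage of the returned keys.

Added example, not from the original page. Assumes an S3-compatible endpoint;
the sample listing and all object keys below are constructed, not real data.
"""
import json
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# File types in which source lists, interview notes and incident data usually
# travel. The KST exposure involved spreadsheets; the rest are common neighbours.
SENSITIVE_EXT = re.compile(r"\.(xlsx?|csv|tsv|ods|docx?|json|sqlite|db)$", re.I)
# Files a project would deliberately publish (the monthly reports in this case).
PUBLIC_EXT = re.compile(r"\.pdf$", re.I)

# Constructed sample of what a listable bucket returns (hypothetical keys).
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-tracker-assets</Name>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>reports/2021-03-monthly.pdf</Key><Size>812345</Size></Contents>
  <Contents><Key>data/incidents_2020.xlsx</Key><Size>1048576</Size></Contents>
  <Contents><Key>data/sources.csv</Key><Size>65536</Size></Contents>
  <Contents><Key>img/logo.png</Key><Size>4096</Size></Contents>
</ListBucketResult>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so the parser works with and without the S3 xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_listing(xml_text: str):
    """Return ([{key, size}, ...], is_truncated) from a ListBucketResult document."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "ListBucketResult":
        raise ValueError("not a bucket listing: <%s>" % _local(root.tag))
    objects = []
    for node in root.iter():
        if _local(node.tag) != "Contents":
            continue
        key, size = "", 0
        for child in node:
            if _local(child.tag) == "Key":
                key = child.text or ""
            elif _local(child.tag) == "Size":
                size = int(child.text or 0)
        objects.append({"key": key, "size": size})
    truncated = any(_local(n.tag) == "IsTruncated" and (n.text or "").lower() == "true"
                    for n in root)
    return objects, truncated


def classify(objects):
    """Bucket every key as a public document, a likely sensitive data file, or other."""
    classes = {"public": [], "sensitive": [], "other": []}
    for obj in objects:
        key = obj["key"]
        if SENSITIVE_EXT.search(key):
            classes["sensitive"].append(key)
        elif PUBLIC_EXT.search(key):
            classes["public"].append(key)
        else:
            classes["other"].append(key)
    return classes


def verdict(status: int, body: str) -> dict:
    """Turn an HTTP status plus response body into an audit finding.

    Only a 200 carrying a real ListBucketResult counts as "listable"; a 200 that
    returns something else (an HTML index page, an error document) does not.
    """
    if status != 200:
        return {"listable": False, "status": status}
    try:
        objects, truncated = parse_listing(body)
    except (ET.ParseError, ValueError) as exc:
        return {"listable": False, "status": status, "note": str(exc)}
    classes = classify(objects)
    return {
        "listable": True, "status": status, "objects": len(objects),
        "truncated": truncated, **classes,
        # The KST failure mode: public deliverables and confidential data side by side.
        "mixed_hosting": bool(classes["public"] and classes["sensitive"]),
    }


def anonymous_listing(bucket_url: str, timeout: float = 10.0):
    """Issue an unauthenticated ListObjectsV2 request; returns (status, body)."""
    req = urllib.request.Request(bucket_url.rstrip("/") + "/?list-type=2",
                                 headers={"User-Agent": "bucket-listing-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 403/404 are answers too, not failures
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python audit.py https://bucket.example
        status, body = anonymous_listing(sys.argv[1])
    else:                                      # offline demo on the constructed listing
        status, body = 200, SAMPLE_LISTING
    print(json.dumps(verdict(status, body), indent=2))
```

Two caveats belong with this check. A 403 on the listing request does not prove the objects are private: individual object URLs may still be readable if their own permissions are public, so each key that should be confidential has to be fetched anonymously as well. And a clean result today says nothing about the past; the corrective for the pattern described above is structural, not a scan: keep confidential data in a bucket that denies all anonymous access, and publish the monthly reports from a separate bucket or site so that nothing discoverable through a search engine shares a location with the source files.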
The leak exposed the identities of 6,000 to 8,000 individuals, according to The Intercept’s analysis. The dataset references thousands of sources labeled “civil society” and “inhabitants” of villages where violent incidents occurred, as well as hundreds of “youth” and “human rights defenders.” Congolese health professionals and teachers are cited hundreds of times, and there are multiple references to students, lawyers, psychologists, “women leaders,” magistrates, and Congolese civil society groups, including prominent activist organizations regularly targeted by the government.
“It’s really shocking,” said a humanitarian researcher with long experience conducting interviews with vulnerable people in African conflict zones. “The most important thing to me is the security of my sources. I would rather not document a massacre than endanger my sources. So to leave their information in the open is incredibly negligent. Someone needs to take responsibility.”
Breach of Ethics
Since being contacted by The Intercept, the organizations involved have sought to distance themselves from the project’s lax security protocols.
In its internal statement to staff, HRW emphasized that it was not responsible for collecting information or supervising activities for KST, but was “involved in designing the research methodology, provided training, guidance and logistical support to KST researchers, and spot-checked some information.”
“HRW does not manage the KST website and did not set up, manage or maintain the database,” the internal statement said.
The Intercept spoke with multiple people exposed in the data leak who said they did not consent to any information being stored in a database. This was confirmed by four sources who worked closely with the KST, who said that gaining informed consent from people who were interviewed, including advising them that they were being interviewed for the KST, was not a part of the research methodology.
Sources close to the KST noted that its researchers didn’t identify who they were working for. The failure to obtain consent to collect personal information was likely an institutional oversight, they said.
“Obtaining informed consent is an undisputed core principle of research ethics,” the researcher who collaborated with the KST told The Intercept. “Not telling people who you work for and what happens to the information you provide to them amounts to lying. And that’s what has happened here at an unimaginable scale.”
In an email to NYU’s Center on International Cooperation and their Human Research Protections Program obtained by The Intercept, Fahey, the former coordinator of the Group of Experts on the Democratic Republic of the Congo, charged that KST staff “apparently failed to disclose that they were working for KST when soliciting information and did not tell sources how their information would be cataloged or used.”
In response, Sarah Cliffe, the executive director of NYU’s Center on International Cooperation, did not acknowledge Fahey’s concerns about informed consent, but noted that the institution takes “very seriously” concerns about the security of sources and KST staff exposed in the leak, according to an email seen by The Intercept. “We can assure you that we are taking immediate steps to investigate this and decide on the best course of action,” Cliffe wrote on November 1.
Fahey told The Intercept that NYU’s Human Research Protections Program did not respond to his questions about KST’s compliance with accepted academic standards and securing informed consent from Congolese informants. That NYU office includes the university’s institutional review board, or IRB, the body of faculty and staff who review research protocols to ensure protection of human subjects and compliance with state and federal regulations as well as university policies.
NYU spokesperson John Beckman confirmed that while the KST’s researchers received training on security, research methodology, and research ethics, “including the importance of informed consent,” some of the people interviewed “were not informed that their personally identifiable information would be recorded in the database and were unaware that the information was to be used for the KST.”
Beckman added, “NYU is convening an investigative panel to review these human subject-related issues.”
Beckman also stated that the failure of Congolese “focal points” to obtain informed consent from interviewees tended to occur in situations that may have affected the focal points’ own security. “Nevertheless, this raises troubling issues,” Beckman said, noting that all the partners involved in the KST “will be working together to review what happened, to identify what needs to be corrected going forward, and to determine how best to safeguard those involved in collecting and providing information about the incidents the KST is meant to track.”
Fong, of HRW, also acknowledged that informed consent was not obtained in all instances. “We are aware that, while the KST researchers appropriately identified themselves as working for Congolese civil society organizations, some KST researchers did not in all cases identify themselves as working for KST, for security reasons,” she told The Intercept. “We are reviewing the research protocols and their implementation.”
“The partners have been working hard to try to address what happened and mitigate it,” Beckman told The Intercept, specifying that all involved were working to determine the safest method to inform those exposed in the leak.
Both NYU and HRW named their Congolese partner organization as being involved in some of the original errors and the institutional response.
The fallout from the exposure of the data may extend far beyond the breach of academic or NGO protocols. “Given the lack of security on KST’s website, it’s possible that intelligence agencies in Rwanda, Uganda, Burundi, DRC, and elsewhere have been accessing and mining this data for years,” Fahey said. “It is also possible that Congolese armed groups and national security forces have monitored who said what to KST staff.”