Online Atrocity Database Exposed Thousands of Vulnerable People In Congo

An anonymous reader quotes a report from The Intercept: A joint project of Human Rights Watch and New York University to document human rights abuses in the Democratic Republic of the Congo has been taken offline after exposing the identities of thousands of vulnerable people, including survivors of mass killings and sexual assaults. The Kivu Security Tracker is a 'data-centric crisis map' of atrocities in eastern Congo that has been used by policymakers, academics, journalists, and activists to 'better understand trends, causes of insecurity and serious violations of international human rights and humanitarian law,' according to the deactivated site. This includes massacres, murders, rapes, and violence against activists and medical personnel by state security forces and armed groups, the site said. But the KST's lax security protocols appear to have accidentally doxxed up to 8,000 people, including activists, sexual assault survivors, United Nations staff, Congolese government officials, local journalists, and victims of attacks, an Intercept analysis found. Hundreds of documents -- including 165 spreadsheets -- that were on a public server contained the names, locations, phone numbers, and organizational affiliations of those sources, as well as sensitive information about some 17,000 'security incidents,' such as mass killings, torture, and attacks on peaceful protesters.

The data was available via KST's main website, and anyone with an internet connection could access it. The information appears to have been publicly available on the internet for more than four years. The spreadsheets, along with the main KST website, were taken offline on October 28, after investigative journalist Robert Flummerfelt, one of the authors of this story, discovered the leak and informed Human Rights Watch and New York University's Center on International Cooperation. HRW subsequently assembled what one source close to the project described as a 'crisis team.' Last week, HRW and NYU's Congo Research Group, the entity within the Center on International Cooperation that maintains the KST website, issued a statement that announced the takedown and referred in vague terms to 'a security vulnerability in its database,' adding, 'Our organizations are reviewing the security and privacy of our data and website, including how we gather and store information and our research methodology.' The statement made no mention of publicly exposing the identities of sources who provided information on a confidential basis. The Intercept has not found any instances of individuals affected by the security failures, but it's currently unknown if any of the thousands of people involved were harmed. 'We deeply regret the security vulnerability in the KST database and share concerns about the wider security implications,' Human Rights Watch's chief communications officer, Mei Fong, told The Intercept. Fong said in an email that the organization is 'treating the data vulnerability in the KST database, and concerns around research methodology on the KST project, with the utmost seriousness.' Fong added, 'Human Rights Watch did not set up or manage the KST website. We are working with our partners to support an investigation to establish how many people -- other than the limited number we are so far aware of -- may have accessed the KST data, what risks this may pose to others, and next steps. The security and confidentiality of those affected is our primary concern.'

Read more of this story at Slashdot.