The attacks in Mumbai were both devastating and tragic. As with any traumatic event people search for something to blame and for this event the case is being built that technology and openness of data enabled the terrorists in their endeavors. The guilty technology parties include Blackberry, Garmin and the usual suspect Google Earth.

This is an issue I’ve dealt with a lot during my time doing geospatial research. In fact there is a strong case to be made the creation of FortiusOne is a direct result of government fears about open geospatial data. It was a collection of open source infrastructure data and the vulnerability analysis that first brought attention to our research and lead to an article by the Washington Post. Then as now there were calls for the data and technology to be classified.

What fascinates me is that anytime security concerns reach a high level, geospatial technologies are often singled out. No one is saying that Blackberrys should be removed from the population, but we regularly hear of calls to ban Google Earth and even GPS (in Egypt they actually did). I think this is largely due to how attractive “security through obscurity” can be to governments reacting to a crisis. It is easy to do and everyone in the public can see it. Maps are inherently visual and the public understands them. So, you can ban Google Earth, ban GPS, take loads of geospatial data off line and everyone can say you’ve done something.

Problem is while you’ve done something you’ve really accomplished nothing. India’s strong gun control policies did not stop the terrorists from being exceedingly well armed (although arming citizens won’t prevent attacks either).

The knee jerk reactions to the Mumbai attacks do highlight some of the challenges the Obama administration will face with “opening up government data in universal formats”. What is the balance between openness and security? Do the benefits of innovation and growth outweigh potential security risks of more openness and transparency?

These were all question we faced building GeoCommons. The economies of scale and networks effect of having large amounts of geospatial data aggregated and easily accessible versus the security risk of that same data and ease of use enabling bad actors. This is where I think “security through obscurity” falls apart. The data is out there and by disabling or banning technologies that make it easy to find we only lull ourselves into a false sense of security. The bad guys will still find the data we’ll just be blissfully unaware that the data is available. On the other hand if the data is well organized and easy to access then we at least know what is out there. We then have the head start of knowing what is exposed and in the worse case scenarios we can remove sensitive information that has been made public (although it is really quite hard to put the genie back in the bottle).

I call it “security through awareness”, which allows organizations to think about what they are exposing and how it is being used both positively and negatively. Some times organizations release data with no clue of it being used in negative ways. Take this collocation facility that was once used as a critical piece of our financial infrastructure:

The map has where the fiber runs into the building as well as all the access points and was posted on the company website to advertise redundancy to fiber cuts. Want to know where the fiber runs?

This data is all far out date and systems, vendors and topologies have changed, but there is plenty of detail needed for a bad actor. We did a whole exercise across several scenarios back in the day and you do not need any of the technologies being blamed in the Mumbai incident. I’d argue that we have a much better chance of preventing terrorism by embracing technology and more openness. It will enable far greater awareness. To go to the far extreme imagine a world of crowd sourced security - where society knows something is sensitive and thus twitters warnings when they notice suspicious activity around it. How many potential tip offs could there have been to the Mumbai incident if the crowd sourcing had been leveraged. A SMS with a picture or tweet to an official tip line from the fisherman who saw the terrorists come in by boat. Arm your citizens with technology not guns.

Popularity: 7% [?]