The trauma felt by Gulf Coast residents from Hurricane Katrina will undoubtedly linger for years.
But in the chaotic days that followed the hurricane, well-intentioned efforts by Microsoft Corp. to reunite scattered family members may usher in another kind of storm, this one involving the privacy of personal data belonging to the many residents forced into shelters.
When nearly 2,000 residents of New Orleans were rushed into the George R. Brown Convention Center and 25,000 into the Superdome in Houston, they readily gave up personal information to the Red Cross, expecting it to be used by officials to help reunite their families.
The goal was to compile a list of registered people and make it available to the public so that relatives could find missing family members. Unfortunately, CAN was still being piloted when Katrina struck, and was not ready for prime time use. This threw up a complicated set of problems around centralizing data.
Microsoft was one of the many corporations that also rushed to help. Employees at one of the local technology centers, which provide consulting services and development work to local businesses, set up Katrinasafe.com, a database created to help missing persons find one another in Katrina's aftermath.
Stephen Lasley was one of the Microsoft employees in the region who was witnessing the dramatic human crisis unfolding in the early days after the storm. Lasley went to Red Cross headquarters to offer his computer skills, and was turned down twice before the overwhelmed organization, which was trying to register people at both shelters, would accept his help. By then, victims were desperate to post information about their missing loved ones.
The scene at the convention center and Superdome was chaotic, according to Lasley, who soon became frustrated with the disorganization and inactivity. He finally took matters into his own hands, making a copy of the Red Cross database containing the refugees' data and mailing it to Microsoft's headquarters in Redmond, Washington, where it was posted on the Katrina Safe Web site.
Lasley was aware of the potential privacy violations, and there were steps taken to remove some personal data, but everyone involved with the project felt the more pressing need was fast action, even if what they were doing was not exactly to the letter of the law.
"I don't want to say it was martial law exactly, but there were many examples of where regulations were relaxed in order to help people," he said.
The Internet becomes a lifeline
Using the Internet to post personal information during a disaster is not a new idea. One of the first instances of this occurred in Japan in 1995 just after an earthquake hit the city of Kobe. Later that same year, Japanese officials studied the feasibility of using the Internet as a lifeline and developed a program, called I Am Alive, which is still active today.
Some technology experts say the U.S. needs a similar program, with similar processes to protect privacy as well. "Security and privacy are constant issues, and people must stop to think about what specific data is needed for a particular function," said Scott Bradner, a senior technical consultant at Harvard University and a longtime advisor to several Internet governing bodies, including the Internet Engineering Task Force.
In general, experts say the biggest challenge to overseeing data security is not malice, but, as in Lasley's case, a lack of attention to detail. "People trying to do the right thing in a day-to-day situation don't think about implications," Bradner said.
Still, blundering ahead and turning over data just because it's there is not the right approach either. "In the end, you don't want people who are trying to do the right thing to be penalized for doing the wrong thing," Bradner added.
Perhaps one positive thing to come out of Katrina and the Katrinasafe site is that it is the harbinger of new Web-based emergency and contingency planning tools. The normal bureaucratic channels that respond to disasters were just too rigid and immobile to deal with the unfolding situation. Katrinasafe is an exemplary model of self-help, where people can step in and do something in short order using new tools, said Charles Cresson Wood, a consultant at InfoSecurity Infrastructure Inc., a Sausalito, Calif., consultancy.
Cresson Wood said privacy and regulatory questions can be addressed by a legal release for individuals to sign when they register at a site, and they should be made aware that the information they disclose may get into the hands of a third party.
"This will get them to think a little, and maybe not put their mom's Social Security number down, but just a description of her," Cresson Wood said.
"The best solution is forethought," said Fred Rickabaugh, chief information security officer for Premier Inc., a San Diego-based alliance of nonprofit hospitals and healthcare systems across the U.S. "What happened was probably very avoidable, and that's the saddest thing. There was reason to expect they should have given some thought to this. Sometimes it takes [a disaster like Katrina] to get people to think in these terms."
The Red Cross did not return calls for this story.