Finland has been a strong proponent for open data for a long time. Since 2010, a significant amount of public sector data has been published openly, and much of this data is geospatial by nature. Accurate geospatial data with nation-wide coverage is highly valuable for many applications, including matters related to national security and military applications. When such information is provided as open data, it can also be used by other countries, including hostile nations. Furthermore, geospatial data can also be used by criminals and other malicious actors, and therefore there have always been possible threats related to open geospatial data.
Traditionally, threats related to open geospatial data have been divided into two categories: threats to privacy and threats to national security. Threats to privacy have typically been handled carefully, as there are numerous datasets that pose obvious threats to privacy, such as accurate census data. Therefore, the public sector has developed mature best practices on how to handle privacy concerns, and there are also international guidelines to assess risks related to open data (Open Data Institute, 2022). For example, census or population registry data should never be published at an individual level, but the data should be aggregated to minimize the privacy risks.
After the Balkan wars of the 90s, the majority of Europe has been in a state of deep peace. Therefore, the potential national security threats related to open geospatial data have been given relatively little attention. Potential threats from other nation states have been sidelined by other concerns, and often dismissed as irrelevant due to increased European integration. This is true even in Finland, which never downsized her army or dismantled the national preparedness organizations. The Russian invasion of Ukraine caused a rapid and radical change in the global geopolitical environment. In Finland this caused a radical shift in discussion about national security.
Here, we report the results of a work, where the security concerns related to open geospatial data in Finland were studied. The main research questions for this work are:
What kinds of threats related to open geospatial data exist?
How can the threat-related open geospatial data be mitigated and managed?
Before our project, open discussions regarding the need for threat assessment in the new geopolitical environment had already started within the Finnish geospatial ecosystem. This gave a useful basis for scoping our research, as well as provided an environment where the findings could be discussed.
In the study, we focused specifically on matters related to national security. Specifically, our focus was on national geospatial datasets maintained by the National Land Survey of Finland (NLS), including e.g. the Finnish topographic database. Even though our focus was on the data produced by NLS, our findings are applicable more generally, as our approach considered potential threats enabled by open geospatial data in general.
As a main research method for the study, we used semi-structured interviews. We interviewed approximately 20 individuals from 13 Finnish organizations.The majority of the interviewees were from public sector organizations. During the last few interviews, there were not many new insights to be gained. Thus, we concluded that we had reached the saturation point in terms of new information and no further interviews were needed.
Based on the interviews, we created a number of threat scenarios. The threat scenarios were used as examples on what sorts of threats might be related to open geospatial data. The scenarios were then discussed and further refined with a number of experts on national security and the Finnish geospatial ecosystem.
In our results, we assigned the threats into categories, and gave recommendations for mitigation strategies related to open geospatial data. The results of the work are closely related to earlier threat assessment work done on a national level. Our results include several insights about how open geospatial data could be used to threaten critical infrastructure, important infrastructure, soft targets, as well as the privacy of individuals. Similarly, our results list potential sources of threats including other nation states, terrorist organizations and lone wolf terrorists, criminals, and foreign companies. Both the targets and the threats are well-known already in national security work and are not unique to the geospatial ecosystem.
In most of the threat scenarios discussed, open geospatial data could help malicious actors to plan and execute activities that can cause harm. Based on our analysis, the threat related to a specific dataset most often did not directly target the publisher of the dataset, nor affected the dataset itself. For example, detailed building data can be used to plan burglaries, and accurate road network and topographical data can be used to plan an armed invasion. Thus the targets of the malicious activity are elsewhere, and the data is used as means to gain more information about these targets.
To balance the potential unwanted use scenarios, the benefits of open geospatial data were also discussed throughout our interviews. When considering the threats and mitigation strategies, it is crucial to remember the benefits of open data. Just because it is possible to misuse a dataset is not alone a reason to try and limit the use of the data. Only if the threats are significant enough compared to the benefits gained from open data, should limitations to the data be considered.
Our study brings an important new aspect to the narratives around open geospatial data, as there is not much open discussion or research related to the potential threats caused by spatial data, or the relationship between open data and potential threats. Furthermore, our study reveals that there is an urgent need for further developing the guidelines (such as the one by Open Data Institute (2022)) and risk assessment frameworks that would better consider the threats and risks related to opening and sharing geospatial data from the perspective of national security.
References
Open Data Institute. (2022). Assessing risk when sharing data: A guide (p. 21). Open Data Institute. https://www.theodi.org/article/assessing-risk-when-sharing-data-a-guide/