From social media to Google Drive to Zoom, the public square has moved online. As our political environment becomes more and more polarized, it is important that activists practice healthy digital hygiene to keep themselves and their data safe from bad actors. Be proactive: your digital privacy and security should not be left up to chance. The following information is not exhaustive, but it is a good start for anyone who wants to practice healthy online safety habits.
Digital Security Checklist
- Identify a trusted security expert or advisor for your group if possible.
- Take an inventory of your main communications systems and assess what your top information security priorities and risks might be.
- Keep all your systems up to date; install legitimate security patches.
- Review the privacy settings on your social media accounts.
- Use strong passwords on all your important accounts.
- Enable 2-Factor Authentication whenever possible.
- No security system is perfect; assume anything you write or send online may become public.
Thinking About Security
Different groups communicate with each other or store information in different ways. And just as with physical security, it is important to consider the risks you and your group might be facing, and which ones you are not. Many security measures involve trade-offs: they make communication less convenient, or they cost an organization institutional memory (disappearing messages, for example, erase your own records as well as anyone else's). Being secure is less convenient than doing nothing, so the goal should be to identify what is most important to you and your group and focus on what you can effectively do to secure that, rather than devising an iron-clad system that is impossible to use.
In the end there are no guarantees of perfect security, especially in online communications. The safest approach is to assume that anything you write online could at some point become public and be attributed to you. Truly sensitive discussions may need to be restricted to in-person conversations or phone calls. But at the end of the day, you are planning local advocacy focused on your members of Congress to insist that they represent you and your values: that is a fundamental American right.
Keeping Up to Date
Online security is an incredibly complex and rapidly evolving subject, so our first recommendation is to identify members of your group or in your community who have professional technical skills in this area and consult with them directly about your particular needs and situation. We cannot provide detailed technical guidance without knowing your unique situation; trusted expert help is always valuable if it’s available.
Short of this, the most important basic security step you can take is to make sure all of your digital systems are up to date with the latest patches and updates from their respective vendors (Microsoft, Apple, Google for Android, etc.). In almost all cases today, these updates are distributed for free whenever vendors identify significant vulnerabilities in their systems or software, and they should be installed as soon as possible. Install them only through the device's or application's built-in update mechanism (Windows Update, Software Update on Apple devices, the app store, the browser's own update check); a pop-up, email or web page telling you to "update now" by downloading a file is a common way to deliver malware rather than a patch.
Backup your Data
Backing up your data ensures you have an additional copy on a separate device. Online cloud services like Google Drive, Microsoft OneDrive, Apple iCloud, Dropbox etc. are great at what they do, but they do not necessarily count as backups: they synchronize, so whatever happens to the file on one side happens on the other. If the only version of a file you have is in Google Drive, that file is not backed up; if someone deletes it, or an account takeover or a ransomware infection on your laptop corrupts it, the damaged version is what gets synchronized everywhere. Backing up your data on an encrypted external hard drive is strongly recommended. This will ensure that no matter what happens to your computer or online files, you also have an additional copy. The Backup and Restore service on Windows and Time Machine on a Mac are free and relatively easy to set up and use; keep the backup drive disconnected when a backup is not running so that it cannot be hit by the same problem as the computer.
Protecting Your Privacy
Most of the steps we think of when we first think of online security involve seeking to restrict access to our private correspondence and information, to prevent others from observing them. While it’s important to take what steps you can in this area, a bigger concern may come from opponents who might seek to harass or intimidate you or your fellow activists on the basis of information available in the public sphere. In almost all cases, these are nuisance actions that seek to drain your energy for activism and distract you from other things, and the best response is to block and ignore them as best you can. But online harassment can still have a real impact and in some rare cases may escalate into physical threats.
As much as possible, we recommend reviewing in detail the privacy settings on your social media accounts, and being conscious about what information you share about yourself with the public and how easy you make it for people to contact you. (In many cases, information like home addresses or phone records may already be public.) You should especially be mindful of any high-profile group leaders or spokespeople, or members of minority communities, who may find themselves the first target of harassment. As part of your initial security assessment, you might consider tasking some volunteers to conduct “opposition research” on public-facing members of your group, to understand what information is or is not already out there for others to find.
We strongly recommend that everyone reads and implements the steps in the EFF (Electronic Frontier Foundation) guide Doxxing: Tips on How to Protect Yourself Online & How to Minimize Harm.
If you are the victim of doxxing, harassment, or threats (online or offline), we recommend that you keep a record of the incident(s), including: names of persons involved, dates, locations, screenshots or photos, summaries, and any other relevant details. These records are important if you would ever like to report the incidents to your law enforcement, apply for a protective order (if applicable in your jurisdiction), or otherwise need to refer back to the incidents.
Beyond existing laws on harassment and threats of violence, many states have specifically criminalized doxxing and online harassment. If you would like to know more about the laws in your state, you can check your state's criminal code or contact your state legal aid office to speak with a pro bono attorney.
Protecting Your Accounts
Beyond your privacy, the main priority is inventorying the most important services and accounts you use online and to make it as difficult as possible for others to break into them. In most cases, your email account will be the first and most important service to secure, as it is often used as a means of gaining access to other services; beyond this, social media (Facebook, LinkedIn, Twitter), banking, and other key services (Apple or Microsoft IDs, Paypal, etc) should also be part of your review.
In almost all cases, these services encrypt their traffic in transit, so that (barring a high degree of sophistication and resources) someone watching the network cannot read your messages. Note what this does and does not cover: the service provider itself can still see the content, and so can anyone who logs in to the account. That is why your first priority should be strong passwords and two-factor authentication, which stop an attacker from simply logging in and bypassing the encryption entirely. (Use of online services like these inevitably requires placing trust in the security of the service providers. While many place a high priority on customer data security, breaches are not uncommon. Again, you should assess how sensitive the information you may be storing online is, and consider alternatives in extreme situations.)
There are many guides to creating strong passwords. Essentially, the longer and more random the better, which makes them harder for the actual user to remember. (Older advice to change passwords on a fixed schedule is no longer recommended; change a password when you have reason to think it has been exposed, for example after a breach notification.) Password manager services can generate and remember strong, unique passwords for you; this review describes some of the more popular options. Regardless of what you use to create passwords, as a general rule:
- Do not reuse passwords between sites.
- Do not give answers to password recovery questions (your mother's maiden name, your high school football team) that are discoverable by a basic Google search. Best practice for sites that require this is to make your answer itself a strong password.
- Never email passwords or write them down in a document stored anywhere on the web.
You can check the strength of your passwords with a well-known, reputable tool like this one from Bitwarden, which tells you how strong a password is and the estimated time to crack it. Be careful which checker you use: never type a password you actually use into a website you do not trust, since a fake "strength checker" is an easy way to harvest passwords. The stronger the password, the longer it takes to crack, making your account a less attractive target.
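The "longer is better" rule above can be made concrete. The following is an added example, not code from the original page or from Bitwarden: it generates a random passphrase locally (so no real password ever leaves your machine), computes the entropy of a randomly generated password or passphrase, and converts that to an estimated cracking time at an assumed guess rate. The eight-word list, the 7776-word list size and the guess rate of ten billion per second are assumptions for illustration; the entropy formula only applies to passwords chosen at random, not to ones a person made up.

```python
import math
import secrets

# Constructed mini wordlist for the demo. A real passphrase generator uses a
# large published list; the EFF long list has 7776 words, and only the list
# size matters for the entropy calculation below (assumed figures).
SAMPLE_WORDS = ["acorn", "beacon", "canyon", "dial", "ember", "falcon", "gravel", "harbor"]
EFF_LONG_LIST_SIZE = 7776
PRINTABLE_ASCII = 95          # letters, digits and symbols a keyboard can type
GUESSES_PER_SECOND = 1e10     # assumed offline cracking rate against a fast hash


def entropy_bits_random(length: int, alphabet_size: int) -> float:
    """Entropy of a secret made of `length` symbols, each drawn uniformly
    from `alphabet_size` choices. For a passphrase the "symbol" is a word."""
    return length * math.log2(alphabet_size)


def seconds_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the secret: on average half the keyspace is tried."""
    return (2 ** bits) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Round a number of seconds to the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def generate_passphrase(words, n_words: int = 5) -> str:
    """Pick words with the `secrets` module (cryptographic randomness), never
    with `random`, which is predictable and unsuitable for passwords."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def crack_time_report(label: str, length: int, alphabet_size: int) -> str:
    bits = entropy_bits_random(length, alphabet_size)
    return f"{label}: {bits:.1f} bits, about {human_duration(seconds_to_crack(bits))}"


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    print(crack_time_report("8 random printable characters", 8, PRINTABLE_ASCII))
    print(crack_time_report("12 random printable characters", 12, PRINTABLE_ASCII))
    print(crack_time_report("5 random words from a 7776-word list", 5, EFF_LONG_LIST_SIZE))
```

Eight random printable characters come to roughly 52.6 bits, which at the assumed rate falls in a few days; five random words from a 7776-word list come to roughly 64.6 bits and take decades, and are far easier to remember. Lengthening the secret adds bits multiplicatively, which is why a password manager generating long random strings is the practical answer.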
Besides strong and unique passwords, enabling two-factor authentication on all of your accounts is the most important step you can take; it dramatically reduces the risk of someone breaking into your account. Two-factor authentication adds an additional verification step: to access your account you need something you know (your password) and something you have (your phone or a security key). After enabling it, you enter your user name and password as usual, and the service then asks for a short one-time code that is sent to your phone by text message or, better, generated by an authenticator app on your phone. Without that code, access will not be granted: even if an attacker has your password, they cannot get in without your phone. An authenticator app (or a hardware security key) is preferable to text-message codes, because text messages can be intercepted by someone who talks the phone company into moving your number to their SIM. Two caveats: a one-time code can still be phished if you type it into a fake login page, so the advice below about checking the site still applies, and you should save the backup codes the service gives you when you enable it, so that a lost or broken phone does not lock you out.
Each service has its own way to enable two-factor authentication. Here are a couple of examples for larger companies: Google Account; Microsoft Account; Apple Account. Similar FAQs should be available for most of your services. If you cannot find one, reach out to that service's support team via their online support page.
Many attackers impersonate security programs, services, or warnings in order to exploit users' anxieties and induce them to open up their systems; this falls under the general category of attacks known as "phishing". Always be careful when receiving file attachments or links from unexpected sources. These emails tend to create a sense of urgency, asking you to click a link quickly or something bad will happen. If you are ever asked to re-enter your password, be very careful to confirm that you have been directed to the legitimate website and not a fake portal seeking to capture your login details: look at the actual domain in the browser's address bar (for example accounts.google.com), not at the logo on the page or the text of the link you clicked. When in doubt, do not use the link at all; open the site by typing its address or from a bookmark and log in from there. This FTC article on How to Recognize and Avoid Phishing provides additional information.
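The "check the real domain" advice is easy to state and easy to get wrong, because links are written to look right. The following is an added example, not code from the original page: it takes a link as a phisher might write it and reports the host the browser would actually connect to, flagging the common tricks (a trusted name placed before an @ sign, a trusted name used as a subdomain of an unrelated site, a non-https link, and a punycode host that can render as a lookalike). The three trusted domains are an assumed allowlist, and the registrable-domain logic takes the last two labels, which is an approximation of what a browser does with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the sites this person actually logs in to.
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "apple.com"}


def registrable_domain(host: str) -> str:
    """Approximate the owner-level domain as the last two labels
    (accounts.google.com -> google.com). Real tools use the Public Suffix List
    so that e.g. example.co.uk is handled; this is enough for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the host the browser would really contact, whether it is on the
    allowlist, and a list of warning strings describing anything suspicious."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lowercased, userinfo removed
    domain = registrable_domain(host)
    warnings = []

    if parts.scheme != "https":
        warnings.append("link is not https")
    if parts.username is not None:
        # http://accounts.google.com@evil.example/ connects to evil.example;
        # everything before the @ is a "user name" the site ignores.
        warnings.append(f"text before @ ('{parts.username}') is not the site; real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host; may display as a lookalike of a familiar name")
    if host.replace(".", "").isdigit():
        warnings.append("bare IP address instead of a site name")

    is_trusted = domain in trusted
    if not is_trusted:
        # A trusted brand appearing anywhere in the link text while the real
        # domain is something else is the classic lookalike pattern.
        for brand in sorted(t.split(".")[0] for t in trusted):
            if brand in parts.netloc.lower():
                warnings.append(f"'{brand}' appears in the link but the real domain is {domain}")

    return {"host": host, "domain": domain, "trusted": is_trusted, "warnings": warnings}


# Constructed sample links for the demo (none of these hosts is claimed to exist).
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "http://accounts.google.com@evil.example/login",
    "https://google.com.login-verify.example/reset",
    "https://xn--ggle-0nda.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = inspect_link(link)
        verdict = "OK" if report["trusted"] and not report["warnings"] else "SUSPICIOUS"
        print(f"{verdict:10} {link}")
        for warning in report["warnings"]:
            print("           -", warning)
```

Only the first sample passes. A checker like this is no substitute for typing the address yourself, but it makes the point that the part of a link that matters is the host immediately before the first single slash, and that anything a phisher can put in front of it is decoration.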
Many internet services now allow you to sign in with a login from a major provider like Google instead of creating a separate account, a process which links their application to your login. It is good to periodically review the applications you have linked to your main accounts and confirm that nothing there is out of place and that they have not been granted more access to your account information than they need. In the case of Google, this is done from the section of your account's security page that lists third-party apps with account access (labeled "Connected Apps and Sites" at the time of writing); remove anything you no longer use or do not recognize.
Additional Resources
Again, this is a very complex and frequently changing subject; there are many organizations and resources out there with more expertise on it than us. There are also services and tools that may be unique to your use case, and we cannot cover them all. We do want to share a few suggestions:
- Use end-to-end encrypted communication, meaning that only the sender and recipient can read messages, not the service provider. A good application is Signal. Signal is a cross-platform app (it can be used on computers, iPhones and Android phones) that is end-to-end encrypted by default, and it can be set to delete messages after a chosen time.
- Many of us are using Zoom for group meetings and gatherings. Zoom has put together a “Security Features to Prevent Meeting Disruptions During the Meeting” page. Also, their Best Practices for Securing your meetings include step by step instruction for pre-meeting set up and in-meeting options.
A few other places you can look for guidance include: