EFF: Keeping Each Other Safe When Virtually Organizing Mutual Aid

Communities across the country are stepping up to self-organize mutual aid groups, uniting virtually to offer and coordinate support to those who are in need. In solidarity with the need for physical distancing, many people are organizing online using Google spreadsheets, Google forms, public posts on Twitter and Facebook, and private messages on social media platforms. 

There is great beauty and power in this support, but it also puts security concerns in the spotlight: overlooked privacy settings and overbroad collection of personal data can lead to the unintended disclosure of private information that can be used to harm the very people seeking help. Though these mediums may seem equally useful for connecting people in need with people who have resources, their privacy and security implications vary widely. 

At EFF, we’ve been approached by U.S.-based mutual aid organizers to provide guidance on digital security and privacy considerations for organizers and volunteers, to better protect the communities they work to support. Our hope with this blog post is to provide considerations for those organizing mutual aid efforts, collecting and storing information, and connecting people with needs with people who want to help. However, we’ve also included some short lists of questions at the bottom of this post for anyone interested in contributing to, benefiting from, or aggregating information about mutual aid efforts. If you're interested in learning more, keep reading. Our recommendations are below, followed by a detailed walkthrough of digital security considerations for mutual aid organizers. 

Here are some security considerations to keep in mind for organizers, which we’ll go into in depth in each section of the post: 

  • Define your intended (and unintended) audience
  • Collect as little data as possible
  • Be mindful of permissions, and transparent about access
  • Encrypt all the things
  • Think about trust and the sensitivity of your community’s data

These are all questions that organizers should think through when designing these efforts, and that participants should feel empowered to ask organizers about. The information shared in these efforts can be sensitive, and a prime target for potential phishing attempts. It’s important that everyone involved in these efforts understands what the risks are and how to minimize them through thoughtful data collection.

Why Data Security Matters When Organizing Mutual Aid

To make these considerations a little more relatable, throughout this post we’ll imagine the journey a mutual aid organizer, Layla, might take. Layla recognizes it’s urgent to set up an effort to connect people who need financial support to helpers with resources. She decides to set up a website with a corresponding easily viewable document for people to share and promote their needs, and to provide a way to connect further.

But, in doing so, Layla has determined that she wants to protect her community’s sensitive data from people with bad intentions. Personal data can be misused in a variety of ways, and there are, unfortunately, a lot of people who want to take advantage of others’ vulnerability during these uncertain and stressful times. These are just a few:

Phishing: By learning very specific information about people’s circumstances—such as their emails, Venmo or banking information, their real names, their addresses, the circumstances of their asking for aid, their health information, and their stories—bad actors can scam the very people seeking help. In particular, malicious people gather as much information as they can about their targets to make a scam sound more realistic. 

Layla will need to think through how to limit how visible this information is, and ensure she is only collecting sensitive data if it’s absolutely necessary.

Doxxing vulnerable groups and facilitating targeted harassment: Private information about someone’s livelihood, workplace, and home address can be published with the intention of harassing them. This harassment can be digital, financial, and physical. Digital harassment usually takes the form of abusive comments and behavior online. Financial harassment might mean using this information for fraudulent billing. In other cases, attackers have spammed Venmo requests until the user accidentally accepted. Physical harassment can range from stalking to the practice of prank calling the police so they swarm the victim’s address (“swatting”). Even under normal circumstances, these activities can endanger someone's livelihood or safety. They can be even more detrimental for people who are already marginalized or are particularly affected by current events. 

As Layla is supporting a community at risk of their private information being used for targeted harassment, she needs to think through how to protect this information from getting in the hands of bad actors.

Government collection: Many governments collect information about citizens at scale. At its most harmful, this collection and sharing of data between government agencies can put already targeted communities even more at risk, especially when someone might already be surveilled (because of their immigration status, sexuality, gender, health, financial insecurity, faith, ethnicity, or political affiliation).

In Layla’s case, she especially worries about Immigration and Customs Enforcement further targeting people in her community, and does not want to collect information that could be misused to facilitate raids.

Selling of data: Companies big and small are constantly scraping the web for information about individuals that they can aggregate and sell, as is done for third-party tracking. 

Layla’s community members are worried that sharing their information might mean that they wind up on more telemarketing lists, or that multiple companies that they may not know or recognize begin to track them.

These are all hard problems with terrible consequences: an organizer might determine that they are willing to go through substantial precautions to prevent these bad outcomes, using the principles we outline below. 

With all of these potential threats in mind, Layla knows she wants to protect the submitted data, and as someone from a targeted community, she recognizes that the data she is collecting is very sensitive. Using a security plan (or “threat modeling”) framework, we can brainstorm through the following questions with Layla:

  1. What do you want to protect?
  2. Who do you want to protect it from?
  3. How bad are the consequences if you fail?
  4. How likely are these threats?
  5. How much trouble are you willing to go through to try to prevent potential consequences?

The following are considerations that can help Layla and those like her answer these questions.

Define Your Intended (And Unintended) Audience

In thinking through questions around building your community's security plan, it can be helpful to define the goals of this effort and the intended size of your initiative.

Who are you trying to reach? Is this effort for a neighborhood community (a group of 20 neighbors who know each other), a local community (people within a township or county, up to hundreds), or larger? Each of these sizes calls for a different security plan.

What can you clearly communicate to people participating in your effort? Plan to establish expectations at the outset—not just for people asking for and giving help, but also for external parties that may wish to amplify your effort. Currently, there’s a large trend of aggregators cross-linking to other mutual aid efforts, and there’s a chance that an effort you intended to be more closed off may get more visibility than you intended. Be clear about how you structure your asks for this community, and think about how you can make the process transparent to someone just joining the effort: when they submit, how many days should they expect to wait for a response? What happens if a request is fulfilled or unfulfilled? What happens to this document and the data within it?

How much data do you need to organize that aid? Different audiences may require different levels of data collection. Which brings us to our next point.

Collect As Little Data As Possible 

Connecting people for mutual aid requires you to share some information about the participants. But it’s important to be mindful of the sensitivity of certain types of data—especially regarding a person’s medical history, location, and identity. Collecting as little data as possible to accomplish your goals helps lower the risk that bad actors will acquire enough information to do harm to those who provided that data. 

Certain types of identifying information may be less risky for a community to share than others. Layla, for example, may know that some people in her community worry about exposing their phone numbers publicly, and so opts to only include an email address field in her form. A first name and email address allow her to identify her participants, so she also decides she doesn’t need to store their last names. She might also encourage her community to use email addresses that do not include their first and last names. Now, if the data were to fall into a bad actor’s hands, they would have a harder time uniquely identifying each participant. 

Thinking about how long you need to keep information is also important. Deleting information that you no longer need is a great safety measure. Some organizers use documents such as spreadsheets to organize one-time efforts where they don't need to keep the data forever. 

Since your community may have different needs and concerns, here are some questions you might ask to ensure you’re only collecting what’s strictly necessary:

  • What types of information do you need to accomplish your goal?
  • Are there redundancies in the data you’re asking for? If so, can you remove some of those fields?
  • Which types of data are the most sensitive to your community? Can you ask for a different, less sensitive alternative piece of information, and still achieve your goal?
  • At what point can you delete this spreadsheet and the submitted data? 

Be Mindful of Permissions, And Transparent About Access

Within a service like Venmo, Facebook posts, or Google Sheets, users can limit visibility by adjusting settings.

For example, people using Venmo might be surprised that all their transactions are public by default. Users can adjust the settings for their transactions to Private, to be visible to the sender and receiver only; however, Venmo always makes the record of who you are interacting with publicly visible. Google products, like Docs and Sheets, can be made private to be only visible to invited email addresses within a trusted community. Facebook posts can be made more private by limiting visibility to certain friends or communities. 

However, permissions and access considerations go beyond individual tools, and organizers need to think them through from the beginning. For example, instead of using a large Google Sheets document that’s publicly accessible, visible, and editable by anyone, Layla might consider using a Google Form to have her community submit requests for aid and offers to volunteer. Layla might be comfortable with the minor trade-off that a Google Form requires a few trusted people to vet requests, and she might choose to communicate that process clearly with her community members. 

Or perhaps Layla decides to act as matchmaker only—connecting those offering services and those requesting help—by introducing them over email, and encouraging them to use an end-to-end encrypted tool to communicate further details.

Encrypt All The Things 

There are many types of encryption, and it’s helpful to get familiar with those that are relevant to your mutual aid effort. EFF spends a lot of time writing about the vast benefits of encryption. You can read a more thorough summary on types of encryption at our beginner-friendly educational resource, Surveillance Self-Defense.

When selecting a method to facilitate communication, it’s helpful to think through who can see what data, and how that data is stored and protected. When accessing a service through the Internet, your traffic (and all its submitted content—“data”—and information about the content—“metadata”) is passed through multiple devices controlled by multiple entities before arriving at the intended destination device. It can be very distressing to learn that information that was intended for one person was in fact visible to many people. 

A diagram of an unencrypted text message sent to another phone.

The diagram shows unencrypted data in transit—which is often the default setting for Internet service providers. On the left, a smartphone sends a green, unencrypted message to another smartphone on the far right. Along the way, a cellphone tower passes the message along to company servers and then to another cellphone tower, which can each see the unencrypted “Hello” message. All computers and networks passing the unencrypted message are able to see the message. At the end, the other smartphone receives the unencrypted “Hello” message.

One thing to think about is how the data is moving in transit: how are people sharing the information, how are they communicating their needs and services, how are they contacting each other? And how can you make it as safe as possible?

In general, end-to-end encryption is the best option available to keep communications data between just the sender and the recipient, as it encrypts between the users’ “end” devices. Examples of end-to-end encrypted messaging tools include Signal, WhatsApp, and Keybase. However, before joining an end-to-end encrypted service, the community needs to hear about this mutual aid effort in the first place, and they might first learn about it through a website.

Which brings us to our next point: be wary of services and websites that aren’t encrypted. For example, if a service is just using HTTP (and not HTTPS) to collect information submitted from a form, this means the sensitive data is not encrypted in transit.

A web browser, with "Secure", a lock, and "HTTPS" prominently shown.

If you’re someone who is running a website, like Layla, you can get a free HTTPS certificate through Let’s Encrypt. Check out this list of web hosts that provide HTTPS certificates to see how to get a free Let’s Encrypt certificate and provide basic security for your users.

For those hoping for assistance from a mutual aid effort, be wary of services that don’t use encryption. Know that mutual aid efforts that encourage you to send very personal information over HTTP offer no protections: anyone from your Internet Service Provider to someone passively looking at your network or the website provider’s network can access the data that is submitted. Instead of HTTP, look for services using HTTPS, which means that the data is using transport-layer encryption.
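The two checks above (is the form submitted over HTTPS, and does it ask for more than the minimum) can be run mechanically against an intake page. The following is an added example, not code from the EFF post: it parses a constructed HTML page, resolves each form's submission URL against the page URL, flags any form that would post over plaintext HTTP, and lists fields whose names match the kinds of data the post calls sensitive (the field-name list and the `mutual-aid.example` URLs are assumptions).

```python
"""Audit a mutual-aid intake page for plaintext submission and over-collection."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Kinds of data the post treats as high-risk to collect. Assumption: organizers
# name their form inputs descriptively; tune this list for a real form.
SENSITIVE_FIELDS = ("phone", "address", "last_name", "health", "venmo", "bank", "story")


class FormAuditor(HTMLParser):
    """Collects every <form>, its resolved submission URL, and its field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A relative action inherits the page's scheme: an http:// page
            # with action="/submit" still posts over plaintext HTTP.
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name", "").lower()
            if name and a.get("type", "").lower() not in ("submit", "hidden"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_intake_page(page_url, html):
    """Return one finding per form: plaintext submission? which sensitive fields?"""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlsplit(form["action"]).scheme.lower()
        sensitive = sorted(f for f in form["fields"]
                           if any(s in f for s in SENSITIVE_FIELDS))
        findings.append({
            "action": form["action"],
            "plaintext_submission": scheme != "https",
            "sensitive_fields": sensitive,
        })
    return findings


# Constructed sample: an http:// page with two forms. The first posts to a
# relative path (so over HTTP) and asks for a phone number and a free-text
# story; the second posts to an https:// endpoint and asks for the minimum.
SAMPLE_PAGE_URL = "http://mutual-aid.example/intake"
SAMPLE_HTML = """
<form action="/submit" method="post">
  <input name="first_name"> <input name="email"> <input name="phone">
  <textarea name="story"></textarea> <input type="submit" value="Send">
</form>
<form action="https://forms.example/aid" method="post">
  <input name="first_name"> <input name="email"> <input type="submit" value="Send">
</form>
"""

if __name__ == "__main__":
    for f in audit_intake_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "PLAINTEXT HTTP" if f["plaintext_submission"] else "https ok"
        print(f"{f['action']}: {status}; sensitive fields: {f['sensitive_fields']}")
```

A real intake page also needs the HTTPS check applied to the page itself (a form served over HTTP can be altered before the user ever submits it), which a quick look at the browser's address bar covers.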

Thinking About Trust And The Sensitivity of Your Community’s Data

The good news is that most services on the web use HTTPS to protect that data in transit. However, this doesn’t necessarily mean that the service deserves your trust. Is it someone who you know personally, running their own website for mutual aid efforts? Do you trust them to protect the data being submitted? Or is it a large company, like Google, Facebook, or Twitter? Does the company provide different settings for documents and posts, such as “public,” “private,” or restricted to a small group?

In particular, ask yourself the following questions:

  • How sensitive is the data that you’re collecting on this platform?
  • Do you trust in the security capacity of the service provider?
  • Do you trust they'd handle your community’s data responsibly?
  • What do you do if you don't trust them?

For some people’s security plans, knowing that a large company like Google or Facebook can see all their communications within the platform is an acceptable risk—for others, this may be completely inappropriate for their community and would violate trust. Those people may instead choose to go with a more privacy-protecting product or to use an end-to-end encrypted service. For more detail on how to consider a service, check out these questions for assessing a vendor’s data security.

Regardless, organizers will want to think about how to facilitate communication outside of a company’s service and view. That is, moving from just transport-layer encryption like HTTPS, where the company or website provider can see communications happening on the platform, to an end-to-end encrypted service, where those communications can just happen between the intended sender and intended recipient. 

Illustration of the difference between transport-layer and end-to-end encryption.

The top diagram demonstrates transport-layer encryption, where a company's devices in the middle can decrypt messages exchanged between users; the bottom diagram demonstrates end-to-end encryption, where the decrypted message is only visible to the end devices and not to the devices of the service provider.

Layla might encourage her community to use a tool like Signal or WhatsApp to communicate more details of their story, as she has determined that she doesn’t need to collect or know this private information. 

Other Things To Consider

As Layla’s organizing effort gains traction, she may consider cross-linking to other mutual aid organizing efforts to amplify their work. However, each organizing effort has different security plans, and may have different levels of comfort with publicity, or with being cross-linked as a national network of mutual aid efforts. For folks creating these aggregating documents, it’s a good practice to ask each of these organizers individually if they’re okay with their effort being amplified.

Additionally, aggregators may want to consider the difference between types of information a mutual aid organizer publishes. It may range from the very sensitive (information about community members and requests and offers for help), to less sensitive, such as amplifying government financial assistance programs, or hospital calls to donate Personal Protective Equipment, restaurants offering takeout, and store hours for people with disabilities and the elderly.

For those aggregating and compiling mutual aid efforts, think through:

  • Why are you aggregating? What is your goal?
  • What different kinds of data or information are you amplifying? Do they need different privacy considerations?
  • What information do you actually need for your data aggregation to be useful to people?
  • Before linking to smaller data sources, can you communicate with the spreadsheet organizers? It’s helpful to get consent from the mutual aid organizers you are referencing, as they may not have intended for their work to be viewed beyond their communities.

It’s incredible what mutual aid organizers have been able to accomplish in such a short span of time, especially in a time of such upheaval. Sites aggregating hundreds of local community resources have cropped up, connecting and supporting people in ways that may prove to be life-saving during this crisis. It’s more important than ever to ensure that mutual aid efforts are protective of the people they’re serving. Working security planning processes into your organizing is one way to make sure you’ve got the bases covered for you and your community.

* * *

Participating in Mutual Aid? Keep the Following in Mind

Collecting and sharing information

For those organizing mutual aid, collecting information from individuals, and creating solutions to connect people:

  • Define your audience
    • Who are you trying to reach? What expectations can your audience have about what’s needed from them, how they’ll receive updates, and the visibility of their data? Who shouldn’t have access to this information?
  • Collect as little data as possible
    • What minimum data do you need to accomplish your goal? Which types of data are the most sensitive to your community? Can you ask for alternative types of data instead?
  • Be mindful of permissions, and restrict access where possible
    • Do you need public access to your data? If not, can you restrict permissions to a smaller subset of your community?
  • Use encryption in transit and at rest
    • For the service or platform you’re using, who can see what data? Is your data protected when it’s sent or stored?
  • Think about which companies, people, and systems you’re trusting with this sensitive data
    • Can you suggest more secure channels for following up with more detailed information?
    • Can you connect participants through end-to-end encrypted platforms? End-to-end encrypted communications help keep communications data between the intended sender and intended recipient. Some examples are Signal, WhatsApp, and Keybase.

For those aggregating and compiling mutual aid efforts, think through:

  • Why are you aggregating? What is your goal?
  • What different kinds of data or information are you amplifying? Do they need different privacy considerations?
  • What information do you actually need for your data aggregation to be useful to people?
  • Before linking to smaller data sources, can you communicate with the spreadsheet organizers? It’s helpful to get consent from the mutual aid organizers you are referencing, as they may not have intended for their work to be viewed beyond their communities.

Using and contributing to mutual aid services 

For those using and contributing to these mutual aid services, check for clear communication from the organizer about:

  • What expectations are for participation in this mutual aid effort
  • Which information is necessary or not necessary to participate
  • Whether the platform (website form, spreadsheet, or other method) is using encryption, and ensure that it is at least using HTTPS
  • How publicly visible the data is, and how much organizers can see versus the general public
  • Where the data will be stored, and for how long
  • Whether there are end-to-end encrypted communication tools for connecting with participants further around sensitive details, and how to separate those details from a more widely-viewed platform

Additional considerations for people participating in mutual aid efforts are:

  • Know your risks: can you communicate these concerns with the organizers and talk through the steps they are taking to mitigate them?
  • Be wary of potential phishing attempts relating to the information provided.
  • Consider what you can omit: Do you need to give out your real name, or other identifying information such as your phone number or home address? If your email includes your real name, can you use a different email that’s less connected to your identity?

We’d like to thank Sherry Wong, Rocket Lee, Mona Wang and Martin Shelton for their guidance. 
