Preventative Practices

Preventative practices are about maximizing team safety by 1) reducing the likelihood of targeting and 2) hardening the target so that if that targeting occurs, the impact is minimal. Preventative strategies are significantly lower cost, both financially and in terms of effort and energy, than reactive ones; investing in secure infrastructure and a little bit of preparatory organizing is easier, cheaper, and more effective than scrambling to respond to an attack after the fact, and in the best-case scenario, you’ll never need to use it.

There are a few sets of categories to understand preventative practices. Understanding these distinctions can help you create a holistic strategy to protect your people!

Organizational vs. Individual

Some practices can be adopted on the organizational level, and some on the individual level. An organizational strategy can include both organizational practices (for example: Does the organization have a dedicated security or tech support person or team? What are the organization's policies around secure handling of client data?) and individual practices supported or enabled by the organization (for example: Are individual employees’ home addresses easy to find on the open internet? Does the organization encourage and support multi-factor authentication for individual logins into internal systems?).

Security vs. Privacy

Security is about protecting authorization and access to enter and get information from accounts, databases, and internal communications. Security tools include things like enabling two-factor authentication on email accounts to prevent unauthorized logins.

Privacy is about controlling where personal information can be publicly found and making it harder for bad actors to find information they can use to cause harm. Privacy tools include things like data scrubbers that find places where your home address is published online and take it down. There is no such thing as retroactive privacy; once information is out, you cannot control it.

Technology vs. Policy

Technological Practices are about what software, platforms, and tools your team uses and how they are set up. Technological tools can be things like using email clients, database software, and internal and outward-facing communication tools that are the right ones for your organization's needs, and set up with the right features.

Policy Practices are about your organization's policies, and how they are distributed. Policies can include personnel practices and steps you can take to understand various threat scenarios and create advance plans for responding to them, rather than having to start planning a response while already in crisis. These policies should be made available to team members during onboarding or training.

If your organization has a budget to dedicate to preventative practices, companies like TallPoppy, Equality Labs, and Brightlines do organizational consulting to help identify and put into place the most effective practices for your organization's needs.

Some of these tasks can also be the purview of an existing security or tech support team. However, certain opt-out services (see Individual Technological Privacy Practices) need the user to provide significant personal information, which employees or members may prefer to provide to a third-party than to their employer.

Organizational Technological Privacy Practices

Individual Technological Privacy Practices

Individual Technological Security Practices

Organizational Policy Privacy Practices: Doxxing Prevention

Organization Policy Privacy Practices: Protecting Online Presence

Organizational Policy Privacy Practices: Protecting Physical Location

Organizational Preparation Practices

Organizational Technological Privacy Practices

Choosing the Right Tools

When choosing what software, platforms, and tools to use for different types of communication and data storage, the primary considerations to balance are privacy and accessibility.

It’s also essential to consider the different privacy considerations when facing threats from non-state and state actors.

For example, communication tools with end-to-end encryption can often be more complex and less convenient, but keep your data more secure. What tools do your team members use for internal communication? Are they encrypted? Where are the companies based? Do the companies have a history of data breaches? Do they resist subpoenas by law enforcement, or do they hand over data when asked for it?

It's also essential to consider client or patient data, particularly if your organization is providing services that are currently criminalized or may become criminalized.

How are client and patient data being gathered and stored? Could the data you’re storing put those clients or patients at risk? How are you weighing ease of use against privacy for your clients and patients as the landscape of legal risk shifts?

Organizational Technological Privacy Practices

Choosing the Right Tools

Does your organization use apps for internal or outward-facing communication? What encryption do those apps offer? Do the apps collect location or other data that may be or become available to bad actors, whether state or non-state?

Protecting data from non-state actors (such as the threat of data breach) and state actors (such as the threat of subpoena) take different tools. Both can be important when working in a field that is, or may become, criminalized (or otherwise targeted by the state). Use your threat modeling tool to determine what risks you’re currently facing and what may be on the horizon.

Individual Technological Privacy Practices

One of the primary priorities in keeping personal information off the public internet is to keep online harassment from moving offline as much as possible. To that end, supporting employees and members in keeping personal information confidential is a crucial step in preventing the disruption of your organizational operations through doxxing.

Opt-Out Services: “Opt-Out” means removing your personal data from data brokers, which are websites that trawl the open internet for, aggregate, and sell personal data like home addresses, cell phone numbers, and family member names. Opt-out services clean individuals' digital footprint by removing their information from data brokers; they are the single most impactful individual privacy tool available to protect against doxxing, and organizations should pay for accounts with these services for all at-risk members or employees. DeleteMe and Brightlines are the two most common Opt-Out services.

If your organization can’t afford to pay for Opt-Out services, another option is to support and encourage employees to use these self-help tools to protect themselves and each other. If your organization has more people power than cash, it is possible to opt-out manually rather than through a service. IntelTechniques, Yael Grauer, TrollBusters, and Crash Override have compiled lists of data brokers and guides for removing data from them.

Individual Technological Privacy Practices (2)

Secure Communications: Secure communications strategies include both technological strategies, such as choice of communication platform, and policy strategies, such as considerations around how and when to share or conceal sensitive information, including personal information.

The important thing to remember is that the first step is always threat modeling, so that your team can make these choices based on an analysis of the actual threats and the team’s actual risk tolerance, rather than based on fear or panic.

If your organization has more of a budget or higher risk, organizations like Equality Labs, TallPoppy, and Brightlines have one-on-one consultations that can clear digital footprints in more depth and in an ongoing way, including searching for facial recognition data and data breaches that have affected team members.

Individual Technological Security Practices

A network is as secure as any individual node.

The security of the entire organization relies on the security culture of the individuals that make up the organization; one member getting hacked or phished – such as mistakenly entering their email password into a false copy of their login page – can compromise the whole organization.

There are a few technological tools that, when integrated into the organization’s security culture, can significantly reduce the likelihood of this happening.

Password Managers: A secure password manager, like Bitwarden or OnePass, instituted as an organization-wide tool, will reduce the likelihood that a bad actor can log into a member’s account and compromise your data.

Multi-factor authentication: Every login should have multi-factor authentication enabled, whether for an individual’s email address or the organization’s Instagram account. Multi-factor authentication makes unauthorized logins much more difficult.

Individual Technological Security Practices (2)

Virtual Private Networks: Not all organizations need this level of security, but for any criminalized or potentially criminalized work, a VPN camouflages online activity to separate it from the physical address associated with an IP address. This can also be helpful if your organization has a physical location whose address needs to stay private.

TOR ("The Onion Router"): TOR is a type of browser that stringently protects the user's browsing history. In areas where types of healthcare or advocacy are criminalized, a defendant's online history can be used as evidence. For example, a medical provider researching gender-affirming care in a state with criminal penalties could use a TOR browser to prevent their search history from being used to prosecute them.

These are individual tools, but your organization can pay for accounts for individuals and provide regular and accessible trainings to help individuals set up password managers and multi-factor authentication on all of their accounts, which will raise the overall level of technical protection against unauthorized logins throughout the organization.

A Note On Choosing Tools

Feminist Frequency has compiled a step-by-step guide for implementing these tools.

One effective way to evaluate technological tools for efficacy and trustworthiness is to ask someone connected to the privacy/security communities for recommendations. The landscape of available technology changes fast, and the scope of available tools is broad and hard to understand for someone not embedded in that world, but reputational information is available and usually reliable. Many of the organizations referenced in this handbook, like Feminist Frequency, Crash Override, and the Digital Defense Fund, can provide recommendations for credible, decentralized, encrypted tools.

The important thing to remember is that these tools often feel intimidating to individuals, and many people respond to this by doing nothing.

The best way to increase use of digital privacy tools at your organization is to make adoption accessible and unintimidating.

Organizational Policy Privacy Practices:

Doxxing Prevention

Many organizations provide direct contact information for individuals on their public-facing websites, share photos, videos, and personal stories of their members or employees, or otherwise intentionally disclose personal information.

For organizations with higher risk of harassment and doxxing, it’s advisable to have a clear policy about personal contact information, personal and organizational social media, website, and other content. Being visible on public websites, social media, or content is a risk factor.

While public information about staff and easy access to contact them has benefits for transparency, accountability, collaboration with colleagues, and trust-building with communities, organizational policy about mitigating the associated risk should be made collaboratively with the team and with an understanding of all team members' risk assessment and tolerance.

Organizational Policy Privacy Practices:

Protecting Corporate Information

There are several publicly accessible sources of sensitive information that it's easy to overlook until they've already ended up in the database of a bad actor. It's helpful to be strategic about filings and publications, and minimize the inclusion of member or employee personal information, including home addresses, in things like:

Public tax filings
County assessor websites
Website registration records
Professional Licensures
Testimony to, lobbying at or public comments filed with legislative or administrative bodies
Academic publications
Professional continuing education offerings

Organizations and individuals should seek and provide clarity about what information must be included, and what is being publicly shared or will be accessible on request. Can a licensing body redact a public address from its registry? Can employees list a company address when giving public comments? Any entity that requests data has the potential to release that data.

Organizational Policy Privacy Practices:

Protecting Online Presence

It is recommended to have a robust social media policy and training available for any member or employee whose job description includes interacting with social media. Social media hygiene for an organization under threat includes: being intentional about output (e.g., removing metadata and geotagging from photos before posting them, ensuring that content does not compromise confidential member information) and being intentional about input (e.g., having a clear policy for what comments or responses will be removed, or flagged and removed).

An organization that is hosting online events, such as Zoom events, should anticipate the possibility of “zoombombing,” or unauthorized logins by malicious actors seeking to disrupt the event. This can be addressed technically, including with a waiting room and RSVP list, or by assigning a member to a security detail authorizing them to immediately eject anyone who acts disruptive.

Organizational Policy Privacy Practices:

Protecting Physical Location

Some organizations have a physical location that needs to be open and accessible to the public for the organization to function, such as a clinic or a walk-in office, and some do not. Organizations that don’t need an accessible location can use a virtual office service to have a public address that doesn’t compromise their actual location. Some states also have address confidentiality programs to protect office addresses from publication requirements in the event of threats.

Publicly accessible physical locations are necessarily vulnerable to certain types of threat, including infiltration, malicious law enforcement reports, bomb threats, and right-wing protestors showing up in person.

Preventing infiltration, including by bad actors posing as volunteers, clients, donors, or patients, is not always possible. Still, operational security strategies such as careful screening and sharing information only on a need-to-know basis can mitigate the potential harms.

Remember that some right-wing organizations such as Project Veritas take video or audio recordings inside clinics and offices to release doctored content, and consider security protocols to make that more difficult.

It is essential to be thoughtful about balancing the effect of individual security protocols on individuals your organization wants to protect against vs. the effect of those protocols on individuals your organization serves. For example, checking names against identity documents could catch someone who registered under a false name to effect sabotage, but could also screen out a trans person who hasn't accessed legal name change, a houseless person unable to get identity documents without an address, etc.

Organizational Policy Privacy Practices:

Protecting Physical Location

There's no one right answer for all organizations trying to screen out bad actors, but your organization can weigh the factors relevant to the people you serve and do the best you can.

In the event of SWAT threats or bomb threats, please refer to the Involving Law Enforcement section of this manual.

Responding to protestors can be done through various strategies, which can be learned from the extensive experience of abortion clinics.

Many clinics recruit volunteer escorts and legal observers to ensure that employees, clients, and patients can safely access the location.

Federal and State laws such as the Freedom of Access to Clinic Entrances (FACE) Act can be used by some locations to prevent obstruction of entrances by protestors. These laws don't only protect access to abortion clinics, but could also cover providers that offer certain reproductive health services in addition to or as part of gender-affirming care. More information about state laws protecting clinic access can be found here.

Organizational Preparatory Practices:

Internal Reporting Mechanism

To prioritize the safety of members and employees, it is vital to provide accessible internal reporting mechanisms and transparent intra-organizational communication about threats. Organizations should have a robust reporting policy that ensures all members and employees have access to the information they need to make informed safety decisions. They should be provided with accessible options to make those safety decisions, including significant availability to work from home if they deem it necessary to preserve their safety.

Organizational Preparatory Practices:

Playbooks

These policies and technological tools must be aimed not only at making attacks or breaches more difficult, but also preparing everyone involved for the possibility of those attacks or breaches happening. Having concrete playbooks with advance plans for different scenarios to which targeted employees or members can refer in case of an incident protects you from having to devise a plan mid-crisis. These playbooks should be as user-friendly as possible, because the moments that your team will need to pull them out are already moments of crisis.

In creating these playbooks, your team can draw from your threat modeling activity and from the reactive practices explored in this document to plan to evaluate, isolate, mitigate, respond to, and learn from any incident.

These playbooks can be created with the following considerations in mind:
What threats has your organization already faced?
What response strategies were effective or ineffective?
What threats have organizations like yours faced, and how did they respond?
What threats from state or non-state actors are your team members most concerned about?
Who could be impacted by an incident?
Who in your networks is most vulnerable?
Who needs to know when something happens, and who has resources that you can call on?
What would an effective or ineffective response look like?
How would you know if your efforts had succeeded or failed?
What discrete tasks will need to be done in the immediate aftermath of an incident?
How can the team allocate those tasks in advance so the labor is distributed?