Full Report
From threat modeling to encrypted collaboration apps, we’ve collected experts’ tips and tools for safely and effectively building a group—even while being targeted and tracked by the powerful.
Analysis Summary
# Best Practices: Secure Grassroots Organizing and Digital Privacy
## Overview
These practices address the risks of high-level surveillance, data tracking, and infiltration faced by grassroots organizations. They provide a framework for protecting sensitive communications, member identities, and operational data from powerful adversaries, including state actors and private data aggregators.
## Key Recommendations
### Immediate Actions
1. **Perform Threat Modeling:** Identify your most sensitive data (e.g., donor lists, meeting locations), who wants it (adversaries), and what the consequences are if it is compromised.
2. **Migrate to Encrypted Messaging:** Cease using SMS or unsecured platforms (like Discord or standard Slack) for sensitive coordination. Move teams to **Signal** for messaging.
3. **Enable "Lockdown Mode":** High-risk individuals using iOS devices should enable Apple’s Lockdown Mode to reduce the device's attack surface against sophisticated spyware.
4. **Enforce Multi-Factor Authentication (MFA):** Use hardware keys (e.g., YubiKey) or TOTP apps (e.g., Raivo, Aegis) rather than SMS-based codes.
### Short-term Improvements (1-3 months)
1. **Implement Disappearing Messages:** Set global timers for all group threads to minimize the "data trail" available if a device is physically seized.
2. **Adopt Privacy-First Collaboration Tools:** Move document editing from Google Docs to end-to-end encrypted alternatives like **CryptPad** or **Skiff**.
3. **Harden Mobile Devices:** Conduct a "privacy audit" of member devices, disabling location services for unnecessary apps and removing unused social media integrations.
### Long-term Strategy (3+ months)
1. **Decentralize Information:** Structure the organization so that no single person has access to the entire member database or all operational secrets.
2. **Develop Incident Response Plans:** Create "burn" protocols for what to do if a member is detained or a device is lost.
3. **Establish Secure Onboarding:** Create a standardized "security kit" for new members that includes mandatory tool setup and privacy training.
## Implementation Guidance
### For Small Organizations
- **Focus:** Low-cost, high-impact tool adoption.
- **Guidance:** Rely on Signal for all internal communications and use free, encrypted tiers of privacy-focused tools. Prioritize physical device security (strong passcodes).
### For Medium Organizations
- **Focus:** Policy and consistency.
- **Guidance:** Appoint a "security lead" to manage access controls. Implement standardized document retention policies (e.g., "we do not store meeting minutes for more than 30 days").
### For Large Enterprises (Movements)
- **Focus:** Resiliency and compartmentalization.
- **Guidance:** Utilize mesh networking protocols (like Thread) for localized communication resilience. Deploy enterprise-grade hardware security keys for all staff and use "Need to Know" access architecture for centralized databases.
## Configuration Examples
### Signal Messenger Hardening
- **Registration Lock:** Enable a PIN so your number cannot be re-registered elsewhere.
- **Screen Lock:** Enable biometric/passcode entry to the app.
- **Disappearing Messages:** Set a default timer of 1 day to 1 week for all new chats.
### Browser Privacy (Firefox/Brave)
- **Privacy Badger:** Install to block invisible trackers.
- **uBlock Origin:** Configure in "Hard Mode" to prevent unauthorized scripts from running.
## Compliance Alignment
- **NIST Cybersecurity Framework:** Aligning with "Identify" (Threat Modeling) and "Protect" (Encryption/MFA).
- **GDPR/CCPA:** Utilizing data minimization principles to reduce the "blast radius" of a data breach.
- **Electronic Frontier Foundation (EFF) Standards:** Following "Surveillance Self-Defense" (SSD) guidelines.
## Common Pitfalls to Avoid
- **"Security Through Obscurity":** Believing that because your group is small, you aren't being tracked.
- **SMS Fallback:** Using Signal for some things but reverting to SMS for "quick updates" (this exposes your social graph/metadata).
- **Ignoring Cloud Backups:** Having encrypted chats but allowing the phone to back them up unencrypted to iCloud or Google Drive.
- **Oversharing on Social Media:** Posting photos of meetings that reveal faces, locations, or whiteboards with sensitive info.
## Resources
- **Signal Messenger:** hxxps[://]signal[.]org
- **CryptPad (Encrypted Office):** hxxps[://]cryptpad[.]fr
- **EFF Surveillance Self-Defense:** hxxps[://]ssd[.]eff[.]org
- **Privacy Guides:** hxxps[://]privacyguides[.]org
- **Tor Project:** hxxps[://]torproject[.]org