Advice for abortion advocates: the time to do a digital security check-up is now
Digital Defense Fund provides digital security support to abortion access organizations in the United States. Our mission is to leverage technology to defend and secure access to abortion. We envision a future where technology and innovation support secure, autonomous reproductive decisions, free from stigma. Our small but mighty team works hand in hand with our grantees as partner, service provider, and funder to ensure they have the solutions they need to achieve their goals.
As the future of abortion and criminalization of our work continues to become more and more uncertain, it's critical that we all make sure we're protecting ourselves, each other, and the people we serve. All nonprofit employees can help guard their organizations against financially motivated cybercrime. Abortion access workers have the additional responsibility of keeping an eye out for ideologically motivated attacks as well. Fortunately, these digital security best practices can protect you from both.
We know that digital security can seem scary and out of reach for many people. At Digital Defense Fund, we truly believe that anyone can take control of their digital security!
Take a moment to consider what sensitive information is in your accounts, and why someone might want access to it. Do you have access to the information of people who use your organization’s services, who donate to your work, who receive or perform abortions? Are you someone who manages your organization’s finances, or has access to other sensitive employee information?
Our tips cover ways to prevent and mitigate attempts to get your password or another entry point to your sensitive data, and ways to protect your own personal privacy. No method is foolproof, but we can all reduce our risk. Together as a movement, we can all improve our collective data hygiene so we can do our part to protect our own and our community’s privacy, and feel safer living our mission out loud.
The following steps do not require technical knowledge. We’re also here to support you if you run into any challenges. Send us a message on our contact form if you need help with any of these recommendations!
Protect your accounts:
If you only do one thing, turn on two-factor authentication (2FA), also known as multi-factor authentication (MFA) or two-step verification (2SV).
What is 2FA? Two-factor authentication means you need a second factor - something else in addition to a password - in order to get into your account. This second factor is often a code you receive via SMS or an authenticator app, or a physical hardware token like a YubiKey.
Why: Even if a cybercriminal manages to get your password, they still won’t have enough information to get into your account.
What if you get locked out? When you set up 2FA, you’ll have the chance to save one-time-use recovery codes in case you lose your second factor. We recommend saving these in your password manager.
Now that you’ve got 2FA turned on, start changing passwords: use a different password for every account.
Why: When a website doesn’t have sufficient security, cybercriminals can hack their databases and steal the usernames and passwords of all their users. These usernames and passwords are then shared online and used in “credential stuffing” attacks where a cybercriminal tries all the username and password combinations on different sites. So if you were in the LinkedIn breach, cybercriminals will try your email and LinkedIn password on other websites like Uber, PayPal, or Google.
Is your password in a breach? You can use the website www.haveibeenpwned.com to check if your email and passwords have been in any website data breaches.
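How a password can be checked against breach data without sending the password itself, as an added example that is not part of the original article: the Pwned Passwords range lookup offered by Have I Been Pwned takes only the first five characters of the password's SHA-1 hash and returns every matching hash suffix with a count. The response body below is constructed so the example runs offline; the sample passwords and counts are made up.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally; return (5-char prefix to send, 35-char suffix to keep)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def request_url(password: str) -> str:
    """The only thing that leaves the machine is the 5-character hash prefix."""
    return RANGE_URL + split_hash(password)[0]


def breach_count(password: str, range_body: str) -> int:
    """Scan the 'SUFFIX:COUNT' lines returned for the prefix; 0 means not found."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def constructed_body(password: str, count: int) -> str:
    """Constructed stand-in for a server response: two decoy suffixes plus one match."""
    _, suffix = split_hash(password)
    return "\r\n".join(["0" * 35 + ":3", f"{suffix}:{count}", "F" * 35 + ":12"])


if __name__ == "__main__":
    body = constructed_body("password123", 42)  # sample values, not real breach data
    print("URL that would be requested:", request_url("password123"))
    print("reused password seen in breaches:", breach_count("password123", body))
    print("unique passphrase seen in breaches:",
          breach_count("maple-quartz-violin-ferry", body))
```

Any password with a non-zero count is already in the lists used for credential stuffing and should be replaced with a unique one.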
Use a password manager to generate and securely store all those passwords!
Why: Password managers are purpose-built with security in mind. They use end-to-end encryption to protect your data. The encryption key is your password manager password and they do not store this for you. Because they don’t store the encryption key, even if a password manager were breached, the data would all be encrypted. When you use a password manager, you only have to remember one (long and unique) password: the password for the password manager!
Make it long! We recommend using a four or five word passphrase as the password for your password manager. Since the password manager doesn’t store this for you, save it in a locked filing cabinet or give it to a trusted friend in case you forget it.
Protect your privacy:
Google yourself to see what someone attempting to harass you might see.
Most harassers use Google to find information about their targets. Since your previous Google searches can influence your search results, we recommend using an incognito or private browsing window to search yourself. Using an incognito or private browsing window clears Google cookies and logs you out of your Google account.
Identify search results that you would like to remove.
Removing your information is a great way to learn about the personal data economy, but can also be tedious. Abortion access employers often offer information removal subscriptions like DeleteMe to employees as a benefit of their employment. If your employer does not yet offer this benefit, encourage them to reach out to Digital Defense Fund to learn more. You can remove data aggregator results by opting out of each website. This data removal workbook by Michael Bazzell shares the opt out links for various data aggregator sites.
Double check the privacy settings on your social media accounts.
Compartmentalize public and private social media accounts. Information you share on your accounts can be used against you by a harasser in creative ways (for example, by identifying your location or threatening your family). Know what is public by default. For example, even on a private Facebook account, your profile photo and cover photo albums are public.
Document any harassing posts, messages, etc. and share them with your employer.
Take pictures and screenshots, and save any messages that contain harassment. You can also reach out to Digital Defense Fund for support if you are experiencing online harassment! Send us a note through our contact form.
Digital Defense Fund is here to support you! Check out the resources on our website to learn more, or drop us a note if you have any questions.
Note for abortion access movement employers: living in fear shouldn’t be part of the experience of working in our movement. You can help protect your employees (and your organization) by providing password manager accounts and training; enforcing 2FA and providing free second factor hardware tokens; giving every staff member access to data removal subscriptions; providing holistic security stipends; and creating proactive policies to assist any employee experiencing online harassment. We can help you with this! Reach out to us via our contact form for assistance.