For all these approaches, from the fully public to the paranoid, the same principle applies as in a Signal conversation: A piece of information is only as secure as the least secured device that accesses it. So as you consider your threat model and whose devices and accounts within your group have access to your most sensitive data, make sure they’re appropriately locked down: That means full-disk encryption—here’s a breakdown for Windows and Mac—strong passwords (we recommend a password manager), and multifactor authentication on all accounts for both cloud- and self-hosted services.
TLDR: A growing spectrum of collaboration approaches offer a range of options: from insecure-but-accessible Google Docs, to end-to-end encrypted or self-hosted tools like Proton and CryptPad, to storing and editing files locally and sharing them over Signal. Choose what works best for you based on your threat model.
Meet IRL Safely
If you’re in the same region as people you’re organizing with, does it make sense to bypass all of these digital gymnastics and just hang out? In many cases the answer is a resounding yes, experts told WIRED—but there are caveats here, too. First you should do the same threat model evaluation for in-person meetings that you did for your digital organizing: Is the association between you and the people you would be meeting already public? Or is it a secret that you know each other and work together? Carry out this same evaluation for the location where you would meet and anywhere else you would go together, just as you would for where and how you host sensitive data.
If you cannot be spotted together or be seen coming or going from a secret or sensitive location, meeting in person may not offer privacy benefits. You could be observed by bystanders, followed by law enforcement, or tracked via cell phone data, surveillance cameras, face recognition, automatic license plate readers, or any of the myriad ways that you can be surveilled in the physical world.
Just as with your threat model assessment for your data, there are no doubt plenty of situations where your affiliation is already public or non-sensitive—meeting people you know from your neighborhood, for example, or people you regularly volunteer with through a religious group, labor union, or other non-secret organization. If you can be seen together without giving away anything sensitive, experts emphasize that in-person meeting is one of the most valuable and potentially secure ways to collaborate.
“The communication that people have together physically can never be replaced, and I champion it,” Freedom of the Press Foundation’s Holmes says. “I would like to say that the best encryption is the noisy bar where you’re whispering to somebody. But we always do have to think about surveillance architecture, which is incredibly prevalent.”
TLDR: Meeting in person eliminates many technical vulnerabilities that could compromise your organization’s privacy and security. But consider your threat model: If the very fact of your meeting needs to stay a secret, physical surveillance can make in-person meetings just as–or even more—risky than digital communications.
Assess, Then Act
The truth, says Distribute Aid’s Taylor Fairbank, is that all organizing that runs counter to the interests of the powerful, digital or physical, carries a threat of surveillance and its consequences. “There’s always going to be some inherent risk to helping other people, unfortunately,” says Fairbank. “That’s the reality that we live in, so think about what you’re doing. Build your own threat model. And if you’re not willing to accept the inherent risks of doing something, then don’t do it.”
But Fairbank also says that those considerations shouldn’t prevent people from acting. “Look at the risk in context, make informed choices, try to be as safe as possible,” says Fairbank. “But, my God, go out there and help people. Because we need it.”
