Nonprofits and Data


This group is for those interested in learning and sharing about all things data-related for nonprofits. The Nonprofits and Data group is for people using data to serve a mission, either directly or by improving nonprofits and the nonprofit sector. That includes everything from collecting data and managing databases to analytics, data visualization and data mining. Here are some examples of topics we discuss: using data to improve organizational effectiveness, measuring impact, using data for storytelling, tools for data management and analysis, figuring out the “right” data to collect, and learning skills to help us use data better.

Digital safety and security in a hostile climate?

  • 1.  Digital safety and security in a hostile climate?

    Posted Oct 04, 2019 15:18
    Hi all,

    This question falls at the intersection of data and communications, so I'm cross-posting it to the Digital Communications group. Sorry for the duplication if you're in both groups.

    I work at an organization that is both Jewish and LGBTQ. With the continued rise of hate groups, I am concerned about the safety and security of the staff at my organization.

    Sites like Vanguard News Network (VNN), the Daily Stormer, 4chan, 8chan, etc. often target specific individuals for Gamergate style harassment, threats, doxxing, or worse.

    We like to have an open culture at our organization, and part of that is a website section with staff photos and bios. We recently became aware that a photo of one of our staff was taken from our website and posted on VNN in a thread about "ugly Jews."

    Given the nature of the web, there is no way to prevent determined people from reusing photos from a website. I know that organizations like SPLC and the ADL do not post the names and photos of staff other than their most senior staff, and I'm considering recommending that we take this path for the safety of our staff.

    I would very much like to find a blacklist of websites or ip addresses of known hate groups, so I can block traffic coming from those sites to ours. Or a service that can help us with something like this. I also worry about a denial of service attack on our website.

    1) Is anyone aware of a service or blacklists that I can use to prevent direct traffic from hate sites from visiting our site?

    2) If you work at an organization with similar safety concerns, what measures have you taken to protect your staff?

    3) What do you do (if anything) to protect against denial of service attacks?

    Thanks!

    --Leah

    ------------------------------
    Leah Kopperman
    leah@keshetonline.org
    Director, Data & Constituent Relationship Management (CRM)
    Pronouns: she/her/hers

    KESHET
    New York Office
    601 W. 26th Street, Suite 325
    New York, NY 10001
    P: 646.828.9246
    F: 617.524.9229
    www.keshetonline.org
    ------------------------------
    2020 Nonprofit Technology Conference Logo  w/ Baltimore Skyline


  • 2.  RE: Digital safety and security in a hostile climate?

    Posted Oct 04, 2019 17:14
    Hi Leah,

    This is (to me, technically) a fascinating topic, but also, of course as a human being, quite depressing that it's necessary.

    I don't know of any services exactly like you mention, but I did want to throw one thing out, just for thought.  Supposing you could identify traffic coming from identified hate group websites, would you choose to block it, or would you choose to "personalize" your content or web experience in some way, and serve alternate content to that audience?

    Again, I have no answers... just saying that technically, showing alternative content is just as easy as blocking, so knowing that, is there a strategy you can think of for your content that might be better than blocking?

    Nate

    ------------------------------
    Nathan Gasser
    President & Executive Chef
    Report Kitchen
    :::
    A more delicious way to publish your
    project, policy, and research reports.
    :::
    http://reportkitchen.com
    ------------------------------



  • 3.  RE: Digital safety and security in a hostile climate?

    Posted Oct 07, 2019 14:13
    Hi Nathan,

    that's an interesting idea and one that hadn't occurred to me. I'm not sure that we'd want to do it or not, but it's worth presenting to our leadership.

    --Leah

    ------------------------------
    Leah Kopperman
    leah@keshetonline.org
    Director, Data & Constituent Relationship Management (CRM)
    Pronouns: she/her/hers

    KESHET
    New York Office
    601 W. 26th Street, Suite 325
    New York, NY 10001
    P: 646.828.9246
    F: 617.524.9229
    www.keshetonline.org
    ------------------------------



  • 4.  RE: Digital safety and security in a hostile climate?

    Posted Oct 07, 2019 14:42

    Leah, that is awful that is happening to your colleagues and your organization. @Joshua Peskay recently asked what services organizations were using to monitor this type of threat/harassment -- while not exactly the same, perhaps he might have some other ideas that have come up in his research so far. Also, here's a guide that's a bit more comprehensive but may give you some ideas: ANTI-DOXING GUIDE FOR ACTIVISTS FACING ATTACKS FROM THE ALT-RIGHT (I think @Ken Montenegro worked on this or knows the people...I'm not sure, but he might have some suggestions anyway).

    Anybody else have suggestions or resources to share?  



    ------------------------------
    Janice Chan
    Co-Organizer, NTEN Nonprofits and Data group
    Twitter: @curiositybone

    Consultant, Shift and Scaffold
    www.shiftandscaffold.com
    ------------------------------



  • 5.  RE: Digital safety and security in a hostile climate?

    Posted Oct 08, 2019 13:18
    Thanks for the mention @Janice Chan. I was one of the co-authors and have had the pleasure of collaborating with the folks from Equality Labs who have dealt with this issue extensively.

    To Joshua's point, there's really a vacuum in the nonprofit/mission-driven sector for that type of security service model. It's important to remember that our opposition, sometimes nonprofits themselves like the Koch Foundation, invest money in monitoring what they see as their opposition. On the social betterment side, most postures are exclusively defensive. Some folks who might have more security programs are international nonprofits like Human Rights Watch, Amnesty International, and Freedom House. That said, and to point, I can't think of a resource that focuses on supporting more progressive organizations.

    I'm also tepid about progressive groups turning to a consultancy full of former military, law enforcement, and corporate security folks because some groups will have objectives contrary to what their security resource believes in. Security is largely about trust and I wouldn't trust the large commercial firms due to potential conflicts of ideology. The folks at Vision, Change, Win are building a security practice, and folks from the Radical Connections Network (I'm one of many co-founders) are also trying to figure out how to build holistically secure movements.

    For DDOS mitigation, @Dar Veverka wisely identified Cloudflare. I'd add Deflect which does something very similar but solely for mission driven groups. They're here: https://deflect.ca/

    Speaking of DNS, one option for international travelers is Umbrella from the OpenDNS/Cisco folks to supplement endpoint protection.

    Finally, a great part of security is control, and I'd suggest a remote wipe product like Prey Project (or some other MDM solution).

    Hope that helps and stay safe.
    --ken
    ps: My friend Joan Donovan (@bostonjoan on the twitters) has been doing interesting work on following the alt-right as have comrades at Unicorn Ninja. They're both worth a look for folks who want to go into that rabbit hole (with caution).

    ------------------------------
    Ken Montenegro
    Information Technology Director
    Los Angeles, CA
    ------------------------------



  • 6.  RE: Digital safety and security in a hostile climate?

    Posted Oct 08, 2019 14:12
    Thanks Dar, Janice, and Ken,

    For some reason the tagging function isn't working for me right now, so I hope you see this.

    I put out feelers in a bunch of places and I was referred to a nonprofit organization called Access Now that offers "real-time, direct technical assistance and advice to civil society groups & activists, media organizations, journalists & bloggers, and human rights defenders" through their "Digital Security Help Line" https://www.accessnow.org/help/#contact-us   I reached out to them yesterday and today they also gave me Deflect and Project Galileo from Cloudflare.

    Notably, Access Now will offer us tech support to implement Cloudflare or Deflect, so that's a really useful resource for smaller orgs.

    They also said they weren't aware of a list of hate sites to block but said that dnsbl.info is a blacklist of known spammers and malware distributors. To Ken's point about oppo research, a blacklist of hate sites would be so helpful. The Southern Poverty Law Center has their "Hatewatch" project, which I've been aware of for a long time. Their Hatemap includes a downloadable list of hate organizations by state https://www.splcenter.org/hate-map HOWEVER, it doesn't include any URLs, just names and states. I can see why they might not want to post the URLs but I'm sure that most of the orgs on their list have some kind of online presence.

    Related to your specific responses:

    1) Cloudflare: I'm aware of their services but didn't know they donated some to nonprofits. I will investigate that option; at first glance it looks like we might not exactly fit their criteria, but they do the ADL and ACLU, so maybe we do. I'm going to apply.

    2) I will take a look at Joshua's thread here https://community.nten.org/communities/community-home/digestviewer/viewthread?MessageKey=ff2f95b0-74fb-423c-b99c-34fb34ed232f&CommunityKey=a8e1e11e-7bc9-471c-8d12-7b1386bff668&tab=digestviewer#bmff2f95b0-74fb-423c-b99c-34fb34ed232f

    3) I will look at Ken's/Equality Labs' anti-doxxing article here https://medium.com/@EqualityLabs/anti-doxing-guide-for-activists-facing-attacks-from-the-alt-right-ec6c290f543c

    4) I will also look at Deflect, I haven't heard of them before today (from both Ken and Access Now).

    5) I will look at Umbrella

    6) I will look at Project Prey (what a name)

    I'll keep you updated as I learn more.

    Tomorrow is Yom Kippur so I'm offline until Thursday.

    --Leah


    ------------------------------
    Leah Kopperman
    leah@keshetonline.org
    Director, Data & Constituent Relationship Management (CRM)
    Pronouns: she/her/hers

    KESHET
    New York Office
    601 W. 26th Street, Suite 325
    New York, NY 10001
    P: 646.828.9246
    F: 617.524.9229
    www.keshetonline.org
    ------------------------------



  • 7.  RE: Digital safety and security in a hostile climate?

    Posted Oct 08, 2019 14:27
    Thanks so much for compiling and sharing that back with the rest of the group, @Leah Kopperman! (Yes, the tagging is a bit wonky at times but anyone who participated in this thread should see it unless they've muted it.)

    And thank you all who've jumped in so far -- such a wonderful community we have here and so glad you're all a part of it!

    ------------------------------
    Janice Chan
    Co-Organizer, NTEN Nonprofits and Data group
    Twitter: @curiositybone

    Consultant, Shift and Scaffold
    www.shiftandscaffold.com
    ------------------------------



  • 8.  RE: Digital safety and security in a hostile climate?

    Posted Oct 09, 2019 11:32
    > To Ken's point about oppo research, a blacklist of hate sites would be so helpful. The Southern Poverty Law Center has their "Hatewatch" project, which I've been aware of for a long time. Their Hatemap includes a downloadable list of hate organizations by state https://www.splcenter.org/hate-map HOWEVER, it doesn't include any URLs, just names and states. I can see why they might not want to post the URLs but I'm sure that most of the orgs on their list have some kind of online presence.

    If I'm understanding your goal, you're looking at a scenario where something is posted on another site about your organization or one of your staff, and people with potentially hostile intent read it and link from there to your site. In that case, you're probably equally or more likely to see this scenario arise with discussion boards or individual social media posts, rather than an "official" organizational website like those that Hatewatch might monitor. In my limited experience with occasionally checking organizations like this out, their official sites are often very primitive, seldom updated, and typically don't feature discussion boards or places people can post.

    So the challenge there is, you need more than a domain-oriented blacklist, since topping the list could very well be Twitter, Facebook, and Reddit -- all of which send you legitimate visitors as well as hostile ones.  You need to know which page/post from the site sent you the traffic.  Unfortunately Facebook and Twitter (don't know about others) hide the details of their referrers, so you won't be able to determine the individual Facebook post that sent you the visitors, for example.  This approach should work for Reddit and probably other discussion boards.

    One interesting possibility is employing "sentiment analysis" which refers to software that can take in a bunch of text (like a social media or discussion board post, or a comment submitted to your feedback form) and score it based on certain words and phrases.  Typically, you get scores from -1 (strongly negative) to 0 (neutral) to +1 (strongly positive).  Theoretically (although probably not in real-time) you could try blocking referrals from strongly negative sites.  It would also be interesting to monitor reactions to your social media posts (comments, retweets etc), or comments posted to any forums you run, and flag ones with strong negative scores.

    Back to your original point on the possibility of blocking traffic referred to you by hate sites... a simple first step you can take would be to look at your existing Google Analytics referrals for the past 6-12 months and see if you can spot any sites you'd consider to be hostile.   If so, you've got something to work with as far as detecting/blocking those visitors.

    Nate


    ------------------------------
    Nathan Gasser
    President & Executive Chef
    Report Kitchen
    :::
    A more delicious way to publish your
    project, policy, and research reports.
    :::
    http://reportkitchen.com
    ------------------------------



  • 9.  RE: Digital safety and security in a hostile climate?

    Posted Oct 10, 2019 19:11
    I also recommend https://hackblossom.org/cybersecurity/, a DIY Guide to Feminist Cybersecurity
    --
    Lisa Jervis
    Principal
    Information Ecology: Strategic technology for progressive organizations
    https://iecology.org/

    My pronouns are she/her.
    I am in the Pacific time zone.

    Want to send me encrypted email? My public key is available at https://ecl.gy/lj-gpg.





  • 10.  RE: Digital safety and security in a hostile climate?

    Posted Oct 11, 2019 08:17
    Hi Lisa,

    thanks for that link. It looks great.

    --Leah

    ------------------------------
    Leah Kopperman
    leah@keshetonline.org
    Director, Data & Constituent Relationship Management (CRM)
    Pronouns: she/her/hers

    KESHET
    New York Office
    601 W. 26th Street, Suite 325
    New York, NY 10001
    P: 646.828.9246
    F: 617.524.9229
    www.keshetonline.org
    ------------------------------



  • 11.  RE: Digital safety and security in a hostile climate?

    Posted Jan 03, 2020 16:12
    Hi everyone,

    Now that I have Cloudflare set up I've been working on establishing firewall rules that will block traffic from hate sites by using referrer headers that list the specific domains to block. I recognize this is far from a fool-proof solution, but it will block casual visitors.

    One of my outstanding questions had been finding a list of known hate sites to block. I've found a useful one and thought I would share it with you all. It seems well researched, comprehensive, and relatively up to date. It's a special research report created by the Middle East Media Research Institute (MEMRI) called "Online Incitement Against Jews, People Of Color, Muslims, And LGBTQ – Chapter III: Sources And Details Of Their Online Information" and it lists a ton of hate sites that I wasn't aware of.

    My caveat here is that I can't vouch for MEMRI as an organization. Their advisory board includes some people that are quite problematic, though it does look like they make some effort to balance that out.  Anyway, I don't know about MEMRI as an org, but I do know that for my purposes their online incitement list is pretty valuable and I thought that some of you might also find it useful.

    --Leah

    ------------------------------
    Leah Kopperman
    leah@keshetonline.org
    Director, Data & Constituent Relationship Management (CRM)
    Pronouns: she/her/hers

    KESHET
    New York Office
    601 W. 26th Street, Suite 325
    New York, NY 10001
    P: 646.828.9246
    F: 617.524.9229
    www.keshetonline.org
    ------------------------------
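
Added example (not written by any participant in this thread): a sketch of the referrer review suggested in post 8 and the referrer-header rules described in post 11, run over web server access logs instead of Google Analytics. The domains, log lines and function names are constructed placeholders; `http.referer` is the Cloudflare rule field for the Referer header.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed placeholder blocklist (reserved .example names, not real sites).
BLOCKED_DOMAINS = {"hostile-forum.example", "hate-board.example"}

# Constructed access-log lines in Apache/nginx "combined" format.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jan/2020:10:01:00 +0000] "GET /staff/ HTTP/1.1" 200 5120 "https://hostile-forum.example/thread/991" "Mozilla/5.0"
203.0.113.9 - - [03/Jan/2020:10:02:10 +0000] "GET /staff/ HTTP/1.1" 200 5120 "https://hostile-forum.example/thread/991" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2020:10:03:00 +0000] "GET /staff/ HTTP/1.1" 200 5120 "https://www.hostile-forum.example/thread/991" "Mozilla/5.0"
198.51.100.8 - - [03/Jan/2020:10:04:00 +0000] "GET / HTTP/1.1" 200 2048 "https://nothostile-forum.example/" "Mozilla/5.0"
198.51.100.9 - - [03/Jan/2020:10:05:00 +0000] "GET /staff/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Jan/2020:10:06:00 +0000] "GET /about/ HTTP/1.1" 200 4096 "https://search.example/?q=https://hostile-forum.example/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer):
    """Return the lowercased host of a Referer value, or None if absent."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower().rstrip(".") if host else None


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """Match the listed domain or any subdomain of it, never a substring."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def analyze(log_text, blocked=BLOCKED_DOMAINS):
    """Count visits per (referring page, requested path) from listed domains.

    Keeping the full referring URL shows which thread sent the traffic and
    which of your pages it points at. Requests with no Referer are counted
    separately: they cannot be classified, which is the limit of this approach.
    """
    hits = Counter()
    no_referer = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = referer_host(m["referer"])
        if host is None:
            no_referer += 1
        elif is_blocked(host, blocked):
            hits[(m["referer"], m["path"])] += 1
    return hits, no_referer


def cloudflare_expression(blocked=BLOCKED_DOMAINS):
    """Build a firewall-rule expression on the Referer header.

    'contains' is a substring test, so it is looser than is_blocked(): it
    would also match the nothostile-forum.example and search.example lines.
    """
    return " or ".join(
        f'(http.referer contains "{d}")' for d in sorted(blocked)
    )


if __name__ == "__main__":
    hits, no_referer = analyze(SAMPLE_LOG)
    for (ref, path), n in hits.most_common():
        print(f"{n:3d}  {ref} -> {path}")
    print("requests without a Referer:", no_referer)
    print(cloudflare_expression())
```
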



  • 12.  RE: Digital safety and security in a hostile climate?

    Posted Jan 04, 2020 13:58
    These folks have a similar service which, unlike Cloudflare, does not provide protection to white supremacists:
    --ken
    Ken Montenegro :: Technologist, Lawyer, Factotum :: https://flowcrypt.com/me/kmontenegro 





  • 13.  RE: Digital safety and security in a hostile climate?

    Posted Oct 07, 2019 19:29
    Edited by Dar Veverka Oct 07, 2019 19:35
    For DDOS, Cloudflare. The $20 Pro is good but check if your org qualifies for their Project Galileo, which is the Business level for free. Depending on the service level you get, the Web Application Firewall piece will be able to do IP address blocks for you. That is included in the Business level. I forget if it's in the Pro level.

    https://www.cloudflare.com/galileo/

    (H/T Jason Shim)

    ------------------------------
    Dar Veverka
    Director of Information Technology
    Urban Teachers
    Baltimore, MD
    ------------------------------



  • 14.  RE: Digital safety and security in a hostile climate?

    Posted Oct 14, 2019 19:28
    @Leah Kopperman I'd recommend reaching out to Lu Perez at Vita Activa. Her organization provides online support and a solutions laboratory for women and LGBTQ who are facing violence online and harassment. She may have additional resources to share.

    I noticed you're using WordPress and would recommend adding a firewall by Sucuri which would help prevent DDoS attacks and prevent suspicious activity from reaching your website.






    ------------------------------
    Chuck Spidell
    The Nonprofit WordPress Security Expert
    ------------------------------



  • 15.  RE: Digital safety and security in a hostile climate?

    Posted Dec 26, 2019 12:00
    Howdy all! This thread has been quiet for a while, but I wanted to post a quick update and resource.

    I had a limited scope engagement with a nonprofit to evaluate threat intelligence monitoring/alert services. I created an anonymized version of the report and am attaching here as PDF.

    Three reasons:

    1) If this report is helpful to ANYONE - great.
    2) If anyone reads the report and has any feedback or comments (or additions), awesome.
    3) I actually reference this NTEN thread in the report. Seemed only fair to share it here as follow-up.

    Happy holidays all!

    -JP

    ------------------------------
    Joshua Peskay
    Vice President of Technology Strategy
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------



  • 16.  RE: Digital safety and security in a hostile climate?

    Posted Dec 30, 2019 14:10
    Hi Joshua,

    thanks for posting this! I'm going to take a look at the two less expensive services that you mention.

    Also: I had been meaning to come back to this thread with an update.

    I applied for Cloudflare's "Project Galileo" on behalf of my organization and we were accepted. The application process was pretty easy and I was notified of our acceptance within a week of submitting the application. I did the basic setup myself and as long as you have a working knowledge of how to manage DNS records and have access to your domain name registrar, you can set up the basics in probably 20 minutes, plus the 24-72 hours for the DNS change that points your nameserver to Cloudflare.

    I need to take more time to get familiar with what everything means on the Cloudflare block log, but it has already actively blocked some malicious traffic for us.

    --Leah



    ------------------------------
    Leah Kopperman
    leah@keshetonline.org
    Director, Data & Constituent Relationship Management (CRM)
    Pronouns: she/her/hers

    KESHET
    New York Office
    601 W. 26th Street, Suite 325
    New York, NY 10001
    P: 646.828.9246
    F: 617.524.9229
    www.keshetonline.org
    ------------------------------



  • 17.  RE: Digital safety and security in a hostile climate?

    Posted Jan 05, 2020 10:22
    Hi Leah,

    It's unfortunate that your organization is experiencing this but at the end of the day, the experience leads you to put some best practices in place. Most websites, regardless of content, will in fact experience some level of attack though DDOS is one of the most common.
    Cloudflare is a recommended solution that I've used over the past few years but it's not enough particularly depending upon where and how your website is hosted. I recommend a software firewall as well. One that aligns with your website platform. Also, note that this will be an ongoing initiative where monitoring and optimizing will be required.

    Best of luck!

    Best,
    Seth

    ------------------------------
    Seth McMillan
    Windsor Mill, MD
    ------------------------------



  • 18.  RE: Digital safety and security in a hostile climate?

    Posted Jan 13, 2020 19:49
    Thanks so much for sharing this, Josh! SUPER helpful. Information Ecology has been doing some thinking about open source intelligence gathering, for clients worried about these kinds of threats and who want to keep on top of what kind of information about them/their people is publicly available to those who are motivated to dig. This is v complementary (and when we have something to share, we will!).
    --
    Lisa Jervis
    Principal
    Information Ecology: Strategic technology for progressive organizations
    https://iecology.org/

    My pronouns are she/her.
    I am in the Pacific time zone.

    Want to send me encrypted email? Use our form at https://iecology.org/contact/ or get my public key from https://ecl.gy/lj-gpg.


