Top 6 Digital Safety and Privacy Tips for Advocacy Orgs

Activist and advocacy organizations are on the frontlines of advancing the safety and rights of vulnerable populations. In the past year, we’ve seen growing efforts by state and federal governments to inappropriately access and intentionally misuse data. Attempts to criminalize people seeking reproductive healthcare, deport millions of undocumented residents, and harass or intimidate protestors and grassroots organizers have made it more critical than ever to protect and secure sensitive and identifying data.

To reduce the potential of digital harms for community members, staff, and volunteers, advocacy organizations should develop digital security and privacy protocols. While data safety needs vary depending on the kind of organization, how sensitive the data is, and what kinds of threats communities face, all advocacy organizations should implement these six basic privacy measures:

Encryption helps people store information and communicate securely. It scrambles data and then requires a key to unscramble it, so the original data can only be viewed or accessed by those with the key. Using encrypted services is one of the best ways to ensure messages, web activity, and data stored on devices are protected.

Google Messages and iMessage use end-to-end encryption, but dedicated encrypted services, like Signal or Proton Mail, are better suited for communicating sensitive information. Beyond their privacy focus, many encryption tools also prioritize data minimization, user control, and features such as disappearing messages, which can add an additional layer of security. Depending on their needs, organizations should identify the tools that will work best for them.

Encrypting hardware is also important. Full-disk encryption can help protect all data held on a device’s hard drive including files, operating systems and configurations—even if they are lost, stolen, or confiscated. These features are available on mobile devices through iOS (and iCloud) and the Android Open Source Project.

Remember: If it’s not encrypted, it’s exposed.

Strong passwords are critical to protecting accounts. For a password to be strong, it should be alphanumeric, using a combination of letters, numbers, and symbols. Tools like diceware and other word/code generators create complex passwords that are difficult for unauthorized users to guess. It’s critical to regularly update passwords and avoid using the same passwords across different accounts or linking account logins.

Password managers handle multiple, complex passwords by creating and storing them, so users only need to remember one complex master password to access them all.

While password managers are helpful tools, it’s important to note that they can also be vulnerable targets because they create a single point of failure if a master password is ever compromised. To help prevent this, always set up multi- or two-factor authentication (MFA/2FA) to ensure that only authorized individuals are accessing accounts. Some MFA/2FA methods, like a code generator app or hardware token, may offer more security than others, but even using email or SMS/text based 2FA is better than not using any methods at all.

Remember: A few extra steps could mean way fewer breaches.

Privacy-focused web browsing tools offer an easy way to reduce data collection and tracking online. Browsers like Firefox or search engines like DuckDuckGo don’t track online activity and give people options to minimize how much personal information is shared.

How people get online is also important; they should try their best to avoid connecting devices to public WiFi or hotspot networks. If using public WiFi is a must, avoid logging into personal accounts, and access the internet with a virtual private network (VPN). VPNs secure connections and help reduce the amount of information that’s tracked. The best tool for activists and advocacy organizations may change or depend on evolving needs, so we recommend regularly checking trusted sources, like the Electronic Frontier Foundation’s Surveillance Self Defense toolkit or reporting from Wired, to get the latest recommendations for the best privacy-focused browsers, search engines, or VPNs.

When online, pay attention, as scammers rely on urgency, trickery, and spoofing routine transactions. Assessing a link before clicking helps protect against phishing attacks, malware, and ransomware. Bad actors may try to reel in personal information by asking users to click a link, open an email attachment, scan a QR code, install software on devices, or enter usernames and passwords into a website. The old advice stands: If the sender is unfamiliar or the email ID looks fishy, proceed with caution. And never respond to spam. Instead, suspicious messages should be reported, blocked, or flagged.

Don’t forget to update software and devices regularly in case the worst happens. Backing up information regularly will ensure critical and/or sensitive information is still accessible despite any malware or ransomware attacks.

Remember: If a message feels off, it probably is. Better to be overly cautious than overly trusting.

Being offline today often doesn’t feel like an option—but people can choose what information is shared. Social media platforms and websites collect personal information that can be used for targeted advertising, collected and sold by data brokers, and leave users exposed to online harassment or doxxing. Organizations, activists, and volunteers can reduce risks by being thoughtful about what’s shared publicly and not posting unnecessary personal details.

Pro tip: To know what’s publicly available, users should google their name, address, or phone number. If there are too many results, they can be reduced by opting out of data broker registries with tools like DeleteMe and TallPoppy—but limiting what data is shared in the first place is still the best policy.

Even organizations’ public-facing accounts don’t need to share everything. Web or social media managers can use account settings that limit data sharing when possible and control who can see, interact with, or contact the organization.

Meanwhile, individuals should delete old posts and photos, limit visible profile information, and set their accounts to private when possible. Individuals should consider using a screen name or creating separate accounts for personal and professional/activist use. Before sharing photos, users should check that they don’t reveal location or other identifying details—or go a step further and remove the location metadata on photos before sharing them. They can also set clear boundaries so that friends and family know what they can or can’t share about an individual.

An organization should be intentional about what it shares and how. Web managers should restrict account access to only those who need it and review permissions regularly. Organizations should also get consent before sharing photos or personal information about staff, volunteers, or community members. They should avoid posting unnecessary staff details on websites or social media and make sure everyone understands institutional online safety policies and practices.

When engaging online, organizations and individuals should set clear boundaries to reduce risks. Avoid interacting with unknown, hateful, or trolling accounts. Direct requests for information to public resources or official channels of an organization. If it’s a trusted connection, consider moving it to an encrypted service for better protection.

Remember: Digital footprints can be tracked, so limit what information is shared.

Default settings are designed for data collection, so make sure to customize them for as much data minimization as possible.

Taking the time to review and adjust settings across devices, browsers, and apps can significantly reduce how much data is collected. Customizing settings at each level adds an extra layer of privacy.

• Devices → Limit app permissions (contacts, photos, camera, microphone, location) and turn off mobile ad identifiers. Remember to keep device software updated consistently.
• Web Browsers/Search Engines → Adjust settings to turn off or delete browsing history, reject unnecessary cookies, and limit third-party data sharing and targeted advertising.
• Apps → Delete unused apps and review permissions before downloading new ones. Think critically about whether or not an app is actually needed before it’s downloaded. Even simple ones, like a flashlight app, may unnecessarily request access to devices or data, such as phone logs or a camera. Revisit all of your apps’ privacy settings regularly—especially after updates.

Remember: Fewer enabled permissions, fewer problems.

Digital safety is collective care. How an organization collects, stores, and shares data can protect people—or put them at risk.

Organizations should start by reviewing the data currently collected by asking simple questions: Is this data truly needed? Where is it stored? Who can access it? How long is it kept? Data should be kept and secured only when the data is absolutely needed.

Data minimization reduces harm caused by data surveillance, especially when it comes to vulnerable populations. Data that isn’t collected can’t be stolen, misused, or shared. Where collecting data is deemed critical, organizations should clearly explain its use, retention, and options for opt-out or deletion. Consent matters.

Organizations should create clear shared digital security practices for all staff and volunteers. Practices include implementing secure communications, keeping accounts and devices safe, using approved apps and tools, practicing safe web browsing, and maintaining digital safety training. Staff in charge of digital security should regularly review these practices and get technical support when needed.

Not all threats to data privacy and security are purely digital. Regulating physical access to data and devices is also critical. It’s integral for organizations to screen volunteers, limit access to workspaces, and require sign-ins or appointments to protect devices and networks.

The safest digital spaces are the ones we build together.

Remember: Safer spaces start with us.