Staying Safe on the Internet

Social Media Safety

Last Updated: July 2022

Your organization can reveal a lot – and sometimes more than it intends – by posting and commenting on social media. Whether it is Facebook, Twitter, Instagram, YouTube or region-specific social media sites such as VKontakte and Odnoklassniki, you should always think carefully about what you post, and properly configure any privacy settings that may be available. This is true not only for your organization’s official pages, but also in some cases for staff members' personal accounts and those of their family and friends too.

Social Media Security and Civil Society

Even low-risk organizations can be targeted and harassed on social media without proper security policies in place. In one example from 2018, a non-profit animal shelter lost thousands of dollars and alienated supporters after an unauthorized account administrator set up a fake fundraising effort, and fake accounts impersonating employees appeared on the platform. If hackers will go to those lengths to make a few thousand dollars off of an animal shelter, you can imagine the damage sophisticated adversaries might be able to inflict if they were to gain access to your organization’s accounts or successfully impersonate you online.

In addition to hacking accounts, civil society groups and individual users in many countries are also facing repercussions for content posted on social media. In one example in Zambia from 2020, police arrested a 15-year-old student for allegedly defaming the president in a Facebook post. The child, who posted under a pseudonym, was identified by the phone number used to register the account and his internet protocol (IP) address.

Develop an organizational social media policy

Assume that anything posted on social media could become public knowledge, and craft an organizational social media policy accordingly. This policy should answer questions such as: Who has access to your social media accounts? Who is allowed to post and who needs to approve posts? What information should/should not be shared on social media? If you post photos, location information, or other identifying information about your staff, partners, or event attendees, have you asked for their permission, and have they considered the risks?

In addition to developing your policy and making it clear to staff, be sure to properly configure your privacy and security (often referred to as “safety”) settings. Some key questions to ask yourself as you decide what privacy and safety settings make the most sense for your personal and organizational accounts include:

  • Do you want to share your posts with the public, or only with a specific group of people internally or externally?
  • Should anybody be able to comment, reply, or interact with your messages or posts?
  • Should people be able to find you or your organization using your email address or (personal or professional) phone number?
  • Do you want your location shared automatically when you post?
  • Do you want to block or mute hostile accounts?
  • Do you want to block specific words or hashtags?

Each social media site will have different privacy and safety settings, but these general concepts apply universally. As you consider these questions, take advantage of helpful privacy guides from the major platforms: Facebook, Twitter, Instagram, and YouTube. For Facebook in particular, be cautious about your privacy choices regarding Groups. Facebook Groups are a popular spot for engagement, advocacy, and information sharing, but unrestricted groups can be joined by anyone. It is not uncommon for “fake” accounts to pose as real people in an effort to infiltrate private social media groups or pages. Therefore, accept “friend” and “follow” requests carefully. Remember that your organization’s social media accounts are only as secure as the accounts that are “linked” to them. This is especially important to remember for Facebook, where your organization’s page may be managed by someone’s linked personal account.

Online Harassment

Unfortunately, many organizations face significant harassment online, especially on social media. Such harassment is often directed with even more intensity at women and marginalized populations. Online violence against women in particular can create a hostile environment that leads to self-censorship or withdrawal from political or civic discourse. As identified in NDI’s Gender, Women, and Democracy team’s Tweets that Chill report, when attacks against politically active women are channeled online, the expansive reach of social media can magnify the effect of harassment and psychological abuse, undermining women’s sense of personal security in ways not experienced by men.

As your organization develops its social media policy, it is important to be cognizant of these dynamics. Build into your security plan structured support for staff who face negative messages, insults, and threats on social media, both as part of their jobs and in their personal lives. Develop an anti-harassment infrastructure within your organization, including surveying your staff to understand how online harassment impacts them and creating a rapid response team to help staff face challenging situations. PEN America’s Online Harassment Field Manual also provides detailed recommendations on how you can support staff who face such harassment. You might consider, if your staff are comfortable doing so, reporting incidents of harassment and/or problematic accounts directly to the platforms as well.

When engaging with staff who have been the victim of harassment online (and in the physical world as well), it is important to be sensitive. As outlined by the Association for Progressive Communications’ Women's Rights Programme’s Take Back the Tech, understand that a survivor may be dealing with trauma, and recognize that violence (online or offline) is never the fault of the survivor. Ensure such issues can be raised and discussed (if staff are comfortable doing so) in a confidential and safe environment, with the option of anonymity. And include in your organization’s security plan a list of local professionals, organizations, and law enforcement agencies that you can connect staff to for legal, medical, mental health, and technical assistance if needed. For additional ideas, check out Feminist Frequency’s Online Safety Guide.