“To become more secure, you must determine what you need to protect, and whom you need to protect it from.” – Electronic Frontier Foundation
Communities can sometimes come under threat from bad actors who want to attack or abuse members of your organization or other community members. Your system could also be attacked by spammers and hackers trying to find vulnerabilities to exploit. To counter these threats, it helps to have a plan.
The Electronic Frontier Foundation recommends creating your own personal security assessment by asking these questions:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those?
An example assessment:
We want to protect our community of commenters discussing gender-wage disparity from the vitriolic, misogynistic trolling we’ve seen on social media. If our community members are attacked, we could lose their trust or their business — and possibly receive bad press. It’s worth focusing our limited resources to manage this issue through moderation and/or technology.
From a community’s perspective, you want to protect your members from being attacked and feeling vulnerable. Among the things that could happen: a brigade of racists could group together and make a coordinated attack on the conversation by reporting dozens of posts and leaving abusive comments to overwhelm your moderators; spammers could overwhelm the comments with links to scam sites; bad actors could find a way into your system and doxx (reveal the private information of) community members or your journalists; and of course a nasty back-and-forth argument, aka a flame war, might break out between two or more existing members, which sours others on coming back.
In order to be prepared, you want to make sure your team knows how to moderate effectively.
Here’s a checklist of some other things you might want to consider:
- If you are asking your audience to share personal stories that you will publish anonymously, how bad would it be for them if their contact information were leaked?
- How carefully do you protect what technologists call PII (Personally Identifiable Information) in your newsroom?
- If your system gives everyone access to every form and its answers, how easy would it be for a new intern or someone you don’t yet know you can trust to access private information?
- If you have told your audience that you will keep people’s identities secret, what steps do you take to protect them from potential leaks from within, and hacks from outside?
- Have you documented all of your processes in a place where the team can see them?
Bad things might not happen, but it’s important to have a plan in case they do.