The Four Pillars of Security in Grantmaking
By Elizabeth Eagen
Human rights lawyers in Russia discover their email accounts have been hacked, exposing sensitive information about their cases and their clients. The offices of an LGBT organization in Malawi are broken into, and files with lists of activists are taken. A leading activist in exile has his family threatened, discovers he is being followed to meetings, and has his telephone tapped. Accused of possessing pirated software, an environmental organization loses 15 years’ worth of information after its computers are carted away during a raid on its offices.
All of these examples illustrate the very different—and very real—ways that people and organizations working to defend open society around the world can come under threat. Security issues are common in emergencies and high-risk situations, but that’s not the only place they occur. Over the past few years, organizations that have never been perceived to be at-risk have come under physical and digital assault. Those of us, like the Open Society Foundations, who fund this sort of work through our grantmaking, have a responsibility to understand the risks and help assess and resolve these potential threats together with the people on the ground.
The issue is not a new one by any means, and people fighting to build open societies have always experienced security threats. But as human rights work has moved online, so too have concerns with security. The recent uptick in digital attacks has provided a lens through which we can see the diverse spectrum of security threats that civil society faces. It is extremely important, however, that we try to see and understand a more complete picture of security. Though there has been a great deal of interest in digital security and secure communications training in the past few years, in fact, the process of uncovering an organization’s susceptibility to digital attacks often reveals a whole host of other security and organizational issues. If we treat one type of threat while ignoring others, we miss an opportunity to promote long-lasting and resilient strategies.
So what exactly are we talking about when we talk about the different kinds of security threats? I propose that threats to NGO security should be understood in four broad and interlocking categories, and that our approach to security must take into account the whole—and often complex—picture. Digital security is not listed as a separate category below because we see it as integral to each of these areas.
- Physical security covers the practical elements of protecting the office or home and the person. For a physical structure this could include security cameras, steel doors, alarm systems, and a protocol for opening the door. Physical security also extends to individual safety, especially for people on data-gathering missions. Procedures for individuals on missions, planning for the possibility of digital surveillance including location tracking, and emergency evacuation funds are some of the elements of a physical security discussion.
- Communications security focuses on the secure exchange of information. This ranges from robust passwords and encrypted email hosts to purchasing virus protection and legal and updatable software. The unique security issues of mobile phones, such as encrypting SMS and erasing data remotely, need to be considered separately. Organizations should be able to look at the galaxy of possible technology and tools, and select the constellation that works best for them.
- Executive security looks at the most exposed and threatened individuals in an organization. A term from the private sector, in this context it addresses physical assaults or threats to prominent activists and digital surveillance. Executive security asks us to think more broadly about the shifting exposure of any one person by looking at the situational and personnel specificities of traveling and interviewing, and learning to assess the risk of scheduled meetings. It also includes thinking through less obvious issues—for example, more and more we see government using tax laws to threaten individuals. Organizations need to find ways to discuss and balance the equation of vulnerability and visibility for the voices of the organization and the organization as a whole.
- Documentation security, the most frequently overlooked of these four pillars, plans for the long run. It includes the safety and wisdom of keeping paper vs. digital files, trust circles of who knows victims’ names, and creating a deliberate and organizational understanding of secret keeping. This can include archiving past files, and puts a priority on how best to preserve and categorize data, so that important information is not lost in the passage of time. It also draws on best practices of human rights, academic and medical confidentiality, and ethical obligation such as keeping the real names of victims far from their testimonies or obtaining legal permissions from victims. Documentation security also encompasses a research angle: thinking through how your own data collection might need to be altered to allow other like-minded organizations to use it in different venues for effective remedy. It is deeply intertwined with digital security, as many organizations will need strategies and tools to encrypt their data and move it securely to off-site locations.
Of course, addressing security issues inevitably slows down the speed of an NGO response. It can be costly to implement and time consuming to follow, and we have seen it become a frustrating experience for people on the ground who are trying to document human rights violations or offer help to victims. At the same time we must remember in security development that courage and risk have always been part and parcel of human rights work, and must be considered as factors in, not barriers to security. As such, assessing and balancing risk is an important way to make sure that any intervention is the right one, at the right time for the organization.
What other lessons can we draw from the experiences of working on digital security for NGOs? Often, security plans are perceived to be external to the day-to-day work of the organization, and one-time trainings are rarely able to change a group’s own internal dynamics dramatically. With the recent emphasis on digital security trainings, many groups take away a sense that buying the right equipment or downloading the right software is the way to go, and lose caution because they trust the tool. Others take away the sense that encryption and the like are just too hard to implement comprehensively and have no guarantee, and leave training not much better off than when they began. Trainers tell of their lessons not taking hold; NGOs get frustrated by slower working speeds and the sense of futility in self-protection when it sets barriers to victims’ assistance or documentation. There’s also a risk that an organization might only look at digital security and ignore the other security threats in their midst.
So what should a human rights funder do?
It’s nothing new to say that security is a combination of physical and behavioral changes, plus equipment and capital purchases, but it’s pretty rare to find all of this implemented comprehensively in a sticky and long-lasting way.
Solutions are few, and costly. As funders, we should be aware of the risks and benefits of new tools for data gathering and communication, but we need to keep in mind that we’re also invested in the practice of human rights operationally and in helping organizations to accomplish their daily goals. Funding and approaches in security need to be both incremental and tailored to fit the work of the institution. We need to minimize new bottlenecks and alleviate existing ones.
Additionally, we shouldn’t forget—or fight against—the lessons of the past. New approaches to security should include established methodologies that the human rights field has used for decades. Often human rights practitioners forget how much security is already embedded in their daily work, and perceive security plans as outside of their day-to-day, when they have always been cautious to focus on the safety of victims and witnesses. New technologies should not distract from the need for a comprehensive security approach. Most importantly, as funders, we need to make sure a discussion about security includes the organization’s current risk management and information practices. The work of security, organizational development, and best practices of human rights documentation work should be treated as one unit, and should be funded, trained on, and discussed together.
By keeping these four parts of security planning in mind, grantmakers can be in a position to think through interventions in the field more comprehensively.
The time is right for several things to take place, and some are already in progress:
- Information sharing: Organizations working on and thinking about security should be gathered together to share approaches, individual trainers, and experience with key non-tech organizations from the human rights field. The dissatisfaction with stopgap measures is palpable, and presents an opportunity to gather thinking.
- Fund practice rather than tools: Rather than supporting the development or adoption of a specific technology, prioritize funding to organizations that are looking to engage long-term on improving security in their documentation and outreach practices. Providing security training is a growing field, but looking at security holistically is not as well understood or funded.
- Be proactive: Donors should review their portfolios to develop a sense of where interventions are critical and where an opportunity among core partners can arise. Organizations that are growing, and those that have experienced some unfortunate data loss, may be more ready than others to take up security-oriented changes.
To ensure a higher chance of success, we need to make all forms of security—physical, communications, executive, and documentation—integral to the support we provide for organizations.