What do community builders *need* to know about security

(And why we can't just take GDPR to mean Gosh Darnit, Please Read!!!!)

Heads up! A previous version of this blog post exists on the Orbit website when I was their Senior Technical Community Advocate. I have since updated this post to include more general education + resources.

Community builders rely on trust — reinforce this trust with security, safety, compliance, and privacy.

Several intrinsic contracts happen within the world of community building. Communities often bring a lot of good to people's lives and tend to come with an exchange of information, sharing of knowledge, and data.

As a community builder — you are in a position of trust to ensure that the community you're working with remains safe, healthy, and trusted for time to come.

To retain trust within the community — the community industry as a whole should make sure to take a stand for security, safety, compliance, and privacy.

If we don't — these spaces could bring havoc and potentially physical, financial, and/or legal harm to folks.

But what do these steps even mean within the context of community building?

Practical advice and implementation haven't always kept pace with the conversation. And, like many other things, once these topics hit the mainstream lexicon, they become more susceptible to hype, jargon, and technical brouhaha that wouldn't otherwise be there.

Have no fear — I'll break it down plain and simple and provide a no BS way to get your footing (and keep you and your community safe).

When we talk about security, safety, compliance, and privacy — at the end of the day, it comes down to trust.

  • Who is trusting you with information?
  • Who are you trusting with your information?
  • Whose trust are you risking when you share information?
  • Why should someone trust you?

These are seemingly straightforward questions at their core — but when we dive in deeper, we can see how complex they can start to get.

So what do these terms mean?

Before diving into how we keep our community safe — it's essential to dive into the what and why.

  • Safety means that no harm (mental or physical) can come to the person.
  • Security is the set of measures put in place to protect someone (and their data) from harm.
  • Privacy is the notion that one can withhold information or details for comfort or safety.
  • Compliance covers the laws or regulations that mandate protections in a given market, for citizens or consumers, and the security or legal steps companies must take to meet them.

It's easy to conflate these terms and use them interchangeably, but by getting into specifics, we can provide immediate solutions to each of the above rather than vague generalizations.

For example, a community may feel very safe at first and appear not to need guidelines or moderation, but feeling safe is not the same as being secure: security means the protection measures that keep a community safe are actually in place. Using specific terms lets us break down how we're building these communities in a healthy way.

Who is trusting you with information?

Every time we communicate with someone, we learn more about them. It can be as innocuous as simply knowing they have a cat — or something as complex as their deepest darkest secrets.

The fact of the matter is — whether it seems silly or severe, it's important to keep whatever someone has trusted you with safe and secure. And not just because someone doesn't want their dirty laundry aired out with the community — but because of compliance and security. In recent years, both market forces and a barrage of (rightly so) fired-up activists and legislators around the globe have pushed through a series of laws dictating what companies can and cannot do with your data, specifically personally identifiable information (PII).

PII is protected by laws we'll dive into later. PII is data that may directly or indirectly identify a natural person. This could be someone's name, contact info, purchase habits and preferences, location, contacts, and a range of similar data that would make someone findable on the web. (GDPR uses the broader term "personal data," which also covers online identifiers such as IP addresses and cookie IDs.)

As community builders, this is the type of data we use daily to foster connections or understanding within a community. However, it is more important than ever to think through how this is being stored and shared — with legal enforcement on the line; we need to be honest about how this is progressing.

GDPR, CCPA, and Trust

In 2018 — you probably received a barrage of emails about two laws: one in Europe known as GDPR, or the General Data Protection Regulation, which became enforceable in May 2018, and one in California known as the CCPA, or the California Consumer Privacy Act, which was signed in 2018 and took effect in January 2020.

These laws require companies and organizations not only to tell you how they plan to use your information, but to have a lawful basis for doing so (under GDPR that is often explicit consent; the CCPA leans more on a right to opt out) and to explain it in layperson's terms, among other increased protections for users, including the right to have your data erased (the "right to be forgotten").

While the laws have different nuances and enforcement tactics, they have started to outline and guide companies and organizations on how your data may be used and what protections users have over it. That's right — users often implicitly trust you to protect their data and keep it safe.

And if users aren't implicitly trusting you — they may be explicitly trusting you. Many organizations require that their vendors comply with these laws and regulations.

Think about it: How do you approach compliance in your community?

  1. Are users opting into receiving alerts or notifications from you?
  2. Are you telling them in plain language what you're using their info for?
  3. Are you providing a way for users to opt out or honoring their right to be forgotten?
  4. Are you keeping personally identifiable information secure and not sharing this in public spaces?
  5. Are you notifying your community about the vendors you use, i.e., data subprocessors?
  6. Do your users know how to modify, correct, or erase their data from your platform? Is that info readily available on your website or via emails?

Privacy, Identity, and Trust

While legal trust is typically enforced, community builders often face different privacy and identity issues as well.

The internet is a fantastic place; many folks have found communities or places where they belong online, where they might not belong in the offline world. Community members may use an alias or an alternate identity when navigating specific spaces.

Specific communities may also be discussing more sensitive or delicate topics as well, where someone might not be comfortable talking about it publicly.

Community builders, at times, will be privy to information that would reveal these aliases or come across sensitive conversations within these communities. It is of utmost importance and safety that members do not have their identity or other personally identifiable information revealed without explicit consent.

Think about it: How do you approach privacy, identity, and trust?

  1. How do I address my community members? Am I giving them a space to tell me how they want to be addressed?
  2. How do I interact with members in private channels or public spaces? How might these differ? Should they differ for the protection of members?
  3. How are issues elevated within the community? Is there a space to report problems anonymously? How are claims of harassment or abuse addressed?

Who are you trusting with information?

Every login, Slack message, tweet, photo, Discord message, text, NFT, and even, dare I say, carrier pigeon gives away a little bit more about ourselves, from the words we choose to the people and things we talk about.

But what about all the little steps in between? Who else might have our information (and community members' information)?

With the rise of community, we've also seen a surge of community tools — everyone is trying to find a new way to improve the daily grind. This makes us (and subsequently our community's data) a prime target for anyone seeking to use that data maliciously.

We often overlook all the third-party apps and tools that we use to help us on our journey to build better communities. As community folks - we must be vigilant in the different devices we use, how we use them, and what access they have to our data and our community's data.

Set up safeguards for yourself, or if you've got one, chat with your compliance and security team; they often have deeper knowledge and insight into what's happening in these spaces.

Think about it: How are you protecting yourself and your community's data?

  1. Do you use 2FA (two-factor authentication) or SSO (single sign-on) for your logins?
  2. Do you use a password manager or another secure way of storing passwords? (Rotate a password as soon as you have reason to think it's been exposed; current NIST guidance no longer recommends changing passwords on a fixed schedule.)
  3. How do you store logins and passwords? Who has access to this?
  4. Are you sharing logins across a team? How? Who has access to them?
  5. What apps or tools do you use in your community? What do they have access to?
  6. Are these organizations GDPR / CCPA compliant?

Whose trust are you risking when you share information?

As a community builder, you are frequently a treasure trove of knowledge about your community. Birthdays, celebrations, career milestones, and other opportunities come to mind as top-of-mind data you get when you're building community.

Add this to any information you might be privy to based on your role in your organization. Community builders have a lot of knowledge bouncing around in their brains.

You open yourself up to further exposure whenever you share even things that seem innocuous, including anything you share via a private message.

A rule I've taken from the journalism world: don't conduct yourself in a manner or share information that you'd be embarrassed to see on the front page of the New York Times.

It's quick to have the perception of trust and privacy online — platforms tell us these details are secret, trusted, and safe, but are they really?

DMs, Slack messages, and private conversations held in public spaces — you're merely a screenshot or recording away from it being exposed to the world. Be conscious of what you share with whom, and of who is at risk when information leaks.

Think about it: How do you treat sensitive information?

  • Who are you sharing information with? Why? How is this being shared?
  • Where might things be written down?
  • Who is most at risk of information being shared?
  • What vulnerabilities does your organization have? What vulnerabilities do your community members have?

Why should someone trust you?

We've spent a lot of time diving into how we should investigate our behavior and set up safeguards within our practices and for our community — but how are we communicating why we should be trusted? And how do we show that the community and products we work with can be trusted?

Security, safety, compliance, and privacy are no longer nice-to-haves but need-to-haves. Aside from the fines that can follow if your practices aren't compliant (GDPR allows penalties of up to €20 million or 4% of annual global turnover, whichever is higher), users are now more aware of data best practices and more likely to participate in communities they trust.

It starts with transparency. Share what you're up to, what you're doing, and how you're doing it. Then, follow through. Do what you say you're going to do.

These actions of trust start on a small scale. Be human, be transparent, and share what you know and what you don't know. Provide ways for folks to learn more or reach out. Make yourself available for questions. If you can't answer the questions — find someone on your team who can.

Trust doesn't happen overnight; how your community carries itself and the more minor interactions and intricacies within your community are essential in creating an environment where trust is the norm.

Think about it: How do you actively foster trust in your organization?

  • How are you disclosing updates, and policy changes and keeping people in the know?
  • How are you answering or addressing questions that the community might have?
  • What best practices do you have internally? Externally? How are these communicated?

Understanding the role a tool plays within an organization.

In community building — you're likely to encounter two different types of entities as categorized by GDPR: data controllers and data processors. While it seems a bit semantic, it's crucial to understand how these types of entities differ and what risks you're putting your community at with each.

  • A data controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

    Put simply — data controllers decide why data is needed and how it is used and processed.
  • A data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of a data controller.

    Many of these community tools (Orbit, Common Room, Commsor, Homeroom) fall under the class of data processor, as do tools like specific payment gateways, Google Analytics, or other metrics/measurement software. In that relationship your organization is usually the controller, which means the obligations (and the liability) stay with you even though a vendor does the processing; GDPR requires a written data processing agreement with each processor.

Be mindful: go through the tools you're using with your security team and confirm, for each one, whether it acts as a data controller or a data processor. For context — PayPal is both a data controller and a data processor depending on how it's used. Also note where your data is stored; countries differ on where data may reside and when it may be transferred across borders (data sovereignty and residency rules).

It is essential to keep in mind — wherever your community data is coming from, that folks have consented and opted into communications with you. This can be more implicit, like a follow on Twitter, or more explicit through a sign-up form or registration. A follow only covers interaction on that platform, though; it is not consent to email someone or to pull their details into another tool.

Putting things into action

As a community builder (and possibly a community builder that is using one or more of these tools) we should make sure that the following are not just something that we think about but also something that we act on as well.

Private things stay private

As a community builder, it's essential to ensure private things stay private. From your logins and conversations to the community data itself — even something as seemingly innocent and innocuous as a screenshot, or sharing a password with a coworker without the proper security precautions, can lead to data breaches and leaks.

You are in a position of trust (and possibly liability) if something were to get out.

Add in the extra layer of security

You've likely heard this before — but password managers are your friend. Use a password manager AND multi-factor authentication (MFA), and where your organization offers Single Sign-On (SSO), use it, since it puts MFA and account offboarding in one place. That way, even if someone DOES get your password, they still can't get in. Don't share passwords with others, and change one as soon as you suspect it has been exposed.

Be mindful of third-party integrations, plugins, or tools

Anytime you add an integration, software, or additional tool — you widen the attack surface for yourself (and your organization, teammates, and members).

Many organizations that handle PII have a security checklist (often a vendor questionnaire) that a security team runs before a new tool is approved. It's important to read the terms and conditions (like, really read them) and the permissions you grant, and to understand what you're giving the tool access to read and do.

Many seemingly harmless apps ask for far broader access than they need, such as permission to read every message or export the whole member list. Talk to your team and see if they have a security checklist in place — if they don't, talk to your team about making one.

Honor GDPR Requests

Have you received a GDPR request such as a right-to-be-forgotten (erasure) notice? This isn't something to shrug off; if not handled correctly, you could be liable for fines that can run into the hundreds of thousands of dollars or more, plus other legal headaches. Under GDPR you generally have one month from receipt to respond. Contact your security or privacy team and make sure that you are documenting notices and acting on them within that window.
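To make the "document and act on it" step concrete, here is a small Python sketch added to this post (it is my illustration, not code from the original post or from any of the tools named above). It assumes three things for the sake of the example: a primary member store, a copy of the same data already handed to an analytics processor, and a suppression list so a connected tool can't quietly re-import someone who asked to be erased. The one-month clock is the one GDPR Article 12(3) sets.

```python
"""
Added example: a minimal erasure-request workflow for community data.
Member records, the two stores, and the suppression list are assumptions
made for illustration; the deadline rule follows GDPR Art. 12(3).
"""
import calendar
import hashlib
from dataclasses import dataclass, field
from datetime import date

# Fields treated as personal data. Anything else (e.g. aggregate counts)
# may survive erasure because it no longer identifies anyone.
PII_FIELDS = {"name", "email", "handle", "location"}


def add_one_month(d: date) -> date:
    """Same calendar day next month, clamped for shorter months (31 Jan -> 28/29 Feb)."""
    year = d.year + (d.month // 12)
    month = d.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def suppression_key(email: str) -> str:
    """Hash of the normalised email. This is pseudonymisation, not anonymisation,
    so the suppression list still needs to be access-controlled."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


@dataclass
class ErasureRequest:
    email: str
    received: date

    def deadline(self) -> date:
        # Art. 12(3): respond without undue delay and within one month of receipt.
        return add_one_month(self.received)


@dataclass
class CommunityData:
    members: dict = field(default_factory=dict)            # primary store, keyed by email
    analytics_export: list = field(default_factory=list)   # copy already sent to a processor
    suppression: set = field(default_factory=set)          # hashes of erased subjects
    audit_log: list = field(default_factory=list)          # what an auditor will ask for


def sample_data() -> CommunityData:
    """Constructed sample data (not real people)."""
    data = CommunityData()
    for name, email, handle in [("Ada", "ada@example.org", "@ada"),
                                ("Grace", "grace@example.org", "@grace")]:
        data.members[email] = {"name": name, "email": email, "handle": handle,
                               "location": "Somewhere", "joined": "2023-05-01"}
        data.analytics_export.append({"email": email, "handle": handle,
                                      "messages_30d": 12})
    return data


def process_erasure(data: CommunityData, req: ErasureRequest, today: date) -> dict:
    """Erase PII from every store, block re-import, and record what was done."""
    key = req.email.strip().lower()
    stores_touched = []

    if key in data.members:
        del data.members[key]
        stores_touched.append("members")

    # The processor copy is scrubbed field-by-field rather than deleted,
    # so non-identifying aggregates still reconcile with old reports.
    scrubbed = 0
    for row in data.analytics_export:
        if row.get("email", "").lower() == key:
            for f in PII_FIELDS:
                row.pop(f, None)
            row["erased"] = True
            scrubbed += 1
    if scrubbed:
        stores_touched.append("analytics_export")

    # Even an unknown subject gets a suppression entry and a reply on record.
    data.suppression.add(suppression_key(key))
    entry = {
        "subject": suppression_key(key),          # never log the email itself
        "request_received": req.received.isoformat(),
        "deadline": req.deadline().isoformat(),
        "completed": today.isoformat(),
        "on_time": today <= req.deadline(),
        "stores": stores_touched,
    }
    data.audit_log.append(entry)
    return entry


def can_import(data: CommunityData, email: str) -> bool:
    """Connected tools re-sync members; refuse anyone on the suppression list."""
    return suppression_key(email) not in data.suppression


if __name__ == "__main__":
    d = sample_data()
    print(process_erasure(d, ErasureRequest("Ada@Example.org", date(2024, 1, 31)), date(2024, 2, 10)))
    print("re-import allowed:", can_import(d, "ada@example.org"))
```

The point of the two stores is the one made earlier about processors: the data you hand to a vendor is still your responsibility, so an erasure that only touches your own member list isn't finished. The suppression list handles the follow-on failure mode where an integration syncs the person straight back in a week later.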

Practicing what I preach

Security, safety, compliance, and privacy are all things that I take very seriously in what I do, and for the people I work with and the community I collaborate with. I love to share my learnings, findings and forever

I use a password manager, have 2FA on devices, use a VPN when on public wifi, and have genuine concern about where my data is online.

For community builders, sometimes the last thing you want to do is fill out a vendor checklist or justify security controls. But knowing what those checklists are for, and why your security or compliance teams are asking those questions, lets you fill them out better and faster, and helps keep your community safe.

My recommendation? Follow industry best practices, and when it comes to compliance, make sure you have someone available who understands your organization's specific legality and compliance requirements.

It's more than just good practice.

If you think security, safety, compliance, and privacy aren't worth investing in? Think again.

More and more users and organizations are doubling down on security and privacy and requiring this of all of their vendors. More people than ever before are getting online, and we've come to move even more of our lives online from ecommerce, to education.

There's been an explosion of online communities across a variety of industries. From groups organizing around healthcare, mutual aid, and even activism, there are more data points and potential vulnerabilities bouncing around the internet than at any other point in history.

Community builders have to do their part not only because it's a best practice, or because of increased enforcement of regulations — but rather because the fate of our online world depends on it.

Building healthy, sustainable communities requires we take security, safety, compliance, and privacy as an ongoing focus.