Security Best Practices
This document has basic guidelines and policies for information security procedures for Sister District Project.
The Sister District Project is a grassroots political startup. We organize our 45,000 volunteers across the country to build progressive power and capacity in order to win strategic state elections for Democrats. Our organization’s strength and ability to flip seats is in no small part due to the equal emphasis we place on people and technology. Ensuring the privacy, security and trust of our volunteers, partners, donors and the larger political community is integral to ensuring we maintain the integrity of our values and are leading in our approach to security and privacy.
Trust and integrity are integral to the success of Sister District Project and we are aware that our mission makes us a target. We are being targeted. We have seen brute force attacks on our website, phishing emails designed to procure sensitive information and offensive messages on a variety of our communication platforms. Our volunteers have been targeted by trolls. Several of our candidates have been the victims of Republican backed fake websites and posts from right wing trolls. We have seen organizations like the Women’s March and Indivisible have their credibility diminished by fake accounts and fake events. Republican politicians at the highest levels use their position to encourage attacks in our communities and specifically to attack Democratic organizations and leaders. We take each of these attacks, hacks and malicious activities seriously to understand how we can better keep our organization, all of our volunteers, partners and the broader political landscape safer with the ongoing work that we do.
Our credibility and integrity is essential to the work we do and to achieving our goals. Our success is not only dependent on the work we do as an organization but also is dependent on being a respected contributor to progressive change. If volunteer details are leaked or used for purposes outside of our mandate, then people will no longer trust in giving us their details. If we don’t protect the financial information of our donors, they will stop giving. If we can’t speak in a unified voice, they weaponize our words against us. If we don’t account for our volunteers in the field, then we lose the trust of our community.
Wheel of Trust
Volunteer Leader Protocols
Personal Digital Security:
The internet has an open architecture that makes it easy for anyone to access, publish and post content, send and receive emails. But, the internet can not distinguish good vs bad. Being mindful of your interactions on the internet and establishing best practices for keeping yourself safe is what helps keep Sister District safer.
Volunteer Leaders have access to data, tools and resources that are the property of Sister District and contain private details about volunteers and our organization. The following list of protocols is specifically for working with Sister District, and we encourage you to adopt and apply these best practices for all interactions online.
- Protect your email, username and password. These credentials are your keys to accessing software, applications and services on the internet.
- Use unique usernames and strong passwords. This will make it harder for someone to hack. It’s estimated that more than 80% of hacks are the result of weak passwords. A strong password is defined as a mix of upper and lowercase letters, more than 16 characters in length and contains at least one special character. Consider using a passphrase which is a sequence of words instead of using just one word.
- Use an identity and access management tool. These tools enable you to have a separate username password for each website, and remember the passwords for you. Some popular tools are: LastPass and One login. These store login credentials in a centralized vault, you access with one master password.
- Multi Factor Authentication (MFA) is an authentication method that confirms users identities by confirming their identity by 2 or more factors. Two Factor Authentication (2FA) is the most common. Users login via a laptop, then use a mobile device or security token to provide a second form of authentication. You don’t have to have an identity and access management tool to use MFA.
- Sharing login credentials and sensitive information. If you aren’t using an identity and access management solution, then use a one-time, self destructing note service like Privnote or Onetime Secret to safely share this information. Don’t use email or slack to share passwords.
- Note that these systems are designed to work across many different types of applications and services but they may not always work for every application out of the box. They require some patience to set up because there are many different standards and implementations of encrypting data.
Update all internet connected devices to the latest version. Software makers constantly release new versions to patch vulnerabilities in their software, and can be set to automatically update. Consider selecting the setting on your device that will make the update as soon as there is a new release. Here is a list of the most common devices that need updates
- Mac Update information
- PC/Windows Update Information
- Chromebook Update Information
- iPhone/iPad Operating Systems
- Android Operating Systems
- iPhone/iPad Applications
- Android Applications
Public wifi and free internet services can leave your devices vulnerable to attacks. Pay attention to the networks that you use when you connect to the internet. While it isn’t always possible to access via a secure connection, try to use a service from a well known wifi provider eg a Telco like AT&T or XFinity. Never share files or sign up for any service by giving out your email address or any other personal information on a public or free wifi service.
Be mindful and pay attention when sending and receiving emails. Scams involving email are rampant and are becoming very sophisticated. Email is a very effective tool for hackers because they utilize social engineering tactics to procure sensitive information. Social engineering is a type of attack that relies on human interaction and using these interactions to manipulate and deceive.
- Is this a legitimate email that you would expect to receive from this person or organization?
- Is the content of the email what you would expect to see?
- Does the branding look legitimate?
- Are the details in the email correct eg their address, phone number, copyright information
- Is there a legitimate reason for there to be a link or attachment to download in the email?
- Never use a link to login or give private information. Always go directly to the site and login.
- If you are not sure about the legitimacy of the link, there are free browser plugins that can scan the link for malware and viruses.
URL shorteners can obfuscate malware.
- If in doubt, delete the email.
Respect other people’s email addresses and their inboxes. Treat these as you would want your own email address and information treated. Seek people’s permission before adding them to any list, just as you would want anyone to do the same for you. If you are not sure or have any concerns, please forward the email or suspicious link to firstname.lastname@example.org.
Sister District Community Digital Security
Sister District uses various monitoring tools and software applications to keep our website and other digital platforms safe, but we can only monitor activity that passes through our servers. That means many interactions happen on a daily basis that can not be monitored.
We are a distributed organization and our brand serves as a powerful tool to help us build a voice that people know and trust. Speaking with a unified voice and using approved brand collateral makes it more difficult for hackers to spoof emails or create collateral in an attempt to deceive users and discredit Sister District.
- Sign ups should be done through the website at sisterdistrict.com/volunteer.
- Use only approved Sister District branding and be familiar with our branding guidelines.
- Never post private information like private physical addresses, private email addresses and personal details publicly eg for events like fundraisers or any event at a private home.
- Use a team email address for mass emails and when an email address is required publicly.
- Use the Sister District Project address
- If your team has a website, use SSL certificates and keep them updated. Make sure all forms on the site have Google reCaptcha enabled.
- Be mindful of who you follow and who follows you on Social Media platforms
- Are you actually following a real person or organization? Confirm they are really who they say they are before liking, following, re-tweeting etc.
- What is the tone of their interactions with other people online?
- Block any suspicious accounts from Sister District handles and personal handles
- Share any information about suspicious people and activity with District Captains on the District Captain Facebook Group.
- Report any suspicious behavior immediately to email@example.com
What do you do if you get hacked
- Don’t panic – this happens.
- Turning off your computer will not fix the problem.
- Alert us at Sister District – we can help to diagnose, evaluate and propose a course of action
- What we will do is disable your accounts so they can’t be furthered tampered with
- Validate that your machine has not been compromised, and help fix your machine
- Help you reset all your online passwords and help bring you back online
Sister District Real World Security
We exist today because we are willing to stand up and fight for democracy, to stand up for our rights and to protect the rights for all even as others seek to suppress those rights. What makes us unique at Sister District Project is that we are so much more than an email database. We do most of our work out in the real world, in communities across this country. Through this work we build real relationships which build trust and understanding between each other. Our email addresses, data, and digital footprint are a representation of ourselves in the real world. We encourage all our District Captains to treat the digital privacy and security of their volunteers the same way you would treat your own – with care and responsibility.
Trolls and Bots on Social Media
What is a troll?
A troll is someone who deliberately provokes you and your followers on social media. Their goal is gain attention by saying mean, angry, and inflammatory things to upset you and your followers. They are NOT people who are simply frustrated or confused, and are looking for genuine resolution.
What is a bot?
Bots are automated programs, not real people. However, they may generate posts and other content that looks very similar to real content – especially content that mimics real life trolls. For this reason they can be difficult to distinguish, but a little savvy sleuthing usually quickly reveals whether or not it’s a real person.
It’s important to note that not all bots are bad! There are bots that give weather updates, answer common questions, post sports scores, or tweet edits made to Wikipedia from IP addresses in Congress. As with any technology, a bot is not inherently bad or good – it’s how humans use and interact with the technology that determines its worth.
How to identify bots
There is no surefire way to identify a bot, but common sense goes a long way. When reviewing their social media account, ask yourself:
- Do they have a picture that looks genuine and like it should match someone of their profile? Or, is it:
- Blurry / low quality with no people in it
- Suspiciously similar to a stock photo
- Of a different age / gender / demographic than the rest of the profile
- Of a person, but their face and other identifying information are obscured
- Can you find the origin of their profile pic using a reverse image search?
- Do they post at strange times for their alleged time zone?
- Do they post a LOT, every day (every few minutes)?
- Is their spelling / grammar / sentence formation not quite right?
- Note that this shouldn’t be confused with someone for whom English is a second language. People trying to communicate in a second language may make a grammatical error, but it’s usually clear what their genuine intent is. Errors made by a bot are usually nonsensical and fragmented.
- Do they have other social media accounts and a digital footprint that match?
- This can be a key way to identify a bot from a troll. A troll is a real person (albeit, a mean person). Trolls may even have perfectly respectable day jobs and social lives – a bot does not.
- If it is a bot, please take the time to report it! This helps the entire ecosystem. See below for instructions.
How to respond to trolls
Once you’ve determined that you’re dealing with a troll and not a bot, it’s time to find a solution. Trolls are real people, and they should be handled differently from bots (although it can be difficult to tell the difference). The key thing to remember is: a troll is out to make you angry, so if you respond with anger it will only feed them.
At Sister District, many of our volunteer teams have private Facebook groups and pages for their teams. If a troll gets onto your private page or group, feel free to immediately ban them and delete the comment.
But on a public page or post, deleting comments (however unkind) can sometimes look like you are trying to “cover up” something negative. On public Facebook or Instagram pages and posts, we recommend simply replying to the comment and explaining that it violates the Sister District Code of Conduct, so you are removing their commenting privileges. If the comment is bad enough that it also violates the platform’s Terms of Service, report the account user to the platform as well.
How to report bots
We strongly encourage you to flag and report bots to the relevant social media platform. It may feel futile, but it’s critical that we do our part to combat the influence of nefarious bots on our elections and public discourse. Most social media platforms have made it easier to flag or report users – it’s typically done by going directly to the user’s account. However, processes change quickly so do a quick Help Desk search for the most up-to-date guidelines on how to report a suspected bot.