What do community builders need to know about security?

Several intrinsic contracts happen within the world of community building. Communities often bring a lot of good to people’s lives and tend to come with an exchange of information, shared knowledge, and data.

As a community builder —  you are in a position of trust to ensure that the community you’re working with remains safe, healthy and trusted for time to come.
In order to retain trust within the community — the community industry as a whole should make sure to take a stand for security, safety, compliance, and privacy.

If we don't — community builders could bring havoc and even potentially physical, financial, and/or legal harm to our community members. 

But what do these steps even mean within the context of community building?

Practical advice and implementation haven’t always kept up with the status quo. And, like many other things when they hit the mainstream lexicon — these topics are also now more susceptible to hype, jargon and technical brouhaha that may not be present otherwise. 

Have no fear — we’re going to break it down plain and simple, and provide a no BS way to getting your footing (and keeping you and your community safe).

When we talk about security, safety, compliance, and privacy — at the end of the day, it comes down to trust. 

• Who is trusting you with information? 
• Who are you trusting with your information?
• Whose trust are you risking when you share information? 
• Why should someone trust you?

So what do these terms mean?

Before we dive into the how we keep our community safe — it’s important to dive into the what and why as well.

What exactly do all these terms mean?

• Safety means that there is no harm (mental or physical) that can be caused to the person.
• Security is the act of protection from harm to the individual, and measures that are put into place to protect someone from harm.
• Privacy is the notion that one can withhold information or details for comfort or safety.
• Compliance is in regards to the laws or regulations that enforce measures in a given market for either civilian or consumer protection — and companies are forced to implement security or legal measures to comply.

It’s easy to conflate these terms and use them interchangeably, but by getting into specifics, we can provide direct solutions to each of the above rather than vague generalizations. For example, creating a safe and secure community is essential — and while a community may appear very safe at first and appears not to need guidelines or moderation, this does not make it secure with proper protection measures keeping a community safe. Using the specific terms allows us to break down just how we're healthily building these communities.

Who is trusting you with information?

Every time we communicate with someone, we learn more about them.  It can be as innocuous as simply knowing they have a cat — or something as complex as their deepest darkest secrets.

The fact of the matter is — whether it seems silly or serious, it’s important to keep whatever someone has trusted you with safe and secure. And not just because someone doesn’t want their dirty laundry aired out with the community — but because of compliance and security.

In recent years, both market forces and a barrage of (rightly so) fired-up activists and legislators around the globe passed a series of laws dictating what and how companies can and cannot use your data, specifically personal identifiable information (PII).

PII, which are enforced by laws we’ll dive into later, is data that may directly or indirectly identify a natural person. This could be someone’s name, contact info, purchase habits and preferences, location, contacts, and a barrage of similar data that would make someone find-able on the web.

As community builders — this is the type of data that we use on a day-to-day basis to foster connections or understanding within a community. However, it is more important than ever to think through how this is being stored and shared — with legal enforcement on the line we need to be honest about how this is progressing.

GDPR, CCPA, and Trust

In 2018 — you probably received a barrage of emails in regards to two laws passed — one in Europe known as GDPR or the General Data Protection Regulation and one in California titled CCPA or the California Consumer’s Privacy Act.

These policies started putting in strict enforcement for companies and organizations to not only tell you how they’re planning to use your information, but have you explicitly consent to how they are going to use it, and do so in layman’s terms among other increased protections for users including a user’s right to be forgotten.

While the laws have different nuances and enforcement tactics, they have started to outline and guide companies and organizations on how your data is used and what protections users have about it. That’s right — users often implicitly trust you to protect their data and keep it safe.

And if users aren’t implicitly trusting you — they may be explicitly trusting you. Many organizations require that their vendors comply with these laws and regulations.

💡 Think about it: How do you approach compliance in your community?‍

• Are users opting into receiving alerts or notifications from you?
• Are you telling them in plain language what you’re using their info for?
• Are you providing a way for users to opt-out or honoring their right to be forgotten?
• Are you keeping personally identifiable information secure and not sharing this in public spaces?
• Are you notifying your community about the vendors you use, i.e. data-subprocessors?
• Do your users know how to modify, correct, or erase their data from your platform? is that info easily available on your website or emails?

Privacy, Identity, and Trust

While legal trust is what is typically enforced, community builders often are faced with different privacy and identity issues as well. 

The internet is an amazing place, and many folks have found communities or places where they belong online, where they might not belong in the offline world. This means that community members may use an alias or an alternate identity when navigating certain spaces.

Certain communities may also be discussing more sensitive or delicate topics as well, where someone might not be comfortable talking about it publicly.

Community builders at times will be privy to information that would reveal these aliases, or come across sensitive conversations that are happening within these communities. It is of utmost importance and safety that members do not have their identity or other personally identifiable information revealed without explicit consent.

💡 Think about it: How are you thinking about privacy, identity, and trust?

• How do I address my community members? Am I giving them a space to tell me how they would like to be addressed?
• How do I interact with members in private channels or in public spaces? How might these differ? Should they differ for the protection of members?
• How are issues elevated within the community? Is there a space to report issues anonymously? How are claims of harassment or abuse addressed?

Who are you trusting with information?

Every login, Slack message, tweet, photo, discord message, text, NFT, and even dare I say courier pigeon gives away a little bit more about ourselves. From the words that we use to communicate to how we communicate about them.

But what about all the little steps in between?  Who else might have our information (and the information of our community members)?

In the rise of community, we’ve seen a rise of community tools as well — everyone is trying to find a new way to improve the day-to-day grind. This makes us (and subsequently our community’s data) a prime subject for anyone seeking to maliciously use our data.

We often overlook all the third-party apps and tools that we use to help us on our journey to build better communities. As community folks - we must be vigilant in the different tools we use, how we use them, and what access they have to not only our data but our community’s data.

Set up safeguards for yourself or if you’ve got one, chat with your compliance and security team, they often have deeper knowledge and insight into what’s happening in these spaces.

💡 Think about it: How are you protecting yourself and your community’s data?

• Do you use 2FA (2 Factor Authentication) or SSO (Single Secure Sign-On) with your logins? 
• Do you change passwords regularly and use a password manager or other secure way of saving them? 
• How do you store logins and passwords? Who has access to this? 
• Are you sharing logins across a team? How? Who has access to them?
• What apps or tools do you use in your community? What do they have access to? Are these organizations GDPR / CCPA compliant?

Whose trust are you risking when you share information?

As a community builder — oftentimes you are a sort of treasure trove of knowledge about your community. Birthdays, celebrations, career milestones, and other opportunities all come to mind as that top-of-mind data that you get when you’re building community.

Add this on top of any information you might be privy to based on your role in your organization as well. Community builders have a lot of knowledge bouncing around in their brains.

Every time that you share even things that seem innocuous - or share something via a private message, you open yourself up to further vulnerabilities. 

A rule I’ve taken from the journalism world: don’t conduct yourself in a manner or share information that you’d be embarrassed to see on the front page of the New York Times.

It’s quick to have the perception of trust and privacy online — platforms tell us these details are secret, trusted, and safe, but are they really?

DMs, Slack messages, and private conversations held in public spaces — you’re merely a screenshot or recording away from it being exposed to the world. Be conscious of what you’re sharing with whom, and who is at risk when information leaks.

💡 Think about it: How do you treat sensitive information?

• Who are you sharing information with? Why? How is this being shared? 
• Where might things be written down? 
• Who is most at risk of information being shared?
• What vulnerabilities does your organization have? What vulnerabilities do your community members have?

Why should someone trust you?

We’ve spent a lot of time diving into all the different ways that we should investigate our own behavior and set up safeguards within our own practices and for our own community — but how are we communicating how we should be trusted and the community and products that we work with can be trusted.

Security, safety, compliance, and privacy are no longer a nice-to-have, but a need-to-have. Aside from the 6-figure monetary fines that can happen if your practices aren’t compliant — users are now more aware of data best practices and more likely to participate in communities that are trusted.

It starts with transparency – share what you’re up to, what you’re doing, and how you’re doing it. Then, follow through. Do what you say you’re going to do.

These actions of trust start on a small scale. Be human, be transparent, share what you know and what you don’t know.  Provide ways for folks to learn more or reach out.  Make yourself available for questions. If you can’t answer the questions — find someone on your team who can.

Trust doesn’t happen overnight, how your community carries itself and the smaller interactions and intricacies within your community are important in creating an environment where trust is the norm.

💡Think about it: How do you actively foster trust in your organization?

• How are you disclosing updates, policy changes, and keeping people in the know?
• How are you answering or addressing questions that the community might have? 
• What best practices do you have internally? Externally? How are these communicated?

Understanding the role a tool plays within an organization.

In community building — you’re likely to encounter two different types of entities as categorized by GDPR; Data Controllers and Data Processors. While it seems a bit semantic, it’s important to understand how these types of entities differ and what risks you’re putting your community at with each.

‍Data Controllers are a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.

Put simply — data controllers determine why data is needed, how that data is used, and processed.

‍Data Processors are a legal or a natural person, agency, public authority, or any other body who processes personal data on behalf of a data controller.

Orbit falls under the class of being a data processor, as with tools like certain payment gateways, Google Analytics, or other metrics/measurement software.

Be mindful and seek clarity from your security team on what tools you’re using and gain clarification if it is a data controller or data processor. For context — PayPal is both a data controller and a data processor depending on how it is being used. Also note where your data is being stored — different precedents exist between different countries as far as data sovereignty goes.

It is important to keep in mind — wherever your community data is coming from, that people have consented and opted into communications with you. This can be more implicit like a follow on Twitter, or more explicit through a sign-up form or registration.

Putting things into action

As a community builder (and possibly a community builder that is using Orbit) we should make sure that the following are not just something that we think about, but also something that we act on as well.

Private things stay private

As a community builder, it’s important to make sure private things stay private. From your logins, conversations, to the community data itself — even something as seemingly innocent and innocuous as a screenshot, or even sharing a password with a coworker without the right security precautions can lead to data breaches and leaks.

You’re in a position of trust (and possibly liability) if something were to get out.‍

Add in the extra layer of security ‍

You’ve likely heard this before — but password managers are your friend.  Use a password manager AND multi-factor authentication (MFA) or Single Sign-On (SSO) in order to make sure even if someone DOES get your password, you’re still good to go. Change your passwords on a regular basis and don’t share them with others.

Be mindful of third-party integrations, plugins, or tools

Anytime that you add an integration, software, or additional tool — you make yourself (and your organization, teammates, and members) more open to vulnerabilities.

At Orbit — before using any new tool, we have a security checklist that is completed and filled out — that is run by our security team in order to make sure everything is secure and we’re not putting our members at risk by using it. It’s important to really read those terms and conditions (like really read them) and what you’re giving them access to read and to do. Many seemingly benevolent apps actually can have very perilous implications. Talk to your team and see if they have a security checklist in place — if they don’t, talk to your team about making one.

Orbit-specific safety precautions

Securely sharing reports

We get that you need to share reports and what’s happening in the community with team members, your boss, or potentially other stakeholders. Putting in the right safeguards and using secure links, instead of screenshots to information can make sure that when sharing reports can help keep your community safe.

How to share reports in Orbit

1. Navigate to the reports page and select the report or figure you want to share
2. ‍Click on the reports page to get a detailed view of that figure
3. Copy and paste the link to share the report, or click the download icon to download the report to share

Honoring GDPR Requests

Have you received a GDPR request such as a right to be forgotten notice? This isn’t something to shirk at, if not handled correctly, you could be liable to the tune of fines in the hundreds of thousands of dollars and other legal headaches. Contact your security team and make sure that you are documenting notices and actioning on them appropriately,

Deleting + Blocklisting members within Orbit

Sometimes you need to delete or even blacklist a member within the community. Here’s how to ensure that you can effectively do so when you receive the information to “opt-out” someone from all communications.

1. Notify your security team ASAP when you receive the notification — they can help you navigate this matter properly for safety + security matters. Don’t have a security team? Tell your point of contact for HR or legal matters. It’s important that these are actioned with the right priorities.‍
2. Remove the member from your Orbit workspace. Do this by navigating to the member’s profile and clicking on delete on the lower right-hand side of the profile by the member’s page.
3. When deleting a member — make sure to check that they are blocked as well. Ask the member for all relevant social handles and email contact info — remember that they do not have to give it to you. However, it does make this process easier to ensure they have been removed. Members can be unblocked manually within Orbit — but do not do this if it’s a GDPR-related request without the explicit permission of the individual who made the request.

Practicing what we preach

‍Security, safety, compliance, and privacy are all things that we take very seriously at Orbit, not only for the folks who use our product but for the people we work with and the community we collaborate with. We love to practice just as much as we preach.

On top of constantly analyzing our own security, we also require industry best practices internally, including mandatory SSO and 2FA on devices, frequent security reviews, and being extremely mindful of how we handle sensitive data in all contexts. Our team is SOC2 Compliant and upholds industry standards for compliance as well. (Curious to get into details? contact our security team)

For community builders, sometimes the last thing you want to do is fill out a vendor checklist or justify security controls — But knowing what those checklists are for and knowing why your security or compliance teams are asking those questions lets you fill them out better, faster, and helps keep your community safe.

My recommendation? Follow industry best practices, and when it comes to compliance, make sure you have someone available who understands your organization's specific legality and compliance requirements (thanks, Jindrich!). 

‍It’s more than just good practice.‍

If you think security, safety, compliance, and privacy aren’t worth investing in? Think again.

More and more users and organizations are doubling down on security and privacy and requiring this of all of their vendors. More people than ever before are getting online, and we’ve come to move even more of our lives online from ecommerce, to education.

We also saw an explosion of online communities across a variety of industries.  From groups organizing around healthcare, mutual-aid, and even activism, there are more data points and potential vulnerabilities bouncing around the internet than at any other point in history. 

Community builders have to do their part not only because it’s a best practice or because of increased enforcement of regulations — but rather because the fate of our online world depends on it.

Building healthy communities requires we take security, safety, compliance, and privacy as an ongoing focus.