Digital security as organizing practice

The movement is being watched. This is not paranoia — it is the operating environment. The question facing every organizing group is not whether to take security seriously. It is whether to build it into the movement's DNA before it's needed, or to scramble after something goes wrong.

In April 2025, Attorney General Pam Bondi rescinded the Justice Department's longstanding policy protecting journalists from subpoenas, clearing the way for federal prosecutors to demand records from news organizations and their service providers. In January 2026, FBI agents executed a search warrant at the home of a Washington Post reporter. The message was explicit: the government will use legal process to identify and expose people it considers threats, and the protections that once constrained that process have been removed.

Journalists are not the only targets. Organizers, activists, and the organizations they build are equally exposed — often more so, because they have fewer legal resources and less institutional protection. The question facing every group working to build the pro-democracy movement is not whether to take security seriously. It is whether to build security into the movement's DNA before it's needed, or to scramble to address it after something goes wrong.

The answer is before. But security done badly — as a checklist distributed at the beginning of a training and never integrated into how the organization actually works — is almost as dangerous as no security at all. What the movement needs is not a security checklist. It is a security culture.

The threat model

Security decisions start with understanding who you're protecting against and what they're after. This is called threat modeling, and it sounds more technical than it is. It's simply the practice of asking: what do we have that someone would want, who would want it, and what could they do to get it?

For a U.S. pro-democracy organization operating in 2026, the realistic threat landscape includes:

Legal process. Subpoenas, search warrants, and National Security Letters can compel organizations and their service providers to hand over data. This is not theoretical. The DOJ has demonstrated its willingness to use these tools against journalists; organizers should assume they are also in scope. What makes legal process particularly dangerous is that it reaches not just what you hold, but what your vendors hold — your email provider, your CRM, your messaging platform.

Platform exposure. Every piece of organizing data stored on a commercial platform is subject to that platform's policies and legal obligations. When law enforcement requests data from Google, Meta, or a major CRM provider, those companies generally comply. Your contact lists, your message history, your event attendee records — all of it is accessible if the government asks for it and the platform cooperates.

Infiltration and social engineering. Historically, the most effective attacks on social movements have come not from technical exploits but from human ones — informants, infiltrators, and people who misrepresent their intentions to gain access to sensitive information. Technical security cannot fully protect against this, but organizational security culture can limit how much damage any single compromise can do.

Data breaches. Organizations that collect and store large amounts of personal data — contact databases, donor records, volunteer lists — are targets for theft as well as legal demands. A breach that exposes your members' information is a serious harm to those people and a potentially devastating blow to organizational trust.

The good news is that the most effective security practices address all of these threats simultaneously, and they are not as technically demanding as most people fear.

The most important security principle: don't collect what you don't need

The data that causes you the most legal and security risk is data you've already collected. The most powerful security practice available to most organizations costs nothing and requires no technical expertise: collect less.

General Strike US has built this principle into the architecture of their Strike Card program. They explicitly limit personally identifiable information to name and phone number — not address, not employer, not income, not political affiliation. Their reasoning is direct: they consulted with labor lawyers to develop a subpoena policy, and they've structured their data collection around the assumption that the government may one day demand their records. By minimizing what they hold, they limit what can be seized.

This is called data minimization, and it should be the first question any organizing group asks when designing a new program, tool, or database: do we actually need this information? If someone doesn't need to know a volunteer's home address to assign them to a phone bank, don't collect it. If a petition doesn't need to capture occupation to serve its purpose, remove the field. If meeting notes don't need to name the people present, don't include names.

The principle extends to retention. Data you no longer need is data that can still be subpoenaed, stolen, or leaked. Organizations should establish and practice data retention policies: how long do we keep contact records for people who never engaged further? How long do we keep communications records? The answer doesn't need to be "forever."
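Data minimization and retention applied to a contact export, as an added example that is not code from this article or from General Strike US. The field names, the 365-day window, and the sample rows are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Assumption: name and phone are the only personal fields worth keeping,
# mirroring the limit described above. last_engaged is kept only so the
# retention rule can be evaluated again on the next run.
ALLOWED_FIELDS = ("name", "phone", "last_engaged")

# Assumption: hypothetical retention window for contacts who never engaged again.
RETENTION = timedelta(days=365)

# Constructed sample export; these people and numbers are not real.
SAMPLE_EXPORT = """name,phone,address,employer,last_engaged
Ana Ruiz,555-0101,12 Elm St,Acme Corp,2026-01-15
Ben Okafor,555-0102,9 Oak Ave,,2024-03-02
Chi Tran,555-0103,,City Schools,
"""


def minimize_and_expire(export_text, today, retention=RETENTION):
    """Return (kept_rows, purged_count) for a CSV export.

    Kept rows contain only ALLOWED_FIELDS. A row is purged when its last
    engagement is older than the retention window, or when the date is
    missing or unparseable, so undated records are not kept forever.
    """
    kept, purged = [], 0
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = (row.get("last_engaged") or "").strip()
        try:
            last = date.fromisoformat(raw)
        except ValueError:
            last = None
        if last is None or today - last > retention:
            purged += 1
            continue
        kept.append({f: (row.get(f) or "").strip() for f in ALLOWED_FIELDS})
    return kept, purged


if __name__ == "__main__":
    rows, dropped = minimize_and_expire(SAMPLE_EXPORT, date.today())
    print(f"kept {len(rows)} record(s), purged {dropped}")
```

Purging the working file does not remove copies held in backups or by the vendor the export came from, so the same rule has to be applied there.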

Tiered security: not everything needs the same level of protection

One reason security culture fails in most organizations is that it's presented as binary — either you're secure or you're not — which makes the whole enterprise feel overwhelming. The more useful frame is tiered: different information requires different levels of protection, and the goal is to match the protection to the sensitivity.

Think about it in three tiers:

Public information — anything the organization intends to make publicly available, including public statements, event announcements, published materials, and general organizational information. This needs basic security hygiene (strong passwords, two-factor authentication on publishing accounts) but doesn't require encrypted communications.

Organizational information — internal communications, member databases, financial records, volunteer lists, meeting notes, strategy documents. This is the layer that most organizations leave underprotected. It doesn't need to be treated with the same care as highly sensitive information, but it absolutely should not live unprotected in personal Gmail inboxes or shared Google Drives with broad access permissions. Use organizational email rather than personal accounts, limit access to databases on a need-to-know basis, and use strong passwords and two-factor authentication everywhere.

Sensitive information — anything that could put individuals at risk if disclosed: the identity of undocumented participants, whistleblower communications, direct action plans, information about people who are targets of surveillance or harassment. This tier requires genuinely secure communications tools and practices. It should be shared only with people who need to know it, and ideally not retained in writing at all.

Most organizations over-protect their public information and under-protect their organizational information. The goal is to get the match right.

Secure communication tools: what to use and when

The most important communication security tool for organizers is Signal. Signal is an end-to-end encrypted messaging app that encrypts the contents of messages so that only the sender and recipient can read them — not Signal, not your phone carrier, not the government. It also retains very little metadata about who you communicate with.

Signal should be the default for any organizational conversation that rises above the tier of fully public information. Set it as the standard for your team's internal communications. Not because every conversation is sensitive, but because making it the default means you don't have to make a judgment call about which conversations to protect.

A few important Signal practices:

  • Enable disappearing messages for sensitive conversations. For a direct action, set messages to disappear within an hour or a day. For general organizing conversations, a week or a month is reasonable. Messages that no longer exist cannot be subpoenaed.
  • Use it for calls as well as messages. Signal's voice and video calls are also encrypted.
  • Don't use it as a substitute for organizational security. Signal protects message content, but it doesn't protect you if the person you're talking to is an informant or has their phone physically seized.

What about WhatsApp? WhatsApp uses Signal's encryption protocol, so the contents of messages are secure. But Meta — WhatsApp's owner — collects extensive metadata about who you communicate with, how often, and what groups you're in. In 2024, Meta complied with 78% of government data requests. The content of your messages is protected; your social graph is not. If the people you're organizing with are unlikely to move to Signal, WhatsApp is significantly better than regular SMS or Facebook Messenger — but it is not a full substitute for Signal for sensitive work.

Email. Standard email is not secure. It passes through multiple servers, is stored by your provider, and is accessible to law enforcement with a subpoena. For sensitive communications, use ProtonMail — an end-to-end encrypted email service based in Switzerland. Critically, ProtonMail's encryption only protects messages between ProtonMail users. Sending a ProtonMail message to a Gmail address is not encrypted end-to-end. For truly sensitive email, both parties need to use ProtonMail or a compatible encrypted email tool.

For documents and files. Google Docs and Microsoft 365 are convenient, but they store your data on servers that are subject to legal requests. For highly sensitive documents, consider CryptPad — an encrypted, open-source alternative to Google Docs that cannot hand over your data because it cannot read it. For less sensitive organizational documents, the more important practice is access control: limit who can view and edit documents, don't leave broad sharing permissions open indefinitely, and remove access when people leave the organization.

Password management. Weak passwords and password reuse are responsible for a significant share of organizational security breaches. Every person in your organization should use a password manager — Bitwarden (open-source, free for individuals) or 1Password are the most widely recommended options. Every account should have a unique, strong password. Every account that supports it should have two-factor authentication enabled.

The subpoena problem and what General Strike US got right

The General Strike US subpoena policy is worth examining in detail, because it represents exactly the kind of organizational security thinking that most groups don't do.

Their position is transparent and public: they collect only name and phone number, they store it encrypted, they have consulted with labor lawyers, and they have a published policy explaining what they will do if the government demands their data — including notifying Strike Card signers before complying. They also offer mail-in and in-person alternatives for people who don't want to submit information digitally at all.

This is security as organizing practice. It's not just a technical configuration — it's an organizational commitment made visible to the people who need to trust the organization with their information. It answers the question that every potential member implicitly asks: what happens to my information if things go wrong?

Every organizing group should be able to answer that question. If you can't answer it, that's a gap worth closing.

The practical questions to work through:

  • What data do we hold about our members and participants?
  • Where is it stored, and who has access?
  • What would happen if we received a subpoena for it?
  • What would we tell the people affected?
  • What can we do now to minimize the risk?

Organizational security culture vs. individual security checklists

The reason most security training fails is that it treats security as a set of individual behaviors rather than an organizational culture. You can train every person in your organization on Signal, password managers, and data minimization — and six months later, most of them will have drifted back to their habits, because the organization's systems and norms haven't changed.

Security culture means security is built into how the organization operates, not added as an individual responsibility on top of everything else.

Some practical markers of security culture:

Organizational defaults, not individual choices. Your organization uses Signal for internal communications, not because people remember to use it, but because that's what the team channel is. Your shared documents have controlled access, not because individuals think to restrict them, but because that's how your shared drive is configured. Defaults are more reliable than decisions.

Least privilege access. People should have access to the information they need to do their work, and not more. A volunteer coordinator doesn't need access to the full financial database. A regional organizer doesn't need access to the contact records for every chapter nationally. This isn't distrust — it's limiting the blast radius of any single compromise.

Offboarding protocols. When someone leaves your organization — for any reason — their access to organizational systems should be revoked promptly. Dormant accounts with active credentials are a common security vulnerability.

Regular review. Once a year, someone should review who has access to what, whether all current tools are still appropriate, and whether there's information being retained that no longer needs to be. This doesn't need to be a technical audit — it can be a two-hour organizational review.

Security fatigue is real. The organizations with the strongest security cultures are the ones that have made security the path of least resistance, not the ones that have made the strongest demands on individual behavior. If your security practices require heroic ongoing effort from every member, they will fail. The goal is sustainable habits.
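The least-privilege, offboarding, and regular-review markers above can be checked together by reconciling a staff roster against the access grants exported from each system. This is an added example, not code from the article; the roles, resource names, people, and dates are constructed assumptions.

```python
from datetime import date

# Assumption: hypothetical map of what each role needs to do its work.
ROLE_ALLOWS = {
    "volunteer_coordinator": {"volunteer_list", "team_chat"},
    "regional_organizer": {"chapter_contacts_west", "team_chat"},
    "treasurer": {"financial_db", "team_chat"},
}

# Constructed roster: person -> (role, date they left, or None if active).
ROSTER = {
    "dana": ("volunteer_coordinator", None),
    "eli": ("regional_organizer", None),
    "fay": ("treasurer", date(2025, 11, 30)),
}

# Constructed grants as (person, resource), as exported from each system.
GRANTS = [
    ("dana", "volunteer_list"), ("dana", "financial_db"),
    ("eli", "chapter_contacts_west"), ("eli", "chapter_contacts_east"),
    ("fay", "financial_db"), ("gus", "team_chat"),
]


def review_access(roster, grants, role_allows):
    """Return sorted (person, resource, finding) tuples that need action."""
    findings = []
    for person, resource in grants:
        if person not in roster:
            # Account nobody can vouch for: often a forgotten or shared login.
            findings.append((person, resource, "not on roster"))
            continue
        role, departed = roster[person]
        if departed is not None:
            # Offboarding gap: the person left but the credential still works.
            findings.append((person, resource, "departed, revoke"))
        elif resource not in role_allows.get(role, set()):
            # Least-privilege gap: access beyond what the role needs.
            findings.append((person, resource, "exceeds role"))
    return sorted(findings)


if __name__ == "__main__":
    for person, resource, finding in review_access(ROSTER, GRANTS, ROLE_ALLOWS):
        print(f"{person:5} {resource:22} {finding}")
```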

Where to start

If your organization is starting from scratch on security, here is a prioritized sequence:

First, do these immediately: Enable two-factor authentication on every organizational account. Set Signal as your team's default communication channel. Make sure everyone uses a password manager. These three steps take less than an hour and close the most common vulnerabilities.

Second, do these this month: Audit what data you're collecting and where it's stored. Implement access controls on your databases and shared documents — not everyone needs access to everything. Establish a data retention policy: decide how long you keep different categories of information and stick to it.

Third, do these this quarter: Develop an incident response plan — what do you do if you receive a subpoena, if someone's account is compromised, if a member's data is exposed? Run a tabletop exercise where you talk through a scenario. Brief your board or leadership on your security posture. Make sure people who handle sensitive information have received basic security training.

Resources that go deeper: The Freedom of the Press Foundation's digital security guides are written for journalists but directly applicable to organizers. The Electronic Frontier Foundation's Surveillance Self-Defense (ssd.eff.org) is a comprehensive, accessible reference. Activistchecklist.org offers a prioritized, practical guide specifically for activists and organizers. Access Now runs a 24/7 Digital Security Helpline (accessnow.org/help) that provides direct support to civil society organizations facing threats.


The movement cannot afford to treat security as someone else's problem, or as a technical specialty that requires a specialist, or as something to address after something goes wrong. The infrastructure of the movement — its contact databases, its communication channels, its relationships, its institutional knowledge — is exactly what hostile actors want access to. Protecting it is not a distraction from organizing. It is organizing.

The DOJ has made clear it will use every legal tool available to identify and expose people it considers threats to the current order. The movement's response is not to go dark or go silent — public organizing, public protest, and public advocacy are not only legal but essential. The response is to be deliberate about what information exists, where it lives, who can access it, and how it is protected. To make security a practice, not a policy. To build it into the movement before the movement needs it.

Because by the time you need it, it will be too late to build it.