#InteropWithHer: 8 Campaign Season Security Tips from Your Friends at OSDI

August 18, 2016

We came to Philadelphia, we have our nominee, the GOP is in disarray – now is the time for progressive technologists to consolidate gains as we close in on the general election.

Congratulations to Hillary for America and each one of you who helped make Secretary Clinton’s historic nomination possible. Bernie supporters, too, get a shout out for helping create the most progressive platform in the history of the Democratic Party. Let’s make sure new tools we build this cycle are more reusable by having standardized connectors with OSDI.

The next phase of this election is critical – and even more prone to risk. We’ve already seen multiple security breaches and hacks threaten our efforts, and as campaigns of all sizes scale up and get into the field, the risk of data loss or sabotage increases. Don’t be that campaign manager who loses a phone without a security PIN code and freaks everybody out!

Solid IT security practices will help your campaign make the most of volunteer energy and the scale that comes with the final drive to election day.

Because we’re stronger together, OSDI members have collected our top field security tips for campaign technologists:

Make IT policy real. All new employees or volunteers who have access to campaign systems like websites, VAN, PDI, Organizer, etc. must sign an IT policy form. You can find online templates for security and internet policies from CSO here. ~ Josh Cohen, chair of OSDI

2FA all the things! “2FA” stands for two-factor authentication. It means that when you try to make changes on your campaign Stripe bank account, for example, you’ll get a code by text message that allows you to proceed. You can read all you ever wanted to know about 2FA here at Lifehacker. And do it for all mission-critical software. ~ Jason Rosenbaum, CTO at online organizing toolkit Action Network.
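To show what a second factor actually is, here is an added example; it is not code from this post, from OSDI or from Action Network. It is a time-based one-time password (TOTP, RFC 6238) generator and verifier of the kind that sits behind an authenticator app and the server that checks it. The tip above describes codes delivered by text message; this goes one step further to the app-based variant, where the phone computes the code from a shared secret and no message has to travel over the phone network. The account and issuer names used in the otpauth URI are made up.

```python
"""Added example, not from the OSDI post: TOTP (RFC 6238) issue and verify."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret; 20 bytes is the size RFC 4226 recommends."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from a QR code.
    (The issuer/account names passed in below are hypothetical.)"""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits=6&period=30")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so phone and server agree without talking."""
    return hotp(secret, at // step, digits)


def match_totp(secret, code, at, step=30, digits=6, window=1):
    """Return the time-step counter the code matches, or None.

    A window of one step either side tolerates a little clock skew on the
    phone.  The comparison is constant-time so the server leaks nothing about
    the correct code through response timing."""
    if len(code) != digits or not code.isdigit():
        return None
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


class TotpVerifier:
    """Per-user verification that also refuses to accept the same code twice.

    Without the replay check, a code read over someone's shoulder (or off a
    lock-screen notification) stays usable for the whole skew window."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.last_counter = -1   # highest counter already consumed

    def verify(self, code: str, at=None) -> bool:
        at = int(time.time()) if at is None else at
        counter = match_totp(self.secret, code, at, self.step, self.digits)
        if counter is None or counter <= self.last_counter:
            return False          # wrong code, or a replay of an accepted one
        self.last_counter = counter
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B reference secret, so the output can be checked against the RFC.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))        # 94287082 per RFC 6238
    # Enrolment for a hypothetical staffer: show the QR-code URI, then verify.
    secret = new_secret()
    print(provisioning_uri(secret, "field.director@example-campaign.org", "ExampleCampaign"))
    verifier = TotpVerifier(secret)
    now = int(time.time())
    print(verifier.verify(totp(secret, now), now))   # True, first use
    print(verifier.verify(totp(secret, now), now))   # False, replayed
```

The two things that matter on the server side are the constant-time comparison and the replay check: a six-digit code that has already been accepted must not be accepted again inside the same window, even though it is still "valid" by the clock. Run stand-alone, the script prints the RFC 6238 reference value so the implementation can be checked against the RFC's own table.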

Password-protect important documents before sharing them. It’s dead simple to forward an email full of campaign plans. Make it a bit more difficult for the wrong party to pick up your secrets by encrypting and password-protecting documents. Check out the guide for Microsoft products such as Excel spreadsheets here and for Adobe PDFs here. ~ Chris Nichols, president of phone append vendor Accurate Append.

Would you want your mother to read this on the front page of The Times? Recent email dumps have reminded us that if you wouldn’t want it read on the news or going viral on Facebook, don’t say it/write it in an email. That goes for Slack chats, too. ~ Adriel Hampton, CEO at The Adriel Hampton Group

Lock up the keys. Use a tool like Meldium for password sharing within the campaign. ~ Seth Bannon, CEO at digital organizing software provider Amicus. Store passwords securely in a vault like KeePass or Password Safe. Use your password storage app to generate strong passwords that you don’t have to remember or even see. ~ Mark Paquette, President of nonprofit software provider The Data Bank. Check out LastPass.com as well for password generation and storage. ~ Joe McLaughlin, data geek at Citizen Action of New York

Use encryption. Without encryption, usernames, passwords, survey data, voter data etc. travel in plain text. When data travels in plain text, it is easy for anyone on the network to read it. All volunteer sign-ups and membership sign-ups must be over https. Campaign websites must be served over https. Internet Security Research Group now gives free SSL certificates. There is no reason for campaign websites to be available without encryption. In addition, all data flow between the different IT components of the campaign, like website to CRM, CRM to phone dialers, canvassing apps to CRM etc., must flow through an encrypted channel as well. Campaigns should avoid using software that does not provide an encrypted communication channel. ~ Augustus Franklin, founder of telephony provider CallHub
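Getting a certificate is the easy half; the site also has to refuse to answer over plain HTTP. As an added example, not code from this post, from OSDI or from CallHub, here is a small WSGI middleware that does that for any Python web app: plain-HTTP requests get a permanent redirect to the https:// URL, HTTPS responses gain a Strict-Transport-Security header so browsers stop trying http:// at all, and a companion guard refuses to send data to an integration endpoint (website to CRM, CRM to dialer) that is not https://. The app, host name, paths and URLs are made up for illustration, and the `make_environ`/`call` helpers exist only so the middleware can be exercised without a web server.

```python
"""Added example, not from the OSDI post: HTTPS-only WSGI middleware plus an
outbound-integration guard.  Host names and URLs are hypothetical."""
from urllib.parse import quote, urlsplit

HSTS_VALUE = "max-age=31536000; includeSubDomains"


def request_is_https(environ, trusted_proxy=False):
    """True when the request arrived over TLS.

    Behind a TLS-terminating load balancer the app itself sees plain HTTP and
    must rely on X-Forwarded-Proto.  That header is only safe to believe when
    the proxy overwrites any copy the client sent (trusted_proxy=True)."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trusted_proxy:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def force_https(app, canonical_host, trusted_proxy=False):
    """Wrap a WSGI app so it is only ever served over TLS.

    The redirect targets a configured host rather than the request's Host
    header; echoing the Host header would turn this into an open redirect."""
    def wrapped(environ, start_response):
        if not request_is_https(environ, trusted_proxy):
            path = quote(environ.get("PATH_INFO") or "/")
            query = environ.get("QUERY_STRING", "")
            location = f"https://{canonical_host}{path}" + (f"?{query}" if query else "")
            method = environ.get("REQUEST_METHOD", "GET")
            # 301 for GET/HEAD; 308 keeps the method and body for a POSTed form.
            # Note the form data in that POST already crossed the wire in the
            # clear: the real fix is HSTS, so the form page loads over https
            # and the browser never sends the POST over http in the first place.
            status = ("301 Moved Permanently" if method in ("GET", "HEAD")
                      else "308 Permanent Redirect")
            start_response(status, [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def require_https(url):
    """Guard for outbound integrations: refuse to push voter or donor data to
    an endpoint that is not https://.  Returns the URL unchanged if it is."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing plaintext endpoint: {url}")
    return url


# --- demo harness: a toy app and a way to call WSGI apps without a server ---
def signup_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"volunteer sign-up form"]


def make_environ(scheme="http", method="GET", path="/volunteer", query="",
                 host="example-campaign.org", forwarded_proto=None):
    """Constructed WSGI environ for one request (no real socket involved)."""
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": host, "SERVER_NAME": host}
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def call(app, environ):
    """Run a WSGI app on one environ; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


SECURE_APP = force_https(signup_app, canonical_host="example-campaign.org")

if __name__ == "__main__":
    print(call(SECURE_APP, make_environ(scheme="http", query="src=email")))
    print(call(SECURE_APP, make_environ(scheme="https")))
    print(require_https("https://crm.example.org/api/people"))
```

The `trusted_proxy` flag is the part people get wrong in practice: if the load balancer terminates TLS and the app honours `X-Forwarded-Proto` from anyone, a client can set that header itself and the middleware will happily serve the sign-up form over plain HTTP.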

Require PIN codes on all personal devices and laptops: “A member of senior staff drops their phone while shopping for volunteer food at Costco. Their phone does not have a PIN code. What’s in their email? What lucky supporter of your opposition picks up their phone and wins the jackpot? How many clean pairs of underwear is this worth?” ~ Josh Cohen

Do not share accounts. Only one person should be assigned to any account for any services or databases you use. If there are multiple users on an account, and one leaves, then the others have to be locked out until a new password is distributed. If more than one person is on an account, there is no way to tell which user may be responsible for mistakes, breaches, or possibly malicious use of the system. ~ Mark Paquette

Happy campaigning, and be safe out there!