Soon after the Supreme Court decision to overturn Roe v. Wade, reproductive-rights advocates began raising concerns about digital privacy and security for those seeking abortions outside of states that now banned them. Among other things, women were urged to delete menstrual-cycle apps and use encrypted or coded language when accessing reproductive care.
This post-Roe reality should be seen as a wake-up call for the nonprofit world, which for too long has acted as if digital rights are optional. Nonprofits and foundations need to commit to a deeper understanding of their responsibilities in the digital age, especially as more rights come under threat following the court’s decision. That means taking concrete steps to govern and manage the data they collect and store in ways that don’t harm the people they purport to serve.
It may seem ironic that a decision focused on what we do with our physical bodies should unleash such public concern about our digital selves. In truth, these connections and concerns are well known among digital-rights advocates, especially those in historically marginalized communities who are most often targeted and harmed by digital surveillance.
Most nonprofit leaders, however, seem to have little interest in addressing these problems within their own organizations. They typically claim they can’t afford the costs of protecting their data and don’t have the expertise. Many insist they will be hampered by privacy regulations and have asked for and received exemptions from laws such as the California Consumer Privacy Act, which gives consumers more control over their personal data.
For decades, training sessions and workshops focused on the safe collection, use, storage, and governance of digital data have been offered by Stanford’s Digital Civil Society Lab, where I work, and several other organizations, including the Responsible Data forum, Access Now, Electronic Frontier Foundation, and Aspiration Tech. But these are routinely seen as relevant only to an organization’s technology staff. In reality, anyone in an organization with an email address is a point of access to its digital systems and therefore has a responsibility to protect their digital data. That includes the board of directors.
Nonprofit managers are responsible for three things — people, money, and data. There is no organization today that is not generating, collecting, storing, and often sharing digital data on people. And that data can be used for harm. Ransomware attacks overall increased almost 100 percent from 2020 to 2021. Within the field, the attacks revealed by Blackbaud and several hospitals and schools offer clear proof that a nonprofit’s data is valuable beyond the organization’s walls.
Even more concerning are the growing number of ways that poor data governance and security practices can cause real harm to the same people nonprofits aim to help. Data collected from website visits, online-webinar registrations, newsletter sign-ups, search-engine use, and online donations can be used to create detailed digital pictures of the people interacting with an organization.
A potential nightmare scenario awaits if zealous state governments use such information to criminalize pregnant people and enlist members of the public to enforce laws that harm women. Pregnant people have now joined the ranks of other groups facing oversurveillance of their digital lives, including Black people, people of color, immigrants, Indigenous communities, public-assistance recipients, queer people, and disabled individuals. Collectively, these groups make up a majority of the country.
Nonprofits and foundations that aren’t taking data protection seriously aren’t really pursuing their missions. Following the Roe decision, even Big Tech companies started to get the message — at least in part — about the dangers posed by their data storage. Google announced it will destroy location data on visits to abortion clinics rather than release it to law enforcement. Apple is introducing a new lockdown feature on its phones that prevents governments from hacking into personal devices. These are important, albeit insufficient, steps by companies with vested interests in data accumulation over personal safety.
What Must Change
The nonprofit world has no excuse for not acting with at least as much urgency. Several things need to change. First, the love affair between civil society and Big Tech companies must end. Much of the field is enamored with “tech for good” promises, eager to accept tech grant money, and happy to receive software and hardware donations. But these practices should be recognized for what they truly are: attempts to make nonprofits dependent and beholden to Big Tech companies for both funding and data management.
Second, nonprofits and foundations need to prioritize the safety of the people they serve over the allure of social media. The news site the MarkUp has written extensively about how hosting a Facebook widget on a website communicates user interactions back to the company. If a hospital or women’s health nonprofit website has such a widget, it is effectively broadcasting to Facebook information on who visits the site, what it does there — including booking an appointment — and where it is located.
Third, all nonprofit technical assistance, training, and funding programs should adapt their offerings to the realities of pervasive 21st-century digital surveillance. The digital data managed by nonprofits needs to be as carefully and thoroughly aligned with an organization’s mission as its financial and human resources. That means all consulting services also need to integrate digital data safety and governance into their work.
Finally, nonprofits and foundations must recognize that the real expertise on safe use of digital systems will come not from corporate sponsors or free software giveaways, but from the digital activists and advocates with whom they share nonprofit status. Civil society is home to the expertise, scholarship, and policy ideas that can both keep individuals safe and help nonprofits and foundations match their data practices with their missions.
The painful end of Roe should be a signal to all nonprofits and foundations to finally recognize the potential harms of unchecked technology and take the actions they have long delayed: ensuring that digital protections are part of every program, every grant, and every action they take.