Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
We know nonprofits are facing challenges in a challenging time. At Community IT, when we think about and enact cybersecurity for our clients in the nonprofit sector, we generally are focused on protecting the organization, its data, its systems, and its finances from bad actors. Those hackers are overwhelmingly interested in financial benefits: getting you to wire the money to their bank account instead of your real bank account. While some cyber criminals are interested in gaining insights into your advocacy area or your networks, a majority of cyber crimes against nonprofits are purely financial.
But what happens when your nonprofit is involved in an advocacy area, a country, or an issue that has suddenly become controversial? Media attention turns to your spokespeople, your staff, your board, and your volunteers – anyone who has been associated with your organization’s issue. Particularly online. It isn’t long before that online attention can become threats against your personnel.
“Doxxing” is a term for when an opponent releases personally identifiable information about you – your home address, phone number, your parents, your kids’ personal information. People can then start calling you because they disagree with something you said that has been promoted online with your phone number and personal details. Doxxing is meant to inspire terror and to shut you up. And sometimes the online rancor, coupled with personal information, can lead unhinged individuals to go beyond harassment to act on these online threats.
In this interview, Carolyn talks with Shauna Dillavou, co-founder of Brightlin.es, a security company that works in the nonprofit sector to prevent personal vulnerabilities for staff who may be in the online media spotlight.
With decades of experience in the intelligence community, Shauna co-founded Brightlines to provide resources to nonprofits, foundations, and others who face threats and escalation against their staff or spokespeople.
In this podcast on anti-doxxing and nonprofit staff safety, learn the types of personal threats that are becoming more common, and the steps you should take to protect your vulnerable staff.
Community IT is proudly vendor-agnostic and our podcasts and webinars cover a range of topics and discussions. Podcasts are never a sales pitch, always a way to share our knowledge with our community. Brightlines is one of many services that exist to improve the security of your staff, executives, and board members. This interview with Shauna Dillavou explores the parameters of the problem and gives general advice on steps to take if you or your staff are threatened online.
Shauna Dillavou is a seasoned intelligence analyst with decades of experience working for the US government. She formerly was part of a team locating cartel associates by their online traces, and founded Brightlines to reverse-engineer that experience to protect vulnerable staff from online doxxing and threats to their personal safety. Unfortunately in recent years the threats against nonprofit staff have grown, making this service necessary and timely.
Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She learned a lot about anti-doxxing and nonprofit staff safety from interviewing Shauna Dillavou for this podcast.
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about your email safety and phishing attempts, you shouldn’t have to worry about understanding your provider.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Carolyn Woodard: Welcome to the Community IT Innovators Technology Topics Podcast. My name is Carolyn Woodard. I’m the host.
I wanted to say a little bit about just acknowledging that the nonprofit sector is going through some pretty, pretty challenging times right now. I really appreciate everyone being with us on this podcast.
And I’m very excited today to be here with Shauna Dillavou. She is a cybersecurity and online safety expert and the co-founder of Brightlines. Well, Shauna, I wanted to start by asking you to introduce yourself and tell me about your background. I’m particularly interested to know how you got involved in cybersecurity, which is such a male-dominated space.
Shauna Dillavou: I came to Washington out of college in Washington, DC., and I worked at some nonprofit doing some association doing communications work. And I got into graduate school for urban planning at USC. I know – all these degrees I never ended up using. My undergrad degree is in Spanish. Whatever.
I got into this program at USC and moved to Los Angeles. But while I was there, I went on a summer trip to Beijing, and I thought it was such a fascinating place. From the built environment perspective, right? From the way that they were building it, abandoned things that no one was ever going to use or never got finished. It was so wild. And all the politics that were involved, even on the local level, like having to take a local minister out for drinks and get him super hammered and sing karaoke until 2 a.m. or 5 a.m. and that’s how you got a deal.
It just seemed bonkers to me, and I loved it. I wanted to get back, and when I finished graduate school, I applied for a fellowship called the National Security Education Program, Boren Fellowship, and I got it. So, I went to China on this fellowship to do research and to study Chinese. Part of the requirement of the fellowship was that I would come home and work in national security for the US government.
The summer before I left for China, I’d come back out here and worked for a now-defunct group that did open-source intelligence. OSINT, they call it or open-source intelligence. Think about it like you’re standing listening to a couple talk at a party, and what you’re gathering by standing there listening is OSINT. If you were to ask a question and move the conversation in a way, that would be human intelligence or HUMINT.
Our job at that time, and this is like 2007-8-9 – keep in mind that Twitter launched in 2007. It was a time when everybody was sharing everything online, and we were really just sifting through just thousands of pieces of data every day, to define trends in different places. And at the time I had Spanish, right? So, I was looking at Spanish-speaking companies, countries.
And when I came back from my fellowship, I worked on China and then on Mexico and really thought about drug cartels or monitored drug cartel activities. And while I was there, I got to work with the DEA to help them identify the US side of cartel operations. It’s a lot more nuanced than that, but I was using the methods we use today at Brightlines, in reverse. I was doing targeting and investigation of people, and I knew how we could find them. And so, four years ago, when I started Brightlines, I took those methods and turned them on their head to see how we could find our clients and what we could do to remove the information.
Carolyn Woodard: Can you talk a little bit about the kinds of threats that nonprofit personnel face online or in-person?
Shauna Dillavou: Nonprofits have been going through it. I would say they’re on the front lines. Y’all are on the front lines of being targeted. It wasn’t until Brian Thompson was killed in New York last month that other sectors have really started to understand that this affects them, that physical security concerns affect them. We don’t have to explain that to nonprofit clients.
I’ve been working for a long time in progressive spaces. I founded a nonprofit in 2013 and ran that through 2017. I understand all of the different transparency things that open up our data and our personal information to scrutiny, to FOIA, to different transparency laws. Between that, and nonprofits really and the civil society sector writ large, being out in front, fighting fascism and the erosion of democratic norms and democratic democracy full stop, it’s been nonprofits who are the most targeted.
I founded this company with the intention that, I guess, with the understanding that if a person couldn’t participate in our democracy, if they couldn’t advocate for something that they believed in, if they couldn’t show up to vote because they were scared, if they couldn’t run for office, they couldn’t be out in front as a public figure because they couldn’t afford the security, then we weren’t living in a democracy any longer.
I founded this company for nonprofits. The threats that they’re experiencing, of course, like anybody else, there’s going to be cyber security problems, right? There are cyber security threats. There’s infiltration of networks and phishing and other kinds of social engineering. Basic password management is still a problem because you have a resource issue always, right? That’s how we like to keep our nonprofits, begging (for funding.) Silly. I would say nonprofits have been the canary in the coal mine when it comes to doxxing, which is what the problem that we fight.
Is it useful to explain what doxxing is?
Carolyn Woodard: Oh, yes, I think so. Yeah. I can jump in and just say, when we think about cybersecurity for our clients, a lot of what we think about and put in place are those protections for the organization. So, against wire fraud or phishing attempts that are going to get access to the organization’s data or research, that sort of thing. Or usually, it’s financial. They just want to get you to wire the money to their bank account, instead of the one you’re supposed to send it to.
But that was what I thought was so interesting, talking with you about the personal safety and personal data of staff at nonprofits.
Can you talk a little bit about what happens if you’re an advocacy organization and you’re the executive director, so you’re out there speaking on your organization’s behalf, or maybe you’re working in a country, like you said, in China or another country where there are state-sponsored actors who want to know your network, your people that you’re in contact with.
Can you talk a little bit about, then, what are those types of personal threats?
Shauna Dillavou: Yeah, you bet. The thing I didn’t mention about being a woman in a male-dominated space is that you really realize your superpowers as being gendered as a woman, right? Like the things that you’re trained to do on the basis of your gender.
I don’t know that I would, this sounds horrible, I don’t know that I would trust a man for my security, because I don’t think he has ever experienced what it’s like to walk down a street and know where everybody is and be afraid. I don’t think he’s ever gone on a run and worried that he would be raped. I think about that. I think about that all the time. I think about that for my two young daughters all the time. And it’s a thing that we don’t even realize we’re thinking about. And so, it’s not just like a physical concern, right? I think women, we’ve been genderized to think about it for our communities, for our families, how to take risks in ways that are useful or that uplift other people.
Security really ought to be like a woman-dominated place. Or as I would argue, the more intersectional the identity, the broader the attack surface. If you have a BIPOC woman, a black woman especially, that seems to me to be the person who’s lived experience is going to inform best what security methods you want to use. I would never tell a Black woman that she’s safe if she doesn’t feel safe. She’s going to know. Do you know what I mean?
So, okay, getting back to your question at hand, what was it?
Carolyn Woodard: So what is doxxing?
Shauna Dillavou: Doxxing comes from hacker speak, I would bet from the 90s, for dropping documents. So, dropping docs, meaning that you are sharing someone else’s personal information, probably personally identifying or identifiable information.
I would add to it that the intent of a doxx is to create terror for the person whose information is shared, and to incite others to take action, to show up, to make contact with them.
We have this escalation, there are indicators that someone is getting close to coming to see you in person, right?
The intention of doxxing is to incite others to make a phone call or send a text, or send a DM or an email, something that’s less traceable, or and then start to take physical action, right? Show up at a place, with the intent of harming, right? Of creating terror and harming.
OK, in any organization, but I would argue, especially in a nonprofit, people are your biggest asset.
It takes a long time to find the right people. When you find them, you want to keep them. They’re there for often ideological reasons. They’re there because they believe in the mission, the vision, the values of the organization. Otherwise, they could go somewhere else and get paid more. They’re obviously not in it just for the cash.
Often you have folks who stayed a long time, who have a lot of institutional knowledge, who care greatly, and those aren’t things you can just create in for-profit companies. That takes a lot of effort. So, you want to protect your people.
Now, a lot of the issues that nonprofits cover these days have suddenly become controversial. How is it that Catholic Charities of Southwest Ohio is a controversial thing? It’s beyond me. But they, like any Catholic Charities organization chapter, are helping refugees in Springfield, Ohio. Helping refugees was like Christ’s work, right? Which is what Catholics, this organization intends to do. Somehow that became a controversial thing. And the organization itself, its work was controversial because it was helping a group of refugees.
But an attacker in the United States on US soil isn’t necessarily going to have the knowledge to go after their security, right? Their information, like attack their systems. And that’s also not gratifying to them. So, what they’ll do is find someone to scapegoat, to target as a scapegoat for the organization.
That tends to be folks who are out in front, who are the public-facing figures, the executive directors, the folks whose names, the board members might be on a 990 tax form, right? Or the folks who are out in front, who are having the conversations, sharing information on social media, whose name gets attached.
And if it’s not those folks, it’s going to be, generally speaking, a young woman presenting person, generally of intersectional identity, that gets targeted. Because women “should know better,” they “should know their place.” And any person of color also ought to know her place, right? If you’re non-binary or trans, forget about it. Like, that’s the target. That’s such a… That’s the target. It gets so easy to not defend the more vulnerable, I guess, in that sense. We’re more willing to let trans folks be the target.
So, what does that usually look like? In a pattern of escalation, often the client wouldn’t be aware for a long time. The person wouldn’t be aware that it’s happening.
Carolyn Woodard: Unless you’re in those spaces. If you’re on Telegram, and they’re chatting, and they’re talking about you. But you wouldn’t be in there because you’re just a normal nonprofit staff person doing your nonprofit things.
Shauna Dillavou: There are not too many nonprofits that have the budget to pay for one of those threat intelligence services to monitor their people all the time. That stuff’s expensive. And also, for the most part, it’s not going to produce anything. And who knows if it’s even any quality? We’ve talked to four of them to partner with. It has taken four to find one that we’re think, this might work, because you have all of these models interacting and behind it to understand sentiment. And they’re not built necessarily for nonprofit folks. They’re not necessarily built for ideologically motivated attackers, and that’s who we’re focused on. They’re built more to understand trends, like, for a brand, and not for individual people and the targeting of individual people.
I really want to make sure I speak about this. We built this for ideologically motivated attackers. We built our tool Brightlines this way, because we understand it.
And I would say, as like a person who presents as a woman, as a woman, I understand what it feels like when you tell someone no and they won’t stop. A dogged attacker, right? I feel like I don’t have to make this case to most other folks who present like I do.
An ideologically motivated attacker is a dogged attacker. They will not stop. I’ve seen other tools that say, we will look at four pages of your Google search results. And I’m like, LOL, why bother? You need to look at 200 pages. You need to look at every result, because I know the attacker will, right?
A lot of what we’re doing in nonprofit work these days, especially in what has suddenly become progressive, when it’s, I think, just really humanity, you know, just human focused, right? The work that we’re doing is somehow controversial, and there needs to be someone “who pays for it.” And I think it’s the same kind of ideologically motivated attacker who would go after a staff person.
Carolyn Woodard: You said that you have this research on the types of things, how you know someone is getting close to you. So, if a staff person or an executive or a board member of a nonprofit or anyone else listening has received threats, what are the usual first threats, and what are the usual first steps that they should take?
Shauna Dillavou: I think today you don’t have to worry that you wouldn’t know. There’s not so much hiding about it. I mean, you’ll see people get doxxed on Twitter because no one’s going to stop them.
Carolyn Woodard: Well, and once your phone number gets out, it’s out. For the Sandy Hook families, it was the first weekend people started leaving them death threats on their phone numbers, on their home phones.
Shauna Dillavou: Who was it?
Carolyn Woodard: The Sandy Hook families. The worst thing in the world has just happened to you and the next weekend, people are calling your phone number. Yeah, it’s just terrible.
Shauna Dillavou: I’m so disgusted.
Carolyn Woodard: I know. So, if you are a staff person that is suddenly become known, that you are associated with something that has suddenly become controversial perhaps, then you’ll know pretty quickly that people are threatening you.
Shauna Dillavou: I mean, Mariann Budde, the bishop of the Episcopalian Church, she was doxxed the next day.
Carolyn Woodard: It was that evening. Yeah.
Shauna Dillavou: Yeah, that evening. On a mainstream social media channel. I think the gloves are off because no one’s stopping them in terms of law enforcement at the state, local, federal level.
And the platforms have washed their hands of this. They’re not interested in doing any kind of content moderation any longer. They don’t have to. Section 230 doesn’t make them. And nobody up here in Washington is making them either. So, you will know (when you are being threatened online).
Carolyn Woodard: Now, what should you do when you (are threatened)? Because it’s terrifying, like you said. You received the first phone call and you’re terrified. What do you do?
Shauna Dillavou: Okay. We had this case where a client came to us this week or last week and they said, “hey, my partner fired someone from this organization and then he sent her a nasty note. What do we do?”
We were worried, right? So, we went and investigated the person online and got an idea for who he was.
And then we said, I asked very specifically, did he send it to her personal email or to her work email? It was to her work email.
And I was like, well, he didn’t go do any digging on her. He’s not demonstrating any signs that he’s trying to bring harm to her home.
Now, if they come to your personal phone number, it’s also really easy to find that. Like maybe she’d already shared it with him, right?
Or I would put social media first. If (the threat is from) an online only source, it’s like, well, that’s awful and I’m sorry, but also, you know, social media.
If (the threat/s) come to something that you’re near, your email, your phone number, if your loved ones start to get messages, texts, phone calls, emails, then it’s clear that the person is more interested in creating harm.
At that stage, you want to make sure that you’re safe in your home, right? If you’re worried that something is escalating and happening more and more, you’re getting more and more phone calls, (get to safety first).
There was a FOIA dump of emails after the 2020 election that involved a client. And he had made some like just funny remark to a colleague of his who was an election worker, a state employee. And these (other) guys made hay of it when they got that email dump, and they went after him. And over the course of a weekend, it blew up, right? It was more texts, more phone calls, more and more and more. It was really escalating and then it just stopped.
So, as it was escalating, I said, get your family – he had two little kids – I said, get your family, just get out of the house for a weekend. Because we can’t know who knows your address right now, we can’t get it taken down in two days. We can’t move it that fast, right? So just leave and give yourself peace of mind for a minute.
I think the volume, the rhetoric – if it’s a lot of the same rhetoric, if it’s somebody just copy pasted, that feels like a bot attack that someone paid for. And I’d be less concerned than if you had all these unique different people saying things to you.
And then if it’s a person, say on social media that you’ve discovered has found you and is sharing information about you. And they’re a level of influencer, right? Say they have a couple hundred thousand or a million, millions of followers. I would take that risk far more seriously to some extent, right? If you find somebody who’s threatening you physically, and he has a thousand followers, that’s still problematic, right? I would take that very seriously too.
And anytime someone crosses that line, you think about the lethality index that they talk about in domestic violence. The lethality index they talk about is, if a person has ever tried to choke you, he’s seven times more likely to kill you.
I think about this like this. If someone has uttered the words, I will kill you or I will harm you or I will harm your children, I would take that very seriously, even if they don’t. Because a guy showed up to Comet Ping Pong with some guns once, because he heard a rumor that that was where children were being trapped. You know, like some folks don’t need much motivation. And so, if they’ve made those kinds of comments, I would take that very seriously.
What do you do? Depends on your comfort level with your local constabulary.
Are you comfortable calling the police? Probably, you know, maybe.
As an organization, what you can do is support your staff person.
If you can, help them get out of their house, if they need to do that, right?
If you can help them assess where they are, if they can relinquish some control of those accounts to have help like removing messages if there’s a lot of hate flooding in that way.
Or help documenting messages.
If someone can take over support with law enforcement, or run point with law enforcement on behalf of the employee, I think there’s a lot that can be done as that situation begins to escalate.
And of course, everyone should use a data broker scrubbing tool. We use Kanary. It starts with a K. I think everyone would benefit from that.
We (Brightlines) work more in prevention. As something is happening, it’s really hard to say, do this, this, and this. There’s not a formula unless you feel confident or you really are worried that something is going to physically happen to you. But I can talk about prevention all day long.
Carolyn Woodard: I was going to say, this is probably a good moment to say, what does your company do? What’s the service that you provide? What are the range of things that you can do too?
As I understand it, your company, for the most part, is trying to clean the online space of how to find you personally.
Shauna Dillavou: Yes, we’re looking for your risky personal information and how you can manage it, ameliorate it, remove it, right?
We built our company to be, I guess I would call it, we’ve built it on a trauma-sensitive framework. The entire premise of the company, all of our processes, and our ultimate product is about presenting the information and having the client make informed decisions.
The idea is that this returns agency to someone who’s experiencing a trauma. And so it helps, it’s just sensitive to that, right? We help someone who’s really going through it.
What we do is gather information about you that we can find online and understand how easy it is to find your home address.
First, things folks like to protect are the names of their partners or their children, different parts of their identity, their parents, generally, if they’re elderly.
They like to protect the ways in, sometimes they don’t always know this, but the ways to get that information, your personal email addresses, your personal cell phone number, your relative locations. It can be really easy to pinpoint which Jack Smith you’re looking for if you know that he lived in Tulsa, Oklahoma at one point, right? And a common name like that, is this a Jack Smith I want to find?
So, there are things that may not be overt pieces of personal identifying information. We always like to say that PII (Personally Identifying Information) is more than your social security number. It’s a lot more, right?
It’s your image. It’s so easy to find so much about people with reverse image searching and, and facial recognition these days.
It’s your date of birth.
It’s your political affiliations. It’s who you donate to, right? That is out there on every FEC filing apparently known to man.
What we will do is search across about a dozen databases, from things as easy as data brokers, to anywhere that your accounts have been hacked and shown up on the dark web, where you have like orphaned accounts, your facial recognition. We’ll search with a bunch of Boolean terms across public search engines, like Google.
And then we go and look very hard at public records, because we understand that public records are the source data for data brokers, whether they get those records by buying them from our states and cities and counties, or if they scrape online databases. I think that also happens quite a bit, because localities don’t know how to set that stuff up so that it can’t be scraped. Or if they do know now, they didn’t when they set it up, and there’s no budget to do that now.
So, in looking at all of that data, we do we look for the things that are the bright red flags, like, on whitepages.com, I found your address and your name. We probably need to remove that, right?
But we’re also going to say like, oh, this is your partner’s name. Oh, I found his address on the voter role for your state, even though you’ve been removed because you’re a federal judge. It’s easy to Google and find your husband’s name and your grown child’s name and they’re both registered to vote there.
We would want to know like, oh, I know your date of birth from your bio, right? And then you talk about this article growing up in Ohio, and I found on a data broker that these are your parents’ names, so now I can order your birth certificate.
So, we want to look at like the entirety of the data that’s out there and what picture it tells about folks and then what we can do about it.
Carolyn Woodard: Because I think for a lot of people, for example I wouldn’t know how to take my information down from most of the platforms I use and databases that are out there.
Shauna Dillavou: The removal piece is so challenging. There’s no privacy framework. And even in California and Virginia and the states that have them, they’re really focused on consumers, on the companies having consumer data, which is important.
But I mean, even after CCPA California Consumer Privacy Act was enforced, California’s DMV was selling its database.
I mean, the US change of address database, they don’t sell the data, and they’ll tell you over and over, “we don’t sell your data.” They just sell licenses to the database. So, they’re giving your data away. Still, you know, like you’ve trusted USPS to not do like what? Like how? USPS, you’re selling my information. Cool.
Okay. So, there are a lot of these kind of dark patterns and weird ways and dishonest ways that they get around this.
But for the most part the privacy framework doesn’t cover our public records. And short of data brokers removing your information for a while, they might just pop it right back up, or they might buy another data set and put it back on. They’re not going to honor that request forever. It feels very whack-a-mole.
Carolyn Woodard: You were telling me that your service is a subscription because it’s ongoing, your personally identifying data will pop up again a month later. And I think you told me it’s relatively expensive because even though it just takes a moment for some keyboard warrior to figure out your parents’ address, it takes a really long time and a lot of labor to take those down.
Shauna Dillavou: Yeah. I mean, yes. Listen, a couple of things. The timing is long because data brokers, they drag their feet. They don’t want to remove information. It’s not their top priority. I get that.
But also, we often advocate for people shifting their public records in legal ways, right? And that takes time because you’re dealing with bureaucracies. If you move your home into a revocable trust, that can cost a few thousand bucks. You have to wait for a lawyer to do this, to do that. You have to make some tough decisions and have conversations. And then you record it, and that recordation takes the time that it takes. It can take months. It took me a few months to get my house into a trust.
So, that’s where people’s lives are busy. This isn’t a top priority until it is.
Carolyn Woodard: Right. And I think you said when we were talking earlier that one of the things a nonprofit can do in that situation to protect their staff who are under this harassment would be to work with their funders to help provide that security or safety protection.
Shauna Dillavou: Yes. We’ve seen a surge in funders’ understanding that the movement will die if the people can’t do it. And the people can’t do it. Choosing between their family’s safety and their job isn’t a choice.
We’ve seen funders, there are a couple of different funds that will do emergency support or security support. I think Democracy Protection Network, the Rossi Fund, the RSI Rossi Fund. Those folks will help nonprofits, specifically. Solidaire Funds.
Five Ways Funders Can Support Social Movements (SSRI)
And I would imagine (you should ask) most funders that are already funding you, because that can be a faster way to get funding in the door for security. They understand the problem of doxxing, because it’s happened to so many of us now.
Carolyn Woodard: And I’m sure a lot of people at foundations and such, if they’re funding something that has suddenly become controversial…
Shauna Dillavou: Listen, we have clients among a number of foundations. And I don’t know, they’ll say to us when we’ve talked to them in the past, now it’s less of a conversation, but they’ll say, oh no, the grantees need to bring their requests to us. We’re not going to tell them what they need. And they may not know that this is an issue yet and that they’re likely to be targeted.
So, if you’re hearing this and you’re thinking, wow, I really don’t want this happening ahead of whatever announcement we make for our next, whatever PR blitz or whatever campaign we’re doing next, I’m worried about this, it’s a good time to start that conversation with the funder.
Carolyn Woodard: That makes sense. I think also in my past experience with some volunteer activity too, I know it’s kind of cliche to say it’s generational, but be in touch with the younger staff at your organization, because they are in a lot of those online spaces that you might not be on, like even just on Twitter, X, that’s part of their job, and their advocacy is to know what’s going on in that social media sphere around your issue, or the country that you’re working in, or all of those different things. They’re going to be your eyes and ears and hear things that are happening sooner than maybe some of your older executives are going to know.
Shauna Dillavou: They’re more likely to get targeted.
Carolyn Woodard: Yeah, that’s true too.
Shauna Dillavou: It’s so interesting too, with folks at that level, there’s a kind of detachment that we see where they think, I can handle it.
Well, maybe you have a higher risk tolerance because you know you have a great alarm system and that you trust your local police and that you have a dog, you know. You know that you have all these physical security measures in place. You might even have a driver. If you’re an executive at a certain level, you’re not super concerned about it for yourself.
I think we often have to remind folks, how do your children feel? How does your partner feel? How do the rest of the staff feel? Because if they can’t get you, executive, they’re going to go after someone else on staff. And that person may not be as well resourced. And definitely won’t have the privileges of both middle age and wealth that a person at an executive level would probably have.
Carolyn Woodard: We talked at the beginning about the different threats that men and women and black women face in this sphere and that nonprofit staff are majority women in most sectors that nonprofits work in.
Do you have any final thoughts on that gendered nature of this threat at this moment? And do you have any takeaways about the most important things to keep yourself safe? Should you just not be online?
Shauna Dillavou: I mean, that ship sailed. I know, right? I know.
I remember early on. I got to know the folks who were targeted by Gamergate back in 2014. And the police, right? The police said to them, can’t you just get offline? And they’re like, are you daft? Like, really?
And now it’s so much worse, you know. I would say to women.
Carolyn Woodard: Can’t you just not eat food?
Shauna Dillavou: Right. Stop breathing air.
Recently, I found that my information was attached to all of these public records that I had nothing to do with. It’s just that’s the decision the city made. It’s like, how? Never consented, never informed, you know, whatever.
So, I’m going to say this, I think, as bluntly as I’m allowed. You know better.
You know best.
Take what you know, women, that you know because of your lived experience, particularly women and folks of color and women of color, and apply that here.
If something doesn’t feel right, that’s your intuition, or literally that’s your lived experience.
That’s the lived experience of your mommies and your grandmoms and your aunties and everyone who’s told you your whole life, this is not okay.
So, if you don’t like ride share because you’re getting into a stranger’s car, then don’t do it. That is weird, right? Like why do we do that? We don’t, you know, we don’t think about it. If you don’t like the way that the dating app is structured because you can’t change your location, don’t use it. And if folks want to give you a hard time because you carry a flip phone, like that’s really fine. That’s fine. You need to protect yourself.
I would say we have learned to navigate the physical spaces throughout our lives from the time we are young. I have two little girls and I see them navigating physical spaces. I see them thinking about it. And I see them seeing what they can and can’t get away with, right? You’ve known since you were able to walk really how you can do it. And so, that knowledge applies.
It’s just a matter of, I think, understanding that the streets are virtual. But the same knowledge applies.
I’m hoping, Carolyn, to write, I’m writing a book proposal about this now. I’m hoping to have this guide on the market, the proposal on the market next March. I’m hoping to have this book next year published about how women (navigate this world), a guide really for women to survive.
Carolyn Woodard: Because I feel like that’s what’s changed.
I have friends who’ve worked in very, just on the surface, controversial areas, like providing escort services at abortion clinics, or working on the issue of gun violence, which is a very gendered advocacy issue. And some of the people who work for those nonprofits go into it, knowing “I’m going to have a security detail. I’m going to have to live in a house that no one has the address of because of the nature of my work.”
But what’s happened in the last five, ten years is this change of you’re not doing anything controversial, and you’re not the kind of person who would seek out that kind of job. And then in an instant, your whole life has changed because something that often doesn’t have anything to do with you. Like you passed a mint to your mom on election night, and suddenly, you know, it’s all over.
Shauna Dillavou: You’re getting paid 15 bucks an hour to count votes. You passed a candy to your mom, and now you own Rudy Giuliani’s penthouse.
Carolyn Woodard: Cold comfort.
Shauna Dillavou: Yeah, I’m sure it matters a little. Not kidding. So yeah, yes, I think, God, it can be any of us any time.
And I think what we’re learning is it’s not about what you’re wearing, you know?
I mean, I’m always happy to talk about our work. It’s so important.
And also to uplift, that this is a wildly gendered problem.
Carolyn Woodard: Yeah, it really is.
Shauna Dillavou: It plays into all of our institutional bias, you know?
Carolyn Woodard: Yeah. Just every cop who says, “oh, don’t worry, they’re probably not going to act on that.”
Shauna Dillavou: Yeah, “can’t you just get offline?”
Carolyn Woodard: It doesn’t make me feel better to think that maybe they are probably not going to (attack me).
Shauna Dillavou: No, no, it actually doesn’t make me any safer.
I mean, the evidence shows over and over that it’s women cops that de-escalate situations. It’s women politicians who send more money home to their districts. It’s women intelligence analysts who get the information, right?
Like, how are we still calling these soft skills?
Carolyn Woodard: Maybe your book will help the politicians who are so far behind on understanding this.
Shauna Dillavou: I think also the big tech folks. Who was building our tech? And based on what assumptions? And like, how? I think about that.
I was just thinking about all of these things, for example, the gig economy and this disruptive economy. And all that it’s done is, built this really tentative trust between absolute strangers coming into your home, or you getting into their car, or them shopping for you, but they know your name and your address and what you look like. And no one (asked us do we want this).
You know, I think about grandmothers being like, what are you doing? These are the things that you’ve been told your whole life you may not do. And here you are doing it, right? And everyone is doing it.
Who designed these systems? And on what basis? Those guys don’t have fear of a stranger harming them. But we do. You know, I think about that the way the tech gets built all the time. It’s built with a very different use case in mind. And we are not consulted.
If you built technology for black women, everything would be safer for everybody. Do you know?
Carolyn Woodard: And it would work. And it would be a party.
Shauna Dillavou: It would probably be cheaper. It would be good looking.
Carolyn Woodard: It would be awesome.
All right. Well, on that note, I want to thank you so much for your time today, Shauna. This was just such a fascinating conversation and unfortunate that it’s really needed. But thank you so much for sharing your expertise and good luck with the book. I look forward to it, and I know a lot of people listening could use it.
Shauna Dillavou: Okay. Well, I’ll keep that as motivation to keep at it.
Carolyn Woodard: Thank you so much for doing this with me.
Shauna Dillavou: Yeah, it’s my pleasure. Yeah.
Photo by Arleen wiese on Unsplash
CEO Johan Hammerstrom and Director of IT Consulting Steve Longenecker discuss how to choose nonprofit tech platforms March 19th at 3pm Eastern, Noon Pacific.
Fill out the form below to request a quote. We’ll be in touch shortly to discuss your needs and take the first step toward better nonprofit IT.