
Mutual aid organizations, such as food banks, disaster relief, direct cash assistance, and bail funds, serve as critical community pillars, yet their efforts are increasingly under threat in a hostile political landscape, and they often lack the resources to build the necessary digital infrastructure to defend against online attacks.
To address this challenge, the UC Berkeley Cybersecurity Clinic and Fight for the Future collaborated to create a guide aimed at enhancing the cybersecurity practices of mutual aid organizations. Released as part of the CLTC White Paper Series, the guide — Securing Mutual Aid: Cybersecurity Practices and Design Principles for Financial Technology — outlines best practices to help mutual aids use financial technology, enhance their cybersecurity, and design secure digital platforms.
The report was authored by Elijah Baucom, Director of the UC Berkeley Cybersecurity Clinic, as well as three alumni of the Cybersecurity Clinic class: Anna Lanzino and Yvette Vargas, both graduates of the UC Berkeley School of Information’s Master of Information Management and Systems (MIMS) program, and Nicholas Perematko, a senior undergraduate in the Industrial Engineering & Operations Research department at UC Berkeley.
“For various reasons, many mutual aid organizations have not implemented adequate security measures to protect their technological and financial systems,” the authors wrote. “This leaves their networks, communities, and assets vulnerable to cyber threats…. By empowering mutual aid groups with practical cybersecurity protocols, we aim to fortify their operations and protect the communities they serve.”
In the guide’s introduction, the authors explain that they initially set out to create a developer guide for a financial technology platform for mutual aids, but the project evolved into a best practices guide focused on improving overall cybersecurity and addressing specific financial technology use cases, along with a checklist for developers who create platforms for mutual aids. The guide is intended to build on the report Financial Confidentiality in the Age of Digital Surveillance, commissioned by Fight for the Future and created by Convocation Research + Design, which explored the effectiveness of diverse privacy technologies in safeguarding financial data.
To inform the guide, the Cybersecurity Clinic conducted interviews and pro bono cybersecurity risk assessments with six mutual aid groups representing a range of services within the human rights sector. Each assessment identified the group’s key digital threats and provided tailored recommendations for improving digital security. The guide presents an overview of the common issues identified and offers practical recommendations to mitigate digital risks. It also includes a section on key design takeaways for developers and technologists seeking to build mission-aligned financial platforms that meet the needs of mutual aid communities. Below are key takeaways for mutual aid organizers and financial technology designers.
Key Takeaways for Mutual Aid Organizers
The report includes several recommendations for mutual aid organizers to enhance their cybersecurity posture based on current practices, including:
Limit personal information on accounts. Mutual aids should avoid linking members’ personal bank accounts, credit cards, or personal information (like phone numbers or names) to accounts on payment platforms such as PayPal or Venmo. Instead of using personal payment accounts, consider using a dedicated account that is not directly tied to any specific member’s personal information, like a business/organization account, or obtaining a phone for treasurer duties.
Be aware of deplatforming. Deplatforming, in which a technology platform temporarily or permanently bans an account or restricts its functions, is a common experience for mutual aids and often happens without reason or explanation. Organizations should diversify their technology platforms to avoid relying on a single service.
Prioritize using privacy-centered services and understanding privacy settings. Mutual aids often rely on Big Tech platforms, like Meta’s WhatsApp and Google. The report provides harm reduction techniques for organizations that rely on Big Tech platforms, and also outlines more private and secure alternatives if a mutual aid is interested in migrating. For all platforms, mutual aids should tailor settings for better security, for example by enabling multi-factor authentication.
Establish policies for data retention, communication, and other areas to enhance cybersecurity posture. Mutual aids can establish policies and guidelines for how sensitive and non-sensitive information is communicated, and more broadly how data is stored and retained. Minimizing the amount of data that is collected and stored will better protect the organization.
Key Takeaways for Financial Technology Designers
The final portion of the report outlines design implications for a future payment platform that is aligned with the mission of mutual aids. Following are key takeaways:
Build with mutual aids. Designers should be mission-aligned with mutual aids and cultivate long-term, trust-based partnerships. The design process should include mutual aid community members and adapt based on their feedback.
Design for community control and privacy. Mutual aids are typically grassroots, decentralized, and privacy-conscious. Designers should create technology solutions that consider this structure and provide controls for mutual aids to maintain autonomy over their data. By default, a platform should protect payment data and metadata where possible.
Design with deplatforming in mind. It’s likely that mutual aids will face deplatforming. To prepare, designers should enable funds to be routed through multiple payment methods.
Design for accessible identity management. Most mutual aids do not have hierarchy-based roles or technical staff. Designers should make it easy to create organizational accounts with accessible configuration.
Design with built-in security. Designers should include security measures, like multi-factor authentication and zero-knowledge encryption, by default.
Maintain open standards. A platform designed for mutual aids should be open-source and auditable.
Prioritize accessibility. Designers should prioritize the accessibility of the tools they are building to ensure they are WCAG-compliant and usable.
“The risks faced by mutual aid funds are real, but so is the potential for building systems that reflect the care, trust, and autonomy that define mutual aid work,” the authors write in their conclusion. “These design principles are not meant to prescribe a single solution, but to offer a starting point that is rooted in our interviews and risk assessments of mutual aid funds. Our hope is that this guide contributes to the larger effort of building technology that protects and sustains community organizers as they carry out their essential work.”