One of the many achievements the Occupy Wall Street movement can claim is that it conclusively demonstrated how powerful social media can be when used for a collective purpose. Unfortunately, for Occupy groups and other horizontal or resource-poor organizations, maintaining a strong social media presence can be as difficult as it is vital.
No one gets paid. There is typically a high turnover rate: people leave and new people enter with some regularity. Also, unless the group has developed effective internal conflict-resolution mechanisms, friction around high-visibility assets like a Twitter or Facebook account can be paralyzing.
These issues complicate already difficult questions facing any organization attempting to negotiate the twin requirements of “security” and “access”: how do we prevent malicious agents from gaining access to our accounts? If someone leaves, do they take the “keys” with them? How can we be sure to grant access to an account when it is needed?
While there are many great commercial tools available to manage social accounts between teams, like Hootsuite, Sprout Social, and others, they can be challenging to implement and prohibitively expensive, especially when your budget is non-existent. The alternative, informally sharing access, can lead to an excessive, paranoid focus on “security” which may create a climate that is an incubator for interpersonal conflicts.
One solution which has been effective for the OOMedia team is using Google Docs to manage passwords. Instead of focusing on “security”, in the sense of building walls, we focus on “transparency”, as a means of building knowledge.
Google Docs for Password Management
There are two primary issues to address. One is ensuring that access to media accounts is shared. This raises our “bus factor”, meaning the number of people who, if suddenly hit by a bus and killed, would take access to the grave with them. The problem here, of course, is that the more widely access is shared, the more vulnerabilities are introduced.
Docs as a password management tool can mitigate these threats significantly. Below is a PDF of the actual Google doc the OO Media team uses to manage our accounts:
As you can see, the process is fairly straightforward:
1) compartmentalization and sharing:
- no one person has access to everything at once.
- more than one person always has access to each account.
- this doc is a master list of every media account we use, including social media and the website.
- split every account’s passwords into a separate Google doc.
- if there are varying levels of access (like with WordPress), admin accounts get their own doc.
- share with the minimum number of people who are actively working on the account
- set up a calendar reminder every week to reassess access and permissions.
2) password security:
- set up a calendar reminder to change passwords every week.
- use a random password generator to auto-generate strong passwords.
- if someone needs access to a particular account, but is not a media collective member, give them access only to that doc, and change passwords after.
This allows a wide and changing group of people to have access to all accounts without potentially compromising the platform. If a user needs access to any password, they can request it by clicking on the “share” link at the top of any doc.
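The weekly review in the list above can be checked mechanically. The following Python sketch is an added example, not part of the original post or the OO Media team's own tooling; the doc names, people, and the `review` and `new_password` helpers are constructed for illustration.

```python
import secrets
import string

# Constructed sample data: one password doc per account -> people it is shared with.
SHARES = {
    "twitter": {"ana", "ben"},
    "facebook": {"ana", "cy"},
    "wordpress-editor": {"ben", "cy", "dee"},
    "wordpress-admin": {"ana"},
}
MEMBERS = {"ana", "ben", "cy"}  # current media collective members (constructed)
ALPHABET = string.ascii_letters + string.digits + "-_.!@#%"


def review(shares, members):
    """Return sorted (doc, finding) pairs for the weekly access review."""
    findings = []
    for doc, people in shares.items():
        # More than one person must always have access to each account.
        if len(people) < 2:
            findings.append((doc, "bus factor below 2"))
        # Non-members get one doc only; rotate the password when they are done.
        for outsider in sorted(people - members):
            findings.append((doc, f"non-member {outsider}: unshare and rotate"))
    # No one person should have access to everything at once.
    for person in sorted(set().union(*shares.values())):
        if all(person in people for people in shares.values()):
            findings.append(("*", f"{person} has access to everything"))
    return sorted(findings)


def new_password(length=24):
    """Generate a random password using the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for doc, finding in review(SHARES, MEMBERS):
        print(f"{doc}: {finding}")
    print("suggested replacement password:", new_password())
```
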
When this strategy was first suggested, some wondered at the wisdom of placing access to these accounts on servers owned by corporations who can and have illegitimately disclosed private information to the authorities and others. My response to that objection is twofold:
1) Google’s record on transparency regarding responding to government requests for activist information is actually pretty good. Not what many of us would like, but they are not an arm of the CIA either.
Further, Google’s entire business model, cloud computing, is based on trust. It is very much in their interests that their users’ information is understood to be private and secure. For a company like Google, relatively rare and small mistakes make front-page headlines. This can obviously have catastrophic consequences. Google has billions of dollars to pour into online security, which logically makes them a safer bet than a server in some guy’s closet.
2) There is no real “security” anymore. The nature of the internet today is that absolutely everything that touches it is compromised. In the past “Risk Avoidance” may have been a meaningful concept, but today the only sensible position is “Risk Mitigation”. Given enough time, money, resources, and talent, any database can be breached. The key concept is trust. If a close friend’s Facebook account suddenly began posting uncharacteristically offensive material, wouldn’t you naturally assume that their account had been hacked and not that they suddenly became a bigot? Transparency builds trust, which is more important to the health of a “brand” than “security”, which is ultimately illusory.
Alongside questions regarding “access” there are inevitably questions about “content”, “policy” and strategy: what kind of content should we share? How often? How do we respond to hostile comments? These are questions I would like to return to in future posts. Stay tuned!