Nonprofits and Cybersecurity

Today's New York Times reveals that the folks who hacked the website of JP Morgan Chase, one of the world's largest banks, also hacked the website and account of the bank's affiliated charity arm - the Chase Corporate Challenge.

In July, Goodwill Industries announced that hackers had accessed information on payments processed by the nonprofit employment program.

Waaaaay back in 2007 hackers breached the security systems at Convio Inc., gaining access to donor information for more than 90 charitable organizations.

Universities have long been a target for cybersecurity breaches, and in 2014 they seemed to become an even bigger one.

I'm sure that hospital systems, not-for-profit health care providers, non-profit financial firms, and even philanthropic foundations are also tempting targets.

Why does this matter? In the Chase Corporate Challenge case it appears that hackers were looking for a way into the bank via the nonprofit portal. (NYT says that didn't work. In this case.) In other cases the stash of information - on donors and their financial information - may be tempting enough on its own. For those with malicious motives beyond financial gain, accessing information on program participants, program beneficiaries, or planned activities may be enough - especially for organizations doing politically, religiously, or culturally sensitive work.

All of this steals the thunder from one of my intended Blueprint 2015 predictions, that hacking, cybersecurity and nonprofits would rise to public attention next year. (It just came up earlier than I thought.)

Cybersecurity and protecting the digital information that nonprofits collect and store is important on the organizational level. It's also important on a systems level. Collectively, given the capacity constraints for most nonprofits and the linked nature of digital data, information breaches from individual organizations can serve as open doors to breaches across organizations and whole sectors. The limited ability of nonprofits to protect information they gather online - even when they outsource the service to third party vendors (who struggle to stay in front of malicious hackers) - makes not just the nonprofits and foundations vulnerable but also their affiliates and partners.

Security experts can tell you what to do to protect your web and digital assets. I think about this more from the programmatic and human side. Too often I see foundations and nonprofits choosing to collect information from people just because they can. It's easy to ask for addresses, phone numbers and email addresses, even when you don't need them and may not know why you would use them. It's easy (and cheap) to store that information somewhere online. And it's easy to forget about it.

We need to shift our organizational mindsets about collecting information from those we serve. We should stop thinking about information collection as an "all you can eat buffet," where the ease, speed and price of collecting and storing is so low that "more is better." Commercial websites have habituated us to assuming that we have to trade our data (address, birth date, email, phone number and so on) for access. That's a value exchange and a type of transaction that nonprofits simply don't need to perpetuate.

Any organization that doubts its ability to ensure that it can protect your digital information (i.e. ALL honest organizations) should approach the collection of information with great care. Given our human propensity to re-use passwords, we should even consider whether requiring passwords for public access to nonprofit websites makes any sense. Our users will most likely use the same password they use everywhere else, we won't be able to protect it, and - oops - there goes that breach. Rather than the "all you can eat buffet" approach to user information, let's shift to "don't let your eyes be bigger than your stomach." In other words - don't ask for what you don't need. That way, you won't need to worry about having it and losing it. (Or being subpoenaed for it - more on that elsewhere.)
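If an organization decides it must collect a password anyway, the practitioner's caveat to the point above is to store it so that a stolen table does not simply hand the reused password to the attacker. The following is an added example, not code from the original post: it contrasts the failure mode (an unsalted, fast hash, which makes reuse visible across accounts and cheap to crack) with per-user salted PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count, salt size and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the original post).
# 600,000 is the OWASP-recommended floor for PBKDF2-HMAC-SHA256 as of 2023.
ITERATIONS = 600_000
SALT_BYTES = 16


def naive_digest(password: str) -> str:
    """The failure mode: an unsalted, fast hash.

    Two users who reuse the same password get identical records, so a
    stolen table reveals who shares a password with whom and can be
    attacked with a precomputed table instead of per-user work.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    A fresh random salt per user means identical passwords produce
    different records, and the slow KDF makes each guess expensive.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt and iteration count and
    compare in constant time. Malformed records verify as False."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two accounts that reuse one password.
    shared = "correct horse battery staple"
    print("naive records identical:", naive_digest(shared) == naive_digest(shared))
    rec_a, rec_b = hash_password(shared), hash_password(shared)
    print("salted records identical:", rec_a == rec_b)
    print("verify ok:", verify_password(shared, rec_a))
    print("verify wrong:", verify_password("not it", rec_a))
```

The record carries its own iteration count, so the count can be raised later for new records without breaking verification of old ones; that is the same reason the check refuses records it cannot parse rather than guessing.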

Nonprofits bank on trust and integrity. We need to shift our digital behaviors to reflect this when it comes to collecting, storing (and possibly losing) information from those with whom we work.

Data, Work, and the Social Sector


Organizations that support nonprofits in the U.S. are quick to point out the contribution these organizations make to the economy. $1 trillion in assets, $2 trillion in revenue, 10% of jobs or GDP - the economic impact of the sector is used as evidence for all kinds of arguments. 

The data behind these numbers, and the methods for calculating them, have typically come from government filings of labor statistics, tax records, contracts, and charitable giving and are crunched by research institutes, scholars, and advocacy groups.

Like every other sector, there are new data sources coming online that may add to our understanding of the social sector. Today, LinkedIn announced its EconomicGraph Challenge - an opportunity to use the company's data on jobs and job openings to ask new research questions. This is exciting and I hope a good number of researchers jump in to ask new questions (or add the data to existing research projects) about the social sector.

Some things I'd like to know:
  • What's the turnover rate of people working in nonprofits?
  • How do salaries really compare for jobs with similar titles in nonprofit, commercial and public settings?
  • What can we learn about professional "sector hopping?" What patterns can be seen in how people move from nonprofit to commerce to public sector jobs (and back) over time?
  • How long do nonprofit chief executives hold their jobs?
  • What professional profiles are nonprofits looking for in terms of board members? (LinkedIn for Good facilitates volunteer openings.)
  • What might these data show about volunteering, interning, and getting a paid position?
  • How do jobs and job titles compare across countries?
  • What do these data show us about organizational structures around the globe?
  • What types of networks can we see between specific nonprofits and specific universities?
  • What types of networks can we see between board members of nonprofits and companies? (or nonprofits and government agencies?)
  • What skills are nonprofits actually hiring for? 
  • Can we predict skills gaps from these data? Can we identify educational and job training opportunities?
  • What questions do you have?
The LinkedIn Challenge is an example of the emergent phenomenon of "data philanthropy." This is the practice of giving access to specific data sets for specific purposes (in contrast to opening data sets for broad, unrestricted use). The same questions will come to bear on the kinds of nonprofit research listed above when government contracting and grants data go open. Corporate-owned data becoming more available to the social sector (and about the social sector) is one element of digital civil society that we're thinking about at the Digital Civil Society Lab. The policies and practices by which the data are shared and the ethical challenges of making these data sets available for research are the issues of greatest interest to the Lab itself.

I'm hopeful that lots of research proposals will flow in that will put LinkedIn's data to use to better understand what work is in the social sector and how the social sector works.

Proposals for the research are due by December 15. Details are here. Challenge rules are here. I am not affiliated with LinkedIn or its challenge. I'm encouraging students and researchers at Stanford (and, via this blog post, anywhere else) to consider the challenge.

Ten Innovations in Global Philanthropy

Thrilled to see this new report from New Philanthropy Capital - Ten Innovations in Global Philanthropy.*


One of my partners in the upcoming Blueprint 2015 - betterplace lab - is featured as one of the innovations. Check out their incredible work from the lab around the world - and be sure to get the Blueprint 2015 (Free from Grantcraft) when it goes live in December.

Also very proud to see PoweredByData on the list. I've been saying all year that Canada is the world leader when it comes to using open data for philanthropy and nonprofits. Be sure to check out their work.

On the transparency side the NPC authors chose Glasspockets from The Foundation Center. A great example and worth a look.

Be sure to get the report.

*Full disclosure: I was one of many people interviewed for the report, but had no role in writing, vetting, choosing, producing.

Ethics of Data Conference - First Quick Summary

The #Eod14 Conference was a huge success. Thanks to all who participated. We're still decoding, transcribing, and following up so a more formal synthesis is still to come. But in the meantime:

The conference encouraged real work. One and one-half days of small group sessions, filled with the 100 participants, yielded (at least) the following:

  • The curriculum for a class on building trust in conflict situations being taught at Stanford this quarter
  • A "responsibility for harm" checklist
  • A framing document on different types of consent (being carried forward by Responsible Data Forum and others)
  • A prototype for analyzing the ethics of algorithms
  • A 24 month "urgent issues" idea set
  • A research agenda (the Digital Civil Society Lab will move some of this forward)
  • At least one book proposal (the Digital Civil Society Lab will try to help move this forward)
  • Specific opportunities for commercial data firms to develop consistent policies for sharing data with researchers and nonprofits
  • Mock-up for nonprofit Terms of Service agreements to align with their missions (being carried forward by Responsible Data Forum and others)
  • Two(!) draft codes of ethics for data in civil society
  • A set of tools for making ethical decisions across the data lifecycle
  • A data "badger" for ethical management of data in civil society
  • A matrix for locating use cases within and across sectors
  • A process for data scientists and nonprofits to articulate and document the ethical choices they made in building apps, making visualizations or analyzing data sets
  • 100 people from universities, nonprofits, policymaking, and a variety of digital data/media companies creating 100! new relationships

The actual materials will be shared in a variety of ways, including here and on the conference website.

Blog Posts by Participants

Heather Leson

Christopher Wilson

Summary document on conference (forthcoming)

If I missed something, let me know. More soon!

Apple's Watch and the Ethics of Data

Apple made big news this week with the announcement of its new phones with mobile payment built in and its new watch, which seems to be a platform for everything from telling you the time to heartbeat sharing (?!)

Much has been written by privacy experts, tech geeks, health policy wonks, and financial gurus about all the new stuff this new OS and device are bringing.

Personally, I appreciated the Cupertino company's doing such a fabulous job of sending a signal that digital civil society has arrived. (And just in time for our conference on the Ethics of Data - how perfect!)

Here's the signal, in case you missed it. Apple made a big deal about how it can protect your private financial and health data, which the watch and phone will help you collect and manage. They explained how the phone/watch will/will not store your data, how it can be shared, and who will have access to it.

The following language is from Apple's own developer guide (the rules of the road for the people creating the apps that will make the watch do more than its Casio forebears).

"27.4 Apps may not use user data gathered from the HealthKit API for advertising or other use-based data mining purposes other than improving health, medical, and fitness management, or for the purpose of medical research (emphasis added)"
My question? Medical research by whom? Harvard? (nonprofit) The Centers for Disease Control? (government) Pfizer? (Commercial company) Citizen scientists in their garages? (none of the above)

Medical research is done by businesses, government, and nonprofits. They each operate under separate rules. Some have clear institutional structures and review processes for doing research on humans. Some make sure they have your consent to be included in a study or a publicly reported "finding," others, well not so much.

The New York Times read the above developer guide and interpreted it as if reserving use of the data for medical research was in some ways protecting our privacy. From their Thursday story:
"Apple has made it clear to developers of health apps that it wants to protect privacy. Last week, it updated its guidelines for app developers, stating that apps working with HealthKit, Apple’s new set of tools for tracking fitness and health statistics, may not use the personal data gathered for advertising or data-mining uses other than for helping manage an individual’s health and fitness, or for medical research."
But here's the thing - letting the data be used for "medical research" without specifying by whom and under what conditions doesn't protect you in the least.

It's like saying only "book lenders" will have information about your reading habits. Book lenders include your local library, which has been protecting reader information from prying eyes for decades, and Amazon, which uses your data...differently.

The point is we have different expectations for different kinds of organizations - public, commercial, and nonprofit - and we hold them, socially and legally, to different standards of transparency, accountability, and trust. Data cross all those lines (and those lines are already rather blurry). As they celebrated in Cupertino, it's clear that we have entirely new tools for collecting, storing, and sharing our data. We need new rules - especially if we want to maintain the trust and integrity of the nonprofit sector.