- About Archives
- About SAA
- Careers
- Education
- Publications
- Advocacy
- Membership
April 28, 2025 Building Digital Resilience Event Notes:
Panelists:
Jessica Walton - CyberPeace Institute - J
Dr. Brian L. Evans (speaking for himself as a private individual) - Professor of Electrical & Computer Engineering and President of the Texas American Association of University Professors (AAUP) - B
J: Think of it like a tree. Sit down and draw a tree with three main branches:
What am I trying to protect?
From whom?
What happens if that protection fails?
This will look different for institutions versus individuals, and also vary by person.
Factors include identity, whether you are marginalized, whether you are an activist, and whether you work with sensitive materials. These are different threat models, no two trees will look the same.
For personal risk assessment:
Identify your assets.
Consider how you communicate: what is private and what information you post publicly.
Ask what the threat could be, who would want your information, and how they might use it.
Focus on the potential personal impact.
For institutional risk assessment:
Ask the same core questions, but on a larger scale.
Consider what you are holding on behalf of others (donors, collections).
Think about the threat surface: the number of vendors you work with, how much information you share, staff turnover, and the devices you use.
Most threats occur due to human error, such as weak passwords. Understanding good digital hygiene and digital safety accounts for roughly 90% of cybersecurity.
B: Risk assessment depends on your employment. If you are part of the government, you are subject to open records requests, so it is important to understand what you need to retain and what you do not.
For personal risk assessment, consider what information is worth putting in writing. At work:
Use only work platforms.
Enable two-factor authentication.
Use official university platforms.
Maintain a clear separation between personal and work accounts and devices.
Many of us either work with or are members of marginalized communities that are under renewed attack, specifically around DEIA initiatives. Are there specific safety strategies we should be more aware of?
J:
DEI work and history collection have increasingly been under threat, both publicly and privately. This includes documentation related to immigration, reproductive health.
Knowledge about digital harm has not kept pace with the scale or speed of these threats.
Audit your communication platforms. Be cautious about discussing sensitive topics on platforms that may be accessible or monitored.
Use end-to-end encrypted platforms such as Signal is currently one of the safest options for discussing sensitive topics.
Think carefully about who appears in your records. Consider how donors’ willingness to be named in collections may change under increasing scrutiny or risk.
B:
For work communication, there is no guarantee of privacy, whether you work in a public or private institution. Anything on a work device can potentially be accessed by your employer. Assume that anything you put on a work device can be obtained.
Many apps are not secure. One major vulnerability is that AI features are often enabled by default without explicit consent. Turn off features like Siri, search assistants, and similar tools. Information collected by AI can be gathered and transmitted off your device.
Since Meta took over WhatsApp, data can be collected and used; WhatsApp is no longer considered safe for sensitive personal interactions.
Turn off AI features in Signal as well.
Proton Mail is a secure email service based in Switzerland; email remains within the Proton system and is encrypted.
Be aware of your state laws regarding recording conversations. For example, in Texas, anyone can record conversations unless an employer faces civil penalties for doing so.
Operate with the assumption that conversations may be recorded when speaking with others.
Join groups and build alliances to share information and protect one another. Employee unions and advocacy groups can provide collective protection. Success often comes through partnerships, solidarity, and collaboration across groups and members.
How do you separate your professional digital identity from your personal one, especially if they’ve been intertwined for years?
B:
All work activities stay at work; all personal activities stay at home. University identity remains on work devices; personal devices and accounts are used only at home. Keep the two strictly separate.
Enable two-factor authentication for every login.
On personal phones, turn off Wi‑Fi and Bluetooth to reduce the risk of intrusion into personal data.
Workplace Wi‑Fi can be used to access or screen personal devices, and activity may not be protected when using institutional networks.
Use Signal for secure messaging.
J:
Use Proton Mail, Proton Cloud, and Proton VPN. These services are based in Switzerland, which has strong data protection laws that are unlikely to change.
Work and personal devices should be completely separate—no crossover for work accounts on personal devices or vice versa.
Data can be accessed and potentially used against you if identities are merged.
Firefox is a relatively privacy-respecting browser and a solid option for general internet use.
Maintain good social media hygiene and be intentional about what you share publicly.
Hardware security keys for laptops can help protect sensitive materials. When traveling across borders with devices, hardware keys offer additional protection because the key cannot be accessed by someone attempting to view your data.
Overall risk increases significantly when professional and personal digital identities are not separated.
What are digital strategies to help safely do advocacy work?
J:
Using caution is protective; self-censorship is corrosive and not what we want. Caution looks like intentionally switching communication to safer platforms (for example, moving a conversation to Signal) and clearly signaling to others where sensitive discussions should happen.
Self-censorship means not talking about an issue at all. Censorship is a loss and many forms of censorship are already being imposed on us. Do not censor yourself.
For the archive community, Silence is not neutral. As advocates for marginalized communities and stewards of collections, silence has consequences.
Adopt cybersecurity practices as part of advocacy work. Risk mitigation should be top of mind, possibly more than feels comfortable.
Organizations such as CyberPeace and nonprofits like Cyber Collective can help advise on digital safety and security.
Use digital resilience to speak more, not less—but do so safely.
B:
Documentation stored on personal devices is now vulnerable to both internal and external threats.
Consider joining multiple organizations that have access to specialized or civil liberties lawyers.
Advocacy groups to be aware of include:
ACLU
FIRE (originally formed out of ACLU work)
NAACP
These organizations can help respond to censorship, issue warning letters, advocate publicly, and, when necessary, pursue litigation.
Documentation is critical. Record when censorship or suppression occurs. Self-censorship benefits those creating the harm; we should not do their work for them.
Anticipatory obedience (changing behavior out of fear before anything happens) prevents documentation of censorship, which makes it much harder to challenge legally.
Fear is a tool often used to suppress advocacy and documentation.
Lone Rangers / Solo Archivists
Many solo archivists do not have access to unions or formal institutional support.
Seek out external unions, professional organizations, and rights-based organizations that align with your work and values.
Working alone means that responsibility for security largely falls on you as an individual.
While this can be isolating, it also means you only need to assess and manage risk for yourself, not an entire institution.
Make sure you are confident in your cyber hygiene practices, including secure communication, password management, and device security.
Google is not secure for sensitive work, and Gmail should not be considered a secure communication platform.
AI systems often run in the background, tracking activity and could use your data for advertising and data profiling
Common mistake related to digital security: reusing passwords across multiple accounts.
Not using a password manager. A password generator with an encrypted master password reduces the need to remember individual passwords and significantly improves security.
Be cautious when using Google Drive. If you store content in Google services, it should be assumed that the data can be accessed or viewed. Always keep that risk in mind when deciding what to upload or store there.
| Attachment | Size |
|---|---|
| Diversity-Committee-DigitalResilience_April2026_Resources.pdf | 86.84 KB |