Data Security When Security Makes You Suspicious
I have spent the past year writing about data security for social impact work. The framework is straightforward: understand what data you hold, encrypt what is sensitive, minimize what you collect, control who has access, and build in accountability mechanisms.
The CIA triad (Confidentiality, Integrity, Availability) provides the foundation. You protect data from unauthorized access. You maintain its accuracy. You ensure it’s available when needed. You layer on modern principles: authentication to verify users, least privilege to limit access, defense in depth so that one failure doesn’t expose everything.
For social impact organizations working with vulnerable populations, the field argues for heightened duty of care. “Do No Harm” means treating data breaches not as reputational risks but as potential threats to real people. Rigorous data minimization: collect only what is essential, because every additional data point is risk you’re carrying. Human-centered risk assessment: evaluate based on potential for real-world harm to individuals, not just to the organization.
The framework assumes that good security protects vulnerable people. Encryption keeps communications private. Access controls prevent unauthorized disclosure. Secure systems create safety.
These principles are well-established in international agricultural development and humanitarian contexts. The threat model is consistent: protect data from those who shouldn’t have it. Hackers. Malicious actors. Unauthorized disclosure. Data breaches. The assumption is that if you secure your data properly, if you prevent unauthorized access, you protect the people behind it.
Last week I filmed ICE detaining someone here legally from my window. The framework I described above addresses some of what the Minneapolis ICE resistance faces: hackers trying to breach Signal groups, infiltrators trying to access data and undermine organizing. And there’s another threat present that the framework doesn’t address. The threat isn’t just unauthorized access. It’s the threat of physical seizure of the device that holds the data, legal or not, happening faster than courts can determine; of physical detainment, whether legal or not; and of physical violence or even death, justified or not. The risk isn’t only that documentation might be stolen by someone without authority. It’s that documenting itself, lawful and constitutionally protected observation of law enforcement, is now something the FBI has announced it’s investigating.
Standard data security assumes you’re protecting data from unauthorized access. But what happens when powerful actors claim authority to seize it, whether or not that authority is legal, and enforcement happens so rapidly that legal challenges can’t keep up? When the question of whether a seizure was lawful only gets answered in court months later, long after the damage is done? When documentation itself becomes grounds for investigation?
This is a different threat model entirely. The framework addresses unauthorized access. What happens when the threat is authorized seizure, counter-surveillance, intimidation, and physical violence by actors with claimed legal authority, all happening faster than courts can intervene?
The question this piece explores is whether data security frameworks built for one threat model (unauthorized access by hackers and bad actors) can address a fundamentally different one (authorized seizure and counter-surveillance by powerful state actors). Whether tactics developed in humanitarian contexts facing similar threats can transfer to domestic organizing. And what “data security” even means when documentation is both the risk and the only accountability mechanism that exists.
The Minneapolis Threat Model
Communities have been exercising their constitutional right to observe law enforcement in public spaces for weeks. Standing outside schools during morning drop-off. Monitoring courthouses. Watching for enforcement vans. Recording when ICE shows up. Making sure no one is taken without someone knowing, without someone documenting, without someone bearing witness. And someone to take care of the cars that are abandoned, often dangerously in the middle of the streets. This cannot happen without witnesses.
The state is surveilling community surveillance. The FBI has announced investigation of encrypted communication used for organizing. Federal authorities watch the watchers[1]. The threat is explicit: if you document enforcement, if you coordinate that documentation, if you use secure tools to protect it, you are under scrutiny.
And everything moves faster than the law. ICE raids happen without judicial warrants. Devices are seized and accessed before legal challenges can be filed. People are detained before lawyers can respond. The chilling effect works whether or not any prosecution ever follows. The question of whether any of it was legal gets answered months or years later, long after the organizing has been disrupted and the witnesses silenced.
The framework I described above addresses some of what these communities face: hackers trying to breach Signal groups, infiltrators trying to access data and undermine organizing. Standard threats that encryption and access controls help mitigate. But there’s another threat present that the framework doesn’t address. The threat isn’t just unauthorized access. It’s a threat of physical seizure of the device that holds the data, legal or not, happening faster than courts can determine. Physical detainment, whether legal or not. Physical violence or even death, justified or not. The risk isn’t only that documentation might be stolen by someone without authority. It’s that documenting itself, lawful and constitutionally protected observation of law enforcement, is now something the FBI has announced it’s investigating.
This creates a surveillance environment where watching runs in multiple directions, but power runs in only one. For an administration that ran on the idea of small government, this is an extraordinary expansion of state power into the most basic civic activities. Watching. Talking to your neighbors. Knowing your rights. Helping someone exercise theirs. These are not radical acts. They are the ordinary functioning of a society where people look out for each other. The fact that they now carry risk is not a sign that communities have become threatening. It is a sign that the state has decided community itself is the threat.
The question is: how do you create accountability through documentation when documentation itself makes you a target for counter-surveillance by actors with power to seize, detain, intimidate, and harm, all before courts can determine whether any of it was legal?
What Humanitarian Contexts Faced
The Minneapolis threat model isn’t unprecedented. Humanitarian organizations have operated in contexts where powerful actors surveil vulnerable populations, where documentation puts people at risk, where violence targets those who bear witness.
Under the Ethiopian People's Revolutionary Democratic Front (EPRDF), the ruling coalition that governed Ethiopia from 1991 to 201Ethiopia operated what researchers documented as pervasive state surveillance. The government's 'one-to-five' system assigned volunteers to monitor five households each. Neighbors reported on neighbors. The informants were state-affiliated. The people being watched had no power to refuse, no recourse when information was used against them. The formal system has weakened since 2018, but the legacy of distrust it created shapes how humanitarian organizations navigate data collection to this day.[2]
The United States is building something similar. DHS Secretary Kristi Noem has championed federal tip lines and online forms as tools for citizens to report “suspicious activity” to ICE and CBP[3]. She positions this reporting infrastructure as public safety, encouraging neighbors to watch neighbors and report what they see to enforcement agencies. The mechanism is voluntary rather than assigned, but the structure is the same: state-encouraged citizen surveillance where information flows upward to enforcement, where the people being reported have no way to know who reported them, no recourse when tips lead to detention, no protection from neighbors who decide their presence is “suspicious.”
Somalia presents different challenges. Monitoring organizations were among the first banned and the most directly targeted. When humanitarian workers documented needs, tracked outcomes, observed what was happening, they became targets[4]. Armed groups didn’t want witnesses. The documentation was dangerous not because it was insecure, but because making invisible violence visible made documenters threats.
Humanitarian organizations in these contexts have developed tactics to navigate the threat:
Key informant interviews with people who had fled. Instead of documenting directly in dangerous areas, organizations interviewed people who had recently left, asking about the settlement they came from. The information was secondhand but the sources were safer.
Phone interviews where networks allowed. Remote contact reduced physical presence in areas where observers were targeted.
Remote sensing. Satellite imagery, aerial surveys, methods that gathered information without putting people on the ground.
Triangulation of sources. Multiple partial accounts that could verify each other without any single source being exposed.
Minimal written documentation. What had to be written down was kept secure, encrypted, with access tightly controlled. Much was kept oral.
Protecting source identity. Any documentation that could identify who provided information was either never created or destroyed after the essential information was extracted.
The principle in both contexts was the same: understand who has power to harm, minimize exposure, protect sources, never create documentation that puts vulnerable people at additional risk.
These tactics worked because of something fundamental about the work humanitarian organizations were doing. They were documenting TO CREATE REPORTS FOR DONORS. They were assessing need, tracking outcomes, demonstrating impact. The documentation served accountability upward, to funders and headquarters. It didn’t serve accountability of the powerful actors creating the threat.
This meant workarounds were possible. You could document indirectly. You could interview people after they fled rather than while they were still in danger. You could use remote methods. You could minimize what was written down. The learning could still happen. The accountability to donors could still be maintained. The essential work of assessing humanitarian need didn’t require direct observation of the actors causing harm.
The powerful actors (government informants, armed groups) were the threat TO PROTECT AGAINST. Not the subject OF accountability. Humanitarian organizations designed their data security to keep information away from those actors, to make sure documentation didn’t expose vulnerable people to further harm.
Everyone understood who the threat was. No one pretended that surveillance by state informants or armed groups served accountability. No one suggested that being watched by those with power to harm you made you safer. The surveillance was recognized as oppression, and data security practices were built to navigate around it while still accomplishing the essential work.
What Transfers and What Doesn’t
Some tactics from humanitarian contexts transfer directly to Minneapolis organizing.
Secure communication. Signal and other encrypted messaging apps protect the content of coordination. Just as humanitarian organizations used secure channels to communicate in surveillance states, Minneapolis communities use encryption to plan and coordinate without exposing the substance of their organizing.
Minimal written records. Humanitarian organizations learned to keep oral what could stay oral, to document only what was essential, to destroy records after information was extracted. Communities watching ICE can do the same: debrief after actions without writing down who was where, what was seen, who participated. The learning happens through conversation. The patterns are recognized collectively. The knowledge stays distributed rather than centralized in documents that could be seized.
Pattern documentation without identifying individuals. Humanitarian workers tracked displacement patterns, nutrition trends, security incidents without naming specific people. Communities can document enforcement patterns (where raids happen, what times, what tactics ICE uses) without creating records that identify who was taken or who witnessed it.
Protecting source identity. Never create documentation that could identify who provided information. If someone reports an ICE van in their neighborhood, that information can be shared without recording who saw it first.
Triangulation. Multiple partial accounts that verify each other without any single person being exposed as the sole source of information.
These tactics help. They reduce risk. They make organizing more secure without eliminating the organizing itself.
But there’s a fundamental difference that limits how much humanitarian tactics can transfer.
Humanitarian organizations documented TO CREATE REPORTS FOR DONORS. They assessed need, tracked outcomes, demonstrated impact. The documentation served accountability upward to funders. It didn’t serve accountability OF the powerful actors creating the threat. This meant workarounds were possible. You could interview people after they fled rather than while they were in danger. You could use remote sensing instead of direct observation. You could document indirectly. The essential work didn’t require being present when harm happened.
Minneapolis communities document TO CREATE ACCOUNTABILITY OF ICE. The documentation doesn’t serve accountability upward. It serves accountability of the powerful actors themselves. And this requires direct observation. You cannot hold ICE accountable for constitutional violations without witnessing those violations. You cannot document what ICE does without being present when they do it. You cannot create transparency without being visible as a witness.
This is the crucial difference. Humanitarian tactics assume you can accomplish your essential purpose while minimizing exposure to the threat. Minneapolis organizing cannot. The exposure is required. Being seen as a witness is the point.
When communities film ICE taking someone, the act of filming is what creates accountability. The presence of witnesses changes how enforcement operates. The documentation that someone was here, that they were taken, that it happened this way, this is what makes the action visible rather than invisible. And visibility is the only accountability mechanism that exists.
You cannot do this remotely. You cannot do this after people have fled. You cannot triangulate your way to accountability without anyone being present. The observation must be direct and it must be seen.
This means some risks cannot be mitigated through tactics alone.
If you film enforcement, your device could be seized. If you coordinate through Signal, you’re now under FBI investigation. If you stand as a witness, you become visible to counter-surveillance. If you document constitutional violations, you become a target for actors claiming authority to seize your documentation and detain you.
Humanitarian tactics help reduce these risks but cannot eliminate them. You can minimize what you write down, but you still need your phone to film. You can protect identities in documentation, but you cannot hide that you were the one standing there with a phone out. You can use encrypted communication, but that very encryption has been flagged as suspicious.
The question humanitarian contexts didn’t have to answer is: what do you do when the act of creating accountability inherently exposes you to the powerful actors you’re trying to hold accountable, and those actors have authority (claimed or actual) to seize your devices, detain you, and disrupt your organizing faster than legal protections can be invoked?
Humanitarian data security could say: minimize documentation, protect sources, document indirectly. That was sufficient because the purpose of documentation didn’t require direct observation of the threat.
Minneapolis can use those tactics to reduce risk. But it cannot eliminate the core exposure: to create accountability requires being present, being visible, being seen as a witness. And that presence is what makes you a target.
The framework question remains: when documentation is both the risk and the only accountability mechanism, what does data security even mean?
Part 2 of this series will explore what metadata reveals even with encryption, the specific challenges of device seizure, and the impossible calculus communities face when every security measure has costs that might undermine the accountability work itself.
Anthralytic is a social impact strategy and evaluation studio that helps mission-driven teams clarify and amplify their impact.
[1] https://www.eff.org/deeplinks/2026/01/ice-going-surveillance-shopping-spree
[2] Human Rights Watch, “They Know Everything We Do: Telecom and Internet Surveillance in Ethiopia,” March 25, 2014. https://www.hrw.org/report/2014/03/25/they-know-everything-we-do/telecom-and-internet-surveillance-ethiopia
[3] https://www.washingtontimes.com/news/2025/jun/2/colorado-attack-dhs-asks-public-report-illegal-immigrants-tip-line/



