In the last few years, American workers across multiple industries have unionized or mobilized collectively in an attempt to get better wages, demand accountability for sexual harassers in the workplace, push for real action to slow down climate change, and in general, change company culture.
The movement seems to be popping up everywhere: Amazon, Google, Gawker, Riot Games, Salesforce, Tesla, Kickstarter, Uber, you name it. In fact, approval ratings for unions among Americans are at the highest level since the beginning of the 2000s, according to Gallup.
As proud members of a union, we at Motherboard understand how important collective action is, and how challenging it can be. One of the biggest and perhaps most overlooked questions is: how do you form a union or organize a workplace walkout without tipping off the company that owns your computers and internet connection?
Whenever you use your company’s communications equipment, there is a risk that the company could find out about your organizing, giving it a chance to thwart planned actions or even retaliate against the organizers. Unfortunately, this is not hypothetical. At Hearst Magazines, the company launched an anti-union campaign to persuade workers to vote against the union. Google has fired employees who have been involved in organizing, and recently hired an anti-union consulting firm, IRI Consultants, to crack down on employee activism at the company. At the end of last year, Amazon threatened to fire employees who spoke out about the company's carbon footprint. Several employees involved in unionization at Kickstarter also lost their jobs.
Employees no longer have the right to organize using a company’s email system or the company’s Slack or equivalent chat system. The Trump administration's National Labor Review Board just ruled employers can crack down on workers who do so.
While there’s no silver bullet for these problems, there are ways to organize securely. We created this guide by talking to digital security experts, as well as workers involved in organizing at Amazon and Microsoft, about how to unionize or organize a labor action securely. Call it the Motherboard Guide to Labor OPSEC. Like any security guide, this advice is not comprehensive, and not all advice will be relevant in every workplace or for every situation.
It's also worth considering that some of the most powerful worker actions have not been done anonymously, and that there may be benefits to signing your name to an open letter, or speaking to the press as a named source, or giving a speech at a public rally. Every worker must consider their own situation and whether or not they are willing to take the risk of potentially becoming the public face of a workers movement.
Disclaimer: for the purpose of this guide, we are assuming a scenario where there is no union in place, and workers want to organize some sort of action or organize a union. Once there’s a union, there are more legal protections and much of the security measures here become redundant or unnecessary.
KNOW YOUR COMPANY
Before even thinking about what you should and shouldn’t do, or what tech you should or shouldn’t use, ask yourself: do you know your company?
In other words, does your company have a history of union busting, anti-workers policies, or general unfriendliness toward workers organizing or expressing concern? Or, on the other hand, has it historically been amenable to workers speaking up for their rights? It’s impossible to anticipate the future, but having a general idea of what you’re up against is the basis of what cybersecurity professional call threat modeling. This is the foundation of any good operational security—or OPSEC—plan.
As part of this effort, it may be good to figure out where your colleagues stand as well. As the workers organizing at Microsoft put it: “Get to know your fellow organizers!”
“It's easy to get caught in doing organizing work and forgetting to build relationships with the people you are closest to. This may uncover shared interests and new opportunities to collaborate,” the group told Motherboard.
At this point, it’d be very useful to also brush up on your company’s policies when it comes to accessing employee computers and phones. Take a look at your contract or the employee handbook: Is there any language about what the company can access? If so, take note of that and adjust you plan accordingly. Absence of this language doesn't mean that the company can't access your email or remotely control your computer, so it's best to be cautious.
Once you have a general sense of your company’s attitude and policies, it’s time to think about the tools you're using to organize.
AVOID COMPANY INFRASTRUCTURE
If we could condense this guide in one sentence, it would be, "Avoid company infrastructure." By that we mean computers, phones, printers, chat software, and email. But also avoid discussing labor actions in physical places like meeting rooms, cafeterias, or basketball courts.
That may sound difficult, but using company infrastructure to organize is risky and may tip off management about your upcoming organizing drive, open letter, walkout, or other labor action. It’s unlikely that your company is actively sniffing internet traffic or monitoring computers in real time for any chatter of forming a union or organizing some kind of labor action. But there are no guarantees.
“A lot of companies have at least minimal remote device management, which would allow IT to shoulder-surf at will, or otherwise view the contents of your company-provisioned computer,” said Harlo Holmes, a digital security specialist at the Freedom of the Press Foundation.
Of course, in this day and age, it may be impossible to get off the company’s grid completely, so let’s break it down a bit more.
COMPANY EMAIL & CALENDARS
This is the easiest way for your company to keep tabs on you. You should assume that IT and others in management have access to your corporate email. And even if they may not read it every day, they can probably comb through it after the fact. So avoid using corporate email at all costs. Recently, Google fired employees who were, in some cases, accessing corporate calendars that the company deemed unusual.
Every labor action should probably start with collecting workers’ personal contact info, such as a personal email address and cell phone number. Use those to communicate.
DON’T USE COMPANY COMPUTERS OR OTHER DEVICES
As Holmes warned, most companies have a way to access worker’s laptops and perhaps even their corporate phones. So try to avoid using them. Using a personal computer on the company’s WiFi is not as dangerous, but if you can, avoid that too and connect from home.
Workers involved in organizing at Amazon suggest keeping “any non-public organizing documents and conversations off your work computer.”
“Do not sign into accounts containing this information,” the group adds.
Workers organizing at Microsoft tell their colleagues not to “use the same phone for organizing as work stuff.”
“For this I just don’t work when I’m not at work,” a Microsoft employee told Motherboard in an email.
It’s not just the actual devices you should worry about, but also apps. The Microsoft workers warn people against using “corporate tools like text editors or note taking apps as you might leave a trace of your organizing work.”
Under no circumstances should you use the office printer. Office printers log who prints what, so if the company launches an investigation after a leak or worker action, chances are it will check who printed what.
USE ENCRYPTED APPS FOR COMMUNICATIONS
If you stay away from you company’s infrastructure, you’ll have already done most of what you need to secure your organizing activities. But, just in case, try to avoid Slack or other chat services that are not encrypted and don’t give you much control over what data is retained. Companies have the ability to read Slack archives, including DMs. It's also worth mentioning that, by default, paid Slack accounts retain messages indefinitely.
Alternative group chat apps such as Keybase and Wire not only protect your messages in transit, they also allow you to set messages to self-destruct after a set amount of time. This helps cover your tracks.
While we love Signal, the popular encryption app is not ideal for large groups who need to share documents, for example.
If you think asking your colleagues to use new chat apps may be a tough sell, it’s probably OK to stick to non-encrypted apps such as Facebook Messenger or even Google Hangouts (unless you work at Google!)
“Use appropriate tools for your circumstances. Facebook Messenger is a very accessible messaging app if you don’t work at Facebook, don’t use it on your work computers, and aren’t worried about conversations showing up in court,” workers involved in organizing at Amazon said.
The Amazon workers also warn of the possibility of your company monitoring your public social media accounts: “Make sure to lock down your social media accounts to make it more difficult for the company to map out who you know, what you’re doing, and what you’re talking about.”
This means pay attention to who you're friends with on Facebook, following on Twitter, and looking up on LinkedIn (you should always browse LinkedIn in private mode.) This is especially important if you plan to leak to the press: If you're leaking to the one reporter you're following and interacting with on Twitter, it's possible the company could trace information back to you, or at least consider you suspicious.
Even better, especially at the beginning of an organizing drive, try to stick to IRL conversations, ideally not on company grounds. This is not only the best way to pitch the action to colleagues but it’s also less exposed to snooping and is inherently ephemeral, as a representative from the Writers Guild of America, which represents VICE's editorial union, told Motherboard.
“Prioritize one on one IRL conversations,” the representative said. “This is not only the most effective form of communication in building support, but also the most secure.”
IF YOU'RE GOING TO LEAK TO THE PRESS
A carefully-placed leak or tip to the press alerting journalists of your unionizing drive or collective action may help your cause. If you're going to leak to the press, familiarize yourself with what the terms "on the record," "off the record," and "on background" mean.
If you reach out to or speak to a journalist, things you say to them are, by default, on the record. This means that the journalist can quote and use that information and attribute it to you with your name. "Off the record" means the journalist can have that information for their own knowledge, but can't publish it without confirming it with another source, and they can't attribute it to you. They are allowed to take that information and try to get someone else to provide it on the record, however. "On background" means different things to different people—often it means that the reporter can use the information in their article but not attribute it to you. Other people use it to mean "can be quoted anonymously." It's best to talk this through with the reporter before you share information.
You can discuss sharing information anonymously or doing interviews anonymously with a reporter. At Motherboard, we grant sources anonymity if their speaking to us would put them in physical or professional danger. We require our reporters to tell readers why we are granting a source anonymity; if the source could be fired from their job for speaking to us, we will often grant anonymity. We will know the identity of the source—more often than not, we need this information to ensure we are talking to someone who is in a position to know about the issue at hand—but we won't publish or otherwise reveal who the person is.
It is best to be clear with the reporter before you share anything about how you want the information to be used—if you say something "on the record," you cannot retroactively take it off the record. (This is to ensure that someone can't backpedal on information they've said that is in the public interest, but change their mind about). These conditions must be agreed to by both parties, so don't reach out to a bunch of reporters with information that you want to share "off the record" if those reporters haven't already agreed to go off the record with you.
Often, workers want to share internal documents, emails, memos, or other company materials with the press. There are several ways this can be done. The easiest is to take a photo of your computer's screen with the camera on your personal phone, and to share the image(s) you take as a disappearing message on Signal. Then, delete the image from your phone and potentially the journalist's number from your contacts and message history. You can also use SecureDrop. If anonymity is important to you, don't forward company emails that you intend to leak to journalists if you feel you could be fired for doing so.
This all may sound like a lot, but many of the tactics in this guide become second-nature with practice. Practicing general cybersecurity best practices is also recommended. For more, you can check out the Motherboard Guide to Not Getting Hacked.
Subscribe to our cybersecurity podcast, CYBER.