Digital Public Policy: New Priorities for Nonprofits

1 Introduction

The global Covid-19 pandemic has cast civil society’s dependence on digital data, systems, regulations, and policy domains into stark relief, but the shift has been underway for decades. Over time, individual nonprofit organizations and the sector writ large have moved their governance practices, organizational operations, and programmatic offerings onto software, hardware, and digital telecommunications systems. This shift has been episodic and often decried for being too slow. Still, it transformed the nonprofit sector from a space nominally distinct from corporate and government control into one tightly tied to, and increasingly shaped by, the commercial product design, market incentives, and government monitoring that bound digital systems. In turn, these systems are shaped by public policy domains, from consumer data protections to automated decision-making systems and artificial intelligence (AI), from intermediate liability laws to encryption and national security. As a result, these digital policy domains now bound and shape the whole of civil society.

In this research note, we argue that nonprofits – and nonprofit scholars – must urgently recognize and attend to these digital policy domains. To help the sector better understand the different ways digital policies matter to nonprofit organizations and their funders, we discuss findings from two of our recent reports. The first draws on focus groups and interviews conducted with nonprofit leaders, advocacy and infrastructure organization, funders, and scholars. The second is a media monitoring project focused on digital technologies, civil society, and the Covid-19 pandemic. With these two approaches, we shed light on digital policy issues that organizations within the sector identify (internal) as well as show how mainstream media (external) represents the role of nonprofits on digital policy issues. In both cases, we provide a typology of the ways digital policy issues matter to the sector. We conclude by providing an example of a successful, sector-wide advocacy campaign around a digital policy issue by focusing on the case of the 2020 SaveDotOrg campaign.

2 The Nonprofit Sector’s Digital Dependencies

The use of digital systems – devices (computers, mobile phones, networked printers), software (email, word processing, spreadsheets, CRM databases, mobile apps), and transmission systems (the internet, Wi-Fi, broadband) – permeates most aspects of organizational life. This is true for commercial businesses, governments, and civil society, including nonprofits and foundations. These systems are distinct from analog or physical systems in at least two ways that create what we call dependencies.

First, anything created digitally exists in multiple identical copies at one time. The financial documentation, for example, of a donation, the addresses and phone numbers of beneficiaries, and the payroll information for employees that an organization develops and stores on networked computers exists in copies on the servers of the organization and (or, if everything is cloud-based) on the servers of whichever commercial network the organization uses. For example, information created and stored in Microsoft 365, Salesforce, or Google documents exists on those companies’ servers and is accessible to those companies under contractual terms.

Secondly, information created and used digitally (such as in the example above), including all website, social media, photographs, videos, audio recordings, etc. that are generated and used by an organization are transmitted over the Internet via commercial providers of access (telecommunications or cable companies that provide broadband and Wi-Fi services). These providers also have access to the data transmitted and the data about the data (metadata). These commercial transmission networks and software service providers have many rules about what they can do with information on their systems (FTC 2021). By law, they must often share information with state authorities when requested. Those terms contractually bind the nonprofit customers, yet few nonprofit organizations recognize these relationships, take steps to negotiate different terms, or equip their boards of directors for these responsibilities. A telling example of such dependency – and the risks associated with it – was the 2020 data breach at Blackbaud, one of the largest vendors of grants management software to nonprofits, which led to lawsuits against Blackbaud and several of its nonprofit customers (Stiffman 2020).

All of this results in a situation where all the information that nonprofit organizations generate, use, collect, and store – all indications of their activities – is available to commercial vendors and government agencies. The nonprofit sector is dependent on these systems. These basic “mechanics” also apply to us as individuals when we use digital devices and to businesses and public agencies. However, the implications for civil society are particularly important because the sector understands itself to be somehow independent of governments and markets. In the digital sphere, the dependence on digital systems threatens to erase that independence. Nonprofit organizations that operate digitally, using systems as described above, are wholly encased within the commercial and government sectors due to their digital dependence. In pursuit of regaining some form of independence – some form of private agency over their actions – nonprofits need to engage in the public policies that shape how the digital systems operate.

The complexity of these dependencies and contractual ties is made more so by the very nature of the nonprofit sector. The sector is, by design, home to organizations on different sides of every social issue, be it vouchers for charter schools, gun rights, or educational reform. This pluralism extends to digital practices and policies as well.

There are, for instance, both nonprofit creators of and advocates against technologies such as digital apps for contact tracing. In addition, digital systems influence their users in several ways, only some falling directly under the purview of public policy. In many cases, it is the business practice and/or the actual design of the digital system (for example, the design and limits of grants management software, especially those elements that make it difficult to export data from one proprietary system to another) that influences organizational autonomy and control.

Similarly, social media companies’ practices for serving ads or showing organization pages affect nonprofits’ experiences and use of those platforms (Bhati and McDonnell 2020; Lee 2021). However, these generally fall into product design rather than public policy. The corporate nature of our digital ecosystem, then, means policy engagement will involve addressing both companies and public policy makers.

The entangled nature of corporate and government policy when it comes to digital systems creates even more layers of complication for the nonprofit sector. Many nonprofits rely on reduced cost or “free” versions of software, hardware, and internet connectivity. Partly, this happens because of the difficulty of raising philanthropic capital to cover operating expenses. By now, it is a truism that companies providing software at no financial cost are profiting from the use of the data captured by the software. Even organizations that understand this relationship see generally few options. They often lack the money to pay for more expensive, privacy-protecting software and have failed to seek other alternatives, such as purchasing collectives that might seek better contractual terms for users.

Organizational dependency on the “largesse” of corporate technology providers can make them hesitant to engage in public policy fights that might deter companies from providing those benefits. Outrage about this form of corporate capture was levied against the NAACP when they sided with telecommunications giant Comcast during battles over net neutrality.^[1] Corporate “tech for good” practices further extend the digital capture of the nonprofit sector (Ames 2019; Horvath and Powell 2020; Magalhães and Couldry 2021; Nothias 2020). Not only do nonprofits become dependent on the digital systems, but their dependence on corporate largesse may chill their willingness to speak out on digital policy issues.

3 Nonprofits and Digital Policy Concerns

Nonprofit and philanthropic leaders are aware of and concerned about a wide range of digital topics. In 2019, our Lab conducted 31 individual interviews with professionals in nonprofits, human services, data regulation, academia, and civil society advocacy to better understand their conception of digital systems and policy intersections (Bernholz et al. 2020). The interviewees came from Canada, the United States, European Union, and the United Kingdom. In addition, we held a total of twelve dedicated focus groups and workshops, independently and as part of other conferences across Europe, the United Kingdom and the United States. Members of the research team also engaged audiences on these topics in conference sessions at an additional 19 venues, resulting in 31 total sessions across the US, Europe, and the UK. The team also conducted desk research to understand the policy agendas of leading civil society and digital policy organizations in each geographic domain. In the US, for instance, it included reviewing the public policy agendas published by three national advocacy groups working on behalf of nonprofits in the US: The Council on Foundations, Independent Sector, and the National Council of Nonprofits. Appendix B in our report (Bernholz et al. 2020) provides details about our process including a list of participants in the research and focus group activities.

Methodologically, it was important to let the participants identify both the technologies and the policy issues that mattered to them. This allows participants’ concerns to come to the forefront, not the priorities or issues of concern to the researchers. We did this through a series of participatory activities in which the focus groups and interviews respondents generated lists of digital technologies and areas of policy they believed to be relevant to their work. We clustered individual answers into topical groups, resulting in seventeen distinct categories (Table 1). For example, answers such as Artificial Intelligence, AI, Machine Learning were grouped into a single category of AI. These are listed in alphabetical order; participants were not asked to rank them in any way. Once these domains were developed within each focus group, we moved on to issue-spotting exercises, an approach adapted from legal studies. Several short case examples, inspired by real news stories, were presented to groups of four participants, who worked together to identify issues raised – both positive and negative – by the technology in the case for the populations in the case (for example, proposals to use data sensing technologies for flood monitoring in areas with large numbers of unhoused people along the riverbanks). These small groups then worked together to identify potential actions from the perspective of their specific organizations, e.g. a housing group, a funder, and others. Collectively, each focus group produced lists of public policy domains, lists of technological concerns, and areas for potential action rooted in their own expertise. The research team compiled this data and analyzed it across the different focus groups.

Some of these are specific policy domains (copyright law or net neutrality) whereas others are types of technologies (artificial intelligence) or areas of concerns (personal safety, misinformation). Because there are often overlaps between the technology, the concerns it raises, and relevant public policy domains or public description of the issue we chose to preserve the language most often used by respondents. The diversity of the issues raised in these conversations, and the conflation of different types of technologies (AI, facial recognition) with different values or rights (expression, access to information) reveals two things: a high level of awareness and a great deal of confusion.

The breadth of this list, and the multiple possible relationships between items on it, allow for several observations about civil society, digital technology, and policy engagement and hint at a vast research agenda awaiting attention. Our first step was to distinguish which policy issues mattered to which clusters of nonprofits. There is some technology policy specific to an organization’s mission or area of work, e.g. education, the environment, or health care. We call these domain-specific policy issues. Immigrant rights groups, for example, often raised concerns about the surveillant nature of digital identity programs and the growth of remote sensors, such as closed-circuit cameras in public spaces. On the other hand, education groups raised surveillance concerns about the data collection practices of software makers whose products are used in schools. The shared concern is surveillance, although the source of such concerns stems from a different (although sometimes overlapping) set of technological activities, organizational practices, and domain-specific regulatory regimes. Here, there are opportunities for action on digital policies within each of these specific domains (immigration and education).

Once this understanding of digital policy within a specific domain begins to take hold, there is also the opportunity to bring together multiple types of nonprofits. The example above shows immigration and education organizations taking different technological paths to concerns about surveillance or privacy. As they learn more about the potential policy solutions, they will encounter a shared domain for policy action: the regulation of personal data. This somewhat circuitous route to a shared area of digital policy repeats across the different domains of nonprofit action. It offers one way to think about what digital policies matter across the sector, and it opens the door for diverse policy coalitions, or what we have called integrated advocacy.

Helping organizations and respondents identify their domain-specific policy concerns led to them identifying cross-cutting organizational concerns. For example, a performing arts organization and a civil rights group might have different concerns (or degrees of concern) about surveillance cameras. However, they found common ground on data security issues regarding the information that they captured and held on their constituents, including financial donors. The promise to protect that information and treat it carefully, and the dependence on the terms of service of cloud software providers, led both organizations to see their shared interest in data protection regulations and security practices. These are examples of what we call operations-specific policies. These policy issues also open the possibilities for cross-domain alliances and activity, as data security and liability regarding data breaches matter as much to Harvard University as they do to the Lower East Side Tenement Museum, two nonprofits bound together only by the breach of their shared data vendor, Blackbaud.

Many iterations of these cross-domain discussions also led to the identification of policy areas that mattered across domains of action and to the operational capacity of the organizations. For example, reliable, affordable access to the internet matters to nonprofits of all kinds for their own work and the people they serve. Participants reflected on how much they now rely on the web, email, social media, and messaging to organize and mobilize resources, reach their communities, and manage their own teams. This has only become more apparent since the pandemic sent organizations scrambling to work remotely and serve populations that could no longer gather in schools, libraries, community centers, or other public shelters. In this way, digital and broadband access is an example of a definitional policy issue; one that directly implicates one of the core values upon which civil society rely to thrive in democracies: access to information.

This complex mix of technologies and policies is different from previous policy agendas for civil society advocacy organizations and creates opportunities and challenges. Many domains of work – education, health, civil rights, the environment – have their own advocacy organizations and policy agendas. Several participants in our discussions noted the need for these associations to become more fluent in and active on relevant digital policies. For organizations that conduct advocacy on behalf of civil society, nonprofits, or foundations writ large, these digital policy items are both new and complicated. In the U.S., the policy agendas of the largest membership-driven, sector-wide associations focus on corporate and charitable law, tax policy, and encouraging civic participation. They do not (yet) speak to any of the digital policy domains noted by participants in our research.

4 Civil Society and Digital Policy During Covid-19

The Covid-19 global pandemic showed acutely the profound and many ways digital policies now matter to nonprofits. Governments and corporations around the world responded to the pandemic with various technological projects and emergency measures. Bluetooth-based contact tracing apps, the use of smartphone location data to enforce quarantine orders, and thermal scanning via digital cameras in the workplace illustrate the sorts of wide-ranging and rapidly spreading digital responses to the pandemic.

In 2021, our team published a report analyzing media coverage of these digital surveillance responses (Nothias et al. 2021). The report provides a content analysis of a dataset of 3735 stories published in 692 news sources over a period of one year. We analyzed several features of the media framing, including its evolution over time, its geographic distribution, and sourcing practices (who was quoted in news stories). We also highlighted the place of civil society in these narratives by looking at which civil society organizations appeared most often in the media and what roles they played vis-à-vis digital surveillance. A full version of the report, including detailed information about the data gathering and coding categories are freely available online (Nothias et al. 2021).

In this section, we draw on our report to further develop a typology of digital policies that matter to nonprofits. Here, we turn our attention away from how actors in the sector perceive the nexus of digital policy and nonprofits, and instead to how news coverage represents the role of nonprofits on digital policy issues. We focus on the first year of the pandemic – an unprecedented moment of heightened digital dependence – to expand on what we mean by domain-specific policy issues, operations specific policy issues and definitional policy issues.

One way in which digital policies mattered to nonprofits was in the specific domains of nonprofit action. Take the case of public health. The pandemic accelerated our collective reliance on digital technologies for public health contact-tracing. In Singapore, for instance, disease investigators relied on camera surveillance footage in local businesses, on digital financial records, and on a newly created application using Bluetooth data to determine if people had been in contact with people who tested positive. While health care data is governed by strict digital data protection protocols, the pandemic made clear that – in certain states of emergency—sharing personal health care data would be essential to protecting public health. To the extent that many institutional actors in the medical and public health sectors are nonprofits, policy questions around digital governance of health data are key to the domain of action of this part of the nonprofit sector.

Similarly, the reliance of nonprofits on digital technologies for day-to-day operations became evident during the pandemic. A recurring example in media coverage was the use of teleconferencing software Zoom. As nonprofits organizations like schools and universities turned to Zoom early in the pandemic, it rapidly became clear that privacy risks and surveillance concerns had not been taken enough into considerations in this move. By late March, the FBI issued a warning about online classrooms being hijacked (zoom bombing) by individuals using threatening language and showing pornographic and/or hate images (Setera 2020). In subsequent weeks, further security vulnerabilities were uncovered including: a bug allowing malicious actors to take control of a mic and camera of a Zoom user; the email address, photos and LinkedIn profile data of users being accessible to malicious actors via several features; and thousands of personal videos (featuring personally identifiable information) being viewable on the open Web (Hodge 2020).

Most stories in our dataset provided examples for a third digital policy domain that falls under the broad umbrella of mass surveillance. Civil society voices appeared in over half of the stories we analyzed (55.7%) to raise concerns about the long-term implication of digitally-enabled surveillance for civil liberties. For instance, stories about China largely focused on how the country’s public health response to the pandemic both relied on, and contributed to expanding, the state’s ever-growing digital surveillance system which includes a growing variety of data points (geolocation, health, biometric, financial most notably). This finding resonates with a broader historical arc about digital technologies, democracy and civil society – one that moved from the era of “liberation technology” (Diamond 2010) to the age of “surveillance capitalism” (Zuboff 2019). A decade ago, civil society was often heralded as a key partner in developing and embracing digital civic technologies. Today, civil society plays an increasingly important role in raising concerns and awareness about the societal harms of data-centric technologies (for a comprehensive overview, see Dencik et al. 2022).

Leading the charge in stories raising concerns about expanding digital surveillance were a set of largely Euro-American civil society organizations with expertise at the intersection of digital policy and human rights. The most prominent ones were the ACLU, Human Rights Watch, Amnesty International, the Electronic Frontier Foundation (EFF), Privacy International and the Surveillance Technology Oversight Project (S.T.O.P). These results point to the growing coalition and interactions between digital rights groups – like EFF, Privacy International and S.T.O.P–and more traditional civil society organizations, in particular human-rights focused ones, like Amnesty International, Human Rights Watch and the ACLU. In our earlier report, we described this as the “core” of digital civil society: “existing alliances and organizations where expertise cuts across digital policy and social issues” (2020, 21).

This organic alignment of diverse civil society organizations reveals the definitional nature of the issues at stake. By definitional, we mean that digital systems shift the ties between nonprofits, governments, and markets at the sector level. In other words, they influence the boundaries of the sector itself. The sector is built upon implicit values and explicit rights, including access to knowledge, assembly, association, participation, and pluralism. Where regulations of digital systems implicate these values and rights, it is, by extension, of definitional interest to the nonprofit sector writ large. In this case, digital surveillance could be understood as a definitional policy issue with implications for foundational values (such as privacy and freedom of assembly) that make civil society flourish in democracies.

5 The Future of the Nonprofit Sector’s Digital Policy Agenda

For decades, tax policy has shaped the outer boundaries of the policy agenda for the nonprofit sector.^[2] In this note, we argued that digital policy issues matter existentially to the sector writ-large and thus deserve greater attention from scholars, funders, and nonprofit leaders and policymakers. Drawing on two recent reports, we aimed to show that digital policy impact not only the operations and domain of action of nonprofits, but the fundamental values upon which the sector relies and thus deserve sector-wide engagement (in the same way as tax policy does).

In closing, an example of a successful, sector-wide advocacy campaign around a digital policy issue, the SaveDotOrg Campaign, is illustrative of both the depth of nonprofit digital dependencies and the breadth of potential action. The SaveDotOrg campaign was a global effort led by civil society technology organizations (NTEN), digital rights groups (the Electronic Frontier Foundation), and more than 800 other organizations. The campaign was a response to a proposal by ICANN (the global internet governing body) and the Internet Society (ISOC) to sell the registry of “dot org” URL addresses to Ethos Capital, a private equity firm. Concerns immediately arose about the potential for price gouging and the control such a sale would give to a private company over the digital addresses of nonprofit organizations.

The nonprofit organizations that joined the effort to “SaveDotOrg” came from around the world. They included associations of foundations, environmental groups, educational organizations, legal aid providers, mental health counselors, libraries, museums, art promoters, civil rights, public health, medical research groups, and digital policy and rights groups. Building alliances across all those domains is hard; on this issue, their shared digital “address” brought them all together. This note argued that there are many additional digital policy issues that matter across the full spectrum of civil society, which, consequently, means that the opportunities for future advocacy and coalition work on digital policies are numerous, diverse, and existential. The breadth and implications of the sector’s digital dependencies necessitate that scholars, nonprofit leaders and policymakers urgently expand the sector’s policy agenda to include the regulatory domains defining digital spaces.