Security is an important, but often overlooked feature when it comes to online giving. In big and small ways, security is a part of every part of the online giving experience.
When we first launched RaiseDonors, there was no way to pre-fill donation forms. Time went by and we evolved to allow for parameters to be passed in the URL to pre-fill the various fields on the donation page.
We’ve continuously made a commitment to reduce friction for the donor and for you, the organization.
(Read about reducing friction for your donors using pre-filled donation forms.)
At first, using URL parameters to pre-fill donations forms didn’t seem to cause any problems.
But then it occurred to us — Hey! This could be an asset to a bad person.
As a part of our mission to help you raise donors for your cause, security is always a top priority. So we made our pre-filled donation pages secure with a feature called “Encrypted Parameters.”
The Threat to You and Your Donors
Whenever a donor gives to you online, they have to input what Google calls PII, or Personally Identifiable Information.
Basically, PII is any piece of information that can identify a person. Google defines PII as:
Information that could be used on its own to directly identify, contact, or precisely locate an individual. This includes:
- email addresses
- mailing addresses
- phone numbers
- precise locations (such as GPS coordinates – but see the note below)
- full names or usernames
We reference Google because chances are you are using Google Analytics, right? (But even if you aren’t, the same principles apply).
A simple story to explain.
Let’s say you have a list of 10,000 donors you’re planning to reach with an email appeal. Your last campaign had good results, but you’re looking to increase the conversion rate on this campaign.
So you decide to get a bit fancier and customize the landing page by providing some url parameters (described and documented below).
And the beauty is, you can track all of this through Google Analytics reporting!
You specifically decide to help the donor by pre-filling in the donation page with the donor’s contact information. Great!
You send the email and monitor the activity.
Conversion rates are higher than before and donations are coming in!
You decide this is a new standard for your organization and so you modify your internal process accordingly.
This allows you to track the donor “hot spots” of mouse-activity through heat maps of your website. If a certain section or call to action button receives more clicks than another part of your website, then it will show up as hotter on the map.
For added measure, you decide to add Facebook pixel tracking so you can monitor the ad-budget in Facebook to know who is converting into donors.
So far, so good. Several months go by.
One of your staff runs a few custom reports in Google Analytics. They notice an odd trend.
The data in the reports contain URL’s that expose PII, Personally Identifiable Information.
How did PII get sent to Google Analytics?
How widespread is this issue? How can you permanently delete data from Google Analytics?
(By the way, it’s really difficult to permanently delete data from Google Analytics.)
Additionally, you may be in violation of Google’s Terms and Conditions (see section 7).
To fix this, you’ll need to roll up your sleeves and get creative with your “views” in Google Analytics. But that’s for another article.
And what about your own terms and conditions?
That is information that should stay with your organization alone and never shared with third-parties.
What if your donors found out their contact information was being shared in places that restricted it?
It’s now a compound problem requiring layers of attention.
But the situation gets even worse.
Another few months go by, and you get an anonymous email from “Alex”.
Alex is a malicious user (i.e. a hacker) who has been secretly working in the background. He’s a pro at identity theft. He makes his living by stealing other people’s identity.
The email from Alex explains that he has acquired contact information for 10,000 of your donors and “thought you should know”. More likely, he is asking for ransom money.
A bit far fetched? Not really. Think about it.
For the past 6 months, you have been sending the full contact information for all 10,000 of your donors through the internet.
Those URL’s contain the donor’s information in plain text. Even if the data has been sent over SSL/TLS, that doesn’t mean the data has been encrypted.
SSL/TLS only encrypts the transmission of the data.
Here are just a few creative ways Alex can harvest your donor’s contact information.
Third Party Services
Consider Google Analytics, the full URL with supplied parameters would be available in Google Analytics reports.
Consider how many plug-ins work with Google Analytics to scrape data and use it.
The URL with all of your donor’s data is available to browser extensions.
Who knows what browser extension your donor has installed or if they are in a public market place.
The browser extensions can collect the URL parameters and then share or sell that information to 3rd party sources.
The full URL links with all the information can get saved in browser history.
This means malicious code could sweep through a user’s browsing history and extract any information in the url (contact information, tokens, etc).
Other users of the same browser/computer could also view this information.
Donors may share the donation page link to social media not realizing what they are sharing: a donation form pre-filled with all of their contact information.
Now anyone on Facebook clicking that link has been exposed to that donor’s contact information.
And it’s on Facebook permanently.
This is why RaiseDonor’s social media sharing icons provide a clean url.
Anytime a visitor leaves your donation page and heads to any other website, the new website has access to the “referrer” header.
That means the site they land on will have access to all of the parameters in their previous URL.
Those parameters contain all of their PII!
This isn’t intended to be an exhaustive or complete list.
Fact is, hackers have more resources and time on their side than you do. That is their advantage.
Our aim is not to scare you. Our goal is to inform you.
Removing friction points and easing the process for donors to donate is the right way to go in raising more donors for your organization.
But as those friction points are removed, the door can be opened for malicious users to compromise your process and data.
So, should you stop? NO.
Should you discuss this as a team and evaluate your process and identify any threats and or risks?
What is RaiseDonors doing about this?
At RaiseDonors, we’ve developed technology which allows you to pre-fill the donation page with your donor’s information in an encrypted and obfuscated way.
We’re extremely excited about our new feature called “Encrypted Parameters,” which we’ll talk about in my next article.
In this coming article, I’ll dive deep into how URL parameters work and how encrypted parameters help keep donor information safe.
It will be a bit technical, but it will be invaluable for your web or IT department as they strive to keep your information secure.
Today, I just want to leave you with these important thoughts.
First, you need to use technology like RaiseDonors reduce friction in giving for your donors.
Second, hackers will always be looking for ways to exploit your technology so they can steal donor information.
And lastly, RaiseDonors is working every day to make your online giving platform as secure as possible so hackers can’t get to your donor’s PII.
If you have any questions, please let us know in the comments below. Until then, see you in the next article!
About The Author: Chris Mechsner
Chris is Co-Founder of RaiseDonors. He spends his days learning and implementing technology, security, and processes to help nonprofits do better online fundraising.
More posts by Chris Mechsner