It is time for leaders in the tech industry to double down on their Diversity and Inclusion efforts. It is time for leaders to say that they outright reject this racism, sexism, and bigotry and will not have it in their companies. The CEO of GrubHub, Matt Maloney, demonstrated exactly what I think CEOs of tech companies need to do right now in a letter to his employees, from which I’ll quote an excerpt:

While demeaning, insulting and ridiculing minorities, immigrants and the physically/mentally disabled worked for Mr. Trump, I want to be clear that this behavior — and these views, have no place at Grubhub. Had he worked here, many of his comments would have resulted in his immediate termination. We have worked for years cultivating a culture of support and inclusiveness. I firmly believe that we must bring together different perspectives to continue innovating — including all genders, races, ethnicities and sexual, cultural or ideological preferences. We are better, faster and stronger together. Further I absolutely reject the nationalist, anti-immigrant and hateful politics of Donald Trump and will work to shield our community from this movement as best as I can. As we all try to understand what this vote means to us, I want to affirm to anyone on our team that is scared or feels personally exposed, that I and everyone else here at Grubhub will fight for your dignity and your right to make a better life for yourself and your family here in the United States. If you do not agree with this statement then please reply to this email with your resignation because you have no place here. We do not tolerate hateful attitudes on our team. I want to repeat what Hillary said this morning, that the new administration deserves our open minds and a chance to lead, but never stop believing that the fight for what’s right is worth it.

Matt received much backlash for this, because many folks never read the letter he sent and instead wrongly believed headlines that he’d called for Trump voters to be fired. However, Matt said exactly what needs to be said:

Hate has no place at his company. Comments similar to the ones Trump made will result in immediate termination. He and the company reject the nationalist, anti-immigration, hateful policies espoused by Trump during the campaign. He and the company will work to shield and fight for those in danger. If you do not agree with any of that, email your resignation. Hate has no place at his company.

These ideas are not revolutionary, and may seem like common sense to some. If you are sexist, racist, or bigoted and say hateful things, you’ll be fired. If you don’t want to work at a company that will fight for the safety of marginalized folks in danger, quit. And yet, because of this letter, Trump voters called for a boycott of GrubHub. GrubHub’s stock took a hit, to the tune of $300 million. We have officially come to the point in time when you have to, to borrow a phrase from Hack the Hood, put your money where your values are. It is time to openly express support for those who are marginalized and take whatever financial hit that causes your company.

The U.S. Government domestic spying apparatus was already attempting to gain access to customer data. Expect this to get much worse.

Of equal importance is making sure your apps and sites are secure. The Trump administration is quite fond of making lists of “haters.” Newt Gingrich has called for the return of the House Un-American Activities Committee. Trump will have the power of the entire U.S. Government domestic spying apparatus at his fingertips. Those nation-state level attacks aimed at “dissidents” will now come from the U.S. and will be aimed at countless American citizens, to determine if they’re engaging in “disloyalty and subversive activities.” Every company that handles messaging and communications on behalf of its customers or stores Personally Identifiable Information about its customers should be working on the following:

Adding or strengthening encryption of customer data in transit and at rest: Encrypting data ensures privacy (your data can’t be snooped) and integrity (your data can’t be tampered with). In the presence of nation state threats, which we know exist domestically (never forget “SSL added and removed here”), encryption is the only way to have any level of data protection online. Encrypt your customer data in-house and encrypt it end to end. There should be no point at which your customer data is stored or transmitted in the clear.

Adding two factor auth to all customer and employee accounts: People re-use passwords; it’s a fact of life. Once an account is breached in one place, don’t expect the U.S. Government to do some password dump looking for a payday. Expect them to use those passwords to gain access to other accounts on other sites. Protect your customers from this by adding 2FA to all accounts so access to an account requires more than a password. If you don’t have the engineering team to handle building 2FA into your product in house, talk to Authy, Auth0, or Instant2FA* (currently in closed beta, but I have a beta access code for you if you need one). Resist the urge to offer or rely on SMS as your second factor, since it’s trivially bypassed by cell companies who have already demonstrated their willingness to comply with government surveillance. Once you’ve implemented 2FA, vigorously encourage its use among your customers. Give them incentives to use it.

If your internal organization logins do not have 2FA (and they really must, for reasons I’ll get into below), talk to Duo, and make 2FA a requirement for all employee logins. In short, if customers have data on your platform that can be used to identify or target them, 2FA needs to move from “nice to have” to “must have.”

*Full Disclosure: My significant other is co-founder and CEO of Instant2FA.

Locking down access to customer data: Remember those 1/5 people in your company who voted for Trump? Some might very well think this is a good time to shoot their shot to get into his good graces by feeding him information from inside the company, including customer data. I know we all like to assume good intent, but your assumptions of good intent could cost someone their life. Follow the principle of least privilege: if an employee doesn’t require access to customer data to do their job, then their account should not have privileges to access that data. If customer data is not already protected in this way, immediately require 2 human auth to access customer data. As in, to get access to customer data, a person needs themselves and someone else to log in to whatever tool you use for customer data access. If you’re not already doing this (you should be), ensure that monitoring for your databases that house customer data is in place, and keep an immutable audit trail of all access to those databases, in case there is a breach. If someone in your company accesses customer data, you should know it, and be telling people about it, immediately.

Minimize the amount of customer data you collect: Practice good data minimization hygiene by reducing the amount of customer data you do collect to just that which you absolutely need. Think about every piece of data you collect about your customers and how it could be used against them. If you discover you’re collecting data you don’t really need but that could cause significant harm to people, get rid of it. Once you’ve finished that exercise, ensure the data collected is purged once the intended use for it has passed.
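The two-person access rule and audit trail from the “Locking down access to customer data” item above, sketched as an added example that is not part of the original post. The role names, record ids and helper names are hypothetical, and both people are assumed to have already logged in (with 2FA) before this check runs.

```python
import hashlib
import json
import time

# Hypothetical roles whose job requires customer data (least privilege).
PRIVILEGED_ROLES = {"dba", "support_lead"}
GENESIS = "0" * 64


class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append(
            {"prev": prev, "event": event, "hash": self._digest(prev, event)})

    def verify(self):
        """Return False if any stored entry no longer matches the chain."""
        prev = GENESIS
        for entry in self.entries:
            expected = self._digest(prev, entry["event"])
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def request_access(log, requester, approver, record_id, reason):
    """Grant access only when two distinct privileged people sign off."""
    granted = (
        requester["id"] != approver["id"]
        and requester["role"] in PRIVILEGED_ROLES
        and approver["role"] in PRIVILEGED_ROLES
    )
    # Denied attempts are logged too, so probing shows up in the trail.
    log.append({"ts": time.time(), "requester": requester["id"],
                "approver": approver["id"], "record": record_id,
                "reason": reason, "granted": granted})
    return granted
```

The hash chain makes edits to past entries detectable but does not detect truncation of the newest entries, so the latest hash should also be copied to a system the database administrators cannot write to.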

Put your roadmap aside for a while, because whether or not you do the above things could be the difference between life and death for many of your customers, especially the marginalized customers.

Millions of people in the United States are potentially in danger. Those are your customers. Build for them.

For those who are looking for the “next great app” to build, you have a new mandate: protect those in danger who wish to stay, and help those in danger who wish to leave. Start building things that solve the following:

Funding passports for those seeking to leave the country

Determining which countries are best for those seeking asylum

Streamlining the process of moving to those countries

Match people who need protection with those offering it

Secure, private, and verified communications. (Please throw lots of your energy into improving Signal, which is open source.)

You get the idea. To summarize, there are now millions of people in the United States that are potentially in danger. Those are your customers. Build for them. If you can’t get funding to build apps like this, let me know and I’ll put you in touch with VCs who want to do the right thing and be on the right side of history.

Lastly, tech industry, I and others need for you to have a great deal of empathy right now. I want you to think about how you’d feel if you truly felt the lives of your family and many people you love were in grave danger. Mortal danger. If someone who has built a career hating you was now in control of the country you live in. If you’re a straight person, imagine what it would feel like if someone who wanted you to be gay, by any means necessary, including torture, was now in position to set policies about your life. I want you to try to think about that…feel that. Really take about 30 seconds, right now, to try to feel what that feels like, if you’ve never been in that position before. I’ll wait.

⏲ ⏲ ⏲

Did you think about it? Did you feel it? Hopefully you now have a better understanding of the terror, sadness, anger, and uncertainty many of your coworkers are feeling today. Many of us are unsure what next year will bring for us. Many of us are unsure if we’re even staying in this country. While you’re having discussions about how we’ve been here before, and we’ve just got to ride it out like we did for Bush, many of your coworkers aren’t sure if we’ll stay in the country, because vehement and vocal racism, sexism, and homophobia will be the norm in the U.S. Government. None of us have been here before. Perhaps our grandparents have. But we haven’t.

The reality for those of us that aren’t straight, white men is that at best, our civil liberties are about to be eroded and at worst, well, there are many reasons Donald Trump and his administration invite Hitler comparisons. Know that this is what some of your coworkers are carrying around with them. Do not assume smiles or occasional jokes are indicators that we are “ok.” We just can’t cry all day at work, so we smile and make jokes to get through, until the next day. We will repeat this until it becomes clear that it is time for us to go, and you won’t see those smiles anymore, because you won’t see us anymore.