A common situation in my life is the following: a small-ish organization consisting of somewhere from 3 to 50 people need some type of way to be reached as a group. The current solution is to have an email adress, normally with a password that is shared in some way among the trusted subset of members that need to be able to access the email directly.
The solution isn’t great for multiple reasons:
- Sharing a password among multiple people isn’t great, 2FA is tricky
- Most email communication are readable by the email provider, unless PGP is correctly used. For most people, PGP is non-trivial to use correctly, and meta-data will not be encrypted even with correctly used PGP.
But it has the following upsides:
- A single stable address to reach the group
- Communication is gathered in one place, searchable, possible to for multiple members to track communication with someone that has reached out.
- Easy to use from any device anywhere
Ideally we’d like all of these things: sensible access controls, some level of transparency within the org regarding who has responded to what messages, an address that is easy to share with people outside the group, minimal (meta)data accessible by the providers, and easy to use across devices.
How do you handle this? What would your recommendation be? I have considered setting up a Signal account, but having multiple signal accounts on a single device is non-trivial, as is setting it up on a new device, meaning that probably each group would need a single dedicated device, which isn’t super practical.
This is a reality of any software. Those requirements exists by themselves or in some combinations, but once you want them all, the difficulty grows exponentially.
The Sunbird model works. Their model isn’t that hard to replicate, and have the steps laidout for you to copy. However, it doesn’t offer some perks you want with limitations. For example, you can only have 5 devices linked to 1 Signal account. There is no 2FA, fine grained access control, nor audit log. The search functionality is not particularly good.
There are ways to overcome those limitations but you will need some tech savvy dude with proper security backgroud/training to design, implement, and manage that. It steps into semi-custom developement and integration, and be warned, it is hard to done right, especially anything with security.