Is Sensitive Data Safe At AAI?


When Bill Flavell joined the Board of Atheist Alliance International (AAI) he became the next person to fill the role of Secretary after me. At the time he spoke to many people very favourably about the job that I had done, but later he changed his mind. In particular, he was incredibly critical of the data security standards in place during the period when I was on the AAI Board, and he was adamant that as soon as he took over big changes were needed.

In the short video clip below, Bill Flavell makes that point directly to me during a video podcast.

Bill Flavell Criticising Data Security Under His Predecessors

The AAI members and the donors to AAI should then have been encouraged that data security while Bill Flavell was on the Board, would be a major focus. This was an issue that would receive his full attention, so that AAI would keep very sensitive data safe and secure. If one thing is obvious from the video clip above, it is that the approach to data security within AAI would represent the absolute best possible effort of Bill Flavell’s Board on that issue. In fact, it is now possible to check the record on their performance:

  1. The first thing that Bill Flavell did after taking over as Secretary of AAI, was to send an email to all members that accidentally shared all of their private and personal email addresses in public. A full copy of that email is available at the bottom of this page. I apologise for the several pages of redactions, but Bill Flavell did in fact improperly share in public many hundreds of private and personal email addresses.
  2. Next, Bill Flavell’s so-called Board lost the entire AAI database of members, supporters and donors. This included all personal details, such as email addresses, home addresses and personal phone numbers. After admonishing me specifically about data security processes in the case that a Director leaves the AAI Board, Bill Flavell’s Board was responsible for the largest ever data loss in the entire history of AAI, as a Director left the AAI Board. Amazingly, the people whose personal details were lost, were not informed.
  3. After losing every part of the AAI database as part of a comprehensive data breach, Bill Flavell then proposed a new grift whereby he would sell “Renunciation Certificates” to apostates for a “small charge”. The idea that Bill Flavell would create a database of people who could come to great harm if that data was ever exposed, drew a predictably angry response.
  4. During the recent purported AAI General Meeting, one self-styled Director on the so-called AAI Board, who was commenting about an individual AAI member said, “his membership was paid by a known critic and you guys have received the name.”. A full copy of the transcript from the EGM is available at the bottom of this page. The individual member in question had made their payment to AAI by credit card. It seems that the ongoing data security record of Bill Flavell’s Board involves proactively sharing the credit card details of his critics, without prior consent. This is in direct contravention of the published AAI terms and conditions, which state as follows:

AAI places great importance on protecting your personal information. We will collect only information we need to manage your membership, collect your payments and to help us provide the most relevant service to you, and we will use your personal information only for those purposes. We will take all reasonable steps to protect the privacy of personal information you give us. We will not sell, rent or disclose your email address or any other personal information to any third party unless required to do so by law.

Extract from AAI Terms and Conditions
  1. After the AAI General Meeting, Bill Flavell contacted OnlySky to insist that they “urgently redact” a name from one of their articles. He stated that this was because publishing the name was putting this person “at risk” and causing him to be “extremely afraid”. Once OnlySky had immediately applied the redaction, representatives of that publication informed Bill Flavell that their source for this information was a public page on the AAI web site, which had published this name under a photograph of the person. At the time of writing now three weeks later, Bill Flavell has still not removed the offending page from the AAI web site and it is still easily found with a simple Google search. As Michael Sherlock (a former Executive Director at AAI) commented, “This type of deadly sloppiness by a global charity, in an arena where vulnerable lives are literally on the line, must be immediately remedied.”. At the time of writing, it has still not been remedied.

No data security disasters approaching anything like this list ever took place under the watch of the previous AAI Board, before Bill Flavell took over. Notwithstanding how severely Bill Flavell has chastised his predecessors on this issue, his watch on the AAI Board has seen one data security calamity after another.

Consider a responsible activist, who happens to be in touch with a vulnerable apostate. Based on the circumstances where they live, that apostate might reasonably believe that they might be at risk if their loss of faith becomes widely known. Given the track record described above, could any activist in good conscience recommend that such an apostate should send their personal details to AAI?



Leave a Reply

Your email address will not be published. Required fields are marked *