Shared Ground, Separate Rooms

Your boundary-spanners came back from those meetings with something useful. Maybe it was specific — both groups have been showing up to the same school board meetings, or you’ve both been running food deliveries in overlapping neighborhoods and didn’t realize it. Maybe it was a complementary gap: their group has someone who understands municipal budgets, and your group has been trying to figure out how to read one for months. Maybe it was simpler than that — your spanners came back saying, “They debrief after every action. They rotate facilitation. They take security seriously. They feel like us.”

Whatever the specifics, you’ve got something the last chapter couldn’t give you: a reason to talk about how your groups will communicate. Not whether. How.

This is where I’m on more familiar ground. The inter-group trust work in the last chapter drew from organizing research that I studied carefully and honestly flagged as outside my core expertise. Network security architecture is closer to what I actually know. The principles here connect directly to the threat modeling and security practices from the journal — they scale differently across group boundaries, but the logic is the same. Security as care. Applied to the space between groups, where the most sensitive information lives.

---

The problem is straightforward to state and genuinely difficult to solve: your group has a security culture. You built it together during your work in Levels 1 and 2 — shared threat model, security champion, breach protocol, platform agreements. The other group may have built something similar, or they may have arrived at their own practices through different routes. The question isn’t whose approach is better. The question is: what information flows between your groups, what stays internal, and how do you communicate across the boundary without compromising either group’s security?

Most people’s instinct is to merge. You trust them, they trust you, so just add everyone to one big group chat and start coordinating. This is the instinct that gets networks compromised, and it’s worth understanding why before I give you the alternative.

In the Matrix, the resistance didn’t operate as one big organization. Each ship — the Nebuchadnezzar, the Logos, the Hammer — was a self-contained crew with its own mission, its own chain of command, its own operational security. Morpheus didn’t know everything the other captains knew. He didn’t need to. When his crew was captured, the damage was contained to what his ship’s crew could reveal. The other cells continued operating. The Wachowskis were drawing on the same organizational principle that has protected every durable decentralized network in history, from the French Resistance to the Underground Railroad to the Zapatistas: compartmentalization.

The word sounds like espionage. The practice is common sense. It means that each group knows what it needs to know to do its work, and sensitive information doesn’t flow further than it has to. Not because the other group is untrustworthy — because limiting information flow protects both groups from the consequences of any single point of failure.

The historical record on this is consistent enough to call it a rule: networks that share everything break when any node is compromised. Networks that compartmentalize survive.

---

The Underground Railroad understood this intuitively. Each conductor knew their segment of the route — the next safe house, the contact point, the timing — but not the full network. A conductor captured in Ohio couldn’t reveal the route through Pennsylvania because they’d never been told it. The compartmentalization wasn’t a sign that conductors didn’t trust each other. It was the structure that made the trust sustainable under pressure.

Alcoholics Anonymous codified the same principle differently. Each group is autonomous except in matters affecting other groups or AA as a whole. The groups share a common framework — the Twelve Steps, the Twelve Traditions — but internal group matters stay internal. A group’s struggles with a disruptive member or a financial shortfall don’t cascade through the network because the boundaries are structural, not personal.

The Zapatista autonomous governance system operates on nested independence — each community, municipality, and region makes decisions at the level closest to the people affected, and information flows upward only when the scope of the decision demands it. The resistance in Chiapas has sustained itself for over thirty years partly because no single arrest, raid, or intelligence operation can compromise the whole.

These aren’t identical systems. They operate in radically different contexts, with different risks, different scales. But the structural principle is the same: protecting the network means limiting what flows between its parts. And the emotional logic is the same too — this isn’t about distrust. It’s about ensuring that the trust you’ve built can survive the kinds of pressure that real coordination attracts.

I’m going to use the word compartmentalization throughout this chapter because it’s precise and because the alternatives — “information boundaries,” “need-to-know structures” — are either vague or carry their own baggage. But I want to be clear about what it means in this context. It means you decide together, explicitly, what categories of information flow between your groups and what stays internal. It’s a conversation, not a wall.

---

Here’s what compartmentalization looks like in practice for two groups that have decided to coordinate.

The liaison model. Each group designates one person as the communication bridge to the other group. Not a leader. Not a spokesperson. A liaison — someone responsible for carrying information between the groups according to the agreements both groups have made about what flows and what stays.

The role has specific characteristics that matter:

The liaison is someone reliable and consistently available. Inter-group communication can’t depend on someone who disappears for two weeks and then resurfaces. The other group’s liaison needs to know that when they send a message, someone will see it within a reasonable window.

The liaison can represent the group’s position without freelancing. This is harder than it sounds. In a conversation with the other group’s liaison, it’s tempting to agree to things, offer things, commit to things on behalf of your group. The liaison’s discipline is to say, “I’ll bring that back to my group” rather than making decisions the group hasn’t authorized.

The role rotates. Monthly or quarterly — whatever cadence works for your groups. Rotation serves two purposes: it prevents the liaison from becoming a bottleneck or a de facto leader, and it gives multiple group members experience with inter-group communication. If one person becomes the permanent bridge, the groups’ relationship lives in that one person’s hands. That’s a single point of failure, and you’ve already learned what those cost.

Indivisible’s statewide coordination structures discovered this through practice. As local groups began coordinating across states, the networks that designated liaisons between local groups and statewide structures — one or two representatives per group, meeting regularly with clear mandates — built durable coordination. The structure let thousands of autonomous local groups share information, coordinate actions, and respond to shared opportunities without any single group needing to know the internal workings of any other. When individual groups experienced internal problems — leadership turnover, burnout, local political setbacks — the statewide network continued functioning because the liaison structure contained the disruption rather than transmitting it.

The groups that tried to coordinate without intermediate structure — everyone talking to everyone, no designated channels, no agreed-upon information boundaries — found that communication became noise. Important messages got lost in general chatter. Sensitive information leaked across contexts it wasn’t intended for. The Indivisible guide to statewide structures eventually formalized what the effective state networks had built organically: designated liaisons, consistent meeting cadences, and clear agreements about what information flows at which level.

---

Once your liaisons are designated, they need a secure channel. This is the operational layer.

Create a Signal channel for the two liaisons. Just the two of them — not a group with all members from both groups. Configuration mirrors what you already know from the journal: disappearing messages enabled, notification previews turned off, Safety Numbers verified in person. The “in person” part matters more here than it did for your internal group chat, because the liaison channel carries inter-group coordination. If the Safety Numbers don’t match, the channel isn’t secure. Verify them at one of your boundary-spanner meetings, face to face, before using the channel for anything sensitive.

This is the channel where operational coordination happens. Meeting logistics for joint activities. Shared information about community events both groups might attend. Updates on joint projects. The liaison channel is purpose-built — it exists for inter-group coordination and nothing else.

Each group keeps its internal channel exactly as before. Your group’s discussions about member concerns, internal disagreements, personal check-ins, security incidents — all of that stays in your internal channel. The liaison doesn’t carry internal information outward unless the group has explicitly decided to share it.

The structure creates natural compartmentalization without anyone having to make ad hoc decisions about what’s secret and what isn’t. Internal matters flow internally. Coordination matters flow through the liaison channel. The boundaries are structural, not personal, which means they hold under stress in ways that personal judgment calls don’t.

---

But the structure only works if both groups agree on what goes where. This is why the next step isn’t operational — it’s conversational.

Your liaisons need to conduct a shared threat model conversation. Not merging your group’s threat model with theirs — mapping the overlap. This is a different exercise than the individual and group threat models from the journal. You’re not asking, “What are my risks?” or “What are our group’s risks?” You’re asking: “What risks does our coordination create?”

The questions that matter:

Where do our groups’ activities create shared exposure? If both groups have been showing up to the same school board meetings, are you creating a pattern that connects the two groups publicly? If you coordinate a mutual aid delivery together, does the coordination itself reveal information about either group’s membership or capacity?

What information about our coordination, if exposed, would create risk? The fact that two groups are talking to each other might be unremarkable — or it might not, depending on your context. The content of your coordination — who’s doing what, when, where — is almost always more sensitive than the existence of the relationship itself. But both matter.

What stays internal to each group? Membership details. Internal disagreements. Individual members’ personal situations. Your group’s specific security vulnerabilities. These are not the other group’s business, not because you distrust them, but because the principle holds: information that doesn’t need to flow between groups shouldn’t flow between groups.

This conversation will feel awkward. You’re sitting down with people you’re building trust with and talking explicitly about what you won’t tell each other. That awkwardness is a feature. Groups that don’t have this conversation end up sharing everything by default — the merge instinct again — or sharing nothing and coordinating inefficiently because no one knows what’s safe to communicate.

---

Inter-Group Information-Sharing Agreement

After the shared threat model conversation, write it down. Both groups keep a copy. This is an information-sharing agreement, and it doesn’t need to be formal or legalistic — it needs to be clear. Here’s a template:

Information that flows between groups (through the liaison channel):

• Joint action logistics — meeting times, locations, division of responsibilities
• Shared community intelligence — public meetings, events, local developments that affect both groups
• Coordination requests — “We need help with X” or “We’re planning Y, would your group be interested?”
• Public-facing information about joint activities — what gets shared with the broader community

Information that stays internal to each group:

• Membership details — who’s in each group, how to contact them individually
• Internal group dynamics — disagreements, interpersonal conflicts, decision-making processes
• Individual members’ personal information — addresses, workplaces, family details, personal situations
• Group-specific security details — your specific threat model, your security vulnerabilities, your breach protocol details

Information that requires explicit consent before sharing:

• Contact information for any individual member (requires that member’s consent)
• Details of any security incident (requires affected group’s consent)
• Anything involving a specific person’s identity, circumstances, or situation (requires that person’s consent)

The consent category is the one people forget, and it matters the most. In the course of coordination, one liaison might learn something about a member of the other group — someone’s having a hard time, someone was at a specific event, someone has a particular skill that would be useful. The default should be: don’t pass along information about specific people without their permission. This isn’t bureaucracy. It’s the security-as-care principle applied to the space between groups, where individuals are most vulnerable to having their information travel further than they intended.

Review the agreement together after your first joint action — you’ll learn things about information flow that you couldn’t have anticipated in advance. Adjust it. The agreement is a living document, not a contract.

---

There’s one more scenario these notes need to address honestly, and it’s the one nobody wants to talk about: what happens when something goes wrong with the other group.

I want to frame this carefully, because the wrong framing breeds the paranoia that destroys networks faster than any external threat.

Most security incidents between groups aren’t infiltration. They’re mundane. Someone from the other group mentions your joint activity in a context that wasn’t agreed upon — at work, on social media, to a friend who wasn’t supposed to know. Or someone leaves a group on bad terms and takes information with them — information that now crosses the boundary between groups because the departing member knew about the coordination. Or a group’s security practices slip — disappearing messages get turned off, a member starts using an unsecured channel for sensitive discussions — and the liaison notices.

These aren’t betrayals. They’re the ordinary friction of human coordination, and the protocol handles them.

The Denver movement during the summer of 2020 shows what happens when these ordinary frictions meet the absence of any protocol at all.

Mickey Windecker was a paid FBI informant — a violent felon recruited to infiltrate the racial justice movement in Denver after the police killing of George Floyd. He arrived driving a silver hearse, presenting himself as a radical activist who’d fought with Kurdish forces overseas. Within weeks, he’d maneuvered into a position of influence across multiple activist groups. He recorded conversations. He pushed protesters toward increasingly aggressive actions, including discussions of assassinating the state’s attorney general. He employed snitch-jacketing — accusing legitimate movement leaders of being informants to undermine their credibility and sow distrust.

Windecker succeeded not because he was sophisticated — his cover story was outlandish enough that some activists suspected him early on. He succeeded because the Denver movement had no boundaries between groups. No liaison structure. No information-sharing agreements. No protocol for assessing new people’s trustworthiness over time. He moved freely across organizational lines because no organizational lines existed. When activists began suspecting him, the accusations circulated chaotically — some people heard warnings, some didn’t, some thought the warnings themselves were snitch-jacketing. The absence of structure meant that suspicion couldn’t be investigated through any legitimate channel.

The result: multiple arrests, including one activist convicted on weapons charges after Windecker pressured him into buying a gun. Activists reported lasting trauma and a pervasive climate of distrust that fractured relationships for years. One activist described Windecker as having “started poking holes through everything” just as relationships and bonds were beginning to strengthen.

The lesson is not about informants. Most groups will never encounter an informant. The lesson is about what happens when coordination has no structure — when there are no boundaries between groups, no agreed-upon channels, no protocol for raising and investigating concerns. The same structural absence that let Windecker move freely would also let mundane security problems — a careless social media post, a bitter departure, a sloppy communication practice — cascade across the entire network.

The protocol for raising concerns between groups is direct and grounded in the same blameless approach from the journal’s breach response:

If your liaison notices a security concern with the other group — a practice that seems careless, information appearing in unexpected contexts, a pattern that doesn’t feel right — the conversation happens liaison to liaison. Not as an accusation. As a question: “We noticed X. Can we talk about how our groups handle Y?”

If the concern is about a specific incident — information was shared that shouldn’t have been, a member’s identity was exposed, coordination details appeared in a public context — the blameless breach protocol applies. What happened? What information was exposed? What’s the realistic risk? What do we adjust? The goal is to fix the problem and update the agreement, not to assign fault.

If the concern is persistent and unresolved — the other group’s security practices are genuinely inadequate and they’re unwilling to address it — you have the option of limiting what flows through the liaison channel. Reduce the categories of shared information. Slow the cadence. You don’t have to sever the relationship to protect your group. You can narrow the channel.

And if the concern is serious enough — if you genuinely believe the other group has been compromised or that coordination with them puts your members at risk — you close the liaison channel. This is a last resort, and it should be a group decision, not an individual one. But the compartmentalization you’ve built means that closing one channel doesn’t destroy everything else. Your group’s internal security is intact. Your practices continue. The damage is contained, because you designed the structure to contain it.

This is what the Nebuchadnezzar’s capture looks like in practice. Not a catastrophic network failure. A contained disruption that the rest of the network survives.

---

I want to close with something about the emotional weight of this chapter, because I’ve just asked you to sit with some uncomfortable ideas. Compartmentalization can feel cold — like you’re building walls instead of bridges. The compromised-group protocol can feel paranoid — like you’re planning for betrayal instead of building trust.

But think about what you’re actually doing. You’re building a structure that lets two groups coordinate safely, sustainably, and with clear expectations. The information-sharing agreement isn’t a wall — it’s a door with agreed-upon rules for when it opens and closes. The liaison model isn’t a bottleneck — it’s a bridge designed to carry the weight of real coordination. The compromised-group protocol isn’t a plan for betrayal — it’s a plan for the ordinary, human reality that things sometimes go wrong, and that having a plan for when they do is what lets you trust the structure.

Security as care. You’ve practiced it inside your group. Now you’re extending it to the space between groups — the space where networks are built or broken.

---

Challenge

Establish a secure inter-group communication architecture with the other group:

1. Each group designates a liaison. Discuss the role with your full group first — the characteristics that matter, the boundaries of what the liaison can and can’t commit to, the rotation cadence you’ll use. Choose someone reliable, available, and disciplined about representing the group’s decisions rather than freelancing.

2. Your liaisons create a shared Signal channel. Just the two liaisons — not a merged group chat. Configuration: disappearing messages on (set a timer that works for both groups — 24 hours or one week are common starting points), notification previews off, Safety Numbers verified in person at your next boundary-spanner meeting.

3. The liaisons conduct a shared threat model conversation using the questions in this chapter. Where does your coordination create shared exposure? What information about your coordination would create risk if exposed? What stays internal?

4. Together, write an inter-group information-sharing agreement using the template above as a starting point. Adapt it to your context — the categories should reflect what your groups actually share and what actually needs to stay internal. Both groups keep a copy.

Document the agreement in your field journal. This is your first piece of network-level documentation — a shared protocol that both groups have created together. It won’t be the last.

---

The first thing your liaison is likely to share through that new channel — once the architecture is in place and both groups have agreed on what flows — is something practical. A community event both groups should know about. A local development that affects you both. Maybe a question from their group about something your group has experience with.

Pay attention to the shape of that first exchange, because it will tell you something about what coordinating with this group actually feels like in practice. And pay attention to what comes up in the liaison channel that neither group could have anticipated — the shared concern that’s bigger than either group expected, or the complementary capability that suggests you could accomplish something together that neither group can do alone.

That conversation — what could we do together? — is what the next chapter is about. But you’re not ready for it until the channel is working, the agreement is signed, and both groups have experienced the reality of communicating across a structure that protects them both.

Build the architecture first. The coordination follows.

---