Heather Burns is a British tech policy and regulation specialist in data protection at Webdevlaw. She educates the profession on the policy issues which impact our work, inspires professionals to participate constructively in the regulatory process, and facilitates cooperation between policymakers and tech. She also works on the WordPress core privacy and cross-CMS privacy teams.
Before GDPR came into force, she gave a talk at WordCamp London 2017 about ‘Protecting the web from political uncertainty’ that is still valid today. Let me transcribe the content of this talk for you.
First of all, there is simply no precedent for the territory that we, as professionals working in the digital industry, find ourselves in. There is also no burying our heads in the sand about this. Decisions are being made about the policies, the regulations and the systems that you work in, and they will impact the way you work.
Indeed, decisions are also being made about the tools that you make: decisions that can hurt the people who use those tools, or that deliberately allow those tools to hurt people.
Nonetheless, whatever your political stance, whatever your beliefs, whatever side you are on, the fact is this: the foundations of the open web are currently under threat.
Secondly, in the UK, there is Brexit and the withdrawal from the European Union. The European data protection regime will stay with us for a while, but what comes after that is unknown. It could end the freedom of movement of data as we have known it. It will spell an end to the freedom of movement of tech talent, which has enabled you to get a job anywhere in Europe and your European colleagues to come here as they wish. The withdrawal from the European Union’s Digital Single Market will remove us from a trading market worth 450 billion pounds to the digital industry. And we are also now dealing with openly xenophobic and authoritarian currents leading to mass digital surveillance.
Meanwhile, in the USA, under the Trump administration, we are seeing, funnily enough, the end of data protection. What little US privacy and data protection regulation there is is being stripped away, with a ’45’ Patriot Act ending encryption. That will spell the end of the freedom of movement of data and tech talent. We have all seen the horrific story about a software engineer entering a US airport being asked to pull out her laptop and write a binary search tree.
Moreover, the US is withdrawing from the net neutrality protections that have enabled the free flow of information and commerce. The US is also dealing with openly xenophobic and authoritarian currents, which have resulted, amongst other things, in mass personal profiling.
I can’t tell you what to believe, but I can tell you what I believe.
I can tell you that as designers and developers, you are people with extraordinary power and influence. You make the tools and see the data. You know better than anyone what needs to be done to protect the people who have entrusted you with their data.
Now, in this talk, I’m going to encourage you to:
- Think proactively about self-defense and user protection
- Adopt protective workflows and business practices
- Prepare for the challenges ahead.
1. Think about user data protection
Regardless of what political stance you hold or what you believe in, the fact of the matter is that people are now working in a climate of fear.
UK – Brexit:
We have the Digital Economy Bill, which is enabling data sharing across government on a massive scale, ostensibly for things like fuel poverty, or sanctions and punishments.
We have the Investigatory Powers Act, the master law that left no less than Edward Snowden gobsmacked. Amongst its provisions are mandatory backdoors in hardware, which makes the UK a ‘no-go place’ to do business with.
We are also seeing actual deportations of grandmothers who have lived in this country for 30 years.
US – ’45’:
First, the list-building has begun. People are being profiled.
As we saw in the CIA WikiLeaks dump, there are backdoors in hardware, a bit like in the UK.
Similarly, we are seeing the deliberate, calculated removal of regulatory protection, and horrific things at border controls, such as the searches you can now expect.
We are seeing the deportations of children separated from their families at stall, as a fulfillment of a campaign promise.
Care for the people in the data
To support your users responsibly and address their concerns, you must overcome your apathy. I know that in digital your default setting is ‘politics and laws: not interested’. You have the luxury of thinking that because you are in the 1% by being a digital nomad. You can move to Europe, you can flee somewhere else. But guess what: the 99% of people who will never have the luxury to do that will live with the consequences of the tools you create.
2. Adopt data protection workflows
We are in hostile territory. What you must do is adopt legal and technical defense strategies. In Europe, we are at an advantage because we have an overarching data protection law. In the United States, there is no overarching data protection law; it is divided by sector or by state. You may have heard that California has a very strict data protection law, which is now under attack. But America as a whole doesn’t have a system like we do in Europe. That is very important to know, as America is where a lot of data is held and processed.
For this, the defense strategy you can adopt is GDPR.
GDPR is the General Data Protection Regulation, which became enforceable on 25th May 2018. We in the UK are going into this regardless of Brexit, and are going to stay in it for at least a few years. What comes after that, as I said, is a problem that concerns most of us deeply. But for now, we have a little bit to work with.
This regulation replaces the existing European data protection regime, which dates from, believe it or not, 1995. You know it here in the UK as the Data Protection Act 1998. GDPR is a much-needed update for the digital age; the existing data protection law was from the age of dial-up and floppy discs.
GDPR has new requirements on many things. Things you need to know are:
- Accountability: you have to become accountable for and document all your data protection compliance
- Consent: you must secure and confirm consent from the people whose data you are using.
- Third-party data sharing: there are really strict rules on third-party data sharing, on who you are passing your data to, whether that’s Facebook or a business partner
- Data breaches: these become a bit more enforceable than they have been in the past
- Individual rights: you must be prepared to meet people’s rights over their data
- International data transfers: this system has been thrown into chaos because of Brexit and the Trump administration.
But for our purposes today, the key take-aways from GDPR are:
- PBD: Privacy by Design
- DPBD: Data Protection by Design.
That’s not quite what it means now. It now means:
a) Privacy by Default
- Going forward, in your work, whether it’s your website or your apps, for whatever data you take and receive and however you use it, you must provide clear, transparent, standardised privacy notices. There are templates you can follow, with icons and tables. The days of the worthless 30-page nonsense written by a lawyer are over.
- PBD calls for data minimisation: the less data you hold, the less data they can get at. You need to start thinking of data as your liability. Reduce the amount of data you are collecting and storing. There is going to be mandatory deletion of data, and you are going to have to be prepared to document when and how you deleted it. Did you delete it? Prove it!
- Increased accountability: you can no longer retrofit data protection into a project after a fault. You have to factor it in from the minute you start creating a project.
- Enhanced subject access requests: that is, the rights people have over their data
- Third-party data sharing
b) Data Protection by Default
- Privacy impact assessment: you need to start conducting privacy impact assessments right now. What are you collecting? Where is it stored? What’s on your website’s database and what you are doing with it? Secure passwords?
- Data retention and deletion
- Technical and security accountability
- Data Breach preparedness: when a data breach happens, you now have 72 hours to report it to the Information Commissioner’s Office and there is certain information they will require
- Staff awareness: data protection privacy now becomes everyone’s problem.
Under the current data protection regime, there is also the:
c) Privacy Shield
- It is a voluntary agreement used by US companies to ensure compliance with EU standards for EU data. In other words, if you are doing business with a company in America, they must agree to safeguard your data in their regulatory system as if it were still in Europe.
- Privacy Shield has always been fragile and imperfect, but it provides legal certainty.
- It may be invalidated soon, and already is under Trump. Consequently, do not assume that your data is secure in the USA. You must ensure that any US companies you do business with are Privacy Shield compliant for the purposes of EU data protection law. The same goes for any third-party companies you do business with.
If you live in the US or in a country that doesn’t have a legal framework, you can still use GDPR. It’s a fantastic toolkit with a basic legal framework.
So, let’s go beyond that.
d) Technology in Hostile States: Ten principles for User Protection
- It may sound counter-intuitive after what I have just said, but do not rely on the law to protect systems or users. Always take further steps.
- Prepare policy commentary for quick response to crisis. This means that digital professionals must be prepared to counteract really stupid political arguments with coherent facts, figures and technical explanations as soon as a crisis hits.
- Only keep the user data that you currently need. This is GDPR again: you can see that these working principles tie in to data protection law.
- Give users full control over their data. Users have the right to ask a company what data it holds about them, and to ask it to delete that data.
- Allow pseudonymity and anonymity: pseudonymous data is data that has been separated from any personally identifiable information; anonymity allows people to register anonymously. Do not put a Facebook social log-in on your site, because everything those users tell you is going to Facebook.
- Encrypt data in transit and at rest.
- Invest in cryptographic R&D to replace non-cryptographic systems. This doesn’t really concern you if you are a small company.
- Eliminate single points of security failure, even against coercion: use multiple layers of security, such as sandboxes, modularisation, voluntary attack surface reduction and least privilege. What you are doing on the backend really does matter.
- Favour open source and enable user freedom: advocate the freedom to use, to share and to improve software.
- Practice transparency: share best practices, stand for ethics, and report abuse.
e) So, what can WordPress developers do on a practical level?
- Conduct Privacy Impact Assessments (PIAs): go to the Information Commissioner’s Office for guidance.
- Provide privacy gradients: it’s not on or off. Give people multiple choices about how much data they share with you.
- Check your external connection requests: we played around yesterday with a plugin called ‘Snitch’. It will tell you what all your plugins are doing.
- Don’t send personally identifiable data ‘home’: if your plugin phones home to check the version, that’s great. But if it reports that such-and-such a user at this URL has an insecure blog, you are in trouble.
- Don’t send personally identifiable data to third parties.
- Enable data minimisation and deletion.
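Two of the practical steps above, phoning home without personal data and scheduled deletion, shown as an added example in WordPress plugin code (not code from the talk or from any real plugin). The endpoint URL, the `example_submission` post type, the `EXAMPLE_PLUGIN_VERSION` constant and the hook names are hypothetical placeholders.

```php
<?php
// Added example, not from the talk or from any WordPress plugin.
// Endpoint, post type, constant and hook names are hypothetical placeholders.
define( 'EXAMPLE_PLUGIN_VERSION', '1.2.0' );

// What a leaky version check looks like: the site URL, the admin email and
// every user's address ride along with a request that only needs versions.
// This is the "such-and-such a user at this URL" problem from the talk.
function example_version_check_leaky() {
    $payload = array(
        'plugin'      => EXAMPLE_PLUGIN_VERSION,
        'site_url'    => home_url(),                                 // identifies the site
        'admin_email' => get_option( 'admin_email' ),                // personal data
        'users'       => wp_list_pluck( get_users(), 'user_email' ), // PII for every account
    );
    return wp_remote_post( 'https://updates.example.invalid/check', array(
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( $payload ),
    ) );
}

// Minimised: only what is needed to answer "is there a newer version?".
// Nothing in the body identifies the site or a person.
function example_version_check_minimal() {
    $payload = array(
        'plugin' => EXAMPLE_PLUGIN_VERSION,
        'wp'     => get_bloginfo( 'version' ),
        'php'    => PHP_MAJOR_VERSION . '.' . PHP_MINOR_VERSION,
    );
    return wp_remote_post( 'https://updates.example.invalid/check', array(
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( $payload ),
    ) );
}

// Retention: permanently delete stored form submissions older than 90 days,
// once a day, so data you no longer need is not there to be breached or demanded.
function example_purge_old_submissions() {
    $stale = new WP_Query( array(
        'post_type'      => 'example_submission',
        'post_status'    => 'any',
        'posts_per_page' => 200,           // batch size; the job runs again tomorrow
        'fields'         => 'ids',
        'date_query'     => array( array( 'before' => '90 days ago' ) ),
    ) );
    foreach ( $stale->posts as $post_id ) {
        wp_delete_post( $post_id, true ); // true = skip the trash, delete for good
    }
}
add_action( 'example_daily_purge', 'example_purge_old_submissions' );
if ( ! wp_next_scheduled( 'example_daily_purge' ) ) {
    wp_schedule_event( time(), 'daily', 'example_daily_purge' );
}
```

Running the leaky check with a tool like ‘Snitch’ shows the outbound request body; the minimised version is what you want to see there.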
f) Yet, what can WordPress meetups do?
- Run a WordPress (WP) security clinic on plugin security, data audits and HTTPS everything.
- Host a cryptoparty, where people bring their gadgets and learn, and where you educate users on how to make them secure.
3. Prepare for data protection challenges
Now, I’m going to prepare you to face challenges by avoiding these pitfalls:
a) Avoid Digital solutionism
- Also known as ‘we can solve this with an app’, as a way of dealing with political disruption.
- Digital solutionism is the ego-mania of the 1%: it looks good for you but doesn’t actually solve the problem.
- The offline problems you are dealing with now do not have online solutions.
- Online tools are the means, not the end. Here are some examples of tools that aren’t digital solutionism:
- Techresistance.org: originally American grassroots projects by digital professionals, building tools that can be used over the next couple of years
- Tech-forward.com.pk: again originally grassroots projects by digital professionals, building tools to get through the next couple of years
- Datarefuge.org: where people are downloading and safeguarding data that the Trump administration is deleting, such as EPA data and global warming data.
- Progcode.org: a progressive coders’ alliance coming up with digital tools.
- Theyworkforyou.com / Mysociety.org: these come from the UK and use a lot of government open data, but we really have nothing comparable to the level of digital activism that is happening in the US right now.
- Signing a petition.
- Saying ‘hey I signed this petition’ on social media.
- Signing a petition isn’t political activism. I can tell you that 95% of sign-up petitions are list-building exercises for fundraising.
- Using an automated ‘email your MP’ message. That is the equivalent of spam.
- Political activism isn’t memes, hashtags and tweetstorms.
- Political activism is not speaking to your filter bubble.
On the contrary, what we need now is:
c) Meaningful engagement
- Engage personally with your managers and leaders about these issues.
- Engage personally with policymakers such as MPs and parliaments.
- Join open rights groups.
- Give numbers, figures, and the bottom line. They are not interested in your uninformed opinion. Be factual.
- Be constructive and cooperative.
- Speak through industry bodies.
Here is a slide I really like. It can apply to any sort of advocacy.
Beyond this, this graph will give you more detail. Let me explain it:
You’ve got the rubbish things at the bottom that you don’t do, which are really ineffective, i.e. guilt and punishment (breaking the law, getting a fine). It doesn’t work.
As far as requirements are concerned, GDPR is coming and you need to comply. But I’m not trying to use it as a stick to hurt you with.
As for rewards, this isn’t a game. Don’t incentivise it!
Instead, enlighten and inspire your colleagues and your industry about these issues and about the way forward.
Even so, all the suggestions I have given you today assume that you have room for manoeuvre and can work within your organisation. But what happens if you don’t?
d) When the day comes
What happens when the day comes that you find out someone is expecting you to use the tools you created to hurt people?
And what about when you find out that the tools you have made are already being used to hurt people?
What if you become aware that the data you have control over has been compromised or misused?
You must remember that you have a responsibility to care for the people in your data, and you may be called upon to do something. You need to search yourself, and you may need to be prepared to refuse a government request and to leak data responsibly. The most professional and ethical thing you can do in your career may be to drop a table. You may be called on to delete data, and you may even be called on to sabotage it.
e) You think that’s radical? It’s not. It’s called ‘ethical hacking’
So, let me introduce you to my new hero. Anyone here from France? Do you know who this is?
Does anyone know what that is in the background? It’s a punch card. This was a fellow called René Carmille.
He was a punch card computer expert and a controller general of the French army in the 1940s, who ran the demographics department of Vichy and later France’s national statistics service. He also looked after the technology behind the French census, which ran on punch cards.
Clearly, punch cards are a wonderfully innocuous form of technology.
Then the Nazis came along. Punch cards running on IBM technology became the means by which the whole Holocaust was carried out.
So, what did René do? He sabotaged the census. Together with his team, he purposely delayed the census by mishandling punch cards and leaving piles of them stored in a back room for two years. He also hacked his own machines. Column 11 on the punch card recorded the person’s religion, so that the Nazis could find out who and where all the Jews were. He hacked the machines so that they couldn’t punch anything into column 11. This worked for a few years, until they caught him.
But what did it accomplish? This resulted in the deportation and execution of 73% of all Jews in the Netherlands because of his data sabotage and ethical hacking.
Finally, billionaires at tech companies do not change the world. The world changes through quiet dignified acts of civil disobedience. God forbid, when the day comes, when you have to make that choice, what legacy will your code leave to the world?