Heather Burns on designing for privacy & the data revolution (Part 2)
17 Mar 2019
Heather Burns is a tech policy and regulation specialist from Glasgow, Scotland. She does a load of work on digital regulations and political issues, most specifically those that affect web development.
Heather is part of the core privacy team in WordPress.org, where she helped to create a suite of GDPR and privacy tools shipped to over 30% of the sites on the open web. Heather has also begun work on establishing a cross-project open source privacy coalition with the privacy teams from WordPress, Drupal, Joomla, Umbraco, TYPO3, and other projects.
In part one we talked about Heather’s journey into the privacy space, what privacy means to her, how privacy has evolved in the past year, and what it’s like as a privacy campaigner in the world of open source technology.
In this part two we talk about how tech teams can develop for privacy, the data revolution, how consumers can get involved in the revolution and what the future may hold for privacy.
Andy: What is the most important thing to remember when designing for privacy?
Heather: I suppose what I’ve learned in the past year is that we’ve all been working backwards. We all started working from the perspective of “what does GDPR say we have to do to comply”. I see this with projects where you try to kickstart a dialogue about privacy and they say, “stop, just tell us what the law says we need to do”.
We need to stop approaching privacy as a negative reactive legal obligation, and to fix that we’ve got to back it up all the way to the beginning. We have to invest privacy into project governance and we have to invest privacy into our project values. We have to define what we mean by “privacy”, we have to get it into development guidelines, and we have to make privacy as fundamental a concept as we did with accessibility. Once you have those values and standards embedded in your project culture, when future legal requirements do come along such as CCPA and the ePrivacy directive revamp, your privacy work will go a lot easier because we won’t be working from a hostile perspective. 2019 is a great opportunity to get it right and if that means to take a little bit of time to stop working backwards, which we have a very good window to do right now, then so be it.
Andy: In what way would products and services look different in the future if the current model moves away from filling up databases with people’s data?
Heather: “Look” is the important phrase there. What’s amazing is that most people associate GDPR with those awful consent popups. I think it’s going to be important for projects and groups to work together on improving the user experience and backend data handling as well. However, I think we’ve done a pretty dreadful job of making a visual interface that people can use and understand.
One thing I would love to see in the future is more work on pattern libraries, perhaps working towards a universal visual language. I don’t see why UX designers are not sinking their teeth into challenges like this, using open projects like the IF data permissions catalogue of pattern libraries as a starting point. It baffles me that designers will battle over the border radius on a button, but helping to develop a visual language to help people take control of their data is not what they’re interested in.
Andy: How would a rise in personal data requests impact web development and tech projects as a whole?
Heather: I think it’s going to make us start being a bit more conscientious about the data captured in the first place, now that the penny is dropping that what data goes in must go out. Why does your app need access to your users’ contacts? Why does an app need to track your location? Why does your app need your microphone on? Why does your toothbrush track your location? Begin to ask yourself why. Recognise that what you call innovation looks a lot like surveillance.
Tap’s work is a great starting point for confronting users and companies too with the sheer volume of unnecessary data they are capturing and retaining. I was reading last week that someone’s Spotify data log contained a record of every click they have ever made in the interface, as well as the size and location of the interface window at all times. I mean, come on. That’s not actionable user telemetry, that’s deranged.
Andy: Do you think some technologists tend to think they are agnostic when it comes to developing for privacy? They feel they are not responsible for building a product that people use and that sucks data?
Heather: I feel it’s a combination of two things. One, there is absolutely an arrogance in the tech sector which generally feels that we should “move fast and break things”, that we are special people above the law, and that the work we put into the world is a form of self-affirmation, users be damned. That is the view of a small but vocal minority.
However, the more pedestrian explanation is that the vast majority of businesses out there have been very badly guided. To give you an example of that, when I started my wee web design business in 2007 I went to Business Gateway, which is the publicly funded business startup service in Scotland. They are great for giving you brochures on VAT, HR, copyrights and trademarks, that sort of thing, but there was absolutely nothing on data protection or privacy. Not one word. When you are starting a business you are very green and you are torn in a dozen directions, which means you are only taking in what is in front of your face. If the state-funded startup service does not put it on your radar, it’s not going to cross your mind.
Fast forward twelve years later and now when you go to Business Gateway’s website they have a guide to GDPR for startup businesses. It’s there because I wrote it. I literally had to write the guidance that no one wrote for me.
So while it’s true that there is a small but vocal segment of our industry that is very hostile to the concept of privacy and legal accountability as a principle, I know for a fact that the vast majority of technologists out there have been very poorly guided. If you provide them with the support and tools and resources to put things right, they will be more than happy to do so.
Andy: I understand you do a fair bit of work for the WordPress.org privacy team, could you tell me a bit more about the work you do with WordPress?
Heather: There’s a phrase — “a rising tide lifts all boats”. Its absence is one of the things we confronted in the WordPress core privacy GDPR project, where the team was building tools from scratch. There had been other examples of tools that had been built by other projects ahead of ours, but we did not have the time or support to research those other tools and say what could we take from that. Going forward, we’ll certainly be looking at what we can learn from other projects and approaches.
There are many similarities between accessibility and privacy, and it’s one of the reasons the two teams get along so well. It often feels like a mutual support group, which perhaps it shouldn’t! Our teams work from the perspective that accessibility and privacy are fundamental human rights. If people can’t access your shiny new toy because it’s inaccessible, then they can’t exercise their privacy rights either. And we also deal with legal compliance issues, which makes us the teams no one likes. There’s so much we can take and learn from each other but I would really love for us to spend more time celebrating our victories rather than commiserating over drinks.
Andy: Where do you see things going in 2019 in the privacy space, and what are your plans?
Heather: In terms of privacy and GDPR, we all need to be looking at the ePrivacy revamp in Europe, and the growing shape of privacy legislation in the US, where there’s going to be a Federal standard or law, or both, put into play.
For us in Europe it’s all about Brexit, and as you’re probably aware, there is zero comprehension of what is ahead of us for the technology sector. There is no historical precedent for an entire sector being pulled out of the only regulatory framework that it has ever known, while losing the freedom of movement for the people who build the sector. I think it’s important for us to organise and speak up formally and politically in the right way through the right processes; I’ve got a side blog all about it at https://afterbrexit.tech.
Andy: What are the ways, as a consumer, you can get involved in shaping and joining this data revolution?
Heather: The best way to join the data revolution is to understand you have rights over the uses of your data. Every person has those rights, but it’s down to you to exercise them. You’re not passive, you’re not a victim, you have choices and options and you always have. Those of us on the development side will be doing our best to provide you with the tools to help you stay in control.
Andy: You do some incredible work and most of it goes unpaid, what keeps you going?
Heather: Privacy means poverty, on top of the headgames and abuse. It’s not a field for people who want praise or money. But it’s the right thing to do, and persisting is not even a question for me. Did you know, a few months ago apparently there was a bet going around my open source community about when I would quit. I hear that and think, imagine if those people put their energy into shipping a Trac ticket. Giving up is not who I am, so I am in this for the long haul.
Andy: Good on you!
Heather: By the way, I’m running a half day workshop at PHP Yorkshire in April on implementing privacy into projects from the ground up. You should come. They have elephants in flat caps.