154 - Because online privacy matters, we need people like Heather Burns

November 14, 2019 01:10:11
WP Builds

Show Notes


Interview - Because online privacy matters, we need Heather Burns

Once in a while you attend an event and the speaker is so eloquent, so immersed in their talk, that you listen with an intensity that is out of the ordinary. Such was a talk given by the guest of the podcast today, Heather Burns. It was at WordCamp London in 2017, and I was in the audience.

The subject of that talk was The GDPR. Not a subject that you'd think could inspire intense concentration, but you'd be wrong. For me, it did. But it was not just the subject, rather it was Heather herself and the manner in which she spoke. It was well informed and powerfully delivered, and were I ever to do live speaking events, I would want to give the audience an experience like I got that day.

From the moment of seeing that talk, I've wanted to have Heather on the podcast to talk about privacy. Now, this is important: we're not here today to discuss The GDPR. Those conversations have, for the most part, happened, and I'm sure that you've heard enough about it.

However, you have not heard enough about online privacy, it's a subject that we all need to care about...

As a WordPress website builder you need to care so that your clients get the latest information; a site which adheres to the law and won't open them up to possible legal action. Although this is not the primary reason that you should care.

As a human being and consumer of internet content, a participator in anything online, you need to care about privacy because your data, your identity, perhaps even 'you'... it's all up for grabs. If none of us think about privacy, then you can be sure that undesirable entities will misuse that data, and nobody really wants a race to the bottom where your privacy is concerned.

We begin our talk by trying to work out what privacy actually means, and it's not as straightforward as you might think. Does this relate to you, your data, the meaning of the data that you've uploaded? What about the interesting information that can be gleaned if someone could piece together a thousand unrelated posts or Facebook updates? Can we start to work out who you like, where you live, what you like to wear, what type of politics you lean towards or that you have a heart condition?

It feels like that's where this is all headed. Without knowing it, we've allowed our data to become something that we're all too willing to give away in exchange for access. Want free image uploads? Sure, but we need to know what you look like and where you took the pictures. Want to be able to chat to your friends? Sure, but we want to scrape the text that you write and push ads at you. Want powerful internet search? Sure, but we'll track that data and know all the things that you care about, and again, push ads at you. And now... want to be able to play songs on a speaker just by talking? Sure, but we'll keep that data and tell you very little about what we're doing with your actual voice pattern.

Did you ever explicitly sign up for that? I'm betting that the answer is 'no', but sign up you did, by clicking that benign little 'accept' button.

Now I know what you're thinking. This is concern over nothing. These entities are harmless and they offer benefits that far outweigh the costs. Well, sure enough, the cost to you is usually $0.00, but that's not the point. We have no idea where this is going and what value these entities can extract from our data. Perhaps they sell it to folk that you have never heard of, you know, the kind of folk who pay for election ads. Perhaps they keep it safe and nothing shady at all happens. Perhaps they get hacked and...

Wait... Heather has an unfortunate tale of what can happen when your data gets loose. It can literally threaten your life.

But what's this got to do with me and you? We build WordPress websites and this is nothing to do with us. Heather thinks differently.

You remember that analytics tool that you installed on the site, the pixel that you've got going on to help your ads? What about the social sharing widget? It's all in some little way adding data to the giant pool, and the web is quite literally awash with ways of making the pool of data held about you a little bit bigger each time you use anything connected to the web.

We need to think about this, but mostly we aren't.

Thankfully Heather is thinking about this for us. She's working on WordPress Core Privacy, trying to bring it front and centre. You remember WordPress 4.9.6? Well, that was the release that added some export options and some basic privacy settings into WordPress. Heather, and what would become the Core Privacy Team, were behind that.

It's an ongoing journey, and it's hoped that in the future multiple CMSs are going to collaborate on this important area and share resources. Talking to the folk from Drupal or Joomla (et al.) could speed up the journey for all in an area where there is literally zero conflict of interest.

Perhaps in the future WordPress can push privacy because of the power that the platform leverages. It would be nice to have some kind of framework that plugin and theme developers could work on to ensure that (to the best of their knowledge) they were shipping code that did not violate privacy principles. Heather has made a few tentative steps on this journey too, but she's (we're) not there yet.

How would that be enforced / encouraged? Who knows, but just because we don't know does not mean that we should not be thinking about it, right?

Towards the end of the podcast we hear about how Heather thinks that privacy is not something that's getting the attention it deserves. It's largely done by a small band of volunteers, the ones who show up. She does not think that they get a fair crack of the whip, especially at live events where people are often looking for something new to hear about and become involved with. There's work aplenty to do and, if any of the podcast has switched on your privacy radar, the links below are well worth exploring...

Mentioned in this episode:

The core-privacy team roadmap is https://make.wordpress.org/core/roadmap/privacy/
The core-privacy channel on Making WordPress Slack is https://wordpress.slack.com/messages/C9695RJBW
Core privacy team repo is https://github.com/wordpress-privacy
Draft plugin privacy audit workflow is https://docs.google.com/document/d/1R60_9SzeoAVDV7LZ6O5TT5Ppef9i3HL9nmT9oqI6SBs/edit?usp=sharing
The cross-CMS privacy team is https://github.com/joomla/cross-cms-compliance
There’s a great article about it here https://skrift.io/articles/archive/an-umbraco-privacy-health-check/
Heather's own web site is https://webdevlaw.uk
Heather's Brexit side blog is https://afterbrexit.tech
She's on Twitter at @webdevlaw
