Achievement: Early strikes on the Silicon Valley agenda
For too long, in the eyes of policy-makers and the market, these companies could do no wrong. We worked hard to bring down their halo. Since the 1990s, much of the industry has been pushing the boundaries of law and surveillance to advantage and abuse their own financial position. First it was within the exhuberrance of the dot-com boom, then in the second phase with the rise of search engines and portals, then within the Web 2.0 and social media craze, and now under the ‘fourth industrial revolution’ of exploiting personal data.
What we did
We constantly pressured companies to protect privacy, comply with data protection principles and law, and enable their users to assert control. We had to push companies to make clear their privacy commitments — early on we demanded Amazon and Google to clearly state their privacy policies. We pushed search engine companies to limit the retention of our search data. We scrutinised privacy policies and practices. We pressured internet companies to allow people to actually delete their accounts — which, for instance, resulted in eBay creating this capability. We worked with company officials to develop pressure internally for better practices and to publish transparency reports.
Where things stand now
The industry is ever more powerful, just as resistant to regulation, and is now in constant acquisition mode. The mood towards this industry has changed — Microsoft tried to own our identities with Passport. Google became synonymous with passing the ‘creepy line’ with its data-grabs in Buzz and Streetview WiFi. Facebook’s moving of the privacy goal posts has worn thin the patience of its users.
Even still some have taken positive moves, though often temporary. Google’s work on transparency and surveillance in 2009 was positive. Microsoft innovated on identity solutions that protected privacy. Apple’s moves on device encryption opened debates in 2016. But these firms need constant pressure to do the right thing. Otherwise they will too easily fall back to their data-voracious and insecure tendencies.
What we learned
Large companies are complex — the left hand knows not what the right bottom left tentacle is doing. Staffing at companies change, but the fundamental direction is set by the founders and investors. This means that even when positive buy-in is possible in one part of the organisation, it won’t be long before that is undone by another side and when someone moves on.
Ultimately, despite all the occasional pro-privacy rhetoric, only the threat of regulation truly affects their conduct.
What we are doing now
We are looking at how industry generates data on us, beyond our control, to make decisions about us. We are calling for greater security over this data and these devices and services before they all betray us.
We continue to monitor and stress-test and harangue industry, and will seek regulatory action when they fail to respond.