Early strikes on the Silicon Valley agenda
For too long, in the eyes of policy-makers and the market, these companies could do no wrong. We worked hard to bring down their halo. Since the 1990s, much of the industry has been pushing the boundaries of law and surveillance to advantage and abuse their own financial position. First it was within the exhuberrance of the dot-com boom, then in the second phase with the rise of search engines and portals, then within the Web 2.0 and social media craze, and now under the ‘fourth industrial revolution’ of exploiting personal data.
What we did
We constantly pressured companies to protect privacy, comply with data protection principles and law, and enable their users to assert control. We had to push companies to make clear their privacy commitments — early on we demanded Amazon and Google to clearly state their privacy policies. We pushed search engine companies to limit the retention of our search data. We scrutinised privacy policies and practices. We pressured internet companies to allow people to actually delete their accounts — which, for instance, resulted in eBay creating this capability. We worked with company officials to develop pressure internally for better practices and to publish transparency reports.
Where things stand now
The industry is ever more powerful, just as resistant to regulation, and is now in constant acquisition mode. The mood towards this industry has changed — Microsoft tried to own our identities with Passport. Google became synonymous with passing the ‘creepy line’ with its data-grabs in Buzz and Streetview WiFi. Facebook’s moving of the privacy goal posts has worn thin the patience of its users.
Even still some have taken positive moves, though often temporary. Google’s work on transparency and surveillance in 2009 was positive. Microsoft innovated on identity solutions that protected privacy. Apple’s moves on device encryption opened debates in 2016. But these firms need constant pressure to do the right thing. Otherwise they will too easily fall back to their data-voracious and insecure tendencies.
What we learned
Large companies are complex — the left hand knows not what the right bottom left tentacle is doing. Staffing at companies change, but the fundamental direction is set by the founders and investors. This means that even when positive buy-in is possible in one part of the organisation, it won’t be long before that is undone by another side and when someone moves on.
Ultimately, despite all the occasional pro-privacy rhetoric, only the threat of regulation truly affects their conduct.
Any form of cooperation with industry must be done with great care. While cooperation may create new opportunities for change, if the lines are unclear in any way, the cooperation must not proceed.
In 2007 PI was struggling to find ways to fund PI staff's salaries. PI's then-Director devised a consultancy model to engage positively with companies, through a separate company, 80/20 Thinking. Senior PI staff joined the initiative.
The consultancy's first client was Phorm, a DPI-based advertising system. PI did not clarify sufficiently the separation between PI and the consultancy. It was unrealistic to expect that the line wouldn't blur, considering senior PI staff were involved in both entities. Endorsements were claimed that only made it more confusing. The consultancy tried to do a Privacy Impact Assessment of the Phorm product, which it was not permitted to publish. Other privacy advocates were right to feel betrayed as individual PI staff members, who should have been campaigning against a surveillance-advertising system, were instead silent. Instead, known-PI staff members, acting in a separate capacity, were seen acting on behalf and in support of a problematic company. 80/20 Thinking closed operations. PI is now a registered charity.
What we are doing now
PI is investigating how industry generates data on us, beyond our control, to make decisions about us. We are calling for greater security over this data and these devices and services before they all betray us.
We continue to monitor and stress-test and harangue industry, and will seek regulatory action when they fail to respond.