I Cannot Accept the Terms
Trying to be both Agile and Ethical on the ACLU’s Analytics team
If a few months ago I’d made a list of all the subjects I’d expect to discuss during the mundane process of demoing a new software-as-a-service product, “Terrorist watchlists” would not have been on it. But in my first few weeks on the ACLU’s Analytics team, I realized that if I wanted to be able to try out new software, watchlists were the one subject I absolutely couldn’t avoid.
I was midway through an overenthusiastic speech about a team wiki that would fundamentally reshape our entire team culture when a teammate explained to me that the ACLU has an ironclad stance on one particular contractual clause that has crept into many software terms of service. The clause typically looks something like this: “I certify that neither I nor my users are named on any U.S. government terrorist watchlist”. If this clause is in a company’s terms, the ACLU absolutely refuses to do business with them under any circumstances, because the certification is being made on behalf of the ACLU and implies that the ACLU checks its employees’ names against the watchlists, which it would never do. The wiki company about which I was so passionately rambling included this language in their contracts, and therefore was barred from use.
At other tech companies where my colleagues and I have worked in the past, it’s a simple matter to read a blog post about some exciting new startup, sign up, and if you like it you can have your whole team signed up before your mid-afternoon matcha oat milk latte. However, one of the tradeoffs I quickly discovered upon joining an organization which is peopled by hundreds of civil rights lawyers is that there is exceedingly little institutional appetite for scrolling to the bottom of the sign-up terms and hitting “accept”.
The most challenging aspect of dealing with this clause for the ACLU Analytics team has been that when we ask the representative of a vendor we are negotiating with if the clause can be removed from their contract, they usually tell us that they are legally required to include it, leaving us no other choice than to choose another vendor. So how did this “anti-terrorism clause” end up in so many contracts, especially in the contracts for products like kanban boards and productivity trackers that are seemingly a world away from The Global War on Terror? And are companies really legally obligated to include it?
When I initially set out to understand this subject, my intuition was 1) that the practice of including this language in a contract probably originated with the Patriot Act and the US’s heightened focus on terrorism following the events of September 11, 2001; and 2) that most companies were actually incorrect about being legally obligated to check their users against such lists. I turned out to be mostly wrong on both points.
I had the opportunity to sit down with the ACLU’s COO Terence Dougherty to learn more about this subject, and he made it clear that watchlists are far from an invention of the 21st century. Laws have been on the books since at least the last quarter of the 20th century allowing the US Government to make watchlists of suspected (but not convicted) terrorists, and requiring businesses to refuse service to the people appearing on those lists. There are some First Amendment and regulatory exceptions (such as sharing academic information and providing humanitarian aid), and a business can get a license from the government to enter into certain transactions. Although businesses are legally required to not provide their services to terrorists, they are not required to include language in their contracts requiring their users to check their employees’ names against the lists. They can simply require that their users comply with all laws, since any company they are doing business with is already bound by that same law. Ultimately the ACLU’s policy against this language is not in place to question whether laws supporting these lists do exist, but rather to raise the moral question of whether such laws should exist.
The ACLU’s internal board policy makes the case that they should not, stating “the criteria for inclusion on the lists are unknown, and may well be overbroad, inappropriate, and susceptible to arbitrary application. Sufficient mechanisms are not provided for challenging a person’s or entity’s inclusion on the lists, in violation of the right to due process. Second, many of the names on the lists are common names, so that the screening of names against the lists produces many false positives. Innocent people are thus stigmatized, and may be denied bank accounts, loans, jobs and apartments, among other benefits, because their names are similar to names on the government’s lists.” [ACLU board policy 530a]
I’ll admit that my first reaction to the ACLU’s stance against “anti-terrorism” certifications in contracts was, to be completely honest, annoyance. It is without question a hassle to review the terms for every new piece of software for this language, and it even slows down our team’s ability to deliver on other areas of critical interest to the ACLU. But after taking the time to understand the history and moral questions involved, I have come to agree with that policy. Moreover, in complying with it I get a small feeling of the ACLU’s particular brand of patriotism from choosing principle over convenience, even in what could be considered at first glance a small and inconsequential case. And that’s certainly not an emotion I expected to feel while choosing between SaaS products.
Thanks to Terence Dougherty, Sophie Beiers, Priya Pai and the rest of the Analytics team for their help reviewing this post.
I am a data engineer, not a lawyer, and the opinions expressed in this article are my own.