Heather Burns on being a privacy advocate in open source software (Part one)

Heather Burns is a tech policy and regulation specialist from Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on digital regulations and political issues, most specifically those that affect web development.

Heather is part of the core privacy team in WordPress.org, where she helped to create a suite of GDPR and privacy tools shipped to over 30% of the sites on the open web. Heather has also begun work on establishing a cross-project open source privacy coalition with the privacy teams from WordPress, Drupal, Joomla, Umbraco, Typo3, and other projects.

In this first of two interviews, we talk about Heather’s journey into the privacy space, what privacy means to her, how privacy has evolved in the past year and what it’s like as a privacy campaigner in the world of open source technology…

Andy Baker: Tell me about yourself — How did you end up in the privacy space?

Heather Burns: I remember reading a book in high school about American consumer privacy, and of course this was before the mainstream web in the early 1990s. I learned things like how the photographer who barges her way into your maternity suite to take the first professional photo of your newborn is just a marketing front to get you on a dozen mailing lists while you’re still doped up on painkillers. For me, it really triggered offence at this sense of entitlement that anyone could presume a right to claim ownership over other people’s private lives, and I think the seed was planted.

Because of a longstanding interest in human rights, I read international politics in university, which is where I also started making web sites for clubs and for friends’ projects, that sort of thing — this now was the late 1990s, back when we were coding raw HTML in a text browser. That was the time in the web’s evolution that having a little bit of knowledge was a dangerous thing, because in any job you ever had you were the one who ended up running the web site, which I did! After that, I started working in international cultural diplomacy in Washington DC but after a long series of events I became a freelance web designer in Scotland.

However, politics is one of those things that is in your blood and it never leaves you. I found myself doing a lot of speaking at conferences about the various bits and pieces of legislation that impact designers and developers around privacy and other matters. Then one day I had that moment where I realised I enjoyed that work a hell of a lot more than meeting with web design clients to talk about what colours they wanted for the sidebar. So, I chucked web design and now I focus on tech policy and regulation exclusively for digital businesses and policymakers.

In a way it’s all come full circle — first an interest in human rights, then a strong commitment to working on privacy, and then a career working on the open web. I guess I did become the human rights activist I planned to be when I was 15; I just do it in a very different way, and on a very different medium, than I thought I would.

AB: How do you think most people view online privacy?

HB: If you had asked me this question last January it would have been a completely different answer. Last January people were being very passive about online privacy. Most people would say things like, ‘I’ve always known people were taking my data’ and ‘I just don’t think I can do anything about it’; now people are waking up to the sense of privacy as a right.

It’s worth pointing out there’s a lot of cultural differences to be considered in that answer, because we in Europe have always considered privacy as a fundamental human right, whereas in the US they have not. I did a lot of speaking and engaging with projects last year on helping them to understand those cultural differences and you do have that moment when you physically watch the light go on over their head where they realise one, privacy is a right; two, I have a means to exercise those rights; and three, that also goes for the people who use the things I build.

AB: How do you view privacy yourself?

HB: I believe privacy is a fundamental human right; many cultures do, and others do not, but for me privacy is a right like the right to drink water and breathe fresh air. I believe people have the right to own their data. I believe, as with other human rights such as accessibility, that privacy needs to be built into projects from the ground up, and that it should be established within teams and companies as a fundamental value.

Privacy should not be a negative agitated response to legal requirements, which is how many projects view it — that sort of “just tell us what we need to do to comply and we’ll get some guys on it the week before” approach. Privacy has to be positive and proactive. It also needs to be grounded in an accountable framework or values statement — you’ve got to have something backing up what you say you are doing. For open source projects, it’s often a matter of defining what they mean when we talk about privacy — that’s the first step everyone’s forgotten all along! — then getting it clarified within project teams, so that we can get everyone in the project on the same page working together.

We all need to be working on these things together regardless of our cultural or legal approaches. The fact privacy is seen as a legal matter, and a barrier to innovation, works against us; people see these things as “we have to ask for consent because some Eurocrat is making us”. Well, no — you should be asking for consent anyway…

AB: The narrative around data privacy is hitting the mainstream. In what way has privacy evolved in the past 12 months?

HB: I did a conference talk last spring where I put a slide up of Mark Zuckerberg and thanked him from the bottom of my heart. I meant that sincerely, because the privacy scandals that we’ve seen on a weekly basis from Facebook alone have got everyday people thinking about the exploitation and misuse of their data. So thanks again, Mark!

Privacy is no longer a theoretical thing floating in the air. It’s now actually impacting people’s lives. Where this goes in 2019 depends on what regulation emerges from recent scandals, what roles projects play in shaping those regulations, and what sort of tools projects create to empower everyday people and consumers to take control of their data without having to become a coder or a lawyer on the side.

AB: The United States is still playing catch-up with Europe when it comes to large scale regulation such as GDPR. What are the key differences between the US and Europe around privacy?

HB: The thing I am proudest of in my work last year was creating a talk which addressed the different Transatlantic cultural, legal, and historical approaches to privacy. What I realised on the road in my GDPR work was that with all my training and study and experience, I had missed the fundamentals. I was standing in front of project teams and audiences assuming that they all held the same common beliefs about privacy — but they didn’t. So what I had to do is go back and line up what we believe about privacy as we grow up, what we come to understand about privacy as development professionals working within diverse international projects, and what the person sitting next to you has experienced on that journey as well, which is probably the complete opposite of your experience.

We come to the table with very different understandings of what privacy is and where it applies, how it’s grounded, and how it works. For example, in Europe we have learnt the hard way historically — we’ve had genocides and holocausts — so the European approach to privacy is both a safeguard and a form of atonement. Whereas the US historical approach starts from a very different point — they have not had ethnic cleansing on the scale that we have had, but what they have had is a cultural approach grounded in both Puritanism and the belief in self-determination, which created a mindset of your business is everyone else’s business and the person sticking their nose in your business has the freedom to do whatever they want with your information.

There are various legal factors too — I could go on! — but the bottom line is that it has been a real privilege for me to help people, even working within the same team and on the same line of code, to understand each other better. I explain the different approaches not to drive them apart but to bring them closer, because once they understand the backgrounds to their different beliefs and approaches, they’re empowered to work better together.

For me 2019 is going to be about taking that a step further — so now that you know where you’re all coming from, what are you going to do next? Let’s stop banging our heads against walls and make something that’s going to have an impact on the web. We should start with the basics — like working together to establish an open standard around privacy. If we’re going to say we’re going to work on privacy for a project what does that actually mean? Let’s start by stripping out any notion of privacy as legal compliance and take it all the way back down to proactive user protection based around a transparent and accountable set of standards.

AB: As a female privacy expert in the realm of open source software, you have come in for a lot of personal abuse from tech professionals and influencers. Could you tell me more about your experiences and how you have dealt with all this craziness out there?

HB: I’m not going to lie; it’s been hard going. It’s quite something to be contracted to type up a briefing for an actual lawyer saying, here’s a privacy and reputational risk to your project, and to map out the steps needed to put it right and to offer to do that work, and the response is they literally laugh at you. You start to question, is that because I’m a European female? I sometimes think the responses would be different if I was an American tech bro.

As we discussed earlier, there is antipathy at best, aggression at worst, towards privacy in some projects, because leaders and influencers think it’s about legal compliance and government interference. The thing is — it’s not about people in Europe telling you what to do, it’s about human rights and values. What disappoints me the most is when project leadership chooses not to respect privacy or to value the people who work on it; they see privacy as a barrier to innovation, and privacy teams as legal harpies. But then you go to other projects where they absolutely value the work and the teams from a values-based perspective and you realise, no, you’re not crazy.

In hindsight, my biggest disappointment about 2018’s work was that despite burning the candle at both ends supporting projects on their GDPR compliance journeys, very few of them were actually interested in GDPR as a toolkit for empowering users and protecting privacy. The vast majority were using GDPR as a marketing tool for PR campaigns which ended on the 26th of May. I find it quite sad when companies which have the resources, manpower and finances to develop innovative solutions, and commit teams and resources, which could really make a difference to online privacy, were mainly concerned with firing out an 800-word press release saying “we met the GDPR deadline, aren’t we great?”

That’s another area where leadership could make a difference, and I’d love to see that turning around this year too.

AB: How do you find approaching technology and web projects and teams? Can there be some resistance?

HB: With all the resistance I get from project leadership you get the exact opposite from the actual teams. One project I’m going to focus on in 2019 is continuing to lay the foundation for a voluntary cross-CMS privacy team initiative. This was born out of a conference in Germany called Drupal Europe with almost 3000 attendees, and I think I had a beer or six with half of them. We had a group meeting set up by a fellow who was working on Drupal’s GDPR module, and there was myself representing WordPress, and we also had representatives from some of the smaller CMS projects in the room. It was really rewarding to be able to share our experiences on developing our privacy projects, both on the code and project levels, in a completely non-threatening, supportive and friendly environment. Yes, we take the absolute piss out of each other’s projects, but at the end of the day we’re singing the same song but in different languages.

What emerged from the conference was a proposal to establish a formal coalition for us, and representatives on all the privacy teams and projects, to keep that dialogue going permanently — to share experiences, to work in the open, and to support each other on what we’re struggling with. This could lead to things like sharing code libraries and resources and even UX patterns, working together to develop open privacy standards, or collaborating on legal briefings to stay ahead of the laws coming a year down the road. When you’ve got people in a room working on projects that represent 70% market share, you have an obligation to work together for the benefit of the people who rely on the tools you produce, and the people who put data into those tools. The better we can support each other, the better we can improve privacy on the open web.

I’m really hoping we can get approval and funding for this project because I would love us all to sit again in the same room. Video chats are great, but sometimes you just have to all get together in one room, because that’s where the magic happens. Seeing committed open source volunteers wanting to break out of their own bubbles and work together makes it all worthwhile, and I can’t wait to see where we take it.

We’d like to say a huge thanks to Heather for taking part in our interview.