The murky world of privacy advocacy.
It would have been nice to launch my blog with a positive article, but the issue of astroturfing has grown so much that I could no longer ignore an issue which is attempting to destroy the work honest advocates are doing.
The life of a privacy advocate is a difficult one for a number of reasons.
First of all, there are conflicts around every corner making it very difficult to make a living because primarily we support the public and the public don't pay. That means we only have a couple of other options available to earn a living:
- Have a web page where you can receive donations
This is what most of us would like to be able to do to support our work and pay our bills. The problem is the level of donations is usually very low and doesn't even begin to cover expenses let alone pay us a wage. If you consider the number of international events that a privacy advocate needs to attend every year in order to make a difference and keep up with what is going on, the cost for that alone runs into tens of thousands of euros just for flights and hotels, when you add event fees on top it becomes even more expensive. So whereas donations can supplement an advocate's income, they are rarely enough to fund an advocate.
- Apply for public sector grants
It is true there are some options with regards to grants from the public sector - in Europe the EU Commission offer a number of grants but they are almost always project based and not for core work. Furthermore, there is stiff competition from companies and NGOs with dedicated grant administrators who know the rules and paper work very well (and trust me there are a lot of rules and paper work) - an advocate can quickly sink in the quagmire that is the Commission bureaucracy and then if they are extremely lucky they come through the other end of the process with part funding for a specific project, only to find they have little time left for real advocacy work. So generally, public sector grants are not suitable for an advocate, they are more suitable for NGOs and companies with the organisational infrastructure to weather the tempestuous application process. It would be great if there were more public sector grants available for core advocacy work, but that is unlikely to happen because it is difficult to qualify to fund managers.
- Apply to trusts, foundations and fellowships
In many ways the same issues exist on this front as public sector grants. The competition is very strong with existing NGOs all trying to squeeze as much out of these organisations as possible and similar obstacles with regards to bureaucracy exist as well. Furthermore, success tends to be based much more on who you know than what you do and you tend to find that the same NGOs receive funding from the same foundations on a year through year basis and trying to edge your way in is very difficult. Also, it is difficult to obtain funding for core work unless you already have an established relationship with these groups, so in reality there is little to no chance of a solo advocate receiving core funding through this avenue.
- A second job
This is an option I used for two years in an attempt to fund my work. When I finished my degree and decided I was going to go into advocacy full time, I still needed a way to pay my mortgage, feed my son, pay the bills etc. so I drove a taxi because it gave me the freedom I needed to travel when required and allowed me to work unsociable hours (night shifts) so I could focus on my advocacy work during the day. But after two years of working twenty hours a day it takes its toll, you can't really work effectively on two-three hours sleep a day so working as a full time advocate and trying to hold down a second job to fund it, really isn't a sensible option, not to mention the damage it does to your relationships.
This is the best option if you can find the work - the rates of pay are good which means you don't have to dedicate so much time to non advocacy activities. If you can find organisations willing to pay a retainer for being on their advisory boards, this is even better but it is rare and fraught with conflict as many organisations will try to use you just to have your name on their books in an attempt to launder their own immoral activities - in my first couple of years as an advocate, I was approached by over a dozen companies offering me very attractive remuneration for "working" with them (some six figures), I had to turn them all down on conflict of interests grounds.
- Corporate Sponsorship
This sounds like it should be a viable option but again it is fraught with conflicts and actually the main reason I decided to write this article as will become clear shortly. Although, it is not all doom and gloom on this front as there are more and more companies innovating to use privacy as a means to compete. Companies such as reputation management, privacy focused software and platforms etc. are springing up on a regular basis. That said trying to get money out of them is again often difficult, they consider sponsorship as a form of marketing and they would rather sponsor large organisations and NGOs with more exposure than a lone advocate.
- Join an NGO
This is an option, one that I chose in fact, although I worked for three years for pretty much no pay (apart from one project) and it ended up costing me tens of thousands to cover my own expenses (working two jobs). My time with Privacy International was a period full of empty promises - always being told as soon as funds became available I would be put on salary - it never happened. I would love to tell my story about PI but I don't want to air my laundry in public - needless to say, I feel used and exploited, but I have moved on. You see the problem with working for an NGO is you have to deal with all of the issues above, because they will no doubt attempt to secure funding from all of the above methods. This means you face the same conflicts as if you were to try to source the funding independently but with the added obstacle of restrictions being placed on your work based on what is going to get the biggest headlines or is likely to bring in further funding.
So as you can see above, finding funding is very difficult and many organisations might well start with the best intentions and may even do some great work but eventually they all hit the funding issue head on and need to find a way to continue to exist - as such, most of them fall back on the corporate sponsorship option as it can substantially increase their budgets, which leads me to the point of this article.
So what happens when an organisation states that it is a privacy NGO yet they receive a large percentage of their annual budget from the very corporations they are supposed to be campaigning against? My observation is that those organisations become lobby groups for the very industry they are supposed to be opposed to - they become captured, in much the same way as we see regulators like the Information Commissioner's Office in the UK captured and start making arguments that are more supportive of bad industry practices than the rights of the citizens they are supposed to represent. Never before has this been more obvious than now, right here in Europe, during one of the most critical legislative climates of the last 20 years; when citizens' fundamental right to privacy is being re-tuned for the 21st century in the form of a new Data Protection Regulation - which is likely to come into force in 2016, 21 years after the previous incarnation.
As an advocate, I am always very aware that I have a very steep climb to reach the level of access to legislators, regulators and politicians that is afforded to the incredibly well funded corporate lobby. It is a significant problem and the lobbying issue doesn't just manifest in Europe, it is a global issue that is unlikely to be resolved under current political regimes. Currently, Europe is flooded with lobbyists representing the giant US based tech corporations who are absolutely terrified that the EU will pass a Data Protection Regulation which removes their ability to track and profile citizens' online activities without explicit consent. These corporations make billions of dollars a year through the collecting, organising and selling of behavioural profiles of digital citizens and most of these citizens don't know it is happening or how many times they are bought and sold every day. These activities are completely covert and the mood in Europe is it has to stop, in fact our current ePrivacy Directive (European Directive 2002/58) already makes such practices unlawful, but the problem with a Directive is each member state can transpose their own interpretation of the Directive into their own national law - this leads to 27 different interpretations and enforcement regimes which allows corporations to forum shop - that is, set up their offices in a member state with the weakest interpretation of the Directive and weakest enforcement body/regulator.
A regulation is different, it is to all intents and purposes a law in itself, in that all member states must adhere to a single interpretation; this removes the opportunity to forum shop, helps to deal with the issue of captured regulators and scares the hell out of industry. It also makes industry desperate as they have to change the minds of the legislators, if they don't they will rapidly find themselves in a situation where they are forced to obtain consent to carry out these profiling and tracking practices, this will hit their bottom line and they will do anything they can to make sure this doesn't happen, including paying so called "advocacy groups" to do their dirty work for them using a technique known as astroturfing.
Astroturfing (in this case) is where industry funds grass roots or advocacy organisations in order to push their message - using the reputation of these organisations as public advocates, to disguise the source of the message. In the case of Data Protection and Privacy, in my opinion we are seeing such activity from at least two major US NGOs - Center for Democracy and Technology (CDT) and Future of Privacy Forum (FPF).
Center for Democracy & Technology
Between 2011 and 2012 foundation funding for CDT shrank approximately 17% and industry funding flooded in to fill the gap but they also had around a 25% rise in annual funding based on 2010-2011. During this period, I have followed CDT's work very closely and attended several conferences where they have been speakers - and their message has become more and more industry friendly. They have been pushing for exceptions to consent requirements which would allow industry to effectively carry on with their current practices without consequence, both on a public policy agenda and the World Wide Web Consortium's (W3C) standardisation of Do Not Track (DNT). This came to a head this week when Justin Brookman, who represents CDT in the W3C Tracking Protection Working Group (TPWG) added clause 6.4 to the current draft compliance specification for DNT as follows:
6.4 Exception for Deidentified Data
If a third party receives a communication to which a DNT:1 header is attached, that third party may nevertheless collect, retain, share, or use data related to that communication if the data is or has been rendered deidentified.
He did this without any formal discussion or consensus on the issue and despite his claims to the contrary has been unable to provide any public logs of such a consensus - which is actually a formal requirement under the W3C Process Policy.
Why is this clause controversial? For a number of reasons - first and foremost because it is completely incompatible with EU Directives (both the ePrivacy Directive and the existing Data Protection Directive) which both require consent for the collection and processing of personal data as outlined below:
ePrivacy Directive Article 5(3)
"Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."
Data Protection Directive (Directive 95/46/EC)
"(30)Whereas, in order to be lawful, the processing of personal data must in addition be carried out with the consent of the data subject or be necessary for the conclusion or performance of a contract binding on the data subject, or as a legal requirement, or for the performance of a task carried out in the public interest or in the exercise of official authority, or in the legitimate interests of a natural or legal person, provided that the interests or the rights and freedoms of the data subject are not overriding; whereas, in particular, in order to maintain a balance between the interests involved while guaranteeing effective competition, Member States may determine the circumstances in which personal data may be used or disclosed to a third party in the context of the legitimate ordinary business activities of companies and other bodies; whereas Member States may similarly specify the conditions under which personal data may be disclosed to a third party for the purposes of marketing whether carried out commercially or by a charitable organization or by any other association or foundation, of a political nature for example, subject to the provisions allowing a data subject to object to the processing of data regarding him, at no cost and without having to state his reasons;"
Consent is defined in Article 2(h) as:
"'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."
Furthermore, the whole point of developing a Do Not Track specification is to deal with the issue of behavioural profiling and tracking - not least as a means of creating a compliance process to deal with Article 5(3) of the ePrivacy Directive as quoted above. So to add a clause which is completely incompatible with the same Directive renders Do Not Track essentially impotent. But it gets worse, 6.4 effectively allows industry to carry on as before because they will simply say "we de-identify the data and use an anonymous identifier in our cookies" (those of you who think this is an oxymoron are correct) as justification to completely ignore a Do Not Track flag and collect/process the data anyway. But above all that, completely ignoring law and policy, from a purely moral and ethical standpoint, if a user sends a Do Not Track signal, that is an explicit choice, a message saying "Leave me the hell alone, don't track my activities!" Quite why Justin Brookman thinks any organisation has the right to ignore such an explicit statement of choice, I don't understand - it shows complete contempt for the very people Justin and CDT are supposed to be protecting.
But this isn't the first time I have seen CDT behave in this way - when they were running the #PrivChat session on Twitter, they repeatedly pulled in "guest speakers" from industry - effectively giving them a marketing channel in what was supposed to be a debate on privacy, primarily populated by privacy advocates and academics - not surprisingly some of the corporations these speakers represented have since become CDT sponsors.
Future of Privacy Forum
The Future of Privacy Forum describes themselves as:
"...a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups."
Sounds like a wonderful group, but they are almost entirely funded by industry and I have been critical of their motives for a number of years; in fact since the release of a research paper titled 'Online behavioural advertising "Icon" study' funded by FPF which pushed the advertising industry's desperate attempts to stall legislative measures and allow them to "self regulate". There were a number of problems with the study, but the most significant being that there was no measure as to whether or not participants noticed and interacted with the icon without prompting - an issue which effectively rendered the entire study useless as a piece of serious research. This later became clear when TrustE released another research paper (link to follow, it is evading me presently) illustrating that approximately 0.06% of visitors to their test web sites clicked on the icon, yet other reports were and still are showing that over 70% of consumers are concerned about behavioural advertising/profiling (rather than cite multiple documents I will leave readers to simply visit TrustE's research papers page which has multiple papers on this issue).
But if ever I had any doubts about my concerns with regards to FPF they were completely squashed by their recent visits to Europe.
At 5pm on 23rd January at the Renaissance Hotel in Brussels, FPF held an event with the purpose of pushing a series of white papers at politicians and regulators:
- The Draft EU General Data Protection Regulation: Costs and Paradoxes of Explicit Consent
- The Definition of Personal Data: Seeing the Complete Spectrum
- Overextended: Jurisdiction and Applicable Law under the EU General Data Protection Regulation
All three papers are written for the specific purpose of lobbying against the draft Data Protection Regulation and represent the core arguments of US based tech corporations which make their money from the collection, profiling and selling of digital citizens' online activities. They had an impressive panel lined up for the event too:
- MEP Jan Philipp Albrecht, Rapporteur, General Data Protection Regulation
- Mr. Paul Nemitz, European Commission, Director, Fundamental rights and Union citizenship
- Ms. Bojana Bellamy, Director of Data Privacy, Accenture
- Ms. Julie Brill, FTC Commissioner
- Mr. Seamus Carroll, Chair of the Working Group on the Information Exchange and Data Protection (DAPIX)
- Mr. Peter Hustinx, European Data Protection Supervisor
- MEP Sophie in 't Veld, Vice-Chair, Committee on Civil Liberties, Justice and Home Affairs (LIBE)
- Mr. Jacob Kohnstamm, Chair of the Article 29 Data Protection Working Party and the Dutch DPA
- Ms. Gabriela Krader, Corporate Data Protection Officer, Deutsche Post DHL
- Mr. Peter Schaar, Federal Commissioner for Data Protection and Freedom of Information, Germany
- Dr. Rainer Stentzel, Head of Project Group, Data Protection Reform, German Federal Ministry of the Interior
- Dr. Wojciech Rafał Wiewiórowski, Inspector General for the Protection of Personal Data, Poland
Fortunately, I received notification of the event several days before and managed to alert a number of the panel members as to FPF's funding sources - it seems FPF were selling themselves to panellists as a privacy advocacy group without disclosing that they are in fact almost entirely industry funded; as a result their event was a spectacular failure. I was present and witnessed their floundering personally, in fact I even tried to ask a question and was promised by Omer Tene (who was speaking on behalf of FPF along with Christopher Wolf) publicly that I would be given the opportunity to ask my question in the second half - it seems they were so worried about what I was going to ask that in the end they decided to block my question completely. This showed their true colours and I received several comments from attendees and panellists after the event that they noticed the censorship and were less than impressed with FPF as a result.
This was a victory in my eyes and many others who were concerned about the event and FPF's astroturfing (it was the subject of international discussion on various privacy related email lists) and we managed to expose FPF for the industry shill that they are - but I have received more news in the last few days that FPF have made further attempts to push industry's agenda in the EU Parliament before and since their embarrassing session on 23rd January; these politicians may not have been as well informed as those present on the FPF event panel, and undoubtedly some of them will have been duped by this "Wolf in sheep's clothing" (yes Christopher that was a deliberate play on your name).
Furthermore, the W3C Tracking Protection Working Group recently had a change of Chairperson and the position is now held by Peter Swire - a senior fellow at Future of Privacy Forum who since his appointment has aggressively pushed the subject of de-identification raising questions as to his independence as he seems to be pushing FPF's agenda into the very heart of the Do Not Track specification. In fact he has devoted most of the last month's discussion to the subject and in Boston this week (today through Wednesday) at the Tracking Protection Working Group's face to face meeting, the agenda is dominated by discussion of de-identification.
The Charter for the group does not require a quorum in order for a consensus to be formally reached and despite numerous pleas on the public mailing list from civil society to postpone the event because of the severe weather in Boston, which is preventing them from attending the meeting - Peter Swire insists that the meeting will go ahead dominated by industry representatives who are sure to use the opportunity to make a formal consensus on 6.4 of the compliance specification discussed above. The timing is no accident, this is a very focused attack from all quarters with the goal of pushing industry interests into policy.
So what can we do about it? Who can we trust? Really all we can do is remain focused and ensure we expose the astroturfing whenever we become aware of it - as for who we can trust, to be honest, I don't know any more - so many of the groups I used to trust have become polluted by industry money and frankly it disgusts me to see these organisations working against the very people they are supposed to be protecting.
I wish this first blog post could have been more positive, but the reality is, here in Europe, we are at a very critical point. By the time the draft Data Protection Regulation makes its way through the legislative process and becomes policy, it is likely to have been 21 years since the last change - if we fail this time, we will probably have to wait just as long again before we get another opportunity to protect and enforce the fundamental rights of citizens. Industry knows this, which is why they are investing tens of millions of dollars into their lobbying campaigns to try and inject their toxic policies into the Regulation. We have to step up the fight because at the moment we are out manned, out funded and we are losing the war on privacy; the consequences should we fail, will be both long lived and dire.