Interview – Because online privacy matters, we need Heather Burns
Once in a while you attend an event and the speaker is so eloquent, so immersed in their talk, that you listen with an intensity that it out of the ordinary. Such was a talk given by the guest of the podcast today, Heather Burns. It was at WordCamp London in 2017, and I was in the audience.
The subject of that talk was The GDPR. Not a subject that you’d think could inspire intense concentration, but you’d be wrong. For me, it did. But it was not just the subject, rather it was Heather herself and the manner in which she spoke. It was well informed and powerfully delivered, and were I ever to do live speaking events, I would want to give the audience an experience like I got that day.
From the moment of seeing that talk, I’ve wanted to have Heather on the podcast to talk about privacy. Now, this is important, we’re not here today to discuss The GDPR, those conversations have, for the most part happened, and I’m sure that you’ve heard enough about it.
However, you have not heard enough about online privacy, it’s a subject that we all need to care about…
As a WordPress website builder you need to care so that your clients get the latest information; a site which adheres to the law and won’t open them up to possible legal action. Although this is not the primary reason that you should care.
As a human being and consumer of internet content, a participator in anything online, you need to care about privacy because your data, your identity, perhaps even ‘you’… it’s all up for grabs. If none of us think about privacy, then you can be sure that undesirable entities will misuse that data, and nobody really wants a race to the bottom where your privacy is concerned.
We begin our talk by trying to work out what privacy actually means, and it’s not as straightforward as you might think. Does this related to you, your data, the meaning of the data that you’ve uploaded? What about the interesting information that can be gleaned if someone could piece together a thousand unrelated posts or Facebook updates. Can we start to work out who you like, where you live, what you like to wear, what type of politics you lean towards or that you have a heart condition?
It feels like that’s where this is all headed. Without knowing it, we’ve allowed our data to become something that we’re all too willing to give away in exchange for access. Want free image uploads? Sure but we need to know what you look like and where you look the pictures. Want to be able to chat to your friends? Sure, but we want to scrape the text that you write and push ads at you. Want powerful internet search? Sure, but we’ll track that data and know all the things that you care about, and again, push ads at you. And now… want to be able to play songs on a speaker just by talking? Sure, but we’ll keep that data and tell you very little about what we’re doing with your actual voice pattern..
Did you ever explicitly sign up for that? I’m betting that the answer is ‘no’, but sign up you did, by clicking that benign little ‘accept’ button.
Now I know what you’re thinking. This is concern over nothing. These entities are harmless and they offer benefits that far outweigh the costs. Well, sure enough, the cost to you is usually $0.00, but that’s not the point. We have no idea where this is going and what value these entities can extract from our data. Perhaps they sell it to folk that you have never heard of, you know, the kind of folk who pay for election ads. Perhaps they keep it safe and nothing shady at all happens. Perhaps they get hacked and…
Wait… Heather has an unfortunate tale of what can happen when your data gets loose. It can literally threaten your life.
But what’s this got to do with me and you. We build WordPress websites and this is nothing to do with us. Heather thinks differently.
You remember those analytics tool that you installed on the site, the pixel that you’ve got going on to help your ads, what about the social sharing widget. It’s all in some little way adding data to the giant pool, and the web is quite literally awash with ways of making the pool of data held about you a little bit bigger each time you use anything connected to the web.
We need to think about this, but mostly we aren’t.
Thankfully Heather is thinking about this for us. She’s working on WordPress Core Privacy, trying to bring it front and centre. You remember WordPress 4.9.6? Well, that was the release that added some export options and some basic privacy settings into WordPress. Heather, and what would become the Core Privacy Team, were behind that.
It’s an ongoing journey and it’s hoped that in the future, multiple CMS’s are going to collaborate upon this important area and share resources in the future. Talking to the folk from Drupal or Joomla (et al.) could speed up the journey for all in an area where there is literally zero conflict of interest.
Perhaps in the future WordPress can push privacy because of the power that the platform leverages. It would be nice to have some kind of framework that plugin and theme developers could work on to ensure that (to the best of their knowledge) they were shipping code that resulted in code that did not violate privacy principles. Heather has made a few tentative steps on this journey too, but she (we’re) not there yet.
How would that be enforced / encouraged? Who knows, but just because we don’t know does not mean that we should not be thinking about it right?
Towards the end of the podcast we hear about how Heather thinks that privacy is not something that’s getting the attention it deserves. It’s largely done by a small band of volunteers, the ones who show up. She does not think that they get a fair crack of the whip, especially at live events where people are often looking for something new to hear about and become involved with. There’s work aplenty to do and, if any of the podcast has switched in your privacy radar, the links below are well worth exploring…
Mentioned in this episode:
The core-privacy team roadmap is https://make.wordpress.org/core/roadmap/privacy/
The core-privacy channel on Making WordPress Slack is https://wordpress.slack.com/messages/C9695RJBW
Core privacy team repo is https://github.com/wordpress-privacy
Draft plugin privacy audit workflow is https://docs.google.com/document/d/1R60_9SzeoAVDV7LZ6O5TT5Ppef9i3HL9nmT9oqI6SBs/edit?usp=sharing
The cross-CMS privacy team is https://github.com/joomla/cross-cms-compliance
There’s a great article about it here https://skrift.io/articles/archive/an-umbraco-privacy-health-check/
Heather’s own web site is https://webdevlaw.uk
Heather’s Brexit side blog is https://afterbrexit.tech
She’s on Twitter at @webdevlaw
Transcript (if available)
Nathan Wrigley: [00:00:00] Welcome to the WP Builds podcast, bringing you the latest news from the WordPress community. Now, welcome your host, David Walmsley and Nathan Wrigley.
Hello there, and welcome to the WP Builds podcast. My name's Nathan Wrigley, and this is episode number 154 entitled, because online privacy matters, we need people like Heather Burns. It was published on Thursday the 14th of November, 2019 just a couple of bits of housekeeping before we get stuck into the interview.
If you wouldn't mind heading over to WP Builds.com forward slash subscribe. There's a couple of forms you can fill out there. The gray one will get you onto our mailing list and all we do with that is send you notifications of whenever we put out a podcast episode like this or the weekly news that we do on a Monday.
The blue one though might be of more interest. Because the blue one is going to get you onto a very simple email list whereby I send you a plain text email. Each time I hear of a deal coming out, so a coupon code or a reduction in price for a certain amount of time. They're plain text emails, and obviously with black Friday around the corner, it might be good to have those things dropping into your inbox.
The title will be very self explanatory and you'll be able to decide from that. Whether or not you need to open it up or just just trash it. Also, on that page, you can find out about our Facebook group, 2,300 plus a WordPress's and you can subscribe to us on your favorite podcast player and things like that.
The other page I want to mention is WP Builds.com forward slash Black, and that is the page where I'm putting all of the black Friday deals. It's searchable and filterable, so you can decide, for example, I only want to see ones that have got 30% or more off, or ones that are to do with hosting or plugins or whatever it might be.
So go and use that page. It does actually help to keep the podcast going, and I'd be very grateful if anybody were to use that page. Indeed. That would be lovely. The other one to say is WP Builds, dot com forward slash advertise if you would like your product or service, putting in front of a word, press specific audience.
A bit like these guys did. The WP Builds podcast was brought to you today by the page builder framework. Do you use a page builder to create your websites? The page builder framework is a mobile responsive and lightning fast WordPress theme that works with Beaver builder, elemental, breezy, and other page builders with its endless customization options in the WordPress customizer.
It's the perfect fit for you or your agency. Go to WP dash page builder framework.com today. And WP feedback, our client communications, eating up all of your time. If so, check out WP feedback, a visual feedback tool for WordPress that's specifically designed to get you and your clients on the same page and you can check it email@example.com.
And page builder cloud work faster and your page builder of choice by reusing your cloud safe templates, import and export any layouts to any of your WordPress websites, page builder, Cloudworks with elemental BeaverBuilder, breezy Gothenburg, and many more. You can get a free trial up and running today at page builder, cloud.co and we do really thank our sponsors for helping us to put on the WP Builds podcast.
Okay. What have we got in store for you today? Well, we have Heather Burns. Heather Burns, as you will find out, is a privacy advocate. I first heard about Heather in 2017 when I attended WordCamp London, and I think to this date, she stands out as my, my favorite word. Camp talk just because of the, the intelligence that she brought to bear, the, the seriousness with which she dealt with the subject.
And I was actually in awe of everything that she said. She turned a very, I suppose, uninteresting topic, the GDPR into something that I was genuinely, genuinely interested in. And obviously, you know, with the, with the March of social media. And the, the, the predilection for, of all of us to be connected via our, our mobile phones all of the time.
I think privacy is supremely important. Heather takes it very seriously. She's one of the world's experts, I would say, in this field, and I would urge you to listen to this episode. I really think there's a great deal of value in it, and I hope that you enjoy it. Hello there. Thank you for getting to the interview parts of today's WP build podcast.
I'm joined today by Heather bones. Hello, Heather.
Heather Burns: [00:04:40] Good morning, Nathan.
Nathan Wrigley: [00:04:41] It is. It is the morning. It's a very hot morning that we're recording this on. And,
Heather Burns: [00:04:45] please clarify for listeners that today, is the hottest day ever recorded in Britain, is that right? As it is, yes.
Nathan Wrigley: [00:04:51] What's the temperature.
Heather Burns: [00:04:52] So this could be a very interesting podcast.
Nathan Wrigley: [00:04:54] We're going to talk about the weather. Yeah. No, we're not here to talk about the weather. We're here instead to talk about privacy. And I'm going to relate a little story about how I came across Heather and it, and it goes back to 2017, in WordCamp in London.
And I had not heard of, Heather before I confess, and I went along to her talk, which was. Well at that time it was all about the GDPR and why we should be caring about it and so on. And and it's fair to say that I think your, the way that you delivered that talk and the, the manner in which you presented it and the sort of forcefulness and the, I don't know how to describe it, you just, you really did blow me away. Quite genuinely. Your, your delivery was magnificent. So well done for that.
Heather Burns: [00:05:39] I still remain very proud of that talk. is one of those things, I don't know if anyone was ever going to conference talk has ever felt like this, but you watch the video later on and you think, how did I do that? Wow.
Nathan Wrigley: [00:05:49] Yeah. It was very, what was one of those afterwards was very much a sense of a, the knowledge that you had. It was very clear that you had. Research this and this was your, something that you were complete expert on, but, but also the manner in which it was delivered. It was very powerful and moving. And I, I, you know, I remember at the end thinking poor, that's, that's like ovation worthy, but, lest you are turning red. That's where I, that's all I heard of Heather. So Heather's background well perhaps you could explain your background. How is it that you come to be talking about privacy to me today.
Heather Burns: [00:06:23] Privacy is always been something I was very, very passionate about from a very early age. And this was in, you know, even before the dial up era when privacy was really a matter of data brokers and consumer companies aggregating ridiculous amounts of information on you. it's something I kept up with in my career as a web designer and developer and, maybe God, it's approaching 10 years now.
We were doing a WordCamp in Edinburgh. this was even before we had WordCamp rules. It was just that, that sort of very early days of our community. And, I had mentioned to the organizer that isn't, there's some like some sort of cookie law or something or else coming up. We should probably do a talk about that. And he said to me, thank you for volunteering. And I said to him, I can't actually say what I said to him, because there might be children listening to this, but that just set off doing that talk and doing the research just sort of began to set this up. Sort of spark off for me, and I started doing more speaking and writing and researching all these regulatory issues that impact us, not just privacy, other things as well.
And then I had a point of probably would have been around 2015 where I realized I actually enjoyed doing that a lot more. Then sitting through meetings with clients, asking them what color they wanted me to make the sidebar. So I, ditched web design and development all together and now focus exclusively on those sort of legal and regulatory issues.
I'm not a lawyer, nor do I want to be one, but you don't have to. And at the moment, I'm currently working pretty much exclusively in tech policy, which is the political side. I'm currently working with a buddy in London that does tech policy advocates advocacy on behalf of startups and scale ups.
So I'm helping to make sure that some of the. Opposed pieces of legislation and particularly in the light of Brexit, don't diminish and lessen the open web for all of us.
Nathan Wrigley: [00:08:21] Okay. Yeah. Okay. That's fascinating. I actually had made the assumption that, you had a background in law because of the, the technical detail that you, you said in your, your London 2017, 2017. Oh, can't say the word 2017 talk. but that's interesting. So it's something that you are genuinely interested in. It wasn't something that kind of like foisted itself upon you. You, you started to get into it and then discovered that you actually had a passion for it. this talk is going to be quite broad and rangy. So, you know, we'll go off and all sorts of directions, but I want to start with the generic things, not necessarily tied to WordPress. And so I suppose the, the first question is. What is privacy? I mean, we all know it in the physical sense. You know, we lock a door and we shut blinds and we make ourselves on available and so on. But I'm getting a handle on what that means online. I think it's quite difficult because it could mean so many things. So what are you thinking when you're thinking of online privacy?
Heather Burns: [00:09:17] There really are as many answers to that question as are people who you can ask. There's one, there's no one set definition. The American definition is privacy is the right to be left alone. The European definition is privacy is a fundamental, fundamental human right. and it's, again, it's hard to answer that question easily because we all have different cultural approaches to it. The in Europe. Are very serious about privacy.
It's less so in the U S in the U S it's more of in a consumerist sense. Whereas we see it more as a human right. So we would be best to narrow it down to the impact of our work as people who make things, we make things that take other people's data and use them. So privacy for us is about what information we take, what we do with it, and how we protect it.
Conversely, how we misuse and abuse it because it is not our data. And I firmly believe that it is not our data to own or abuse or misuse. It is other people's data that may be as innocuous as something about their purchasing records for their, your widget. But, and you sat through my 2017 talk through, you'll note, so you'll know this.
data can hurt people. Is he about what someone believes that it can be about what their sexual orientation is. Data can be about what their religion is, and these things, especially in our day in time, have become harmful. That 2017 talk, I was sort of, I felt like I was standing on a precipice talking about what ifs and now we're having, you know, ice roundups in the States, which include.
Native born us citizens. We're having issues here in the UK in terms of what is going to happen if we have a hard Brexit on people who have lived here their whole lives legally are no longer legal. We are living through very scary times. And no, not all of us will be dealing with those issues on those scales.
Some of us will just, it'll just be about protecting our customer data records or who signed up for our newsletter or anything. But we all need to be cognizant of the fact that the data we hold is about people. All data can hurt people. So whether that's a data breach over their finances or something even worse.
So what can he do to uphold privacy as a fundamental value of what we bring to the role of developers and designers.
Nathan Wrigley: [00:11:36] so I'm trying to sort of get a handle on it. It feels as if, you know, obviously my, my physical body is kind of sacrosanct in law. You know, nobody can, if you like, touch me or hurt me in any way, or you could of kind of feeling that the data in some way represents that. It's, it's almost like, you, no matter where it has ended up accidentally or on purpose, it should be treated with in the same sort of sacrosanct way as if it were a part of your, your, your being almost.
Heather Burns: [00:12:06] That's an interesting way of putting it. You wouldn't do things to people's face that you do with their data. Yeah. Data is people. It's not data about people. It is people. Yeah. It's what their bank account details are, what church they attend, how many children they have, what disability their child has, who they voted for in the last election, what kind of car they drive, what's the IP address of the car to hack of the wifi.
Nathan Wrigley: [00:12:32] Yeah. It's an interesting area they get. Yeah. so obviously for, for, for privacy to be important, we would have to have, instances where the, the use of our data isn't benign. You know, somebody has decided to, to use this negligently or farm it on purpose and, and exploit that data.
Can you give us, a kind of like a, a broad overview of the kind of misuses. Which, which have happened. I don't know any points in the past. You could cherry pick anything, which, which you feel represents perfectly. Why do we need to protect it?
Heather Burns: [00:13:08] Goodness me. Where do I even start? okay. Okay. I'm trying to think of something that will not personally identify an individual who was impact. When I used to use, and it's very relevant to our, our work as developers. It's kind of an old example now. I'm sure there's other ones that would be more recent, but this is a really good example.
There was a pregnancy advice charity here in the U K and this was around 2012. So it was really before major CMS was, were really used in an, in a. Enterprise setting, but there was a pregnancy advice, charity, sexual health and pregnancy advice. And of course that phrase includes terminations and abortions.
That was one of the services they offer. So they had a website. for their charity, and it was not HTTPS. It was standard cheap off the shelf hosting. The CMS they use was not identified, but it was a rather old build. It hadn't been patched with any security upgrades. There were no admin passwords.
And there had been a lot of staff turnover at this particular charity, which meant there was nobody there who had been there when the website was built. So they had no institutional memory of how it worked and how it was built. Guess what happened? I mean, I even have to explain, I'm a anti-abortion activist hacked into the database.
In a matter of minutes cause it wasn't even protected and found that every contact form submission for the past five years inquiring about a termination was stored on the database. So that was women's names, addresses, and phone numbers, including many from Ireland, which of course at the time, yeah.
So he took that database table and went onto an antiabortion forum and announced he was going to post it. Hmm. It was a couple of thousand entries. I think it was something, I want to say 6,000 so that was a database of 6,000 women who would inquired about having a termination. So the police got him and that list was never published. I think he actually ended up doing some prison time, but when the, the data protection regulator came down on that particular charity, one thing they were very clear on is they did not buy any of the charities excuses that we didn't know this was happening. The regulator was very clear.
It was your job to know you had a responsibility to know that those contact form entries were stored on a database table. You should have known, you should have looked. You should've asked those questions. You should have secured the website. You shouldn't have been storing them all. You know, those contexts, form submissions should have been traveling through the site, not stored on it.
So that was a good example where, you know. It was always going to be someone else's responsibility and someone else's fault, and the buck had to stop with an example of where innocuous data stored on a table could have gotten people killed. That's obviously a very, very dramatic example and an extreme one, but we can all think of things like, you know, your purchasing records might be hacked.
What if you were a fan of certain products, you wouldn't want it to be public that you buy.
Nathan Wrigley: [00:16:24] Yeah.
Heather Burns: [00:16:25] Yep. I'm not gonna name them. the example I often see in a slide, the digital rights groups gives also about metadata because so much of what he hears about, well, they don't have the content of the message, but they have the content about the metadata. What does meta-data mean? Metadata means that you left a nightclub at three in the morning and you felt an HIV advice charity at eight in the morning.
Nathan Wrigley: [00:16:49] Yeah, yeah, yeah. It's perfect to the the, I think that was the, that was an absolutely brilliant example of the data being you, the, the Irish example, you know, the, the, the clinic example, because the. Although the, when you look at it sort of from a 10,000 mile high perspective, it might seem that that data is innocuous and it's harmless. What, what possible value could that be? So what that the database got, got taken over, but in the wrong hands, somebody with an ill intent taking that data and, and repurposing it and doing something nefarious with it, you can well see why we need to take this stuff seriously.
Just. Again, staying away from WordPress. Just let's say, for example, that I was to speak to my brother, who is not that technical. It doesn't really interest himself in any way to in privacy or technology. It doesn't really understand technology. Could, can you offer some sort of sensible default advice for the kinds of things that he ought to be doing.
So by that, I mean, you know, should he other, a bunch of Browser extensions, which he could install, which might help him out. Is there a, like a VPN that might be a good suggestion? Should we periodically be advising each other to expunge and remove our cookies from browsers that, that kind of thing. So, not particularly detailed, but, just some general advice for a nontechnical person.
Heather Burns: [00:18:08] I'd never tell anyone which configurations or setups or hardware or software to use. they're like fingerprints. They're unique to all of us. Yeah. But the general advice I always take is just assume your data is being misused and start from there.
My daughter was teasing me because she had to download a certain app for school project and I of course, took her phone and she's like, mom, you're looking at the privacy settings, aren't you? The first thing I do, the first thing I do with the poor things grown up with me. You know, she's, she's well-trained.
The first thing I do, any app is go into the settings and sure enough, it'll be set to maximum sharing for everything by law in Europe. It's supposed to plea, be setting a sharing off by default. So the first time, first thing I'll do when I'll set up an account is I'll go find the settings, go into the privacy, see what options are there.
Very often I keep having to do it because every time they ship a new version, they'll change it and they shouldn't be doing that. Yeah. It's always worth looking in any settings you have about a, what you've done. Consented to and what you haven't consented to, and that's really tricky because what happened with GDPR is a lot of applications started putting in settings to give you choices that you didn't have before.
One example is LinkedIn. If you haven't gone into your LinkedIn settings in ages, have a look. It's astonishing. They've given you lots of choices over what you're they're doing with your data in terms of who sees it, what advertiser. Advertisers had it, and you have those choices now and you have those options, but number one, you come to realize, what were they doing with my dad in the background the whole time?
And number two. If they're rolling these out as they occur to them, what have I missed? So it's really unfortunate that the onus falls on us to take the initiative to every so often pop into settings of an application or a site that we depend on and see, okay, what have they added in the spirit of being privacy conscious legal compliance that I didn't actually know about because they didn't tell me about it. And they're not going to tell you about it. It's not something they're going to tend to want to publicize.
Nathan Wrigley: [00:20:17] The, it reminds me, it's sort of analogous to a supermarket in that you go into the supermarket periodically and only to discover, to your dismay that everything has moved because the supermarket clearly have an incentive on making you troll around every shelf to find the tin of Beans that you need, and it's, you know, it's moved 12 times.
I, I have a constant struggle with certain, online social networks, shall we say, trying to find things and they've moved and they've added things and it's very unclear what the settings are. And so I kind of, I kind of, not really sure what's going on here. I'm just wondering if the whole privacy initiative, is it kinds of a reaction to these kinds of things. Are we worried about our privacy now because things have gone wrong in the past and it would appear that things are just going to go wrong in the future or, or are we doing this proactively to sort of stop things going wrong in the future? Or are we just playing catch up all the time? or are we, are we getting somewhere with privacy? Does it, does it feel to you like there's a light at the end of the tunnel and at some point in the future, the privacy people will be in charge and, or they'll be able to dictate to the, let's say, social networks in this case?
Heather Burns: [00:21:25] I mean, there's, there's a lot of us who, you know, have better things to do than say, I told you so for years. And it is becoming more mainstream because it's becoming real. Equifax. In America, basically, if you exist in America, Equifax had your data, over here, you know, Facebook, Cambridge Analytica. I'm sure a lot of us follow that really closely, you know, and how silly game quizzes became a means of throwing an election.
So it is becoming more mainstream because it is affecting people. This is it. Is there a light at the end of the tunnel? I think there is, but I think it's going to be a hell of a battle ahead. It greatly heartens me that the younger generation is becoming more privacy conscious. you know, my, my daughter has grown up offline.
I can count the number of photos I posted of her publicly. Over the entire space of her life. But that was a conscious choice that I made and her dad made. You know, I read some scary statistic that something like 90% of American children had an online presence before they're born.
Nathan Wrigley: [00:22:34] Good grief.
Heather Burns: [00:22:35] Because their parents think it's all cute and tweet to Instagram and Facebook profile, but someday that child is going to be a 41 year old woman. Who has no control over the fact that every photo of their life from literally the first ultrasound scan, everything they ever did, every movement, every milestone is online and their boss can see it and their partner can see it. Yeah. It's amazing how, you know, privacy isn't just a response to mainstream scandals.
It's a response to how we have dehumanized each other into data. Mm. And that we don't respect each other as human beings, as individuals. My daughter is not my property. She is not a part of me. She is a human being, and I have no more right to Chronicle her life online than I would have to Chronicle a stranger's child.
That's not for me to do. I believe that and I respect that. Yeah. It worries me that other people objectify the people around them. Yeah. And there's nothing privacy law can do about that. There's nothing WordPress can do about that. I think the change has to start from within.
Nathan Wrigley: [00:23:43] That's absolutely fascinating that you say that because you have the exact same opinion on me. I can count on no fingers whatsoever. The number of photos that I've posted of my children online consciously for the exact same reason that you just specified. I just think, they need to be able to. Like if they want a digital footprint, they need to establish that themselves. When they get to the age of, well, let's say 18 years old, that's where it should begin there should be an absolute zero trail of them prior to that. I mean, I don't even use their names online. I just call them like, boy, you Wong, you know, that kind of thing. And anybody who knows me knows.
Heather Burns: [00:24:19] It was the Atlantic. Where was it? It was really good piece about how our right for passage for young people now is when they're 12 or 13 and 14 and just for laugh, they Google their name and they discover that their parents have posted everything they've ever done in intimate graphic detail from the moment of conception.
And it's a moment of a fundamental break in the parent child relationship where the child realizes they cannot trust their parents.
Nathan Wrigley: [00:24:46] That's fascinating. Yeah. It's, it's like a massive, interconnected web of all of this stuff as well because you know, it, especially things like, well, it will stay on the subject of photos maybe for a moment. The, you know, the idea that somebody can tag me in a photograph and I know that there are options for me to kind of make that not possible. But again, it's the tyranny of trying to find where that option is to disable face recognition that, you know, it doesn't matter if I. Upload my own photos.
Somebody else possibly has uploaded photos of me and identified me. And so even people without, let's say a Facebook account, Facebook have plenty of data about you, whether you've got an account already and you know, you don't have to be using Gmail for Google to know a lot about your emails because just about everybody else's and your, your emails are going through their servers and being read by them.
And so I kind of get this feeling that. The, the technology has crept up on us and w w without really knowing and without authorizing the whole privacy debate and the, what's going to happen to our data these, these companies have, have, it feels a bit like a, I believe Jeff Goldbloom in, in Jurassic park.
Wow. I've never. Quoted Jurassic park. Here we go. He said something along the lines of, you know, nobody, we, we, we're constantly working out whether we could do something and nobody bothered to ask why we should or if we should do something.
Heather Burns: [00:26:04] So let's go back on, on, you know, the, the fact that we consciously don't upload information about our children or ourselves, it's not really relevant or necessary.
That doesn't matter. It's out of our hands. Let's go back to the LinkedIn example. When you go on LinkedIn, there's a little box in the corner of people you may know. And one day I saw a blast from the past there. It was an exchange student who went to my high school and I remember this cause I was like really young and had this mad girly crush on him.
You never forget your first year Oh home. I'm like, Oh my God. And then he's like you thinking, wait, how was he there? Because I. Don't list my high school anywhere. I don't, I am not connected to anyone I went to high school with. I basically got my car and screeched away and never looked at it.
and I also changed my name when I got married, but some algorithms somewhere knows what my name used to be and what high school I went to.
Nathan Wrigley: [00:27:07] It's just astonishing. Yeah. The, the, the web of interconnectedness and the intelligence that's brought to bear on this is astonishing. I'm sure we can all identify with that example things, quirky things popping up.
The, I mean, even in the form of advertising, you know, things that, you've just gone out and, I don't know. You're suddenly bizarrely searching for fishing rods or something. And, and. Boom. There they are. There's a plethora of fishing rods in your life, you know, adverts come left, right.
And center. But yeah, you're right. so again, I suppose the question is, did, are we, are we kind of reacting to this stuff that the, that these platforms, these data brokers have, have. Been able to get away with because nobody thought about it. or, or, or is this something that we, you know, I'm sort of trying to get to the, the question is, are we, have we allowed this to happen or has this just sort of happened to us?
Heather Burns: [00:27:59] I think it's both. I think we've, I don't want to criticize people, but yeah, we've been lazy. We've been complacent, and it doesn't necessarily They have to begin with leaving an Equifax data table. Unsecured. It starts at the minute we just put a fake Facebook pixel on our site because we read some marketing article that said, that's what you do.
It starts when we put Google analytics on our site because we read some article that said, that's what your post is supposed to do, and you never look at any of the settings are locked down in either things you're supposed to be using. It starts the minute we put some advertising. I'll go on our site through a plugin just to make a little pocket money on the side and don't realizing that we're now surveilling everyone who comes to their site.
And it starts for us on the development level when we don't think about these things and we don't think, how can we stop the data flowing into this from being misused?
Nathan Wrigley: [00:28:56] Hmm. Yeah. All right. It's amazing what we've given up, I think, and my, my take on it is that, a lot of these companies invented this technology and kind of thought, well, this would be good.
And I don't suppose there was any, any kind of criminality, if you know what I mean. Nobody was rubbing their hands together and rotating in a chair, stroking a cat, thinking, I'm going to take over the world. This is going to be fabulous.
Heather Burns: [00:29:20] One just got a job as the Downing Street chief of staff yesterday.
Nathan Wrigley: [00:29:23] Okay. Okay. So maybe, maybe they were, but the, yeah, I just, it feels from my point of view too, like we've kind of, we, we have been losing the battle and it's, it's, it's the, it. You know, it's kind of become the job of people like you to, to turn our heads and make us realize the calamities that are involved.
So maybe turning to word press for a moment, do you believe that WordPress is, has a good reputation in, in kind of like the privacy space? If I was to install a default version of WordPress right out of the box, no plugins, nothing on a, on a, on a hosting environment, which had been, you know, cool, conceived off to be as secure as possible and everybody's happy with that. Do you believe that? Where is WordPress a safe bet?
Heather Burns: [00:30:09] There's nothing wrong with it out of the book, but there's no such thing as an out of the box WordPress install. And this was the sort of dilemma that we had to wrap our heads around when we began the discussions that resulted in the creation of the core privacy team, which is that you've got core, you've got themes, you've got plugins, and you've got the millions of things.
That, every site administrator does. WordPress sites are like fingerprints. No two are alike. No two are constructed the same. No two have the same codebase. They're all taking, storing and sharing data in very different weights. We have no intention of making WordPress sites compliant with anything because we can't.
All we can do as a team is. Work on what we can work on to give site administrators, developers, and users the best possible base to start from the best possible choices and options and control so that we don't want everyday users to have to be developers to do this stuff. We don't want everyday site administrators to have to go to law school or become developers or both to have to learn this stuff.
We know that. We can make every plugin and core as legally and consciously privacy, privacy positive as we want. They're still gonna throw Google analytics and Facebook pixels into Bulla tracking and all that nonsense on it, but we can at least fight the corners that we can fight and. In that regard were succeeding very much.
Nathan Wrigley: [00:31:49] I'm just touching on that then. So just to be clear, if anybody's interested in this, you need to be going over to make.wordpress.org forward slash core forward slash tag forward slash core hyphen privacy. That was a lot to say, but I'll put it in the Stoneworks put it in the show notes. but, yeah, just wondering.
Over the last period of time, let's say, Oh, I don't know, six months a year or something. Can you, can you highlight something that you, that the team have been able to implement that you feel was a, a positive benefit to WordPress?
Heather Burns: [00:32:18] Should we do a little backup history?
Nathan Wrigley: [00:32:19] Yeah, that's great. Yeah.
Heather Burns: [00:32:21] I'll leave it in, but at winter 2017, that. Everyone said, okay, GDPR May, 2018 maybe we should get moving on this. There were a handful of people like me who had been saying for years, please can we get some coordinated action? Not because of GDPR as a legal obligation, but because GDPR is was as good as impetuses ever to bring privacy front and center.
My first GDPR talk was, it was meant to be a lightning talk. I'm at Vienna 2015 so my first GDPR talk was going to be 2015 but unfortunately we, the day before that talk, we voted to leave the European union. So I ended up doing a very different lightning talk. so it was, that was just, that was the date on the calendar when I tried to get the momentum going.
It didn't happen till winter 2017. So there was a teen started called, there was a core sub-team called GDPR, what was it called? I don't recall. I don't even remember. I've, I've looked at a lot of data, but anything, it was like GDPR compliance or something. So that was the focus to get it, to get tools shipped in for the May, 2018 compliance deadline.
if that is what it took to bring privacy into the core of the project, that's what it took. So a bunch of us began working together, Scrappy little band of heroes, developing a three tools which we put in to help administrators in their compliance journeys, which was an export tool and eraser tool and a privacy notice tool.
And we shipped them in version 4.9 0.6 which yes, was a minor bug fix release. I think it was the week before the deadline. Hooray. There was a bit controversy about that because some people were like, why did you just ship those tools at a bug fix? It wasn't up to us. We like many other things.
We're casualties of the Gutenberg numbering release. I have to say in any other project, shipping tools, that fundamental would have been, wouldn't have been a bug fix release, but that was beyond our control. So we shipped those tools and we kept the Slack channel. In making make WordPress open.
And we kept talking and we realized there was going to be other work to do, just bug fixes, enhancements to the existing tools. But we also realized there's going to be other privacy needs, not just legal, but what can we do to make privacy better? And beyond that, we really liked each other and we really worked well together and we had a good time doing it.
Nice. So we converted to a core privacy. Too. That's our name. Now, to emphasize the fact that we are not just about reactive legal compliance obligations, we are about a proactive and holistic view to privacy, and we're still going. we're in a bit of a load now. We shift quite a few. goodies and gadgets with T 5.2.
Yep. That's what it was. And that was such a monumental team effort that we've kind of been quiet since then. I think we're, we're, it's also the summer, so everyone's kind of half asleep. I think we're going to start in the next month gearing up for 5.3. We have a very ambitious roadmap of things we'd like to achieve and accomplish.
And part of that I think is going to be something we wanted to look at for a while, which is a consent and logging mechanism. Oh, okay. How do we, do this in a way that users can have control over all their privacy settings across all their, all the sites, configurations, plugins, and the same for administrators.
Joomla, our friends at Joomla already shipped that a year ago, so the work's been done, and we can talk a little bit about the cross privacy initiative later in this podcast. Joomla has already done that work. And are willing to support us in our journey about that. And, my friend Reese, Drupal published really wonderful blog post last week about how important consent in logging is going to be. And that was sort of like, okay, come on guys. Drupal's not it. Joomla's done it
Nathan Wrigley: [00:36:32] Can we just do it now? Okay. Yeah.
Heather Burns: [00:36:36] Yeah, yeah. Do you go on? Sorry. Please carry on. That's going to be what we're going to start looking at.
Nathan Wrigley: [00:36:42] So the idea would be a little bit like in the way that Gutenberg has been taken on by Drupal is the idea that the, these, the CMS platforms will coalesce to, to adopt a sort of universal standard, if you know what I mean, of things that they're going to have in their CMS is a, in order that they're, they're equitable.
Heather Burns: [00:37:02] So this is a little project we started last year. This was a really, really beautiful hold. My beer idea. couple of us were at Drupal, Europe in Germany, lost of tender and, droop. Drupal's very keen on cross-platform working. So there was a bunch of us from Drupal, bunch of us from Joomla, myself, from WordPress, from the privacy initiative.
And we went out and had the, that sort of hold my beer conversation about it was fascinating because we all talk about what we're working on, what we're not working on, what we'd like to work on, how our teams are structured, what resources we use, what challenges we faced. And it was like really quite obvious.
Like, why aren't we working together? Yeah. So we've started a little coalition of the privacy teams and initiatives from all the open source privacy projects. And as with core privacy, we're on our summer break right now. But, normally we have a weekly office hours every week where we talk about what we're doing, how we're doing it, what are we learning, what can we share?
Whether that's a lesson. Whether it's advice about navigating project governance or whether, whether it's something, you know, actually tangible, like a code library or a UX pattern resource. and when you see that someone, the really interesting thing is we've all done things that others haven't done.
So June was done consent logging. We haven't done that. We've done privacy notices. Drupal hasn't done that. So when it comes time for all of us to do these new initiatives, we can probably actually save several months of time. Yeah. Yeah.
I seen, how did you guys do it? What would you have done differently? What did you do well? How should we do this? What code library did you use? What pattern did you use? and that way we can really just get on with it. And as with core privacy, we really enjoy each other's company and have a fun time doing it.
Nathan Wrigley: [00:38:52] Yeah, I think that's such a nice initiative. I was, I was really. I was really delighted when you said that that was happening. That's wonderful. so in some respects, these other CMS is, are, are ahead. In other respects, there's things that we've done on the WordPress side of things that they haven't done it. I'm guessing that was just a product of, of expediency of the time of what you decided to prioritize. Not, not, a consequence of, no, we're definitely not doing that.
Heather Burns: [00:39:15] Absolutely, yeah. All of our teams are. We are the people who show up. Nobody on any CMS project is funded by any ecosystem company. We are all volunteers doing this on our own time and we've all had to get this work going in the face of.
You know, passive objections at bat at best, some really tough resistance at worst. So on a bad day, we're kind of like a mutual support group to each other for what we're handling in terms of project politics. But it's important to remember that we are, nobody is funded to do this. We are all doing this on our own time and initiative.
Nathan Wrigley: [00:39:56] Yeah, well, I'm sure we'd all like to thank you, at least for your, your participation in that. Just thinking about, you've mentioned earlier that there's no, every WordPress site is a little bit like a fingerprint. There's no two that are the same. largely I would say, because as soon as we get, WordPress, we install plugins and so on, and, you know, themes go in and all of a sudden everything's, becomes a tangled and difference to all the other WordPress sites.
Does WordPress have a role. In in, in forcing privacy, let's say settings or policies for plugins, whether they be on the repository or a premium plugins. Can WordPress leverage it's position and say, Nope, that's, that's disallowed. We would, we would like you to remove that and change it to this instead, or is it a bit more wild West?
We'll just have to, fingers crossed, read the read the documentation that comes with each plugin and hope for the best.
Heather Burns: [00:40:50] I would love for us to be seizing that mantle and running with it. We did have a little document about, support for plugin developers, that we all worked on in a Google doc and we published it in the.
Core privacy channel in it. Everyone's forgotten about it and it's nowhere. there's the plugin guidelines. We did get one of them changed last year, but there's only so far you can go on that. I think the biggest impact we could make, in terms of plugins wouldn't be in the guidelines.
It would be towards some sort of standard, like accessibility. we do have a proposed standard, which is the privacy by design framework. We use it in the core privacy team. I would love to see it being a pro project wide guideline, just like code standards, just like accessibility standards.
But let's perhaps knock into got into that particular drama. We did make a small change in the plugin repo guidelines last year ahead of GDPR. This was actually something I personally took the initiative on, and I work with Nicky Epstein on it, and we added one line to the plugin guidelines, which said that you are no longer allowed to claim that your plugin will make a website compliant and anything.
Nathan Wrigley: [00:42:10] Oh, nice. Yeah.
Heather Burns: [00:42:11] Whether it's GDPR or whatever, because there were a lot of plugins that are saying, you know, put this, plug it in, activate it. You're GDPR compliant.
Nathan Wrigley: [00:42:20] Yeah. I remember that.
Heather Burns: [00:42:22] It's not how it works. And again, it wasn't just accessibility. Privacy was accessibility. It was, there was one plugin that it was like, wizards. That you put in your information, like you were doing a Madlib and it promised to spit out a legally watertight business contract containing your details as if you could outsource your businesses contractual legal compliance to a random plug in you found in the repo. Yeah, so Mika did a scan and I think there were something like 1200 plugins in the repo claiming to make a website compliant in various legal matters, just just with a click.
So now you can say that your plugin assists with a compliance process, which it actually absolutely should do, or can provide a workflow for a compliance journey, which it absolutely could do. But if you're saying that your plugin will make a site compliant, you need to go back and change some things.
Nathan Wrigley: [00:43:24] It was interesting because I got, I derived that knowledge that you've just imparted from your talk. I was, I was, I was the ignorant mass, I'm afraid where you, the assumption being that if somebody makes this, claim that, that, you know, install this plugin and so on. Yeah. I kind of thought, well, on some level they lived on some.
Due diligence, but I'm delighted that I came to your talk because it made me reevaluate all that kind of stuff. And I've went from a position of trust, I suppose, to, to more distrust and more research is needed and so on. I was just thinking also about the things like the theme review team and their ability to say, well, this.
This particular theme, I'm sorry, we can't possibly put this on the repository because it, you know, in this case, and then this case, in this case, it doesn't, it doesn't meet up to the standards that, that are published in a widely available for everybody to read. And I was just wondering if maybe that's a route that could be taken.
You know, obviously the, the governance of that would be fraught with difficulty, but, you know, I'm afraid that you, this plugin is not suitable for the repository because of the policy. you know, it's not, it's not following the The privacy guidelines. You never know that might come around.
Heather Burns: [00:44:32] I mean, we do have, a tag we added in track for needs privacy review. and again, this is the sort of things we've been cracking as a core privacy team where you start to think, where else could we make an impact? And that was a suggestion. So now if you have a track ticket or something, if you tag it needs privacy review, we'll take a look at it.
Okay. but again, who we are is we are the people who show up. Yeah. We would love to have more support. We would love to have more members. It was really, I found it very personally sad that there were no privacy talks at WordCamp Europe this past two months ago, that only a month ago, a couple, a couple of team members submitted ones.
No, none were accepted. We had a little WP cafe session, which was, I don't know if you heard about that, but yeah, it was really, really good. I loved the cafe model much more than lightening talks. And we had a session where we talked about the team and what we do and maybe 20 people showed up and someone raised their hand.
He's a friend of mine and I swear I didn't pay him to say this. He said, you're the privacy team. Why are you in the corner over here? You should be in there giving a talk. And I said, well, I, I didn't know what to tell him. Yeah. You know, I don't, I don't have the answers for these questions of why, you know, the privacy team for the biggest open source project on the planet should have to fight to get their voice heard and have more than five people show up at office hours.
And I really hope that. There's a, there's a, a sea change in the project and in the community that we start getting people participating and bringing their talents and bringing their enthusiasm to the team.
Nathan Wrigley: [00:46:15] That's a, I think, I think you've put that very, very nicely actually. I, I won't ask the inevitable follow up question about, you know, how has have obstacles been put in the way you, we'll just, we'll just leave that one hanging. Maybe, unless you want to ask or answer that question.
Heather Burns: [00:46:31] I mean, I, I think we'd be deluding ourselves if we pretended that the team hasn't come in for an unusual amount of nonconstructive very personal criticism. And I'm not going to speculate on the reasons why. The fact is we still continue to show up every week to get the work done.
it would be wonderful if we had more support from the project leadership. I'm not going to hold my breath. It would be wonderful if we had more support from the community. I was really quite shocked by the amount of push back the team got from the community last year. Some of it was very, very harsh in that we were really quite.
Truly believed we were doing a positive thing for privacy, and there was a certain very vocal section of the community which saw us as these sort of eurocrat legal enforcers trying to tell people what to do and threatened people with the law, which is never what it was about. But unfortunately, those voices had much larger influence than we did, and it's sadly gotten worse since then.
That's not to say that there's that. Privacy stops being an issue, there's going to be things to deal with next year in terms of legislation as well as the code base to deal with. we just keep calm and carry on. You know, when they go low, they go high.
Nathan Wrigley: [00:47:55] Yeah.
Heather Burns: [00:47:56] But in terms of how long people are going to continue committing to doing that work in a situation where they have to come in, certainly I have for some really quite astonishing.
Attacks and abuse for it. I can't guarantee that. So there's things that everyone can contribute, whether they're a designer, whether a developer, please. We need designers and UX people because we make ugly stuff. some, some leadership would be good. What we need in this community is privacy champions.
Nathan Wrigley: [00:48:25] Yeah.
Heather Burns: [00:48:26] Beyond our team. I was really quite disappointed that, GDPR should have been seen as an opportunity for influencers in the community, including the major WordPress agencies to become privacy leaders. And it felt to me that they sort of almost saw it as a PR opportunity and a marketing thing so that they could market themselves, Hey, we've done GDPR stuff for the 25th of May and everyone forgot about it, including them on the 26 so we missed an opportunity there.
So I can't show leadership on my own. I would love to see other people stepping up to this.
Nathan Wrigley: [00:49:06] Do you, just before we carry on it, do you, do you have a, like is there a particular contact form or something that you could point us to? maybe I could leave something like that in the show notes. We could discuss that.
Heather Burns: [00:49:16] I'll give you the links in the show notes. We have a roadmap. Yeah, there's the tag. In core for what we do. we have a repo, which I should probably tie, tidy up. And of course we have our Slack channel. We have a weekly bug scrub and weekly office hours. We're recording this in July on the hottest day ever.
So don't jump in today looking for anything cause you're not gonna find it. But if you're listening to this on a cold, dark winter night, we've got work for you to do.
Nathan Wrigley: [00:49:44] Oh, nice. Okay. With that. I think that's a nice call to action. I love it. I'm going to change tactic a tiny bit, if that's all right, and I'm going to turn to the, the, the, what is probably 80% of the, the use of WordPress.
You know, people who install WordPress and they've never done it before. They're looking to put something online for themselves, their business, their thoughts and ideas, what have you, w what would be, what would be a good place for them to start? What kind of things would you recommend that they take a look at?
I'm thinking about things ordinary and. Perhaps not that widely talked about, but perhaps important things like privacy policies and so on.
Heather Burns: [00:50:21] So we shipped a privacy notice tool in four, nine, six. That will help you, create a privacy notice for your site. I personally prefer the term privacy notice to policy because policy brings up, brings to mind some sort of thick, dense legal ease thing.
The whole point of GDPR was to get rid of those legal policies written for lawyers by lawyers, which were actually contracts. If a privacy notice looks like a contract, that's because it is. It was the, the setting forth of an arrangement between you and the website. A privacy notice is about the website and you, it's about what they're doing with your data, what they're taking, what they're using it for, why they're using it, and what rates you have over it.
Because again, to get to back to the beginning of our conversation, privacy is about your rights over your data. So the average WordPress user will be able to use the tool we shipped to create a clear, plain English plain language. Non mumbo jumbo privacy notice that will help give their site visitors the assurance they need, that their data is being used properly and that they can exercise their rights over it.
Nathan Wrigley: [00:51:35] Okay. So playing languages is the key message that I'm getting out of that. It should be written in such a way that it reads without the need. So to have a dictionary close at hand.
That's my kind of trolling, actually, that's, that's my idea of fun. Yeah. So it was amazing to them how many developers who really should know better thought that privacy policies were about cut and paste, search and replace. Yeah. GDPR was about ending those days. And not before time.
Nathan Wrigley: [00:52:23] Do we, again, using the example of somebody, and, and in this case, let's take somebody who's not, not in WordPress for any kind of business purpose.
They literally trying to, have a conduit for their thoughts online. They want to write about their holiday or whatever it might be. D do they need to. For example, have a lawyer involved in these kinds of things. is there any, or should they just literally be writing it off the, off the cuff, and having a go themselves? Are there any requirements?
Heather Burns: [00:52:49] Not need a lawyer. Great. In all the, the buildup to GDPR, one of the. The hallmarks of what we came to call hashtag GDPR rubbish was anything said like check with your legal counsel. Cause that's a very American way of putting it. Yeah. The only thing you're gonna need a, an actual lawyer for is something like your contractual arrangements with third parties.
You do not need a lawyer to write a GDPR privacy notice if you're just a hobby blog or writing about your holidays, you know, use the tools we gave you. You probably need a lawyer if you're running a business anyway. Yeah. But this notion that you would need, these, the amount of people ahead of GDPR who said, I can't afford to lawyer to deal with this.
You don't need a lawyer. And if you do, it's to deal with the contractual third party arrangements you already had with your suppliers anyway, so you need a lawyer for certain things, but GDPR and privacy should not be one of them.
Nathan Wrigley: [00:53:48] Okay. That's good to know. That was my, that was my assumption and, but it's nice. Nice to hear it out loud. again, changing tack, just talking about big tech for awhile as opposed to kind of WordPress, do you, do you think you'll still be needing to bang this gong, about privacy in, let's say. Five or 10 years time. So fairly far into the future. Do you believe that the intentions of the social networks and all of these people are sucking up our data?
Do you believe they intend to change their ways and respect our privacy, or do you, do you just see a constant war of attrition, one side gouging the other, ad infinitum?
Heather Burns: [00:54:26] So not only will I be continuing to bang the gong in five and 10 years, but that will be the exact time to do it. Because to go to sort of my day job in tech policy, what we're seeing now is governments in the UK, in Europe, and certainly in the United States, which want to, crack down on the tech giants.
But what they're going to do is legislation, which goes for the big fish and catches us all in the net. Yeah, and that's why it's a, it's a frightening privileged to work in tech policy at this time that I'm doing it because I am looking, I can't really go into details, but I'm looking at confidential plans and drafts about how they want to publish a punish the tech giants.
No comprehension that it will take every small business, every entrepreneur, every startup down with it. Yeah. And a lot of those plans and proposals, and I've certainly been very public about some of the domestic ones in recent months are very anti privacy. They want to surveil everything. They want to collect everything.
They want to store everything. They want to censor everything. They want to limit everything. So we need to be mindful that it's not just big tech we have to worry about on privacy. It's governments and the government response to a lot of the abuses of big tech is to eradicate privacy equally, but in a very different direction.
Nathan Wrigley: [00:55:49] certainly it feels like where we are on the cusp of some reaction in terms of, you know, domestic government policy in the UK against this. We've got this, well, for want of a better word, this sort of Snooper's charter, which, which is being implemented. I know that across, across the pond in North America, they're looking at other things.
This stuff really, on the one hand, I'm, are, you know, an advocate of freedom and I love it. All of these possibilities. On the other hand, you know, there's the government saying, we need to be able to access your iPhone data. It's absolutely crucially important because, you know, crimes can be committed and the data is stored on the phone and we need to access this stuff.
So I sort of see it from both points of view, but my, my gut feeling is I always want, I always want to be able to maintain my own privacy and encrypt things should I need to.
Heather Burns: [00:56:34] I've got a tab open in my browser, which is from a U S political site, and the headline is attorney general, William Barr. Warren's encryption allows quote criminals to operate with impunity.
Nathan Wrigley: [00:56:45] Yeah. That's an easy thing to say
Heather Burns: [00:56:48] Over here in the UK where we're looking at the online harms framework. Yeah. Which would be about restricting and censoring content, which is a, which is perfectly legal but harmful right now.
The framework about what you can say on the internet is within the rule of law. They want to take it out of the rule of law and make it subjective. So we are in, I don't, I'm not being chicken little here. We are in very scary times for the open web, which will impact everyone with a WordPress site.
Nevermind a Drupal site or a Joomla site. Anyone who lives or publishes to the web is going to find the sands under them are beginning to shift very, very fast. Again, I'd get into some of the discussions we have on the political front lines, but some days it feels like we are keeping the open web open with duct tape.
Nathan Wrigley: [00:57:39] Yeah, that's, that's my feeling. Yeah.
Heather Burns: [00:57:42] It'd be wonderful if projects like WordPress could, as I've been pleading for years on the deaf ears, sadly, to leverage their voice as 34% of the open web to speak up on things like intermediary liability, things like encryption, things like. A censorship and take downs of content.
And you know, the, the, the draft online is how online harms framework would've put making WordPress Slack under government surveillance in case someone said something nasty. That is really the sort of legislation we're dealing with here, allegedly to punish the tech giants. But take everyone's privacy down with it.
So I would love, love, love to see the WordPress project waking up and showing up for the fight.
Nathan Wrigley: [00:58:28] It feels to me as if a lot of the, a lot of the policy makers are not technologists, and that they simply have a kind of a misunderstanding of the debate itself. You know, they don't, yeah.
Heather Burns: [00:58:38] Well, like what I've come to understand working with them is because they're not technologists. They worked by the lowest common denominator. The worst thing they hear about something is what they assume about it. So there was the thing lost, or with 2017 that you know, there was like one Jihadi blog on a wordpress.com site. So the home office came to believe that that is what WordPress was about.
There was a recent example where, you know, the reason that Slack channels would've been in the online harms framework, and I did this is a dispatch from the front lines. apparently there was one corporate Slack somewhere in the UK where two complete idiots were swapping child abuse images on company time.
When a policy maker hears that because they don't know what Slack is and they don't use it, that's what they assume Slack was about.
Nathan Wrigley: [00:59:29] Yes.
Heather Burns: [00:59:30] So it's our job as technologists, as the makers of the web, to show up and explain that when you put in this punitive legislation on Facebook, on Google, because of the one horror story you've heard about a couple of complete idiots, this is the impact you're actually having right.
On everyone else, and it's a privilege to show up for that fight. But I wished to God I wasn't showing up for it alone.
Nathan Wrigley: [00:59:57] How do you, how do you combat the, the idea that, you know, something encrypted is just on lawful, you know, I mean, obviously we've got an incredible array of tools, which an encrypted chat and documents and so on, and it seems, yeah.
That they're even going after this. You know, the, there seems to be a swathe of legislation around the corner saying, let's, let's literally make encrypted information against the law.
Heather Burns: [01:00:23] I mean, the short and sweet answer to that is that to ask a politician if he would consent to your private WhatsApp group being encrypted, or listener to aren't aware. The UK government actually runs on very catty private WhatsApp groups. That's where all the plotting and backstabbing take place. So if they want to. Unencrypt your WordPress website. First, they've got to consent to making their WhatsApp chats public.
Nathan Wrigley: [01:00:49] That said, lovely insight. That's a perfect, that's a perfect way to sort of sum it up. Yeah, it does seem like scary times. It kind of feels like we've had this really privileged period of time. You know, the last 15. Especially in the last 10 years where these technologies will come enabled so much amazing stuff to happen.
You know, the, the, the opening up of the world, the fact that I can chat to you and you're nowhere near me. and, and so on. It's just wonderful and I want it to keep going in a sort of free way. I want to support organizations that, that do this. And probably on some level that was, that was one of the reasons why I chose WordPress because of its free open source nature. Do you? Yeah.
Heather Burns: [01:01:26] My goal right now is to make sure that. People still have a web to put a WordPress website on. Yeah. You know, democratizing publishing is not just about making it possible for as many people to download the software as as they can. Democratizing publishing is making sure they can publish.
They can say they can install software, they can make their opinions heard, they can start up a business because all of those things are under threat right now. And if we truly believe in democratizing publishing, we need to prove it.
Nathan Wrigley: [01:01:58] Yeah. W one of my fears as well as that in a, in a bid to sort of make the, make the web, surveillance will, that's not a word, but you know, that will end up with kind of a, a whole, a whole bunch of different internets.
We'll have the American internet and the Chinese internet and the British internet, and all of a sudden. Getting things to, to North America will be difficult cause it'll have to have to pass through various servers along the way and which we'll inspect it. And, I just think it's one of the greatest inventions of all time, the internet and you know, the structure of it, the freedom of packets to be shifted around without, without being inspected, without being wait, Wade OPERS to their worth.
So Netflix has the same writers I do on my WordPress site. I just think that's a lovely technology, a beautiful innovation that ought to be kept alive.
Heather Burns: [01:02:43] Yeah. And. I'd love to have more people fighting with me. Yeah. Not fighting with me, but fighting next to me.
Nathan Wrigley: [01:02:50] Yeah. That, that's, I think that's the message from this, from this conversation is that, you know, you've heard how there's arguments.
I mean, I, I can't disagree with a single one of them. I, I've loved everything that you've said. but it sounds like it's you, you have a little bit lonely in that corner. And you need, you need some people who've got the same thoughts, to reach out to you and, and, and join the, join the fights, for want of a better word.
Heather Burns: [01:03:14] And you thought this was just going to be a talk about cookie up,
Nathan Wrigley: [01:03:17] right? It was going to be about cookies. Yeah. We didn't even mention cookies like we got right to the end and didn't pension cookies. Is there a Israel, I know we mentioned earlier about the, the core privacy group and how you might get in touch with.
I'm with you via that. if, if you wish to, I'll give you a minute now to, to say what you like, which could, for example, include things like your email address or a, or a contact form URL or whatever. Should people be inspired by what you've said and want to want to help you out.
Heather Burns: [01:03:48] So I will share all of the big long links to all of our core privacy team resources as well as the cross CMS privacy project in the show notes, if you want to get in touch with me personally, I am on making WordPress Slack as Heather Burns.
My website is web dev, log.uk and that is also my Twitter handle, web dev law.
Nathan Wrigley: [01:04:09] Okay. That's perfect.
Heather Burns: [01:04:10] Oh, and just, just because I am really sad and need a life. I have a side blog called after brexit.tech where I monitor what Brexit will mean for the policies, regulations, which govern how we work on the web in the UK.
Nathan Wrigley: [01:04:26] Oh, another N like we could have, we could start a new, a new episode right there. Couldn't make it whole compensation. Heather, Heather Burns. Thank you so much. I've really enjoyed chatting to you. Absolutely. Absolutely brilliant. Thanks very much.
Well, there you have it. I hope that you enjoyed that episode.
I hope you can also see why I was very much beguiled by Heather Burns. I think she's a truly fabulous speaker. I think we need people like Heather who are interested in all of our privacy because if nobody is interested in our privacy, then I think it's a foregone conclusion that, yeah. We probably won't have any in a digital world.
And so the important work that she's doing, I would urge everybody to take seriously and maybe even go and join her and see if you can help out in some way. Fabulous episode. The WP Builds podcast was brought to you today by page builder cloud. If you want to dramatically speed up your WordPress websites workflow, then check out page builder cloud.
It securely saves all your templates to your own cloud. You can then reuse them on any other website in seconds. Page builder cloud works with element or BeaverBuilder brizy, Gutenburg and many more, but it's not just for page builders though. You can save your contact forms and ACF labs to get a free trial today at page builder, cloud.com.
And by WP and UP. One in four of us will be directly affected by mental health related illness, WP and UP supports and promotes positive mental health within the WordPress community. This is achieved through mentorship, events, training, and counseling. Please help enable WP and UP by visiting WP and dot org forward slash give.
Okay. I hope that you'll join us next Thursday for another podcast episode. If not, perhaps you'll join us on Monday when we released the weekly WordPress news and at 2:00 PM UK time, we've got our live news as well, where I'm joined by some special guests that can be found firstname.lastname@example.org forward slash live.
And do remember, go to WP Builds.com forward slash subscribe and get yourself on the list so that I can alert you about the deals, which will be on our black Friday page forward. Slash black. As every week we do, I'm now going to fade in some dreadful cheesy music to cheer
you up and say, bye bye for now.