Defensive Web Development: Protecting the Web from Political Uncertainty

The web, and by extension the makers of the web, are working in a time of uncertainty which quite simply has no precedent across any other industry. In the UK, as a result of the Brexit referendum, designers and developers face losing the legal basis for the freedom of personal movement as well as the freedom of the movement of data which has facilitated the very creation of the digital industry. In the US, the incoming (as of this writing) Trump administration threatens instability on a scale which has spurred many developers, including Matt Mullenweg and many Automatticians, to publicly pledge not to participate in the creation of databases of individuals which could be used to target them for unthinkable actions.

Quite simply, the ground below our feet is quaking, and there is no safety net below us.

As designers, developers, and the makers of the web, we cannot cross our fingers and hope it will all work out in the end. We must choose workflows and actions which protect our craft, as well as those who use the tools we make, from the consequences of political uncertainty.

This talk will detail web development and business practices which designers, developers, business owners, and agencies can adopt to protect their work and their data during these dark and difficult times. The toolkit will draw on existing and upcoming legislation, best practices, and the experiences of those who have gone before us and paid the price.

Those who attend the talk will be inspired to:

  • think proactively about self-defence and user protection
  • adopt protective workflows and business practices
  • as much as we hope it would never come to this, feel empowered to say “no”
  • be equipped to build in safeguards the day an unethical request arrives

Radical times call for radical actions. Let us start now.

Transcription

ANT MILLER: Okay, hi everyone, welcome back to track A, here in the glorious Rocket Room, we’ve got what I anticipate will be a very, very interesting, fascinating, at times a little bit scary, but I am assured you will also be inspired and it will help us all very greatly.

Our next speaker being Heather Burns, Heather asked me to make sure you know that Heather is not a lawyer and this is not legal advice, but I can tell you now it’s going to be very, very good advice. I first met Heather in Vienna, on that dark day after, well for many of us.

HEATHER BURNS: We don’t want to talk about it!

ANT MILLER: Okay! On that day she gripped the issue and told us succinctly and clearly the sorts of issues we would be seeing across the UK and Europe in the wake of the Brexit vote. I still see people on the news and in the newspapers declaring these things as revelations when Heather outlined them clearly, with compassion and a degree of warning about things we can do about them, on the first morning after the vote. Listen carefully to what Heather has to say, she’ll keep it to 25 minutes, we’ll have a few minutes for Q&A at the end, we’ll get through this, Heather knows how to do it. Heather, the stage is yours.

HEATHER BURNS: His rash fierce blaze of riot cannot last, for violent fires soon burn out themselves, sudden storms are short but small showers last long. This royal throne of kings, this scepter’d isle, this earth of majesty, this happy breed of men, this little world, this precious stone set in the silver sea, this blessed plot, this Earth, this realm, this England, is now leased out. England bound in with triumphant sea is now bound in with shame, inky blots and rotten parchment bonds, that England that was wont to conquer others, that England hath made a shameful conquest of itself.

There is simply no precedent for the territory that we, as professionals working in the digital industry, find ourselves in. There is also no burying our heads in the sand about this. Decisions are being made about the policies, the regulations and the systems that you work in, that will impact the way you work. Decisions are also being made about the tools that you make; decisions are being made which can hurt the people who use the tools you make. Decisions are even being made that will deliberately allow those tools to hurt people.

Whatever your political stance, whatever your beliefs, whatever side you are on, the fact is this: the foundations of the open web are under threat. In the UK, Brexit and the withdrawal from the European Union will mean the withdrawal from the European data protection regime, which we will stay in for a while, but what comes after that is unknown; that could end the freedom of movement of data as we have known it. It will spell an end to the freedom of movement of tech talent, which has enabled you to get a job anywhere in Europe or your European colleagues to come here as they wish. The withdrawal from the digital single market system of the European Union will remove us from a trading market of £450 million for the digital interest, and we are dealing with openly xenophobic and authoritarian people.

Under the Trump administration we are seeing, funnily enough, the end of data protection; what little US privacy and data protection there is is being chipped away, and that will spell the end of the freedom of movement of data through the Privacy Shield regime. The end of the freedom of movement of tech talent: we have all seen the horrific stories of a US engineer being asked to pull out her laptop and provide a binary tree to prove she was a software engineer. They are pulling out of the — the US is also dealing with openly authoritarian and xenophobic currents, which have amongst other things resulted in mass personal profiling. At this time last year people would come up to me at conferences like this and ask me, “Heather, how can I get to grips with that, what is the current status of the cookie law?” I could help them. When you ask me a question like that you ask me to comply, and I help people like you learn how to comply. People now ask me questions like, “Shall I pull my business out of Britain? Shall I pull my business out of America? What can I do about my laptop on the assumption it will be searched by border control when I go to America?” It hurts me when people ask me those questions. I can’t answer them; when you are asking me a question like that you are not asking me how to comply, you are asking me what to believe, and I can’t tell you what to believe. I can tell you what I believe, and that is that you, as designers and developers, are people of extraordinary power and influence. You make the tools, you see the data, you know better than anyone what needs to be done to protect the people who have entrusted you with their data.

So, in this talk I’m going to encourage you to think proactively about user self-defence and protection, to adopt protective workflows and business practices, to maybe just start to prepare you to face the challenges ahead.

So, the first thing I want to do is to get you to think proactively about self-defence and user protection. As I said, regardless of what political stance you hold, or what you believe in, the fact of the matter is that people are now working in a climate of fear.

In the UK we have the Digital Economy Bill, which is enabling data sharing across government on a massive scale, ostensibly for things like fuel poverty, but also for things like sanctions and punishments. We have the Investigatory Powers Act, which is the surveillance law that left no less than Edward Snowden gob-smacked; amongst its provisions are mandatory back doors in hardware, and mandatory back doors in hardware make the UK a no-go place to do business. We are also seeing deportations, not threats of it, but actual deportations of grandmothers who have lived in this country for 30 years.

In the US, the list building has begun, people are being profiled. As we saw with the CIA WikiLeaks dump, there are back doors in hardware, a bit like here. We are seeing the deliberate, calculated removal of regulatory protection on things like what little US privacy and data protection regulation there is. We are seeing horrific things at border control; there was a diagram going around last week showing the searches you can now expect when you go through border control. I could not put that slide up because it would be a code violation.

We are seeing the deportations of children separated from their families, as the fulfilment of a campaign promise.

You have a responsibility to care for the people in the data. In order to do that, to support your users and address their concerns, you must overcome your apathy. I know that in digital your default setting is: politics, not interested; law, not interested. You have [Inaudible] of thinking that, as Matt said in Vienna, you are the 1%. You can be a digital nomad, you can move to Europe, you can hop on a plane and flee somewhere else where you don’t have to bother about the politics and regulations. Guess what: the 99% of people who will never know the luxuries that you have live with the consequences of the tools you created.

We are in hostile territory.

What you must do is adopt legal and technical defence strategies. You sitting in this room are already at an advantage, because in Europe we have the over-arching data protection law. In the US there is no over-arching data protection law; it is piecemeal by sector or state. You may have heard that California has a really strict data protection law, which is now under attack, but America, on the whole, does not have a system like we do in Europe, and that is important, because America is where a lot of your data is held and processed.

The first thing we will talk about that you can adopt as a legal defence strategy is GDPR; my whole year was going to be about GDPR, regardless of the political currents. It’s the General Data Protection Regulation, the new European data protection overhaul. We in the UK are going into this regardless of Brexit and we are going to stay in it for at least a few years. What comes after that, as I said, is a problem that is concerning a lot of us deeply, but for now we have a little bit to work with.

This is already on the books but it becomes enforceable on 25 May 2018, that gives you just over a year to get to grips with it and it’s going to take you that long.

This regulation replaces the existing European data protection regime, which is from, believe it or not, 1995; you know it here in UK law as the Data Protection Act 1998. GDPR is a much-needed update for the digital age; the existing data protection law we had was literally from the age of dial-ups and floppy discs. GDPR has new requirements on many, many things, and I have literally given entire talks about this, but the things you need to know about are: accountability, you have to become accountable for and document all your data protection compliance; consent, you must secure and confirm consent from the people whose data you are using; really strict regulations on third-party data sharing, who you are passing your data to, whether it’s Facebook or a business partner; data breaches, these become a bit more enforceable than they have been in the past; the individual rights that people have over their data, you must be prepared to meet them; and the international data transfer system, which we will talk about in a minute, which has been thrown into chaos because of Brexit and the Trump administration. For our purposes today, the key take away is PBD, privacy by design and data protection by design; that’s not quite what it means now, it now means privacy by default.

Going forward in your work, the websites or apps, the data you take, the data usage, the ways you use it, you must provide clear, transparent, standardised privacy notices. There are actually going to be templates that you can follow, with icons and tables on: this is what data we’re collecting from you, this is how we are sharing and using it. The days of your privacy policy being absolutely nonsense, a worthless 30-page piece of legalese written by a lawyer, are over. PBD calls for data minimisation: the less data you have, the less data is a liability, and you have to think of it as a liability. Reduce the amount of data you are collecting, reduce the amount you are storing. There will be mandatory deletion of data which you have to be prepared to document: when do you delete the useless data, how do you delete it, prove it.

As I said, increased accountability: you can no longer retrofit data protection as an afterthought, you have to factor it in the minute you start planning the project. As I said, increased subject access requests, that is the rights that people have over their data. Third-party data sharing. Data protection by default: you need to conduct privacy impact assessments, in fact you need to go back and do them right now for any data you are collecting. What are you collecting? Do you know? Where is it stored? Do you know? Do you really know what is in your website database? What are you doing with it? Secure passwords? HTTPS.

Data retention and deletion, technical and security accountability, being prepared for a data breach: when a data breach happens you now have 72 hours to report it to the Information Commissioner’s Office, and there is certain information they will require. You really don’t want to have to fly through that process by the seat of your pants the morning you discover the data breach; you need to prepare in advance. Staff awareness: data protection and privacy now legally becomes everyone’s problem, it’s not your lawyer’s problem, it’s not your manager’s problem.

Under the current data protection regime and the next one, Privacy Shield is the voluntary agreement which is used by American companies to ensure they are complying with EU standards for EU data. In other words, if you are doing business with a company in America they must agree to safeguard your data in their wild west regulatory system as if it was still in Europe. Privacy Shield has always been fragile and imperfect and the subject of ferocious debate, but it gives you what is called legal certainty. It may be invalidated very soon. Many of the statements that Donald Trump has made in the past 6 weeks have all but invalidated Privacy Shield. So that is one take away from today: do not assume there is legal protection for your data going to the US. You do need to ensure that any US companies you do business with, whether you are passing your data to them or it’s even your main office, are Privacy Shield compliant, and that goes for any third parties you do business with. Make sure they are Privacy Shield compliant, which makes sure they are complying with European data protection law.

The head of these matters at the EU is meeting with Donald Trump at the end of this month to raise these issues; stay tuned for further appalling developments.

There is a basic legal framework you can use right away, that you really should be using anyway, to protect and safeguard your users’ data. But what if you don’t have one? What if you work in the United States? You can still use GDPR, a fantastic toolkit; it’s better than nothing. But let’s go beyond that. This is a list I really like: this is the Tor Project’s 10 principles for user protection in hostile states. Yes, we are working in a hostile state right now. The first one may seem completely counterintuitive to everything I have just said, but do not rely on it to protect systems or users. Yes, you have the legal basis of GDPR, yes you may have California privacy law; don’t count on it. Assume it’s not there and take further steps.

The Tor Project’s second principle is prepare policy commentary for response to crisis. This means you as digital professionals must be prepared to counter really stupid political arguments with coherent facts, figures, and technical explanation as that crisis hits. Whether it’s “we want to build a database of Muslims” or “we want to build a database of everyone who is gay who has entered our homophobic little state in the past year, and we’re going to do that with Facebook”, what technical and political argument could you come up with to demonstrate why that is wrong? The Tor Project’s third principle is only keep the user data you currently need. That’s GDPR; right away we see these working principles actually tie into data protection law. Minimise the data, delete the data; data storage and retention become a liability. Give users full control over their data. That’s GDPR again: individual rights, subject access requests, the right to have a company send you all the data they hold about you, the right to ask them to delete that data.

Allow pseudo-anonymity and anonymity. Pseudo-anonymised data, I will pronounce that, is data that has been separated from any identifiable information, such as telemetry. It could be assembled back with the identifiable data later on, but it is protected. Allow anonymity: if you have got a website that is contentious, allow people to register anonymously; do not put a Facebook social log-in on your site to save time, because everything those users are telling you is going to Facebook. Encrypt data in transit and at rest, GDPR again; please come back to this room at 2 o’clock where Chris Wiegman is doing a talk on encryption, the technical bits, it saves me a lot of time, thank you.

Invest in cryptographic R&D. Eliminate single points of security failure, even against coercion. How we all laughed at the hipsters when. Multiple layers of security, vulnerability surface reduction, least privilege. What are you doing on the back end that really matters? Favour open source and enable user freedom; you are WordPress users, hooray, you do that already. Advocate the freedom to use, to study, to share and to improve software. Practice transparency, share best practices, stand for ethics and report abuse; that means design systems that make abuse either impossible or evident, so you can see that abuse happening. Share that information with your networks, educate people on how you are doing it, and report any instance of abuse. Something that WordPress developers do on an absolutely practical level: conduct privacy impact assessments; go to the Information Commissioner’s Office website for information on how to do that. Please start thinking in terms of privacy as a gradient, it’s not an on or off; give people multiple choices about how much data they share with you. Check your external connection requests; we played around with a plugin yesterday called Snitch, that will tell you what all your plugins are doing when they are phoning home. You may be surprised. If your plugins send data home, don’t include personally identifiable data in it. If you are using your plugin to phone home to check the version that’s great, but if you are sitting there and you can see that such and such user at this URL has an insecure blog, you are in trouble. Don’t send personally identifiable data to third parties; enable data minimisation and deletion. What can your WordPress Meetups do? Here are some ideas. One, a WordPress security clinic for one of your Meetups: talk about things like plugin security, talk about things like auditing what data you have in your database, because you will probably be shocked.

HTTPS everything: get people to install a certificate, then bring everything up to date. Another fun thing is to host a cryptoparty; does anyone know what that is? It’s where you bring your gadgets and learn how to make them secure, then you charge everyone who now has secure gadgets to go out and educate someone else.

Now, I want to prepare you to face whatever challenges may lie ahead. Here’s what I don’t want you to do. First, digital solutionism; that means, ok, we have got political problems, let’s make an app and we’ll fix them. Digital solutionism is the egomania of the 1%. It’s about locking yourself away in your sexy little studio and putting out some nice little app that’s really good for you, but doesn’t actually solve the problem. The offline problems we are dealing with now don’t have online solutions. Any online tools you build to deal with this political disruption must be the means and not the end.

Here are some examples of some really good tools that achieve that. Techresistance.org, techforward.org: these are American grassroots projects by digital professionals building tools that can be used to get through the next couple of years. Datarefuge.org is where people are downloading and safeguarding data that the Trump administration is deleting, such as the EPA’s data on global warming. A progressive coder alliance is coming up with digital tools. They are all American; here in the UK we are really sparse. We have theyworkforyou.com, which uses a lot of Government open data. We really have nothing comparable to the level of digital activism happening in the US right now; maybe you are the ones to change that. Here’s another thing I don’t want to see you doing: clicktivism. I invented this word, by the way. What is this word? I signed a petition. Hey everyone, I signed a petition. Big deal. Signing a petition is not political activism; I can tell you that 95% of the petitions you sign are actually list building exercises that organisations use so they can ask you for money.

Same goes for using an automated email-your-MP service; you may have used these. Take it from my MP’s own mouth: she ignores them, that is the equivalent of spam.

Political activism does not mean hashtags and tweet storms; political activism is not speaking to your little filter bubble.

What we need now is meaningful engagement. You need to engage personally with your managers and leadership about these issues. I know some of you may feel like you are rebels working against your own company; I have spent so many months explaining to people, you know, the whole data protection regime is changing, and, yeah, not our problem. It’s frustrating! Because they think you are trying to create a job for yourself, and you will, but just keep pushing. You need to engage personally with your policy makers: go to your MP’s surgery. I have gone to my MP’s surgery and met her, struck up an acquaintance with her, and now she is helping me to get through some of the digital issues we’re dealing with. I am also engaging with the Scottish Parliament right now, in person, real people; they have got my number, we know each other, they know my face. Go to your MP’s surgery, because for God’s sake an MP was murdered last year doing her surgery and every single MP turned up to their own surgery the next day. Join Open Rights Group, which is the UK’s digital rights organisation. When you’re engaging with people on these issues, whether it’s your management or an MP, give them numbers, give them figures, give them the bottom line. They are not interested in uninformed opinions, they are not interested in you venting your spleen, they are not interested in you riding a high horse; they need to know the actual impact. Do your research, collect your anonymised big open data, get your facts and figures right. Be constructive and co-operative. Work with them. They are there to help you. We also need to talk about speaking through industry bodies; we’re creating one in Scotland right now because, Brexit, Indyref2, we have got a lot of digital political issues to get through, and we’re going to do it the proper way. Here’s a slide I really like; I have stolen this from the accessibility community, this is the web project for motivating accessibility change.

This can apply to any sort of advocacy, so it’s the rubbish things at the bottom that you don’t do, which are really ineffective. Guilt and punishment: you are hurting people, you are breaking the law, you’re going to get a fine. That is the sort of nonsense which has driven me to work in this field in the first place. It does not work. Talking about requirements: GDPR is coming, you need to comply; yeah, that’s honest, but I am not trying to use it as a stick to hurt you with. Rewards: this is not a game, ok, don’t incentivise, you will not get a pat on the head for being fully GDPR compliant. Enlighten and inspire: you need to enlighten and inspire your industry, your colleagues, about these issues and about the way forward, and I hope I have done that for you today. But all the suggestions I have given you assume you have the luxury of time and movement and organisation. What happens when the day arrives when you don’t? What happens when you find out that someone is expecting you to use the tools you have created to hurt people? What happens when you find out that the tools you have made are already being used to hurt people? What if you become aware that the data you have control over has been compromised or misused? I implore you to remember that you have a responsibility to care for the people in your data.

You may be called upon to do something. You need to search yourself and be prepared to refuse a Government request. You need to be prepared to responsibly leak data, responsibly in a way that does not compromise the people in it. The most professional and ethical thing you may ever do in your career is drop a table. You may be called on to delete data. You may even be called upon to sabotage it. Think that’s radical? It’s not. It’s called ethical hacking. Let me introduce you to my new hero. Does anyone know who this is? Anyone from France? Does anyone know what that is in the background? It’s a punch card. This was a fellow called René Carmille; he was a punchcard computer expert and the comptroller general of the French army in the 1940s. He ran the demographics department of Vichy, and later France’s National Statistics Service. He was in charge of the technology behind the French census, which was run on punchcards. Punchcards are a wonderful, innocuous form of technology. Then the Nazis came along. The punchcards, running IBM technology, became the means by which the Holocaust was carried out. What did René do? He and his team purposefully delayed the census by mishandling the punch cards, and even left boxes and boxes of them, oops, in a back room unprocessed for two years.

He also hacked his own machines: column 11 in the punch card was where religion was noted, so the Nazis could find out where all the Jews were; he had the machines not punch anything in column 11. This worked for a few years, then they got him. They got him and he burned in the ovens of Dachau for it. What did that accomplish? 73% of all Jews in The Netherlands were executed; only 25% of French Jews were. The world is not changed by billionaires at tech companies; the world is changed through quiet, dignified acts of civil disobedience. God forbid, when the day comes when you have to make that choice, what legacy will your code leave for the world? Thank you. [Applause].

ANT MILLER: Questions from the floor please.

FROM THE FLOOR: Thank you for sharing all of that with us. I understand what you are saying about everything kind of being our responsibility as the people that implement and develop these things. I would like to know what our more practical responsibilities are under the GDPR towards clients. So in a situation where, so far as I currently understand it, data protection is my client’s responsibility and I’m responsible for implementing the mechanisms for that, does GDPR give me a responsibility for advising and ensuring that my clients are implementing GDPR responsibly?

HEATHER BURNS: You are not legally responsible for your client’s anything. However, I was listening to the WP Tavern podcast on the train down, they do the bit at the end where they talk about new plugins, and there is a new add-on to Contact Form 7 which will save all your contact form submissions in a separate database, that apparently exists for GDPR. You do not save all your contact form submissions in a single database, you minimise and delete them. Does everyone remember the pregnancy advisory hack, five years’ worth of contact form submissions from women who wanted abortions, containing names and addresses, that they didn’t know were on a database? You are not legally responsible for your client’s GDPR protection, but if you are building a tool for them which is, say, retaining all contact form submissions indefinitely and they get hacked, that can bounce back on to you. So, what you can do is really engage with them. When you are building a website for a client, build privacy in; we talk about where do you want your sidebars, what colours would you like? We don’t talk about: now you have asked for a contact form that’s requesting this as mandatory, you want this, what data protection measures are you taking? Don’t be afraid to push that. At least you can say you tried.

ANT MILLER: Just her.

FROM THE FLOOR: I was a bit confused by that last question; it sounds like you were saying it isn’t our responsibility to comply with data protection. My understanding is that the minute you have a form on your website that takes personally identifiable information, you need to be registered as a data handler and you are regulated.

HEATHER BURNS: Under GDPR the mandatory registration goes; it’s no longer required, that’s going, and that’s one of the things that’s making — I’m not trying to scaremonger anybody, but a key resource for money [Inaudible] data breach fines will be a way to do it. So, if you are currently collecting that sort of data, yes, you should register, but that goes as of next May.

ANT MILLER: Further questions from the floor? I would just like to share an observation, quite — we’re very lucky working with WordPress that we have a platform that has got a very flexible internationalisation approach. Quite a few people here might well be producing sites that, perhaps on a Multisite network or maybe just through various translation plugins, offer services across multiple markets, international markets. Would you have any general guidance for how we should think about the architecture of WordPress sites when we look at multiple jurisdictions? We talk about Britain, America; are there other jurisdictions around the world that are particularly interesting, or have quirks around them?

HEATHER BURNS: Australia might want to get to grips with that; that’s the only one coming to mind on stage. The other point with Brexit: you have a single market and you have 27 complicated, digitally active countries working in a single market, and that goes. If you are looking for resources, specific resources like, I’m going to be doing this in Mozambique, what is the privacy law there, I can point you to the resources if you need them.

ANT MILLER: That will be handy, I’m sure; I’m sure people will know them. You are on the web and Twitter, we shall go there. Thank you, that was, I hope, inspiring, I know perhaps shocking, but I think we are all a little better for having you share your insight with us; it’s a hope, a safe hope, that we have the potential to save other people’s lives beyond this room. Thank you very much indeed Heather, it’s been an honour. Thank you very much. [Applause].

We now break for lunch, there are sessions back here after lunch, I have to be honest, I’ve completely forgotten, see you after lunch.
