There was a call for comments ahead of this weekend’s scheduled panel discussion at WCUS on the autoupdates plan. I’ve been asked to respond to it from my perspective, so I will.
What’s the problem?
The autoupdates plan, as it has been described, and by my read, is incompatible with the latest draft of the EU’s ePrivacy Regulation, which is due to be finalised and come into force next year.
“Incompatible with” is diplomat-speak for “completely freaking illegal”.
While my expertise – for sanity’s sake – is in European and UK law, there is a strong case to be made for the proposal to be in violation of various local and national U.S. regulations on computer trespass and systems misuse. There will be many people in attendance at WCUS, including Rian Kinney, who will be able to speak to that.
A privacy impact assessment documentation process would have identified these issues, privately and before they entered the realm of public controversy, but introducing a PIA process into project development was literally laughed down last year when the core-privacy team tried to raise it.
What does the draft say?
That leaves two options for the project:
- The autoupdates plan can work within those future legal constraints, or
- The autoupdates plan can be in violation of them.
Can we get some clarification on this?
Through my day job, I do have the contacts in the EC team in Brussels behind the draft Regulation. In a healthy project situation I would be able to contact them to open a dialogue on whether the autoupdates plan will, in fact, violate the eventual Regulation.
But this is not a healthy project situation, so I can’t, and I won’t. There are two reasons for that.
The first reason is that I have not been granted the authority, and I do not hold a mandate, from the WordPress community, to act on its behalf in the policy sphere. Seeking clarification from Brussels isn’t like pinging someone a quick question in Slack. There are protocols you must follow first to earn your right to ask. It might take a few months to get a response back, and they’re probably going to want an in-person meeting. By definition, I would be bringing them a problem, not a solution, and they would prioritise the work as such. I am not funded or supported to contribute to WordPress for the privacy work I already do; I have no emotional or financial interest in expanding that to negotiating with policymakers as a charitable endeavour.
The second reason is that even if I had a mandate from the community and some sponsorship to spend my time on it, I would not be allowed to do so. The project leadership is very touchy about anything perceived as political. That’s not just a function of tech bro libertarianism. That is a function of the WP Foundation’s American 501(c)(3) legal registration forbidding any activity which could be construed as political lobbying. That, as ridiculous as it sounds, would include a Scottish woman speaking to Brussels on the project’s behalf.
Neither of those governance issues is, nor should it be, my problem to solve.
What I can do is point out how this plan risks a lot more than botched updates.
Please don’t ruin it for everyone else
I get it. I really do. The WordPress open source project is not interested in making its voice heard and influencing policy, or in leveraging the power of 30% of the sites on the open web to be a force for good. It’s not interested in working within policy processes. It’s not interested in building relationships with policymakers. It’s a software project, and nothing more. That has been made crystal clear to me by the project leadership. I get that.
What I don’t get is where the WordPress project decided it has the right to ruin it for everyone else.
The project – whoever “the project” is – has made a political decision here: that’s to push ahead with a plan which is likely to put end users in violation of the law, and to do so knowing that the mantras of open source development will be used to ensure that no one within the project will be held responsible and no decision makers will be held accountable.
None of that will fly with policymakers for a minute. They’re going to want to know who made those decisions. They are going to want to know who approved them. They are going to want to know who wrote the code. They’re going to want to see the legal sign-off. They’re going to want to see the PIA.
And they’ll find two Make blog posts with hundreds of comments, two Tavern articles, this blog post, and some airy hand-waving about “open source freedoms” instead.
So if you want to set up open source development ecosystems as a whole for heavy-handed regulation and hostile scrutiny from policymakers looking for easy prey to take down, going ahead with the autoupdates plan is a quick and easy way to do it.
Think very carefully about what you’re doing here.
Did you spot what’s missing?
Finally, on to the WCUS panel itself. The description for the panel uses words like responsibility, freedoms, and safety. The actual problem – legal – is not mentioned at all. Does this sound familiar? It should, if you follow my work. Framing the dialogue as a debate about rights and wrongs, rather than a mission-critical evaluation of the legal implications, is ethics washing.
If you need an introduction to ethics washing, Morten and I recently wrote a print article about it. We’re not permitted to redistribute it online, but we defined ethics washing as
What happens when ethics projects are devised and adopted in lieu of a healthy approach to legal compliance. These codes are rarely deployed to complement privacy laws and the rights they grant users; instead, they are often used to circumvent them.
We warned against ethics washing as a means of
Signall[ing] a belief in self-regulation, using arbitrary ethics as the constraint, rather than an adherence to an actual regulation using the rule of law as the constraint. Put another way, it is a declaration that a project, and the people who make it, are above the law.
I don’t want this panel to form part of an evidence trail – along with those Make posts and Tavern pieces – showing that the project thought it was. But until I see or hear differently, I’m looking at a project which is holding itself above the law while looking down at those who work to make it.
You have one shot to change that, and that’s the panel discussion.
So my advice to those of you participating in or attending the panel would be to leave the ethics washing at the door. Drag the l-word onto the stage, and address it face-first and head-on. Don’t leave the stage until you have a plan to solve it. Be as fearless as, well, I would be.
Because open source is counting on it.
Last we heard team leads were submitting the issue to the foundation’s legal, but we were informed the foundation isn’t responsible for the project, the issue was being reviewed by @automattic attorneys? What was their advice/position for the project on this issue? https://t.co/r4ID5uFA8o
— Rian Kinney, Esq. (@TheKinneyFirm) October 29, 2019
Just watched the "WordPress Automated Updates: A Panel Discussion" from #WCUS. That was an exercise in extreme frustration for me. That panel had my blood boiling a few times. How amazingly presumptuous are those people… They really do not get the risk and consequences.
— Stéphane Bergeron (@pixelyzed) November 2, 2019
We are people of enormous power and influence over the open web. I empower digital professionals to use that power wisely. I advocate for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. This is my personal site, and does not reflect the work or opinions of my employer.