Last year I gave a talk about teaching the legal side of web development to a conference of professional educators, and afterwards, I wrote this:
Other professionals assume web development is an organised profession with a defined career path like theirs. It is very, very difficult for highly intelligent people working in law and academia, for whom their careers meant three or four years at university, a year or two at graduate school, a full-time position in a professionally structured company, and a clear path of career development, to understand that web development has none of that. They assume we learned certain things, in certain places, at certain times. They assume we receive certain things in the workplace. (They assume we have a workplace). They assume we receive refreshers, CPD, or ongoing training. They assume we are fed regular knowledge by a professional body. To professionals like those, the reality of being a web development practicioner, with no training, guidance, or support, is incomprehensible.
In recent weeks I’ve been seeing a lot of this cognitive bias in play. I’m seeing a lot of highly intelligent professionals who seem to think that improving online privacy is a matter of enhancing training and education that developers already have, or nudging them to pull their socks up where their compliance practices have slipped.
I respect all of these professionals and love working with them, so some tough love is called for here. Please don’t take this the wrong way, but when I see these biases being spoken, it makes me want to put my head in my hands and cry. You need to understand what 24 years of coding on the web, and several years of speaking with, writing for, and training development communities taught me about those professionals:
you can work full time on online privacy and still not actually understand it.
As I write in my upcoming book, the amount of developers and web practicioners who told me that my conference talks were the first training and education they had ever received on privacy, at all, anywhere, from anyone, ever, was terrifying. That is representative of the field as a global whole.
The overwhelming majority of web practicioners have no training, education, or guidance in online privacy.
Not one word.
Not one page.
Not privacy as a theoretical concept, not privacy as a legal concept, and not privacy as an ethical concept.
They don’t receive that training from their development communities. They don’t receive that training in their workplaces. They don’t receive that training in their education, assuming they had one.
Yet the bias I described in last year’s post leads many privacy professionals in law and academia to assume that they do, because that’s how their careers panned out. When online privacy goes horribly wrong, they assume there is a level of formative and professional knowledge which web practicioners have deviated from.
They never had that to begin with, and no one ever gave them the support they needed to get there.
So I’m seeing law professors talking about adding privacy ethics to the computer science curriculum. To which I would respond: why do you assume the people working with code are going through a university computer science course?
For that matter, what curriculum? The developers you need to reach probably came through a 16 week coding academy which taught code and not one word of anything else. Or they’re over 40, like me, and learned everything about code through right-click.
I’m seeing academics wanting to give talks to developers on how they are not meeting legal compliance. To which I would respond: why do you assume that they know what they are meant to be compliant with? Who do you believe they received that education from?
I’m seeing privacy professionals saying we need to rethink how we train technologists. To which I would say: why do you assume that technologists have any training?
I’m seeing data protection professionals wagging their fingers at developers to wise up. To which I would say: Good for you, but you’re pointing fingers, and not offering one hand up of the practical support they need to make you happy.
So let’s talk about what you need to do, as a full time legal or academic professional working in online privacy, if you want to get the message through on the ground, at the grassroots, and where it matters: to the people working hands-on with code, people whose career pathways are and always have been so divergent from yours that you, for all the letters after your name, will genuinely struggle to comprehend it.
Because that lack of understanding is standing between you, the makers of the web, and the people we build the web for.
So let’s get this straight.
You need to be prepared to commit to working on online privacy as a completely voluntary, unpaid, unfunded, unreimbursed, unsupported, unwanted, and unappreciated endeavour.
You need to be prepared to accept that you will be doing this work for the benefit of the open web and the people we build it for, and that this work will not benefit your career, your CV, your professional reputation, or your personal prestige in the slightest. Just the opposite.
You need to understand that you are entering a world where the schools you went to, the degrees after your name, the letters that follow the degrees, the institutions which employ you, and the works on your CV mean absolutely nothing to anyone, and
fuck you god help you if you think they should.
You need to get your feet under the table with open source privacy teams, in open source projects which aren’t too bothered about online privacy, and spend several years getting dirty in the trenches with them before you purport to give them a single word of academic or legal advice.
You need to be prepared to spend £400-£800 out of pocket on travel and accommodation, several times a year, to give privacy talks at software community conferences which don’t cover speaker expenses, to speak with fewer than 20 people in the Sunday morning hangover slot.
You need to be prepared to put weeks of work into those conference talks, where the only question you will get afterwards is “do we still have to do those cookie popups.”
Because the conferences you need to reach don’t cover speaker travel or expenses, you need to be prepared to stay in shitty little bedsits on the other side of the city from the conference venue, the kind where the toilet is in the shower stall, because that’s what you can afford out of pocket this month.
You need to be prepared to learn how to teach privacy without the use of any academic papers, academic journals, or textbooks (which don’t exist, yet) for professional audiences that have never read any journals or papers in their lives, and sure as hell aren’t going to start today for the likes of you.
Oh, and you need to be prepared to learn how to teach privacy without ever discussing the l-word. Law. And god help you if you mention the p-word, politics.
For your own personal learning, you need to be prepared to ask people to give you favours like downloads of academic papers off of university networks, or resources out of paid membership clubs like IAPP, because paying out of pocket for planes, trains, and budget accommodation means you can’t afford organisational membership dues, much less an academic shibboleth.
You need to find out what it’s like to attend a data protection conference so that you can speak with a privacy lawyer about ways he might be able to support your development communities, only for him to zip out as soon as his talk is finished and then patronise you as some silly kid when you try to engage on social media.
Ditto for engaging in good faith with privacy academics and data protection professionals who look down on you as if you’re ambulatory dog shit, as they tut “ohhhh my godddd, where’s your fucking Ph.D?”
You need to be prepared to have to crowdfund to cover your out-of-pocket privacy expenses, and just maybe, the time you spend on privacy teams at a level equivalent to the national minimum wage, only to be accused of just wanting to do it for the money.
Ditto for the months of work you pour into funding and grant applications to support development communities to establish and strengthen privacy teams and initiatives, and when you don’t get the funding, it’s the projects you put in the application to support which accuse you of wanting to do it for the money.
(Years later you learn that the accusation was projection: the reason the project endorsed your funding application was because the project lead desperately wanted the funding grant to cover up her embezzlement, and you and your privacy work would have found yourselves squarely in the middle of that, possibly in a courtroom.)
While you’re experiencing that much of a learning curve in order to teach, you need to be prepared to have your work misconstrued, your character torn down, and your credibility attacked by aggressive, angry tech bro developers who associate the word “privacy” with foreign government interference in their personal freedoms, and see you as that government’s emissary.
So you need to balance that constant onslaught with spells of having to put aside privacy work for months at a time to plow through internal project dramas and soap operas which are preventing the privacy work from being able to go ahead, some of which inevitably drag you into them with the most ad hominem attacks on your character possible.
And so you need to be prepared to have everyone hate you – I mean, really, really despise every bit of you, personally – for what you do.
And you need to be prepared to man the fuck up, put your big girl pants on, grow another layer of skin, get back in that fucking room, and keep on doing it.
Because other people who will never know the privileges you take for granted aren’t just doing all of that already: they’re having to work twice as hard because people like you think you’re too good for that sort of thing.
Did all of that offend your sensibilities?
Because now you’re starting to get it.
So if you care about online privacy and want to make the web a better place, please take that advice as the tough love as it is. Otherwise, you’re fighting the wrong battle against the wrong ‘enemy’ with the wrong weapons.
I’ve never felt more of a need to give a standing ovation to a blog post, than after just reading this. Wow!
This will go straight into required reading for my ethics course Heather. Relevant for so many topics in web dev. https://t.co/On4eJlcj27
— @firstname.lastname@example.org (@axbom) July 5, 2020
You could search and replace "accessibility" for "privacy" in this article and it would be entirely correct.
(I have a slide outlining the assumption web devs are trained in accessibility, and the next slide just says in big letters: "No!") https://t.co/dLeb6AMYrs
— Alastair Campbell (@alastc) July 3, 2020
Great article – I was never educated about privacy *as a developer*, only *as a member of a larger team* which is where there is cultural glue strong enough to make a difference – hello principled leadership from @lukehohmann @PwC @ScaledAgile in my own career. https://t.co/lh66j2i14A
— John Hiemstra (@john_hiemstra) July 3, 2020
That was a really good read. Thank you! ✨
Made me think about all the things I wish developers had digged into, discussed and learned about before they take on their first professional project where it’s not unlikely that they will be working alone without proper mentoring.
— Kolombiken (@kolombiken) July 5, 2020
Excoriating but utterly on the nail. I’ll admit to having railed at web devs for being privacy-clueless. Harsh.
— Miss IG Geek (she/her) ?️? (@MissIG_Geek) July 8, 2020
Last year, I went looking for info on privacy-enhancing tech for a study and found a bunch of papers that seem to have been written on the assumption that, once the paper existed, *of course* the dev community would pick it up and implement it.
That is not how any of this works.
— Frank Wales (@fcw) July 8, 2020
This! Soo much this..
Even if you started with a recognised certification, or a Degree..
There's no formal requirement, _anywhere_, for employers to help keep up with Security / Privacy / Technology; No CPD requirement;
We're just expected to keep up. https://t.co/REm9zF0K8v
— Chris Hewitt (@chrish619) July 9, 2020