Your autumn 2024 privacy conference talk challenge


Estimated reading time: 7 minutes
Privacy

When I retired from conference speaking, I meant it. It would take some wacky combination of a head injury and homemade vodka to ever get me up on a stage again. I’m too much older, too much wiser, and too cynical from having my privacy work pissed on by too many open source alcoholics.

Now don’t get me wrong, I miss those speaking years. I miss them a lot. I miss boarding a plane at 6 AM, I miss street food at midnight, I miss meeting communities, I miss teaching people, I miss the looks on their faces that said “oh my god I understand this now”, I miss meeting people who became friends, I miss being a part of something bigger, I miss being a part of something, at all. I got home from my last conference talk, unpacked my suitcase, three weeks later the pandemic hit, and that was that. The world stopped turning for me, and it hasn’t ever started turning again. I wish that wasn’t so.

But when my memories get too misty, or I wonder if it’s time to get the band back together, I also remember how it took me until the winter of 2021 to pay off my defaulted credit card bill from all the travel and accommodation I had to pay myself out of pocket, from those speaking years, when we conference speakers were told that those expenses were the costs of “volunteering”, by smarmy “full-time sponsored volunteers” on generous American salaries, benefits, and globetrotting lifestyles from a VC-funded corporation.

Like I said. Cynical.

But over the summer electoral pause, when I had a chance to dive into my reading pile, I found myself reading a set of material that got those gears turning in my head again.

Uh-oh.

This is a talk.

This is the stuff I used to do conference talks about! This is the stuff that conferences should be having talks about! Someone do a talk about this!

No sooner had I felt those gears turning in my head, though, did I remember why they rusted shut.

That doesn’t change the fact that this talk needs to be on every conference stage, right now. Even though there isn’t a single conference out there will accept the talk, now or ever, which makes it all the more important to give.

But even if those two things weren’t true, for an array of reasons, I am not the right person to give the talk.

I do know who is the right person, though.

It’s you.

Yes, you.

Let’s face it, if you’re still following this blog based on what I used to do, well over five years ago, you’re still interested in that stuff. By conference rules, that means you’ve just volunteered yourself for the job.

So here’s what I’m going to do. I’m going to have some fun with this.

I’m going to issue you an autumn privacy conference talk challenge.

First, I’m going to tell you who you are giving this talk to, and why they need to hear it.

Second, I’m going to give you the research materials you need to read.

Third, I’m going to list the people you need to discuss in the talk.

Lastly, I’m going to give you the points you need to address in your talk.

And then you’re going to make it into a talk. Slides and all.

And then you’re going to get it onto a conference stage, which will require putting yourself into the firing line.

At the very least, you’re going to be told to keep politics out of tech. You’re going to be told to stop hijacking the stage with your personal opinions. You’re going to be told that your talk’s topic threatens your project’s 501(c)(3) legal registration. You’re going to have the crypto-bro wing of your community get nasty and personal. You’re going to have a “full-time sponsored volunteer” spluttering a load of shite at you because they’ve been given orders that all talks need to be relevant to the ROI that the BDFL’s VCs want by Q4. You’re even going to experience some of those “full-time sponsored volunteers” harassing your personal friends to make sure you get the message.

Good.

…hold on, did you think you could just sashay your suburban white ass onto a stage and preach about data justice for the marginalised? Or maybe read out your peer-reviewed academic research paper? Or pop out of your corporate law office, pop into a conference, spit out a legal compliance update in legalese, dash back to the office, and collect your CIPP points? And that some benevolent corporate entity would pay for your travel and hotel on the way? Fuck you, pal. If you’re going to talk about this stuff, you’re going to need to commit to living it. Teaching about data justice by experiencing the power tactics of data injustice is the meta part of your privacy journey. You can’t do one without the other. You can’t speak it for 35 minutes, you have to live it for the rest of your career. You have to feel the exclusion and the discomfort and the hatred. That’s what privacy is about, every day, for the people who need it. That – standing with them – has to be where you stay long after the talk ends.

These are the battles worth fighting, this is the work worth doing.

(Seriously, did I teach you nothing all those years?)

So here’s your project. Have fun. Cause trouble. What will remain of us is love.

I only ask three things of those who accept the challenge:

One, is tell me what you learned about privacy.

Two, is tell me what you learned about how to teach it.

And three, tell me what you learned about yourself along the way.

Autumn 2024 conference talk challenge
Start here
First, watch this:

What's this talk?

Your talk is called Data After Dobbs: Protecting your users’ reproductive privacy while protecting your legal ass.

Yes, that title will cause some pearl clutching. It’s how you know you’re on the right track.

What is the goal of this talk?

There are policymakers who thought Parable of the Sower and The Handmaid’s Tale were instruction manuals, and it’s highly likely they’re about to come to power.  They think they’re carrying out orders directly from God, and they’re heavily armed.

So you need to help developers understand their obligations to protect reproductive health data, even if their work has nothing whatsoever to do with it.

You must explain how data is contextual, and that in the current political context, any data held either on or off a device can and will be used against you.

You must explain how defensive development practices can help the three categories of people most impacted by threats to reproductive health: anyone of any age who is biologically capable of conception, healthcare professionals, and activists and organisers.

To that end, you must explain how your audience – as developers and project managers – are now active targets, who should begin taking the same precautions as activists and organisers.

Finally, you must help developers and project managers to understand how to shore up their own defenses for when (not if, but when) a subpoena is issued against them, in bad faith, to acquire the data they hold about their users, or to charge them with aiding and abetting the critical reproductive health care that upsets those in ascendancy to power.

Reading material

If I’m a student again, then so are you. Please approach this list as a proper research project. You need to fall down these rabbit holes and follow footnotes, links, and resources to wherever they might take you.

Resources for everyone

Resources for developers and project managers

Resources on governance and censorship

News stories for essential context

Points to cover
  • Research, prepare, and give your talk as if it will be illegal to discuss in a year, because it might well be.
  • Contextual data risks to think about: google search data, purchase histories, Alexa/Siri voice records, street traffic data, ANPRs, electronic health care systems, public records, data brokers, geolocation outside healthcare clinics, the adtech trackers you put on your site to make some passive income, the background third party data, social media, marketing, and analytics trackers you put on your apps…
  • Discuss digital forensics extraction tools, such as the devices used by police to get data off phones and laptops. Think of how you can ensure that there’s no data to get off the device. Remember the basic universal data privacy principles I set forth in my book? E2EE, data minimisation, clear privacy notices and choices, and so forth. There’s a reason they’re universal. Especially in the US context, which has no universal privacy law a la GDPR.
  • Those universal principles will also help you when the subpoena arrives. You can’t hand over data that you don’t have.
  • What’s your continuity plan, by the way, for when Officer MAGA confiscates your work devices?
  • For people who are capable of conception, don’t you dare suggest that the solution is to use Tor, spin up a self-hosted open source solution, or delete your period tracking app. These suggestions are not just classic digital solutionism, putting the technology in front of the users’ needs. These suggestions completely fail to account for the fact that the users are in crisis mode, experiencing a critical health emergency, and are also at active risk of arrest and criminalisation. It’s your job to provide the digital safe space for them to think and proceed in. It’s not their job to build their own tools in crisis. Open source is a software license, not a means of achieving human agency.
  • Remember the rule of the imperial boomerang: all of the digital surveillance threats, and political means of criminalization, have existed for years, and have been actively used against marginalised, minority, and immigrant communities. Nice of you white people to finally show up and take notice now that it affects you, but do give some thought as to the role you play in the intersectionality of data justice for all, in the long term. Think of how you can support the work that has already been done, for years, by people who have always been criminalised for their identity. I said support it: not take it over or tell them how you think they should be doing it better, Karen.
  • If you can, share your own reproductive health story. You have to be brave for people who haven’t got there yet.

Header photo by Clicky Steve, WCEU 2017, Paris. Sigh.

The Author

I’m a UK tech policy wonk based in Glasgow. I work for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. The content and opinions on this site are mine alone and do not reflect the opinions of any current or previous team.