Contributors to WordPress’ core Privacy component are collaborating on a V2 roadmap to address broader privacy and data protection issues that fall outside of legal requirements. The group organized at the beginning of the year to work on GDPR-specific objectives but has since expanded its scope to tackle concerns that are not attached to any specific piece of legislation.
The Privacy team meets weekly and has approximately a dozen contributors who show up regularly to work on tickets and issues. The working V2 roadmap identifies a list of common international privacy concerns, such as data minimization, data integrity, transparency and notice, and contributors will explore their impact on a few core focus areas:
- Core privacy features
- Gravatar privacy controls
- Embed privacy controls
- Plugin privacy
- For administrators
- For developers
- Consent and logging
- WP-CLI support
- Multisite support
The team has agreed to use a Privacy by Design (PbD) approach, which uses a proactive framework to anticipate privacy issues before they are a problem for the user.
Privacy team contributors are also monitoring two specific pieces of legislation that may impact WordPress site owners in 2019 – the US California Consumer Privacy Act (CCPA), and the EU ePrivacy Directive overhaul. They plan to examine specific requirements once that information is available and will assist site owners in reaching compliance.
New Privacy Working Group to Facilitate Collaboration across Open Source Communities
At Drupal Europe 2018 a group of WordPress and Drupal contributors met to discuss the possibility of welcoming teams from major open source projects to work together on shared concerns. WordPress Privacy team contributor Heather Burns attended the first test run of the working group in the Open Source Lounge at the conference.
“For the working group we have the big three – Drupal, WordPress, and Joomla – and we also spoke with representatives from the smaller projects like Neos and Typo3,” Burns said. “We’re all dealing with similar issues but from different approaches.”
Burns said one of the goals of the working group is to push the idea forward that privacy is a common, positive, proactive value which can be taught and shared across projects. Members will discuss questions like whether privacy fixes belong in core or modules, how privacy notices pull information from different plugins and modules, and what laws are coming up that would require open source CMSs to build in some functionality in advance.
“It’s a way of pooling resources, code libraries, and briefings, as well as giving us a forum to share experiences,” Burns said. “For example, we’re going to arrange for Drupal’s privacy lead to give a live video demo of their GDPR tools to our core group, and we’re going to do the same for them.”
The privacy working group is being set up through the Drupal community structure and members are in the process of coordinating some funding. More information on funding will be available in the next few weeks.
Privacy Contributors Seek to Change the Perception of Privacy to a Positive, Proactive Value
In addition to collaborating across the broader open source community, the privacy working group endeavors to educate their communities on the inherent value of privacy instead of simply focusing on the consequences of companies being forced to pay a fee if they don’t meet legal obligations.
“We’re very keen to also shift the perception of what privacy is, and that it’s not just seen as being about negative legal obligations for GDPR, CCPA, etc.,” Burns said. “We want people to think of privacy like accessibility: just the right thing to do for user protection.”
Burns speaks about privacy at WordPress and Drupal conferences and how projects can have differing cultural, historical, and legal approaches to privacy. Cultural barriers to the recognition of privacy as a core value are one of the privacy team’s biggest challenges in advocating contributions that respect and protect users’ rights.
“What I’m proudest of this year is helping people to understand each other better,” Burns said. “We all come to the table assuming we share the same cultural, historical, and legal views of what privacy means and what role it should play, when the truth is there are wildly different views held even within project teams.
“To paraphrase that awful quote, we don’t know what we don’t know. What I do is help people to understand where we’re all coming from and what we don’t actually know. From there, I define what a healthy approach to privacy should involve outside reactive legal obligations, using a methodology derived from a number of international frameworks and treaties on privacy. It’s a matter of inspiring people to realize that as open source project contributors, we are people of enormous power and influence over privacy on the web. The actions we take within our projects, however small, can help to protect people from those who would use their data to hurt them. That’s the most important thing any developer can ever do.”