Explaining changes to how we treat your data, expanding how we campaign with you
We are changing our privacy policy... here's an explanation of why, and what we do.
- Engaging with the public and protecting their data at the same time is a top challenge at PI
- Our new public engagement platform 'Action.pi' works differently from the previous one, but we still prioritise protecting and securing your data
One of the most exciting aspects of being a campaigning organisation today is developing new ways to work with people. We enjoy devising and testing new ways to reach and engage with people, hear their concerns, and channel their voices towards our shared adversaries.
It's also an exciting challenge to undertake all of this while protecting the people you are working with. This also means working to protect people's data.
At PI we think hard on this, and struggle openly in many of the right ways.
We know that security is hard. It means taking the time to consider from the outset how you will protect the data and the systems they reside on.
As advocates, we are always asking industry and governments: which people, what purpose, which data, and what protections will you apply? We ask those same questions of ourselves when we build our systems. And if you're unhappy with the answers we must be ready to start over again.
In 2017 we decided to do exactly that. We redeveloped our systems from the ground up, using our then-new security framework. We deleted our prior systems and the data they held. And we asked: what service can we responsibly run, and what personal data can we responsibly protect?
This meant we destroyed our 'mailing list' -- and notified 30,000+ subscribers that we were deleting their data. We invited people to join a new public engagement platform -- let's call it 'oldAction.pi' as we are about to retire it -- where they could sign up to learn about very specific aspects of our work.
That version of our public engagement platform separated fundraising from signing up for mailings, and there was a reason for that. First, a slight detour to explain systems administration and control.
Phase 1: We hosted, we administered
In our early days PI prioritised hosting as many of our services as we could. That is, whether it was our internal, staff-oriented services (e.g. file system, project management), our partner-oriented systems (e.g. cross-organisation social networking), or public-facing systems (e.g. website, Action.pi), we ran the network routing, the computers, the operating systems, and the services.
This had the benefit that we were in near-complete control, inasmuch as we could secure the systems, monitor for compromise, and patch regularly. This was arduous but worthwhile. But if our office was rendered inaccessible, so much would be lost.
Phase 2: Others hosted, we administered
With time we began relying more on other organisations to host our services. We expanded from our office-hosted services to our friendly neighbourhood ISP, GreenNet, then to others with more capacity -- where they would run the hardware, but we would run the operating systems and the services within Virtual Machines ('VMs'). So they were hosted by others, administered by us. This meant the third parties could see connection-level data, i.e. IP address X tried to connect to PI's assigned server Y, but little else could be understood.
We maintained control of the services and the operating systems, i.e. the VMs, but these third parties ensured that the systems were working and data was coming in and going out.
We also began using 'cloud' services. These are the large providers who run computers across the world that are now the backbone of so much of the world's computing capability. Amazon (Web Services) and Microsoft (Azure) are leading companies in that market -- and yes, they are the same companies we often work to hold to account. When we use their services we work to ensure that the data in the 'cloud' is encrypted at rest. Once we had tested this model, we began expanding its use to services that require high availability. It used to be "just" backups, which are encrypted on our servers before being uploaded. Then we ran Synapse (Matrix) in a VM. All messages exchanged are end-to-end encrypted, so the server only sees ciphertext, although there are now some secrets up there. As with any VM we run in the cloud, even though its storage is encrypted at rest, data is necessarily "clear" in RAM while it is running. At this point we are relying on these cloud providers' infrastructure to keep that secure. With these select services, we have an assured level of reliability, with firm limits on their visibility.
Phase 3: Others host, sometimes we are all users
Some functionalities were impossible for us to host. Financial transaction processing was beyond our capacity -- we necessarily had to use third party payment services, for instance. Those companies, like PayPal and Stripe, are in control of the entire transaction. They make the promises about reliability, security, and data protection.
And in such systems, we are all users. Well, kind of. PI has 'company/business' level accounts that see all donations made to us and when.
Now, back to our story
So in 2017, when we rebuilt our systems, the charity sector was finally receiving the scrutiny it deserved over its treatment of donors and their data. Investigations exposed profiling of donors and the combining of data sets without donors' knowledge.
We wanted to resist any form of profiling (and still do), while making assurances about security and control. But equally, we knew that as a small charity we could not control the services nor suitably resource the security of people's financial data.
We therefore decided that we would separate our public engagement 'Action.pi' from our public fundraising -- and we created a separate 'Support.pi'. Support.pi was essentially an interface that we ran to connect donors to third-party payment processors. We periodically deleted all the data that Support.pi collected, and received donation reporting from the third-party payment processors.
As a result, donors had zero engagement from PI. That is, if you made a donation, you got an automated thank you but you were generally sent to third parties, and never really heard from us again. We couldn't contact you and offer you other opportunities to get involved.
So we took some steps to build a better relationship with our supporters.
First, ask people to do more with us
Over the last two years we have been focusing a lot of energy on finding ways to work with the public. For instance, our petition last year around the Google-Fitbit case resulted in the European Commissioner for Competition engaging with our shared concerns. This proved to us that we could be a responsible campaigning organisation that could engage, listen, and channel people's voices.
That petition was enlightening for a few other reasons. We realised that our approach was limiting how we could engage with our supporters. Our technical choices meant that we were not able to offer petition-signers a way to sign up to engage with other campaigns, receive mailings, or donate.
Second, build the systems
So while we cultivated a stronger campaigning spirit within PI and with our community, we needed to ensure we had the technical capacity.
We spent a lot of time looking at other systems and practices. We considered outsourcing to closed systems -- those would have limited our workload and in a sense, our liabilities. Often those systems prioritise either public fundraising over public engagement or vice versa, with varying protections against data exploitation. And we were uncertain we could confidently ask our audiences to engage with those systems if there were alternatives.
So we decided to work with a third party, the UK-based and charity-focused Circle Interactive, to (sustainably) build upon an open-source public engagement platform (CiviCRM, which we have been using to date) to our specification. By choosing this path, we retain control over administering the day-to-day user data, while the third party is responsible for administering the virtual machine, maintaining it and, importantly, securing it, including security patching.
We also need to ensure availability for a service that we hope tens of thousands of people will be using. For this reason, our new Action platform will be hosted on an encrypted VM under our Microsoft Azure account, running in a UK-based data centre. This means that we still retain a level of control even as we depend on third parties to help us provide this service, who are themselves required to adhere to legal protections for your data.
And that's our new Action platform: a service that allows for public engagement, mailings and donations, where PI maintains control over the personal data, a third-party provider administers the system and maintains its security, and, to ensure availability, the service is hosted in the cloud.
From a data perspective this also means a consolidation of the data our supporters provide us if they choose to create an account. We don't force users to do so, and you can still take any action (donate, sign a petition, subscribe to mailings) by sharing only the minimum information (usually an email address). But by choosing to create an account, you offer us the possibility to communicate with you better.
Third, communicate the change
The challenge then becomes: can we communicate these changes concisely and comprehensively?
First, we updated our privacy policy to reflect these changes and how they affect people. We try hard to have a policy that is clear and meaningful.
Second, the concise communication is in emails we are sending to all current supporters, explaining what is changing and what is not.
Third, the more comprehensive communication is why we have this long announcement to explain our rationale and journey.
Fourth, attached to this piece is a PDF where you can see all the revisions between our old policy and the new one.
Doing it right is hard
We like to believe that we are leading by example (or as our techies say, eating our own dogfood).
Are we doing right by our supporters? We hope so. If you were already receiving our mailings, under our old 'Action.pi', nothing changes. If you are currently donating to us, nothing changes.
If you start donating to us or want to sign up to our campaigns, you will have more opportunities to choose to do things with us, and we are up front with you about what data we need, what data we would like you to provide, what we do to protect your data, and how you can leave and request deletion.
We hope you like it, and enjoy continuing this journey with us to demand change in the world.