Four ideas that the privacy business can borrow from the open source business
06 February 2019
Please let me know if the following makes any sense, and if so I'll turn it into a talk.
It's not a simple game of people vs. companies. In software, you don't just have evil "software hoarders" vs. cooperation-minded "users". There are way more players: OS vendors, hardware vendors, proprietary ISVs, developers of internal applications, and IT organizations. At least. I'm sure I forgot some. But the point is that they don't all have the same interests. Pretty much everyone who does software wants everybody else's software to be open source. So if you look at everybody's Core vs. Context, people will generally play nice in open source projects doing whatever their Context (or complement, if you want to look at it that way) is.
In user data, you've got the Five Armies: content creators and their publishers, companies trying to sell stuff (advertisers/sponsors/signalers), intermediaries (adtech/platforms), client-side developers (browsers/privacy tools), and fraud hackers. A high-reputation brand with a solid mailing list has completely different user data handling interests from a social platform—just like a network chipset manufacturer will have different open source interests from a proprietary OS vendor.
True believers aren't enough to build on. Some people are really fired up about Internet ethical and policy concerns, but most people would somewhat prefer the right thing, and telling them that you do the right thing makes them feel better about doing it and somewhat more likely to do it. But doing the evil thing is not a deal-breaker.
Loud complaints don't matter (much). Yes, the first open source release will include a license mismatch, or somebody's ssh private key, or it won't build without a tool you didn't include, or something. And somebody will complain. But the true believers are useful for QA to guide incremental improvement, not as gatekeepers to decide if you're in or out. (And if you fix something that someone is complaining about in a particularly annoying way, do it quietly. Eventually they'll make their complaint to a reporter who will check it out, find the fixed version, and start ignoring them.)
Hardly any company will get to 100%. Robert Penn Warren said it best.
Man is conceived in sin and born in corruption and he passeth from the stink of the didie to the stench of the shroud. There is always something.
Even companies that focus on open source have awkward corners where they can't Do The Right Thing, because reasons. And most of the code contributed to open source projects is done on the clock at companies that are also in the proprietary software business.
Just like IBM didn't need to have a plan to open source AIX in order to make a difference in Linux, companies don't need to have a plan to get clean of all surveillance marketing activity to make significant moves in the direction of user privacy. An insurance company might decide to remove third-party pixels from the pages linked to from existing customers' bills, to keep from leaking customer data—but keep social tracking pixels for some other pages for tracking conversions on a social campaign. Anyway, open source program offices are a thing. What about customer data protection offices?