People responded with varying levels of interest and concern to my recent piece on privacy and “surveillance capitalism.” I do nonetheless intend to keep the issue of online privacy squarely in front of me as I go forward as a policy maker.
As a starting point, I have examined my own online presence to assure that I am fully respectful of the preferences of those most concerned for their privacy
As an elected official, I feel it is critically important for me, as your representative, to understand your interests and concerns as thoroughly as possible on a wide range of issues. That is why I publish regularly on the web and in the newspapers and seek feedback.
Like other politicians and like most market-driven companies, including most newspapers, I have been using Facebook, Google, and email marketing software (one of the industry leaders, MailChimp) to gauge reader interest in various topics. I have used those tools to help me better serve you by targeting information.
While I have included explanations of my use of those tools in my privacy policy, I am sure that few of my web visitors look at that policy. I have concluded that I should set a higher privacy standard.
Over the past few weeks, I have sought to eliminate all of the tracking tools that give me feedback about individual reader interests. The tracking tools record information about your online interactions with me. They feedback some of that information to me, but also share it with others for use in targeting advertising.
Specifically, I have removed and not replaced the Facebook Pixel, which allowed me to target Facebook ads to people who had viewed my website, but also fed Facebook a continuous stream of data about my site users.
I have replaced Google Analytics with Matomo Log Analytics, an open source product that uses server security access logs to show me which pages are being viewed, but does not link the logs to any other data sources which would allow me to identify individual site visitors.
I have replaced Google site search with DuckDuckGo site search, which does a nice job of finding relevant pages from my site, but does not gather information about your preferences.
Update, January 2021: I am no longer using DuckDuckGo for site search. I’m doing the site search entirely within the site, so there is no third party involvement.
Finally, I am moving off Mailchimp, the industry standard mail list manager that provides individual feedback on who among my constituents is opening and clicking on emails that I send.
Mailchimp was the hardest tool to part with — I am concerned not to annoy people by cluttering their inboxes with material they do not find helpful. As I spoke to people about email open and click tracking, some were completely unconcerned, being well aware that essentially all bulk email they receive includes tracking devices. But others felt the tracking to be mildly intimidating, especially given my position of authority. I don’t want any of my readers to feel at all intimidated.
I finalized my decision to leave Mailchimp when I reviewed their privacy policy. While they clearly do not share the email addresses that I trust to them, they do aggregate email open and click behavior about individuals across lists provided by other customers and reserve the right to share their findings with unspecified third parties.
Update, January 2021: Mailchimp’s current privacy policy, updated last November is clearer. It makes very clear it does not transfer email lists to third parties. It also makes clear that the click and open activity data it collects about people on my list is not among the data that it shares with third parties for advertising purposes. The data that it shares for advertising purposes pertains to people who visit Mailchimp’s website and people like me who use Mailchimp services, not to people on my list.
I have replaced Mailchimp with my own open-source WordPress plugin, WP Issues CRM, which resides at willbrownsberger.com and is not linked to any third parties. WP Issues CRM does not track opens or clicks.
I will not be flying completely blind. At least I will still have data about which pages on my website draw traffic. And I will continue to be guided by the feedback, both positive and negative, that people provide to me through many other more personal channels.
Update, January 2021: I concluded that I had to go back to Mailchimp. This is a compromise for me. Sending list mail through other channels, I ran into challenges delivering email. There are two kinds of challenges: The other channels that I could use impose limits on email send rate or total volume that are designed to stop them from being taken over by spammers. These limits can be managed, but with only a lot of technical attention. The harder problem is hitting spam filters on services like gmail — without using any kind of open tracking, it is impossible to know when this is occurring. Mailchimp and services like it handle larger volume but have built in controls to assure that they aren’t being taken over spammers and also use open tracking to identify messages that are being perceived as spam. Mailchimp’s current privacy policy appears to be improved as noted above.
I remain extremely grateful for that feedback. Please keep it coming at William.brownsberger@masenate.gov, 617-722-1280, through comments here or by letter at Room 504, State House, Boston, MA 02133.
If you are not on my new no-tracking email list, you can subscribe at this link.
Follow Up Survey
Method
I did an informal survey by emailing once to a sample of 2404 constituents on my mailing list sending them to a form asking their summary reaction to these privacy improvements. The email appears below:
Subject: Seeking your feedback on privacy changes |
I’ve made a lot of changes over the past couple of weeks to better protect your privacy as a recipient of emails from me and as a user of my website.
I’d really appreciate your quick feedback on this form: https://willbrownsberger.com/privacy-feedback/
Since I am no longer tracking email opens and clicks, I will more frequently be seeking your affirmative feedback on emails that I send.
All the best,
Quantitative Results
258 or 10.7% responded within 48 hours before the form was closed. Their responses broke down as follows.
N | % | |
I appreciate respect for my privacy. | 207 | 80.2% |
I assume I am tracked and I don’t care. | 26 | 10.1% |
I think it’s a waste not to track user behavior. | 10 | 3.9% |
Other (mostly ambivalence combining options) | 15 | 5.8% |
Total Responding | 258 | 100.0% |
Free Form Comments
Respondents could also offer free form comments. 68 respondents chose to do so. Most offered kind comments in general agreement with the change. Some of the more critical comments are excerpted below:
- Will, I don’t mind your collecting information from me if I’m on your site or providing input on something. My assumption is that it helps you do your job. Thanks!
- Pay more attention to real issues that impact our every day like the disaster that is the (temp) changes to the 71&73 pickup sports in HSQ. Someone is going to get hurt. Only the strong and aggressive can get on the bus and there are way too many people for the sidewalk space. Pay attention to working people issues not white tower issues.
- It’s thoughtful of you to be conscious of this issue, but I think progressive politicians having access to tracking data to gain intelligence with the goal of legislation to protect privacy is more important to constituents than denying yourself access to this data to make a point. You don’t have to become poor to fight for tax fairness.
- I do appreciate that you’re thinking deeply about the privacy issue and bringing your actions in line with your thoughts. This issue is also on my mind a lot at the moment, but more in connection with Google searches and Facebook activity (especially activity we think of as private, eg messaging). If I get a MailChimp email and click on the link, I think of it as a semi-public statement, and I’m proud to go on record as someone who reads your posts.
- I believe the horse is out of the barn on this issue and I feel my privacy is gone. No matter when I try to do 2 keep my privacy in check there are new ways to track US and to monitor our every movement. What happens in the highways in the stories in public buildings oh, so I feel I’m just giving up on the issue.
- I am a data analyst, and I currently work with medical data. We take privacy and protecting users’ data immensely seriously, and the strict requirements of HIPAA are very useful in enforcing that throughout the industry. In my last job, I worked with internet traffic data. The data was anonymized, and nothing I could have done could have helped me track someone down even if I wanted to (which itself would have been unethical, gotten me fired, and probably been illegal). Had anyone looked at what data they submitted (and which they agreed to submit), they may have felt weirded out by seeing it in one place, but that’s only because they can’t imagine themselves to be anonymous because it’s difficult to imagine. But it no more involved tracking them than putting a camera on Comm Ave involves tracking people walking down the street. When you don’t know who the person is, and especially when the data is aggregated, information that would be creepy for one individual becomes harmless in the agregate.
Tracking anonymous usage statistics for your own website is nothing compared to extensive data about an anonymous user’s browsing history which is nothing compared to an anonymous user’s medical history. I think you’re more than fine to track your website’s usage. Gathering data is the only way to make useful decisions. Every non-profit keeps track of who needs their services. Every business keeps track of their physical, in-store customers. The internet is just like real life, needing all of the same free speech protections, all of the same protections from government surveillance (your phone should be as secure from a police search as your mail), and all of the same ability to record your surroundings. The biggest issue with Facebook and Google is that they really do know exactly who you are, and they track far more data than users can meaningful consent to. Your website is nowhere near that scale to be an issue. - I generally don’t mind that my online activity is tracked for gathering marketing and political trends. Sometimes I’m happy to be tracked… I want market research and political research to gather information about what ‘someone like me’ cares about. Ideally, such research helps marketing & political consulting see past a few stereotypes and see the variety of people and what they care about. (For example – did you see the article from Bicycling magazine about stereotypes that bike shop employees have about who “”looks like”” a real bicyclist…. better market research could help break such stereotypes. Or break stereotypes about being religious/churchgoing and particular political points of view, or any other narrow stereotypes.) Generally I see most online tracking/research as OK, as long as it doesn’t become personal, such as anything that might affect my health/life/property insurance, or anything else about my personal finances and security. Of course I was upset about the targeted anti-Clinton messages during the 2016 election, but I think I was upset because it was a highly aggressive dis-information campaign, and not because it was a targeted campaign.
Discussion/Conclusion
The response rate is significant as compared to other responses from the list, but I have seen stronger responses on some other issues — the majority of those receiving the email were not motivated to respond. This confirms my impression that a significant subgroup of my constituents are aware of and concerned about “surveillance capitalism” but it is not, at this point, a central concern for the majority.
As I stated at the top of this post: I do nonetheless intend to keep the issue of online privacy squarely in front of me as I go forward as a policy maker.
Good work Senator.
Dear Senator Brownsberger,
Thank you for respecting our privacy. Reform across the cyber world is very much needed.
Best wishes,
Mark Berg
Will — appreciating this thoughtfulness and all the effort it takes to raise this from the bottom of a todo list. Privacy is something many say they care about, but few spend the time to actually protect it.
Thanks, Senator. I appreciate it.
One item I’m curious about is whether comments can successfully meet your new constituent criteria if posted over the tor network. I’ve been experimenting with this (and am again with this comment: perhaps it’s another for the digital dustbin), and I may see a pattern where comments behind tor don’t make it to the site. But I’m not sure. Maybe there’s a confirmation email not getting through my email provider’s greylisting involved instead.
I also half paranoically wondered if I was responsible for your observation triggering the stricter criteria that people were posting from all over the world. Maybe you saw my tor exit node happening to be in West Germany, Thailand, or where ever.
I find tor crucial here, since I don’t wish to broadcast who my favorite politicians are to my employer or my ISP. We lost that federal law that supposedly was protecting us from our ISPs.
Your comments are fine and are not screened by IP address. We do our best to limit comments in accordance with our participation policy, but that is done manually and sometimes we get behind.
Thanks, Will.
DuckDuckGo is a great tool; I’ve been using it for years. Their search shortcuts are super useful, and I find their results in some instances to be superior to Google.
Thanks, Will. Thanks also to other commenters for their ides and suggestions.
I don’t use social media. Facebook and Twitter have shown they are not to be trusted. You never know who will respond. They lack integrity.
Hi Senator. One other point to raise on the issue. Some people who care strongly about the issue will have already taken matters into their own hands. One poster mentioned the TOR network, but I don’t think that will maintain privacy on its own (just obfuscate their traffic). Personally, I direct all web traffic through a VPN, block some ads and trackers at the system level via a modified hosts file, and block ads, trackers, cookies, and questionable domains through a combination of uBlock Origin and the EFF’s Privacy Badger. This solution is still not perfect (I still haven’t figured out how to make my browser fingerprint non-unique) but it gets me most of the way there.
And yes, I recognize the irony of posting all that under my name online.
No irony. You choose what you post.
What browser do you use? Bravesays it helps on fingerprinting.
Thanks Will. I think your low response rate may be due to many people not understanding what privacy really means, and why it matters. I think at some point there will be a major incident that drives the point home, and suddenly everyone will be upset and clamoring for more control over their privacy. Until then, most people don’t understand the possible abuses, and aren’t motivated to act. Continuing education on the issues is important so the understanding gradually seeps in.
I agree with Michael above. I think many people don’t really understand the way data is collected and used about them. It is insidious and very hard to control. I fear we will have to wait for a large data breach or many more individual experiences to accumulate before this issue rises up. I think the European Union may be ahead of us on this issue but I haven’t researched it.
The EU is definitely ahead on this one. See this overview of the GDPR.
I think that is probably right — guessing that this becomes more broadly of interest over time.
Thank you.
Thank you for being proactive about stepping back from online tracking, and for thinking about surveillance capitalism policy.