The Privacy Pledge

Corporate and government attacks on human rights to privacy, security, and liberty are increasing across the globe, and technology plays a central role in extending their reach. Technology can empower and grant freedoms to us all, but increasingly our online data is empowering data brokers, surveillance companies, and government agencies to discriminate against minorities, surveil populations , and exploit our human rights.

We can stop abuses of our data by demanding that elected officials protect our right to privacy.

In the aftermath of the Cambridge Analytica controversy, people around the world are demanding organisations and governments take steps so that everyone can choose the services that protect their privacy and security.

Tech employees are pledging to work inside their organisations to push them to do the right thing, whilst civil society organisations are calling on elected officials to commit to protecting citizens’ rights to privacy.

1 – Ensure Users Have Access to and Control Over Their Data

We need to know that we are in control of our personal information. Organisations must commit to meaningful transparency, including providing users full access to all data collected, and a list of all parties given access to that data.

Users must have full control, which includes requiring explicit opt-in consent, over the retention, sharing, or use of their information, including all data sharing with third parties. Auditing procedures must ensure that shared data is used consistently with the users’ preferences.

Users must be guaranteed an easy and free way to download all the data held about them in a standardised, open, and usable format. Users must be allowed to delete their entire account and permanently eliminate their data from your servers if they choose to, except when prohibited by law.

2 – Protect Our Data

We use the Internet to communicate about nearly everything, from banking to politics. Adopting best practices to secure this information, including offering independently audited end-to-end encryption by default, is essential. The use of an organisation’s products and services, including APIs, by developers to collect information about customers and users without appropriate consent for third-party commercial tracking or governmental surveillance purposes must end.

Victims of a data breach or contract violation, must be notified promptly if their information has been compromised or shared without their consent.

Updates to products and services must be implemented when necessary and users must receive an end-of-life announcement when services will cease to be provided. Users must be proactively informed and warned when partner organisations fail to keep products updated.

3 – Limit the Data You Collect

Data can last forever and harm people in unpredictable ways. The best way to guard against that harm is to not collect or store it.

Stop collecting and storing information that isn’t necessary for the product or service.

4 – Ensure All Communities Receive Equal Protections

Algorithms are not neutral by default, and can easily reflect or exacerbate historical biases. Policies must not further or exploit discrimination and unequal treatment.

From the development stage onward, the impact of products on various communities, including those that have been historically discriminated against, must be evaluated.

Testing the impact of the product or service when possible or when concerns about such effects have been brought to light must be immediate. Avenues for outside researchers to evaluate bias or discriminatory impact of the product or service must be available.

Information that is vulnerable to misuse, including information about immigration status, political views, national origin, nationality, or religion, must never be collected unless it is required by law or strictly necessary for service provision.

5 – Resist Improper Third Party Access and Support Pro-Privacy Laws

Supporting strong legal privacy protections can both protect users and earn their respect. Voluntary requests for data in non-emergency situations should be refused. Overly broad, questionable, and illegal efforts to surveil users, in the courts and in the public sphere, must be resisted as much as possible.

Businesses and non-government organisations must contribute to the broader conversation about government access to private data by publishing transparency reports detailing requests from governments to the greatest extent allowed by law and by providing notice to individual customers or users whose records are sought or obtained by the government unless barred from doing so.

Government agencies must be equally as transparent, and enable auditing of all exchanges, processes and procedures that involve personal information, while keeping the information itself private.

Organisations that engage in policy debates should support laws that enhance user privacy, including laws that require a warrant before the government can demand information about users, and support reforms that curtail mass surveillance.