Getting Internet Companies to Do the Right Thing

Our mission here at the Open Technology Institute is to make sure that you, and everyone else around the world, has access to an internet that is both open and secure. Often, achieving that goal relies on convincing major internet companies to do the right thing—to flip the right switches or make the right policy and design decisions to better protect their millions or even billions of users. Which naturally raises the question: how do you get companies to do the right thing?

Over the few months, OTI has been working on a new project to answer that question about how best to make change in the future, by looking to case studies in the past.  We’ve studied three positive privacy and security practices that have been adopted by internet companies over the years—first by a few companies as an innovative new practice, then as a best practice by more companies, and finally as an established standard practice by most of the industry—so that we could chart the different events and influences that helped make that widespread adoption possible. Our hope was that by looking across several cases, we could identify what types of political, technical, and social interventions were most likely to help spur widespread change at the industry level, and could maybe even provide a roadmap for future advocates to follow.

Specifically, OTI’s new “Do The Right Thing” project has mapped the key milestones along the road to adoption for three major privacy and security practices that have now become standard in the internet industry: (1) publishing transparency reports that detail government demands for user data, (2) encrypting web traffic by default (as of the end of last year, over half of all web traffic is now encrypted!) and (3) offering two-factor authentication (2FA) to better guard your online accounts against unauthorized intruders. We urge you to check out the details of all three of these case studies, each with its own graphical timeline charting the myriad events that played into each practice’s adoption. Their are unique lessons to be learned from all three stories. However, there were also many major shared elements between them, which we’ve described below.  Think of them as the most common ingredients in a recipe for change when it comes to improving internet industry practices, the first ingredient being...

A Big Crisis. Each practice needed an initial crisis that highlighted the need for it, and in all three case studies, China prompted that crisis. The first major deployments of 2FA and transit encryption for web services were prompted by a major Chinese hacking campaign, while controversy over how U.S. internet companies were engaging in China was a key initial impetus for companies to offer greater transparency around government demands. Of course, the crisis won’t always be caused by China, or a nation-state for that matter. Nor (hopefully!) will advocates themselves want (or be able!) to generate such a major crisis. But advocates can keep their eye out for these crises as signs of opportunity to make change.

A First Mover. Each practice needed a major company to take that first trailblazing step to demonstrate that it could be done and to stoke the competitive fire between companies. In each of these case studies, that first mover ended up being Google, which  by virtue of being the biggest and the most scrutinized player in the online services ecosystem often has both the capacity and the incentive to go first when it comes to new privacy and security practices. (Full disclosure: Google is one the many foundations, companies and individual donors that support OTI.) The takeaway for advocates is simple: pressure Google to be the first mover when you want to see a positive change and/or pressure its competitors to take the opportunity to distinguish themselves.

Another Big Crisis (or a Lot of Little Ones). Often, it’s a second crisis—the gasoline on the fire of the first crisis—that really puts the heat on and helps push widespread adoption to the next level. For both transparency reporting and transit encryption, Edward Snowden—and the international crisis of consumer confidence that his disclosures created around the U.S. internet industry and its role in the NSA’s surveillance programs—was the gasoline, after which adoption exploded. In the case of 2FA, there wasn’t one huge additional crisis but a bunch of smaller high-profile events, one after another—Matt Honan’s Wired cover story, the celebrity iCloud photo hacks, the hacking of President Barack Obama’s Twitter account, and an endless string of hacked email dumps—that served as logs on the fire.

Prioritization by Privacy Advocates. In each case, dedicated privacy advocates spent years keeping the pressure on companies to adopt these practices, often with the Electronic Frontier Foundation and activist technologist Chris Soghoian leading the charge. (Full disclosure: Chris Soghoian recently left his post as principal technologist at the ACLU to become a Congressional Innovation Fellow with TechCongress, a project hosted at OTI.) Indeed, on a range of issues, Soghoian and EFF were often the most vocal and consistent critics demanding that companies do the right thing. And in all these cases, that pressure—from a range of privacy voices—needed to be kept up for many years. The key takeaway for advocates: you’ll need to pick your battles carefully, and then prioritize the battles you’ve picked for up to a decade if you want to take a new practice from zero to widespread adoption.

A Sweetener. In some cases, rather than just being spurred by crisis or criticism, companies needed a carrot to complement the stick: a positive reason why adopting the practice will further their goals. For example, in the case of transparency reporting, the sweetener was that transparency reports were a strong platform from which to advocate for updates to the U.S.’s outdated law enforcement surveillance laws. Changing those laws, to ensure that the government gets a warrant before seizing emails and other private user content stored in the cloud, was (and is still) a top policy priority for the major online providers, and transparency reporting became a key ingredient in that advocacy. However, the most powerful carrots we’ve seen across all of the case studies are...

Scorecards to Prompt Competition. Everybody loves a gold star, and perhaps the most consistently successful tactic from advocates has been the use of rankings, scorecards, report cards, etc. Such efforts—most notably EFF’s Who Has Your Back and Encrypt the Web scorecards, and the OTI-affiliated Ranking Digital Rights project—serve to “thank and spank” the good and bad actors, respectively, and stoke competition between companies to see who can get the best grade or the most stars. In addition to competition over scores, there’s also competition over who will win the race to adopt a given practice. Often a batch of companies will implement or announce a practice around the same time, as everybody tries to keep up with each other in their sector, e.g., Verizon and AT&T rushing to be the first telecom to issue a transparency report or Google announcing plans to encrypt its Android phones by default the day after Apple announced the same for iPhones. The lesson for advocates: adopt tactics that will harness or intensify companies’ competitive instincts.

Policymakers Using Their Bully Pulpits. Passing laws and issuing regulations aren’t the only ways policymakers can prompt the adoption of a practice. Sometimes, just keeping up persistent public pressure is enough. In each case study, there were policymakers who used their clout to focus public attention on the practice they were promoting and force it onto the table as a priority, whether it was the FTC regularly pressing companies to up their security game around 2FA and encryption, or powerful Senators like Al Franken or Chuck Schumer holding a hearing on the importance of transparency reporting or demonstrating in a coffee shop just how easy it was to hijack someone’s Twitter account due to a lack of encryption. If you want companies to change their own policies, you need public champions among America’s policymakers.

Standards for Companies to Meet. In the cases of transit encryption and 2FA, the early development of technical standards by bodies like the Internet Engineering Task Force was absolutely critical to spurring successful widespread adoption, a sign that advocates may want to engage more in such fora. Meanwhile, the lack of standardization in transparency reporting has arguably hindered the speed and usefulness of its adoption, which is why the creation of standardized reporting practices has recently become a priority for a range of stakeholders, including OTI, which has worked to address the problem through its Transparency Reporting Toolkit.

Technical Interventions. In several of the case studies, the deployment of a new technology to demonstrate the need for the practice or to ease its adoption played a critical role. For example, the (ethically dubious) release of the easy-to-use Firesheep hacking tool made a huge splash by demonstrating how trivially simple it was to hijack accounts on a wide range of popular services because they weren’t using transit encryption. Meanwhile, EFF’s HTTPS Everywhere plug-in tool made it easier for users to get the benefits of encryption, while the ambitious Let’s Encrypt project from EFF, Mozilla, and a wide range of partners, made it exponentially easier for sites to offer that encryption. Sometimes, a smart technical intervention—even a relatively small one—can have a huge impact.

We hope that these and other lessons from our case studies will help advocates, and their allies inside of the internet industry, continue to make positive changes that increase the openness and security of the internet. We at OTI will certainly be applying these lessons to our own work, and will be looking for other cases to learn from. So, if you discover some key lessons we’ve missed—or have other practices on which you’d like to see us do case studies in the future—please drop us a line at dotherightthing@opentechinstitute.org.