The Journal of Things We Like (Lots)

In the aftermath of the Cambridge Analytica fiasco, Facebook was pummeled by legislators, regulators, and advocates around the globe for its poor privacy practices stemming from the way the company seemed to prioritize growth and profit over all else. As one small part of a multipronged defense, the company hired four prominent privacy advocates, former fierce critics of the company. The early evidence suggests that these four—and other likeminded Facebook employees—haven’t had much success reorienting the company. As one data point, two years after they were hired, Frances Haugen blew the whistle on how Facebook had not done enough to weed out misinformation, combat threats to democracy, and protect vulnerable teens, again due to a relentless pursuit of growth. To be fair, the Haugen story isn’t only or primarily a privacy fiasco, but it belies the idea that good people in positions of authority have helped fix the company from within.

This isn’t just a Facebook story. Every large technology company employs people who profess to be privacy advocates in positions of authority, yet their collective efforts do not seem to have done much to alter the troubling trajectory of their employers’ products and services. Ari Waldman, the deeply interdisciplinary privacy law scholar from Northeastern University, has written a vital and important book investigating why bad privacy outcomes occur at firms that employ well-meaning and well-trained privacy professionals. Drawn from dozens of interviews with software engineers and privacy professionals from many technology companies, Waldman presents a compelling and distressing picture, revealing the way companies constrain the influence of privacy-focused employees, repurposing their work toward serving data extractive goals, eventually redefining privacy law itself in narrow, compliance-focused terms.

A trained sociologist and legal scholar, Waldman conducted 125 interviews over four years and insinuated himself into product design meetings, industry conferences, and company breakrooms, revealing a rigorous and detailed description of the way privacy is subverted and denied inside these companies. The work builds on and pays due credit to the groundbreaking qualitative work of Deirdre Mulligan and Ken Bamberger, the famous “privacy on the ground” study from a decade ago, even as Waldman offers a respectful corrective, pushing back on many of the sunnier conclusions of the earlier work.

Waldman’s conclusions are layered and sophisticated and hard to do justice to in a short review. Technology companies deploy a “coercive bureaucracy,” multiple strategies designed to limit privacy reforms and to disempower privacy professionals. One key mechanism of the coercive bureaucracy is “managerialism”, borrowing from Julie Cohen (who in turn borrowed from Judith Resnik and others), meaning the cynical transmutation of laws like the GDPR and CCPA from obligations designed to protect consumers into narrow compliance measures focused on limiting liability and deflecting regulator attention, in some cases essentially inverting these laws to require nothing that might impede the company’s growth and revenue goals.

Managerialism is but one tool of the coercive bureaucracy, and Waldman identifies too many others to list comprehensively, but to highlight a few: privacy gets redefined as being about giving users control over their personal information. (Chapter 2 is an amazing primer of the vast literature making this argument.) Privacy gets translated into narrow, codeable targets, such as finding new places to apply encryption. Privacy is what you outsource to growing armies of GDPR and CCPA consultants.

Although Waldman has written a book for scholars, it will also prove useful to privacy professionals who might recognize the disconnect between the hard work they are doing and the poor privacy outcomes their companies are producing. Chapters 5 and 6 read like how-to guides for stuck privacy professionals, building from the micro to the macro. At the individual level, Waldman surveys the subtle, small “traps” that companies use to constrain the influence of their workers, such as the “expertise trap,” which siloes people into narrow lanes of expertise, or the “access trap,” the belief that advocates should choose their battles rather than complain about every privacy transgression lest they be cut out of the decisionmaking loop. Waldman’s book will help those living inside a coercive bureaucracy spot, and maybe resist, the mechanisms constraining their work.

Ultimately, Waldman does not believe that individual awareness and resistance will be enough. Chapter 6 is a broad call to action, if not revolution, to recruit privacy professionals into a new movement, one that might serve as a “counterweight to corporate power,” the chapter’s oft-repeated mantra. He outlines fixes for privacy discourse, privacy law, and privacy organizing, to help us find new ways to break coercive bureaucracies. He makes several explicit calls to the labor movement, at one point calling for the formation of a new union of privacy workers.

There is so much I like (lots!) about this book. It provides deep, rich, and rigorously gathered empirical data about the forces that keep privacy at bay inside technology companies. It synthesizes these observations into compelling explorations of the mechanisms at play. It engages deeply and efficiently with multiple vast literatures, making it a readable and concise recommendation for newcomers to the field. I have recommended Chapter 2 to anybody still under the thrall of the consent-and-control model of privacy law; Chapter 3 to the staff working for state regulators drafting privacy rules; and the entire book to those trying to operationalize Julie Cohen’s theories. It offers multiple concrete prescriptions on how we might do better, ranging from the narrowly practical to the audaciously ambitious. It does all of this in crystal clear prose, studded with quotes and conversations from the empirical work, and suffused throughout with the considerable humanity of the author. It’s a welcome and rightful new inductee into the canon of privacy law, a must-read for students, scholars, policymakers, and privacy professionals.

Cite as: Paul Ohm, Why Bad Privacy Happens to Good People, JOTWELL (November 2, 2022) (reviewing Ari Ezra Waldman, Industry Unbound: The Inside Story of Privacy, Data, and Corporate Power (2021)), https://cyber.jotwell.com/why-bad-privacy-happens-to-good-people/.