In compiling and comparing our three timelines, we identified a number of key commonalities that advocates and policymakers can use to identify or hasten a particular practice’s trend of adoption. Some of these represent steps that advocates can take, while others indicate signifiers that advocates should look for to identify opportunities that can be leveraged. Based on our case studies, the following milestones are the most common ingredients in a recipe for widespread adoption of a new privacy or security practice:
A Big Crisis. Each practice needed an initial crisis that highlighted the need for it, and in all three case studies, China prompted that crisis. The first major deployments of 2FA and transit encryption for web services were prompted by a major Chinese hacking campaign, while controversy over how U.S. internet companies were engaging in China was a key initial impetus for companies to offer greater transparency around government demands. Of course, the crisis won’t always be caused by China, or a nation-state for that matter. Nor (hopefully!) will advocates themselves want (or be able!) to generate such a major crisis. But advocates can keep their eye out for these crises as signs of opportunity to make change.
A First Mover. Each practice needed a major company to take that first trailblazing step to demonstrate that it could be done and to stoke the competitive fire between companies. In each of these case studies, that first mover ended up being Google, which by virtue of being the biggest and the most scrutinized player in the online services ecosystem often has both the capacity and the incentive to go first when it comes to new privacy and security practices. (Full disclosure: Google is one the many foundations, companies and individual donors that support OTI.) The takeaway for advocates is simple: pressure Google to be the first mover when you want to see a positive change and/or pressure its competitors to take the opportunity to distinguish themselves.
Another Big Crisis (or a Lot of Little Ones). Often, it’s a second crisis—the gasoline on the fire of the first crisis—that really puts the heat on and helps push widespread adoption to the next level. For both transparency reporting and transit encryption, Edward Snowden—and the international crisis of consumer confidence that his disclosures created around the U.S. internet industry and its role in the NSA’s surveillance programs—was the gasoline, after which adoption exploded. In the case of 2FA, there wasn’t one huge additional crisis but a bunch of smaller high-profile events, one after another—Matt Honan’s Wired cover story, the celebrity iCloud photo hacks, the hacking of President Barack Obama’s Twitter account, and an endless string of hacked email dumps—that served as logs on the fire.
Prioritization by Privacy Advocates. In each case, dedicated privacy advocates spent years keeping the pressure on companies to adopt these practices, often with the Electronic Frontier Foundation and activist technologist Chris Soghoian leading the charge. (Full disclosure: Chris Soghoian recently left his post as principal technologist at the ACLU to become a Congressional Innovation Fellow with TechCongress, a project hosted at OTI.) Indeed, on a range of issues, Soghoian and EFF were often the most vocal and consistent critics demanding that companies do the right thing. And in all these cases, that pressure—from a range of privacy voices—needed to be kept up for many years. The key takeaway for advocates: you’ll need to pick your battles carefully, and then prioritize the battles you’ve picked for up to a decade if you want to take a new practice from zero to widespread adoption.
A Sweetener. In some cases, rather than just being spurred by crisis or criticism, companies needed a carrot to complement the stick: a positive reason why adopting the practice will further their goals. For example, in the case of transparency reporting, the sweetener was that transparency reports were a strong platform from which to advocate for updates to the U.S.’s outdated law enforcement surveillance laws. Changing those laws, to ensure that the government gets a warrant before seizing emails and other private user content stored in the cloud, was (and is still) a top policy priority for the major online providers, and transparency reporting became a key ingredient in that advocacy. However, the most powerful carrots we’ve seen across all of the case studies are...
Scorecards to Prompt Competition. Everybody loves a gold star, and perhaps the most consistently successful tactic from advocates has been the use of rankings, scorecards, report cards, etc. Such efforts—most notably EFF’s Who Has Your Back and Encrypt the Web scorecards, and the OTI-affiliated Ranking Digital Rights project—serve to “thank and spank” the good and bad actors, respectively, and stoke competition between companies to see who can get the best grade or the most stars. In addition to competition over scores, there’s also competition over who will win the race to adopt a given practice. Often a batch of companies will implement or announce a practice around the same time, as everybody tries to keep up with each other in their sector, e.g., Verizon and AT&T rushing to be the first telecom to issue a transparency report or Google announcing its plans to encrypt its Android phones by default the day after Apple announced the same for iPhones. The lesson for advocates: adopt tactics that will harness or intensify companies’ competitive instincts.
Policymakers Using Their Bully Pulpits. Passing laws and issuing regulations aren’t the only ways policymakers can prompt the adoption of a practice. Sometimes, just keeping up persistent public pressure is enough. In each case study, there were policymakers who used their clout to focus public attention on the practice they were promoting and force it onto the table as a priority, whether it was the FTC regularly pressing companies to up their security game around 2FA and encryption, or powerful Senators like Al Franken or Chuck Schumer holding a hearing on the importance of transparency reporting or demonstrating in a coffee shop just how easy it was to hijack someone’s Twitter account due to a lack of encryption. If you want companies to change their own policies, you need public champions among America’s policymakers.
Standards for Companies to Meet. In the cases of transit encryption and 2FA, the early development of technical standards by bodies like the Internet Engineering Task Force was absolutely critical to spurring successful widespread adoption, a sign that advocates may want to engage more in such fora. Meanwhile, the lack of standardization in transparency reporting has arguably hindered the speed and usefulness of its adoption, which is why the creation of standardized reporting practices has recently become a priority for a range of stakeholders, including OTI, which has worked to address the problem through its Transparency Reporting Toolkit.
Technical Interventions. In several of the case studies, the deployment of a new technology to demonstrate the need for the practice or to ease its adoption played a critical role. For example, the (ethically dubious) release of the easy-to-use Firesheep hacking tool made a huge splash by demonstrating how trivially simple it was to hijack accounts on a wide range of popular services because they weren’t using transit encryption. Meanwhile, EFF’s HTTPS Everywhere plug-in tool made it easier for users to get the benefits of encryption, while the ambitious Let’s Encrypt project from EFF, Mozilla, and a wide range of partners, made it exponentially easier for sites to offer that encryption. Sometimes, a smart technical intervention—even a relatively small one—can have a huge impact.
These are the most obvious lessons that we were able to draw from our three case studies, lessons that we will be applying in the future as we continue to press more companies to do the right thing on more issues impacting users’ privacy and security. We hope you’ll find our case studies as useful as we did, and if you discover some key lessons we’ve missed—or have other practices on which you’d like to see us do case studies in the future—please drop us a line at firstname.lastname@example.org.