Privacy Advocate Confronts ACLU Over Its Use of Google and Facebook's Targeted Advertising

Ashkan Soltani was the Chief Technologist of America's Federal Trade Commission in 2014 — and earlier was a staff technologist in its Division of Privacy and Identity Protection helping investigate tech companies including Google and Facebook

Friday on Twitter he accused another group of privacy violations: the nonprofit rights organization, the American Civil Liberties Union.

Yesterday, the ACLU updated their privacy statement to finally disclose that they share constituent information with 'service providers' like Facebook for targeted advertising, flying in the face of the org's public advocacy and statements.

In fact, I was retained by the ACLU last summer to perform a privacy audit after concerns were raised internally regarding their data sharing practices. I only agreed to do this work on the promisee by ACLU's Executive Director that the findings would be made public. Unfortunately, after reviewing my findings, the ACLU decided against publishing my report and instead sat on it for ~6 months before quietly updating their terms of service and privacy policy without explanation for the context or motivations for doing so. While I'm bound by a nondisclosure agreement to not disclose the information I uncovered or my specific findings, I can say with confidence that the ACLU's updated privacy statements do not reflect the full picture of their practices.

For example, public transparency data from Google shows that the ACLU has paid Google nearly half a million dollars to deliver targeted advertisements since 2018 (when the data first was made public). The ACLU also opted to only disclose its advertising relationship with Facebook only began in 2021, when in truth, the relationship spans back years totaling over $5 million in ad-spend. These relationships fly against the principles and public statements of the ACLU regarding transparency, control, and disclosure before use, even as the organization claims to be a strong advocate for privacy rights at the federal and state level. In fact, the NY Attorney General conducted an inquiry into whether the ACLU had violated its promises to protect the privacy of donors and members in 2004. The results of which many aren't aware of. And to be clear, the practices described would very much constitute a 'sale' of members' PII under the California Privacy Rights Act (CPRA).

The irony is not lost on me that the ACLU vehemently opposed the CPRA — the toughest state privacy law in the country — when it was proposed. While I have tremendous respect for the work the ACLU and other NGOs do, it's important that nonprofits are bound by the same privacy standards they espouse for everyone else. (Full disclosure: I'm on the EFF advisory board and was recently invited to join EPIC's board.)
My experience with the ACLU further amplifies the need to have strong legal privacy protections that apply to nonprofits as well as businesses — partially since many of the underlying practices, particularly in the area of fundraising and advocacy, are similar if not worse.

Soltani also re-tweeted an interesting response from Alex Fowler, a former EFF VP who was also Mozilla's chief privacy officer for three years:
I'm reminded of EFF co-founder John Gilmore telling me about the Coders' Code: If you find a bug or vulnerability, tell the coder. If coder ignores you or refuses to fix the issue, tell the users.

Read more of this story at Slashdot.