The BigBrotherAward 2016 in the “Economy” category goes to the campaign platform change.org, represented by the Berlin branch of the US company of the same name, because it uses personally identifiable information of people who signed petitions for the company’s own business purposes in varied and non-transparent ways. Based on information about the petitions somebody signed, this company creates profiles e.g. on political opinion, position in society, social situation – and it uses these for its own profit. As a matter of fact, change.org is not a non-profit social movement in digital form, it is a commercial enterprise whose business model focuses on the use and exploitation of sensitive personal information as well as on trading e-mail addresses.
You know these e-mails: A close or not-so-close acquaintance sends us information about some issue or scandal and asks us to go to change.org and sign an online petition for or against it. These days, it could be about the right to education for Syrian children, about creating humane conditions for refugees waiting in front of the Berlin State Office for Health and Social Welfare (Landesamt für Gesundheit und Soziales, LAGeSo), or about secret lobbying in the German Bundestag (the lower house of parliament).
Sure, as a critical political person I sympathise with these causes and will be happy to support them with my electronic signature! Online, it’s super easy! At change.org, I just need to register once with my last name, first name, and e-mail address, and immediately I can have my say. The fact that details about my signature will be stored permanently is something I’ll put up with for the good cause. I would not know what else happens to my data because as always, I agreed to the terms of use and to the privacy policy without reading them. What could happen anyway on a site that boasts such positive things on its About page as
Our mission is to empower people everywhere to create the change they want to see, and we believe the best way to achieve that mission is by combining the vision of a non-profit with the flexibility and innovation of a tech startup.
To empower people and create change I want to see is just what I want. We all want change, don’t we? And it’s important to me that I can use change.org to further my causes and interests without cost.
Contrary to the progressive and social self-description on their website, change.org is not really an altruistic or non-profit organisation. As a case in point, take the funding model, which is “venture capital backed” even though the management stresses that investors have no influence on the operative business. Investors include powerful and famous industry greats such as Twitter co-founder Evan Williams, LinkedIn CEO Jeff Weiner, Ebay founder Pierre Omidyar, Bill Gates of Microsoft and the British entrepreneur Richard Branson.
Indeed, at first sight, the services of change.org are free for normal users. change.org does however make money with sponsored petitions whose initiators pay for the opportunity to display advertisements to users. And the price list for using all those e‑mail addresses goes to up to a bracket of US$ 250,000–500,000. The list of those who use change.org reads like a “Who is Who” of charitable organisations, from Médecins Sans Frontières via Oxfam up to Unicef. Greenpeace Germany attach importance to the statement that they have no business relationship with change.org. Change CEO Ben Rattray told major German news magazine “Spiegel” a few years ago that he wants to turn change.org into a world-wide brand for online activists, just like Amazon has become for book purchases.
All right, so change.org is a for-profit enterprise. But I don’t mind receiving petitions about similar issues after I have signed one. On the contrary, the more I learn more about the issue, the better.
Change.org’s handling of signatories’ data is problematic. Besides name, address and e-mail address, the corporation collects information about the petitions a person supported. Change.org grants itself permission to do so in its privacy policy.
The details collected allow change.org to gain insights about each individual’s political or societal affiliation or social situation, among other things. These insights enable change.org to offer targeted advertisements for other petitions, and thereby influence opinion-forming processes. Moreover, it can not be ruled out that change.org uses its knowledge about opinions and positions to give specific support to paid-for petitions.
Processing and using such sensitive personal data, especially information about political opinions, is forbidden by German and European data protection laws. This cannot be overridden by the declaration of consent used by change.org, which reads,
By signing, you accept Change.org’s terms of service and privacy policy, and agree to receive occasional emails about Change.org campaigns (you can unsubscribe at any time).
The same is true for people who create an account and are simply shown this note at the bottom of the login window:
By joining, or logging in via Facebook, you accept Change.org’s terms of service and privacy policy.
Neither declaration constitutes an effective basis in data protection law for processing and using sensitive personal information. This means for instance that by German and European data protection laws, change.org must immediately delete all information it holds about political opinions of petition supporters.
Similar considerations apply to the handling of personally identifiable information from “social networks” such as Facebook. From people who have an account there, change.org collects,
(…) your social media account ID and information shared with us via your social media account
In connection with social networks, change.org turns into a full-blown data leech that sucks up and holds on to any bit of information it can get.
Incidentally, signatories don’t even need to have entered their addresses themselves, because these are not verified with a confirmation link. So everyone could enter email addresses of anybody else, and these people would never even know.
Given so much disregard of applicable data protection law, it comes as no surprise that the current privacy policy of change.org does not meet legal requirements. On 6 October, 2015, the Court of Justice of the European Union (CJEU) ruled that the Safe Harbour Framework is ineffective – the so-called Facebook ruling (‘Europe v Facebook’). Ever since, data transmissions to the USA require new and stricter regulations, but change.org still refers to the invalid “Safe Harbor” Framework.
In other words: change.org did not even care to adapt its privacy policy to current jurisdiction in Germany and Europe. Instead, the corporation affords itself data processing practices with no basis in data protection law. A simple change of its terms would not do the trick anyway: even the new EU–US “Privacy Shield” does not offer sufficient protections against the low privacy standards in the US.
In terms of data protection law, nothing is going well at change.org.
The corporation’s website used to mention a Berlin office, but this text was removed. But the company still has directors and managers working in Berlin, and lately it advertised a “full-time” job in “Sales and Business Development”, “in close collaboration with Business Dev colleagues in Berlin”.
Well, but at least they use these addresses for a worthy cause. More justice, better protection of the environment – that’s not evil.
Careful there: change.org neither has a “human rights” or “environmental” agenda itself, nor is this corporation a “grassroots movement for a better world”. The personally identifiable information it stores primarily serves as a cash cow. To be honest, change.org should rename itself to change.com.
The services of change.org are open for all social and political tendencies. For example, in Germany this corporation has no qualms whatsoever about simultaneously promoting, under the keyword “refugees”, a demand to open the Balkans route and a call for the resignation of Chancellor Angela Merkel because of her welcoming policy. Anybody can pursue an agenda using change.org, and search for supporters. Oxfam just as well as Pegida (“Patriotic Europeans Against the Islamisation of the Occident”, a far-right anti-islamic movement in Germany) – as long as it generates lots of clicks. In contrast to other petition platforms, change.org does not have its own political agenda.
Change.org also allows petitions for conservative parties and organisations, such Sarkozy’s Republicans in France. Not necessarily because change.org shares these views – the explanation might quite simply be that the to right of the centre, the corporation’s address collection has not yet grown large enough. In the US, change.org placed job ads for a campaigner who was supposed to help expand the address collection on the political right by launching petitions or making contacts in those circles.
But all of these arguments don’t taint the positive and world-improving petitions running at change.org. Is it not even a truly and radically democratic approach to accept all causes and let the people vote with their signatures? Shouldn’t we emphasise this aspect instead of shaming this company with a BigBrotherAward?
Not at all. No matter what objective a change.org campaign may have – because of the corporation’s data collection mania there is always a risk that personal details of its signatories will be processed unlawfully and used for a totally different purpose. If you launch a petition, your name will be used to write to other users – that is, your will be held accountable for the corporation's business purposes, and your friends and acquaintances will be drawn into the reach of the data leech.
If you would like to launch an online campaign, you should choose a different platform. One that values data protection and will never use sensitive personal information for its own purposes.
Heartfelt congratulations on the BigBrotherAward 2016, change.org.
- Datenschutzbeschwerde immer noch unbeantwortet08 Jul 2019Update zu BBAs
Laudator.in
- (German) Expertise on change.org from a data protection legislation perspective by Thilo Weichert (former Data Protection Commissioner of the Federal State of Schleswig-Holstein):
- (German) Press release by Thilo Weichert on change.org [Content no longer available]
- (German) Open letter by Thilo Weichert to data protection official at change.org (PDF)
- Change.org, Enabler of Davids, Decides To Side With Goliaths Instead – October 23, 2012, By Jeff Bryant (Web-Archive-Link)
- Change.org Changing: Site To Drop Progressive Litmus Test For Campaigns, Say Internal Documents (UPDATE) – 10/22/2012, Updated Jan 16, 2013, By Ryan Grim (Web-Archive-Link)
- Why I Will Not Sign Another Change.org Petition, Ever – 10/24/12, By Karoli Kuns (Web-Archive-Link)
- Change.org sells out progressive movement – Wednesday Oct 24, 2012, By Raven Brooks (Web-Archive-Link)
- Progressives Decry Changes at Change.org – By Sarah Lai Stirland | Wednesday, October 24 2012 [Content no longer available]
- Twitter: Sven Sladek, @DerFizz – Dear @Change, I accidentally signed a right-winged petittion just by clicking on a link. (Web-Archive-Link)
- (German) article at news site Spiegel.de on change.org as a business, founder Ben Rattray and others: “Die Kraft der Klicks” (Web-Archive-Link)
- (German) article at newspaper site Frankfurter Allgemeine Zeitung on investment in change.org, 11 Nov 2014: “Große Investitionen in das Petitions-Portal Change.org” (by Ursula Scheer) (Web-Archive-Link)
- Forbes: The Business Behind Change.org's Activist Petitions (Web-Archive-Link)
- The Information Diet: Change Dot Biz [Content no longer available]
- Gemeinnützig? B-Lab: Benefit Corp vs. Certified B Corp [Content no longer available]