How Fake News Got Personal. Setting the Record Straight

How Fake News Got Personal. Setting the Record Straight

My mother's family are all from Aberdeenshire where I spent the best part of my childhood. We would relocate our company to Scotland in a heartbeat if it stays in the EU.

So, I was not happy when a "digital law specialist" from Glasgow, Heather Burns, published my personal data and spread false information about me. Here’s what happened:

I was startled one morning a couple of years ago by a tweet from Burns, (aka @idea15webdesign at the time, now also @webdevlaw) in which she had published my personal data without my consent, in the form of a screenshot of one of my private Twitter list titles.

She then proceeded to slag me off for “disrespecting” her.

Well, I hadn’t. Burns, (I guess) mistakenly assumed that because she saw my list title as she trawled through the “Referer" header log on her Wordpress blog, that she, herself, must be be on my private list "underhand people".


Understand, Heather, that seeing a title of a Private Twitter list when you trawl through your Wordpress “analytics” does not mean YOU are on that list. It simply means that someone who IS "on the list" has tweeted a link and, that link was to one of your blog posts and someone, me in this case, clicked on that link, probably before even realising it was a link to your website.

Be aware also, that my private twitter list "underhand people" could feature competitors using underhand tactics, sneaky lobbyists, be a joke in the office, a list of very best buddies, third cousins twice removed, or just the easiest list to plonk interesting tweeters in, because it happened to be at the top of the page etc.

Who knows?

Not you! 

YOU simply have no idea. You did not have my consent to publish my personal data, in the form of this list title, let alone delve into my private space, and go on to broadcast your misinformed speculations about my private life. 

I wrote a short open ended reply to Heather at the time in the hope she would realise her mistake, remove it, and even perhaps (I’m an optimist after all), apologise, or at least just STFU

Apart from a follow up tweet, "liked" by lobbyists Coadec, (so daft it actually made me laugh out loud), I thought she had.

How wrong I was!

About a year later, she made a false accusation of slander obviously referring to me (to anyone reading her previous tweets to me), undermining my reputation as a privacy advocate, in a piece she got published on a highly regarded and popular US blog. It was based on no evidence whatsoever, only that one incorrect assumption.

In the post she advanced her thesis on why the industry needs to grow up and professionalise.

I couldn’t agree more, Heather. Your paragraph entitled “now it gets personal” is a good place to start.

Being on a high profile site the post was widely re-tweeted and linked to, particularly among her Wordpress community. When I matter of factly pointed out her mistake on Twitter, she replied with a string of abusive slurs and accusations.

Shortly after this ugly tirade, I complained to the original US publisher who, after quickly reviewing the facts, removed the piece from his site. 

Heather Burns lost no time in posting it on her own Wordpress blog, adding an unpleasant rant against him, and implying that he had "banned" it because of its "controversial" content, rather than that she had made a false and damaging statement, and abusive, untrue and defamatory remarks.

What did she expect the guy to do? Wait around to see if he got sued just to prop up her ego?

Why would Burns want to churn out this garbage after a whole year, when she could easily have sought the advice of academic and WordPress associates who could surely, if they had a mind to, have pointed out the obvious technical and legal facts, even if they had escaped her?

Well, whatever her motivation, Burns was obviously miffed when it was taken down.

I have never met Burns, or intereracted with her, other than on Twitter.  I have never removed any of my few Tweets to her, so our entire interaction is publically available.

Today I simply asked her to provide the ICO "reports" she mentioned that stated complaints about tracking were "bunk". She immediately responded with another diversionary rant, attacking me personally, and wrongly suggesting that I "repeatedly threatened to sue [the publisher]" over her piece, and obviously identifying me again.

In fact I had sent a single direct Twitter message to the publisher, Jeffrey Zeldman, asking him to remove only the defamatory paragraph, with a single statement that I specifically did not "want to be forced to get legal about this", and not even saying with whom.

Jeffrey asked for clarification which I sent in an email, without ever mentioning legal action again. The piece was then promptly removed in its entirety (not what I had asked for), after which I replied thanking him and offering to write an informed article about European Data Protection law.

While I would never publish correspondance with others without their consent, especially not selected extracts, Jeffrey has my permission to publish our communication about this in its entirety if he wants to.

By assuming my list was "about her" and reacting, and continuing to react, in this way Burns has obviously caused damage to me, and by extension, to our company.


                         YOU REALLY COULDN'T MAKE IT UP

What really beggars belief, is that she has continued to link to the piece containing disinformation to argue for why a professional body representing digital workers is urgently required.

Recently, Burns and others who also linked to her false statements, appear to be setting up a body to represent digital workers, one member stating that Heather Burns has "made the case" for this, with a link to the article.

WELL NO THANKS HEATHER!  I need your representation like I need a hole in the head. Count me out!

As a female founder and developer I have found you more abusive and destructive of my hard work to help clean up the digital economy and provide data subjects with real choices, than anyone, man, woman or dog I’ve interacted with, on or off twitter.

Having my personal data publicly dissected by you, being lectured on how I should live my life (as if you knew), and having motivations & behaviour falsely attributed to me was like a visit from the thought police.

Your unfounded public accusation via Twitter that I have an "enemies list" with all its negative connotations and your Orwellian suggestion that if I don’t want this figment of your imagination published, I shouldn’t have a "private list" (thought police or what?) based on nothing but your inaccurate interpretation of a logged Referer header, is deeply offensive.

You accused me on twitter of, amongst other things, having "bat shit conspiracy theories" Well that’s news to me! If anyone is aware of them perhaps they can enlighten me. I’d love to hear about this wild and wacky side of my personality!

Perhaps the truth is that what could be passed off by some as conspiracy theories a few years ago, have, since the Snowdon revelations, and the exposure of disinformation on the internet, associated in particular with Brexit and Trump, come to be seen for what they are: privacy concerns that any rational person would have, and a lot more people are now keen to embrace.

None of Burn's Wordpress pals, or others who regularly engage with her on Twitter, has to my knowledge, publicly questioned whether in fact Heather Burns had been "slandered" or "disrespected" etc. or asked whether, quite the reverse, she has made false accusations, damaging to a self funded human rights focussed privacy company, on a post calling for for the "professionalisation" of my industry. 

Hundreds of people (many of whom should have known better) have retweeted this misleading piece, and many more have linked to it or re-published it. Well thanks but no thanks. 

I really did not want to write this post. I have other things to do with my time, but Burns' behaviour on twitter today is not worthy of the respect of a body representing workers and micro businesses in the web ecosystem. Her obvious connections with businesses, some very large, based on the WordPress project suggest that she might be more approprately employed representing their interests.

I am sure that many of those wanting to professionalise the web industry are good people but seeing this misinformation about me being repeated as part of the launch of a group is a step too far for me to remain silent.


This damaging activity would not have been possible had Twitter fulfilled its duty to safeguard the personal data it collected (a legal requirement under the 7th Data Protection Principle), and kept the title of my private twitter list, err, PRIVATE.

Anyone with a modicum of common-sense understands that someone’s private Twitter list is personal data. It is safe to assume they consider it sensitive personal data which is why they decided to make it private. This obviously includes the title of the list. It is not intended to be shared with the public. Twitter should therefore have made sure that when Burns trawled through the headers in her Wordpress log, my private list title didn’t show up. They could have done this by implementing a very simple procedure i.e. using the "noreferrer" attribute.

Burns would not then have mistakenly computed:



 Several references have been made to this Twitter problem, going right back to at least 2009,

This abuse was not what I signed up for @jack, I really hope you get your act together and fix this. Exposing private list titles is a very obvious privacy breach that has probably been wide-spread, and unlike some of your more complex privacy problems is easy to fix.

Spontaneity is intrinsic to the enjoyment and value of Twitter. Imagine a world where only people with the skin of a Rhino inhabited, social media  …..Oh wait, we’re heading that way now…

A more serious false accusation. 

Follow up 27/09/2017

Yesterday (26/09/2017), Heather Burns "followed" me for the first time on Twitter, and immediately "blocked" me after tweeting a serious false allegation about me. This was clearly an attempt to deny me the opportunity to refute her preposterous smear.

On the 9th September one of my Twitter followers liked 3 of my tweets about web analytics in relation to the e-privacy directive. She asked if we could carry on the conversation offline so I sent her my email address by DM. She replied on the 14th Spetember with an email request for in depth explanation of not only the points I had raised on analytics, but also a broader explanation of EU data protection and about our products and customers.

I was too busy at that point to write what would have to have been a lengthy reply and, not wanting to seem as if I was ignoring her, replied to her tweet about a company supplying web services to the third sector, which she was visiting with Heather Burns, to point out a discrepancy between what the company's literature said and their actual practice around analytics. The company in question replied graciously thanking me for my input, however Heather Burns launched another personal attack repeating the lie that she had "endured 5 years of cyberstalking and harassment" from me, when actually it is she who has been harassing me, and saying she "will not tolerate your harassment of my clients" , when in fact I had no idea the company was her client, and I was not harassing the company - just pointing out an important inaccuracy. Moreover, on this occasion, she followed up with this latest false, serious and damaging accusation:

As well as publishing a selection of Urls from her weblog, pretending this is evidence of me "trawling" her blog, she effectively accused me of forging an email to a law firm while purporting to be her.

This is an outright lie, I have never forged any email, and have never contacted this firm, or have any interest in her involvement with them, whatsoever.

"and whoever it was has a grudge against me and an odd habit of capitalising the letter R"

The only evidence she offers to support her ridiculous allegation is that I capitalised the letter "R" in the term "Referer Header" in a tweet, because this is, she alleges, an "odd habit" of mine and similar to the way the term "Regulator" was capitalised in the email in question.

In fact I have no such habit. As anyone with a modicum of web technical knowledge knows the HTTP request header "Referer" is always capitalised, 1) because it is common practice to capitalise the names of HTTP headers, and 2) because the header name was originally misspelled by its inventors, so capitalistion is used to indicate this is not an inadvertent mispelling.

Moreover, I do not "hold a grudge" against Burns. I simply point out untruths when I see them, especially if they relate to privacy and fundemental human rights, and I have no intention of stopping that.

Falsely accusing someone of forgery is a serious matter which can obviously be the subject of legal action.




[1] When someone posts a tweet, which contains a link to a webpage URL, Twitter turns it into a clickable link using their “link shortener” When anyone clicks this link a web request is sent to and the request contains meta data  (the HTTP Referer(sic) header) that shows the web location of the page the link was contained in. The server then forwards the web request to the original URL

[2] When a private twitter list is viewed, the list title is contained within the URL of the page, i.e. if you look at a private list called “MyPrivateList” the page URL (shown in the “location bar” of your browser) will be

Twitter could easily have stopped this from happening by implementing a simple procedure (using the “noreferrer” attribute), but they didn’t. Even though, in most circumstances, Twitter’s server strips out the Referer header before forwarding the web request, in this situation this was clearly not done, perhaps because of a bug in Twitter’s forwarding software. This has though, according to tweeters going back to 2009 been an ongoing issue.

Check out our other blog posts