Just spoke to a group of ISPs at the UK Network Operators Forum conference about ORG (Ian spoke about data retention), and from the audience came a very important question. What about Scotland?

Scotland has a different legal system, different legislation and its own parliament, so that means a whole different group of people we need to be talking to. We are keen to be inclusive, and didn’t intentionally leave Scotland out, but we’ll need to find our counterparts there. We are talking to Digital Rights Ireland already, but I am not aware of a similar group in Scotland (or Wales or Northern Ireland, for that matter.)

If you know whom I should be talking to, point them out to me. Meantime I shall put some feelers out to try and find the right people.

Privacy International have put together an excellent open letter to all members of the European Parliament, addressing the current proposals on communications traffic data retention. It begins:

Dear Members of the European Parliament,

We would like to take this opportunity to address you regarding the current proposals on communications data retention. As you are well aware, both the Council and the Commission have put forward proposals on data retention. It now appears that the policy is finally shifting to the first pillar away from the third. This does not mean that the policy has improved. Despite many edits over the last two years, both the Council and the Commission proposals continue to be invasive, illegal, illusory and illegitimate.

These proposals continue to require the collection and logging of every telecommunication transaction of every individual within modern European society. Almost all human conduct in an information society generates traffic data. Therefore traffic data can be used to piece together a detailed picture of human conduct.[1] Under the various proposals, this data will be kept for between six months and four years.

There are clear challenges for these proposals with respect to the European Convention on Human Rights, the European Charter on Fundamental Rights and national constitutions. The case still has not been made that retention is necessary in a democratic society.[2] The claimed need for harmonisation is premature at best and challenges democratic process.

The letter, which is well worth reading, has been endorsed by:

• Association Electronique Libre, Belgium
• BBA Switzerland
• Bits of Freedom, the Netherlands
• Chaos Computer Club, Germany
• Computer Professionals for Social Responsibility - ES, Spain
• Digital Rights, Denmark
• EFFi, Finland
• Forum InformatikerInnen für Frieden und gesellschaftliche Verantwortung, Germany
• Foundation for Information Policy Research, UK
• GreenNet, UK
• ISOC-Bulgaria
• Open Rights Group, UK
• Privacyblog.net, Slovenia
• Netzwerk Neue Medien, Germany
• quintessenz.org, Austria
• Stand.org.uk, UK
• Statewatch, UK
• Stop1984, Germany
• Swiss Internet User Group, Switzerland
• VIBE!AT, Austria

On her website, Baroness Sarah Ludford MEP worries that there has been no serious cost-benefit analysis of the UK’s data retention proposals for Europe, and calls on other MEPs to question the necessity for such ’sloppy’ legislation:

“[S]torage of everyone’s phone, email and website use is costly as well as a massive invasion of privacy and increase in state surveillance, so the threshold for justification is a high one.”

“I am still worried by the absence of a serious cost-benefit analysis. Assertions are made about the need to keep records for a considerable time, but the evidence is thin. No decent rebuttal has been delivered of the case for a short retention time plus specific ‘freezing orders’ for communications records of suspects.”

“Since we will have the leverage to do so now, MEPs must probe the real necessity for invasive measures. Whilst EU-wide cooperation is crucial to stop terrorism and organised crime, Member States should first end cross-border turf wars and actually implement cooperative arrangements they’ve signed up to.”

data retention, Baroness Sarah Ludford, MEP, Europe, Open Rights Group, ORG

Yesterday’s Guardian ran the story of the wrongful arrest of David Mery on its front page, a story he’s written up in a lot more detail on his site.

‘LONDON (Reuters): - A London underground train station was evacuated and part of a main east-west line closed in a security alert on Thursday, three weeks after suicide bombers killed 52 people on the transport network, police said. A Transport Police spokeswoman said Southwark station was closed and Jubilee Line services suspended between Waterloo and Canary Wharf in the east London business district.’

This Reuters story was written while the police were detaining me in Southwark tube station and the bomb squad was checking my rucksack. When they were through, the two explosive specialists walked out of the tube station smiling and commenting ‘nice laptop’. The officers offered apologies on behalf of the Metropolitan Police. Then they arrested me.

At first glance, this doesn’t seem like a digital rights story, but a civil liberties story. And up to a point, it is. It’s an absolute disgrace that someone can be arrested in the UK on the basis of having a rucksack, wearing a rain coat, and behaving in an entirely normal way on the London Underground system. It’s imperative that we protest such kneejerk reactions by the police in the strongest possible terms, and that we let our MPs know that we do not accept that this sort of regime is necessary for the safety and welfare of the nation.

But this isn’t an ORG matter, right?

Wrong.

This becomes a digital rights matter because the data collected by the police about David Mery is now sitting in the police database - his DNA, interview recordings, photograph, fingerprints, name, address, and whatever other details they take. Let’s get this straight. David was arrested for no discernible reason, having committed no crime and, in fact, without there having been a crime for him to have been arrested on suspicion of. The charge of ’suspicious behaviour and public nuisance’ is a ludicrous accusation, considering that he was doing what the rest of us do every day: waiting for a train.

David was released without charge, but his data wasn’t. (Neither was some of the stuff that the police took from his flat.)

2005-08-31 Wednesday
09:00 I arrive at police station to surrender to custody as required by bail, and am joined by solicitor five minutes later. We are invited into a small room by a plainclothes police officer a further few minutes later. The officer tells us that it’s ‘NFA’ (no further action), explains that this means that they are dropping the charges, and briefly apologises. The officer (DS) in charge of the case is away from the station so the process of clearing up my case is suspended until he signs the papers cancelling the bail and authorising the release of my possessions. The meeting lasts about five minutes.

I send letters to the Data Protection Registrars of the London Underground, Transport for London (replied on 2005-09-05 that the ‘retention period for recording of stations is fourteen days’), the British Transport Police and the Metropolitan Police. The first three letters ask for any data, including CCTV footage, related to the incident on July 28, while the final one is much more generic asking for any data they have on me. They all have forty days to respond.

2005-09-08 Thursday
I talk to my solicitor about ensuring the Police return all my possessions, give us all the inquiry documents (which they may or may not do) and expunge police records (apparently unlikely to happen).

The solicitor sends a letter to the officer in charge of my case asking him to authorise the release of my possessions and forward us a copy of the custody record, and conveying to him how upset I am.

[...]

Under the current laws the Police are not only entitled to keep my fingerprints and DNA samples, but apparently, according to my solicitor, they are also entitled to hold on to what they gathered during their investigation: notepads of the arresting officers, photographs, interviewing tapes and any other documents they collected and entered in the Police National Computer (PNC).

The police have absolutely no reason to retain any data on David, but I fear that the chances of him being able to get his police records deleted are nil. Other than recording that he was wrongfully arrested, I see no good reason why they should retain his DNA, fingerprints, photographs etc., but reason seems to be increasingly absent from the way that security is handled in this country.

We will be keeping in touch with David to see what happens.

A while back, when we first started talking about setting up ORG, I thought it would be a good exercise to explore the existing digital rights landscape in the UK. I wanted to create a mindmap which would allow me to see visually relationships between the various organisations working in this area (even if only very peripherally), and I based my map on work already done by Jo Walsh.

Unfortunately, events overtook me before I got to finish it, as you can see:

You can get the full-sized image from Flickr.

It really is a very much unfinished work, and I need your help to fill in all the gaps. For each organisation I need the key people, the issues that organisation addresses, and their website URL. Please leave info in the comments, rather than email me directly, so that then everyone can see what’s already been found.

Right, over to you!

i was so caught up in the conference I was at last Friday that I entirely failed to notice that we were in The Register, on data retention. As were ETNOA:

The European Telecommunications Network Operators’s Association (ETNOA) called on UK Home Secretary Charles Clarke and his fellow ministers to engage in fuller discussions with industry.

Michael Bartholomew, a spokesman for the organisation, said the case for the compulsory retention of communications data had not been proven, and argued that tracking data for unsuccessful calls would be extraordinarily expensive, with operators having to make system changes costing in the region of £108m each.

“We think this is a rather unsophisticated approach to a complex problem,” he told The Guardian.

Good to see other people getting vocal about it too.

data retention, Charles Clarke, Open Rights Group, ORG

A transcript of James Boyle’s remarks on the public domain, copyright and Creative Commons, given at the Association of Research Libraries 146th Membership Meeting, May 26 2005. James calls for more evidence-based thinking on intellectual property issues, something that is currently sorely lacking.

Here’s another remarkable thing about intellectual property policy over the last 10 or 15 years: it is almost evidence-free. People criticize the FDA about Vioxx. But if we were doing FDA drug approvals the way we approved intellectual property expansions, this is how the process would go. The drug company would say, “This is my friend. He took the pill and he feels better.” Or sometimes even, “This is my friend, he needs to take a pill and he thinks it will make him better.” And then they would offer a model about as complicated as a picture of the person with a mouth and the pill in their stomach and say, “See?” That’s about as data-intensive as things have been.

What if we had a test case where two regions adopted different intellectual-property policies, and we actually had evidence showing how these policies worked? Well, we actually do have such a case—in the area of database protection. In Europe, there is strong database protection under both copyrights and sui generis database rights. Many European governments also claim some kind of copyright over databases. And there is the idea that institutions, such as the Ordnance Survey or the weather companies, should recover their costs by charging users. The US tradition is totally different. In the US, there are no rights over data or unoriginal compilations of data. Any text produced by the government is free from copyright and passes immediately into the public domain. As for government-funded data, it is produced and distributed to the public with the idea, remarkably, that taxpayers have already paid for this, and shouldn’t have to pay for it again.

Now, we actually have some good evidence about the effects of these different approaches. The United States database industry is considerably larger and more thriving, and has higher rates of return, than the European database industry. In fact, at the moment when Europe introduced sui generis database rights, there was a short one-time spike as database producers raced into the market, but then growth rates returned to previous levels, and many companies left the market. And when did Reed Elsevier and Thomson enter the legal database market in the United States? It was after a case called Feist, which said that facts, and unoriginal compilations of facts, were uncopyrightable. That is to say, European companies chose to come into a classically public information field in the United States after they had found out, for sure, that they could get no copyright in unoriginal databases. Yet, even without database rights, they’re getting high rates of return. So, we have evidence showing that less protection has been better for innovation than more protection. But you could spend days listening to arguments about database rights, and you’d never hear these facts mentioned.

(Via Open Access News.)

Open Rights Group, James Boyle, public domain, digital rights, copyright, Creative Commons, copyleft, general public license

Kevin Marks uses Lakovian frames* to explain what’s wrong with DRM to five different audiences, of which the first two:

Computer Users: DRM turns your computer against you

I know sometimes it seems like your computer has it’s own agenda, when it refuses to print or copy or find your documents. DRM does this on purpose. It is designed to stop you copying and pasting, printing and sharing things. I don’t think you want this.

Computer Scientists: DRM will fail through emulation

One of the basic precepts of Computer Science is the Church-Turing thesis, which shows that any computer can emulate any other one. This is not theory, but something we all use every day, whether it is Java virtual machines, or CPU’s emulating older ones for software compatibility.

The corollary of this is that code can never really know where it is running. For a rock solid example, look at MAME, the Multi-Arcade Machine Emulator, that runs almost any video game from the last 30 years. The games think you have paid a quarter when you press the ‘5′ key.

I like this sort of comparative re-framing of debates. It provides for a variety of different viewpoints, acknowledges that there’s more than one way to think about these issues and allows you to hit one very big bird many times with several well-framed stones.

* ‘Frames‘ are a way of presenting information or rhetoric that is sympathetic to a specific audience’s paradigm. George Lakoff applied frames to political communications thus illuminating how language is used by politicians to very subtly reinforce their point.

Had an hour-long conversation with Karen Gomm from ZDNet UK yesterday, which resulted in this piece about ORG and data retention (page 2, page 3). A snippet for you:

The Open Rights Group wants to take on Charles Clarke over ID cards and telecoms data, and help develop fair-use rights for digital content

A digital rights organisation, the Open Rights Group (ORG), has been formed to tackle European and UK legislation which could threaten digital and civil freedoms.

ORG will serve as a hub for other cyber-rights groups campaigning on similar digital rights issues and follows in the footsteps of the US group Electronic Frontier Foundation (EFF).

Louise, James and myself spent a good chunk of time yesterday going through the Memorandum of Association and the Articles of Association. They are basically the documents that explain what the Open Rights Group will be doing and how, and are a legal requirement for incorporating a company, which we will need to do in order to be able to take donations and act as a non-profit.

It’s one of those tasks, though, that puts the ‘argh’ into ‘tedious’. And talking of tasks, here’s what we’ve achieved so far:

1. We’ve found free office space in central London for the next six months, which is a significant coup because it’s going to save us a lot of money and provide us with valuable resources.
2. We’ve taken advice on the best legal form for the organisation to take - a company limited by guarantee - that will both protect members and give them a voice.
3. We’ve obtained and are going through boilerplate constitutional documents: the Memorandum and Articles of Association.
4. We’ve got a name, (and boy, was that time consuming!), and have checked Companies House regarding such a name.
5. I’ve set up this interim blog on my own hosted server to keep you as informed as possible as what’s going on and are making arrangements for a permanent home for our online presence.
6. I’ve personally bought domain names, although I can’t cover all variations because my budget’s not big enough.
7. We’ve been drafting roles and responsibilities documents for the Interim Board, Interim Advisory Council and Interim Executive Director.
8. We’ve been hunting out potential supplementary sources of funding and have some good leads there.
9. We’ve been trying to track down pro bono professional advice regarding things like incorporation.
10. We’ve investigated the costs of different methods for gathering donations.
11. We’ve been looking at potential free venues for holding plenary and other meetings and have started planning the first meeting.
12. We’ve been fielding press requests for information, including BBC Radio 5, BBCi, Channel 4 Despatches, ZDNet, and the Washington Internet Daily.
13. We’ve been looking into best practice on governance of not-for-profit organisations.
14. We’ve been consulting other not-for-profits to find out about the pitfalls that we need to avoid, particularly in terms of the legalities and organisational issues.
15. I’ve been invited to speak at three conferences on digital rights issues (details to be confirmed - I’ll blog them when they are).
16. We’ve been doing preliminary research into the various digital rights issues that we may be covering.
17. I’ve been doing research into the ‘digital rights landscape’ - who’s doing what in digital rights.
18. We’ve been gathering volunteers - people who have emailed us to offer their help.
19. We’ve drafted an initial campaign plan.
20. We’ve been thinking about things like communications plans, website development plans, volunteer plans, future strategy etc.
21. We’ve drafted a preliminary budget.
22. We’ve been in close liaison with the EFF (beyond our contact through Danny and Cory), as well as speaking to members of FIPR, the FFII, No2ID, Citizens Online, CDR, STAND, UKIF and UKNOF.

Of course we still have a lot to do, including (and this list is by no means in exhaustive or in any sort of order):

1. Finalise the Memorandum and Articles of Association, and have them checked by a lawyer.
2. Decide on the financial Standing Orders
3. Incorporate.
4. Find a bank and open an account.
5. Open PayPal account.
6. Set up membership processes and follow up on the pledge.
7. Finalise the organisation structure to provide accountability, transparency and expert input.
8. Write job descriptions for the Board and Advisory Council members, and the Executive Director.
9. Decide how we will decide who is doing what going forward.
10. Pursue funding opportunities.
11. Decide on types of membership.
12. Design processes for membership decision making and financial control.
13. Investigate Data Protection as regards the membership database.
14. Set up an appropriate membership database.
15. Find out legal requirements for everything from insurance to Health and Safety to employment law to contracts.
16. Register with the Inland Revenue.
17. Communications plan.
18. Campaigns plan.
19. Find pro bono experts.
20. Benefactor management plan.

OK, so that gives you a taster of what we’re spending our spare time doing, and what we still have to do.

If you happen to be, or know, a lawyer willing to work pro bono with experience in setting up a non-profit company limited by guarantee, please contact us. We would also like to speak to a pro bono accountant if at all possible, and someone with expertise in Data Protection Act compliance.