
Blog


November 26, 2014 | Elizabeth Knight

Lee Rigby murder should not be used as excuse for an increase in state power

Yesterday, the Intelligence and Security Committee (ISC) issued its report into the murder of Fusilier Lee Rigby in Woolwich. Despite cataloguing a number of failures, the report claims that the security services couldn’t have prevented Lee Rigby’s killing, while appearing to claim that Facebook could have.

The report showed that Rigby’s killers Michael Adebolajo and Michael Adebowale had appeared in seven different investigations by the security services and there were “errors in these operations, where processes were not followed, decisions not recorded, or delays encountered”.

Despite this finding, the ISC reserved its strongest criticism not for the intelligence services, but for overseas communications service providers. The committee referred to an online exchange between Adebowale and an extremist overseas (discovered after the killing), in which Adebowale expressed his intent to murder a soldier. The committee concluded:

“What is clear is that the one party which could have made a difference was the company on whose system the exchange took place. However, this company does not regard themselves as under any obligation to ensure that they identify such threats, or to report them to the authorities. We find this unacceptable: however unintentionally, they are providing a safe haven for terrorists.”

It is shocking and unreasonable to suggest that the company (un-named in the report but now named as Facebook) is responsible for any failure to prevent the murder. The suggestion appears to be that the company should have been trawling through the content of the communications of all of its users on a blanket basis on the off chance that one of them may be sending messages about terrorism. The ISC laments the fact that “none of the major US companies we approached proactively monitor and review suspicious content on their systems”. 

There are two suggestions: one is blanket trawling that would represent a hugely disproportionate interference with the right to privacy of all of the company’s users. It would have a chilling effect on freedom of speech online if individuals are unable to trust service providers not to snoop on their communications. It may also be contrary to the companies’ terms of service. 

ISC member Hazel Blears said yesterday that companies already proactively search and report illegal child abuse images and therefore by extension should be able to expand this to ‘terrorist content’. But it is not so straightforward. The former involves using hashes to tag illegal images, the latter would involve searching for keywords (killing? beheading?) and then making a decision about whether they have been written by someone who is a credible terrorist threat.

Facebook is right to regard itself as not being under any obligation to pro-actively identify this type of communication and report it to GCHQ. To place communications providers under such an obligation would be to render them an arm of a surveillance state.

A more reasonable approach could be to identify individuals that may be of interest to the security agencies - for example people who have drawn themselves to the attention of Facebook because they have posted extremist content, which has led to their accounts being suspended.

There are also clear legal mechanisms in place by which the security services can access the content of communications held by overseas companies. The first is by using a targeted warrant signed by the secretary of state under section 8(1) of the Regulation of Investigatory Powers Act (RIPA). The ISC appears to have accepted at face value the government’s claims that this method is ineffective because overseas service providers do not comply. In fact, just because overseas service providers may say they do not regard themselves as bound by UK law does not mean they do not cooperate with UK requests. Their transparency reports suggest otherwise. For example, between January and June 2014 Facebook supplied data for 71.68% of requests from the UK government. The ISC’s statement that if MI5 had sought information under a warrant the company might not have responded is highly speculative.

If the government is unable to access communications using a warrant, the appropriate mechanism to use is the established Mutual Legal Assistance Treaty (MLAT) between the UK and the US. The ISC suggests that the government believes using MLAT to be ineffective as it is too slow, does not apply to intelligence investigations and involves scrutiny of sensitive information by a US court. These are not insurmountable objections. Reform of the MLAT procedure should be a priority. 

Instead, the government is trying to pressure service providers to comply with its demands outside of any transparent legal process. Unregulated cooperation damages the rule of law. And importantly, if US companies have to comply with ad hoc requests from the British government surely they should also agree to demands for access to customer communications from the Russian and Chinese governments.

It is also notable that GCHQ’s vast TEMPORA programme, which allows the mass collection of external communications passing along fibre-optic cables between the UK and the US, does not appear to have helped them identify the communication. ORG is disputing the legality of the programme before the ECtHR. This is evidence that mass surveillance (as opposed to targeted surveillance) is ineffective as well as breaching our fundamental human rights. 

The findings of the committee accord conveniently with the recent rhetoric of Theresa May and GCHQ’s Robert Hannigan, who want to increase surveillance powers and bully Internet companies into agreeing to their demands. The committee appears to have accepted this narrative unquestioningly. In addition, the decision to publish the Counter-Terrorism Bill the day after the ISC report has been criticised by ISC members themselves.

It’s going to be very unlikely that people who are plotting terrorist attacks will be discussing them on Facebook, particularly now that we have had a public debate about this. Even so, this horrific murder should not be used as a political tool to pressure Internet companies to do what GCHQ wants.

This article was originally published in The Drum.



November 24, 2014 | Jim Killock

Blanket data retention does not come in “good” and “bad” forms

Yesterday’s announcement that mobile phone providers will be obliged to keep records of their customers’ IP addresses (and port numbers) came as no surprise. But what we need to remember is that all data retention should be subject to the same principles, conveniently outlined by the Court of Justice of the European Union.

These principles include that data retention should be targeted against a specific threat, confined by criteria such as a specific time or place. The new proposal, while being consistent with existing arrangements for ISPs in the UK, is another proposal for blanket retention beyond what is needed for business purposes.

In any case, this is a rather backward proposal, dealing with a problem that exists because the mobile companies continue to rely on out of date technology. To take a moment to explain: the Internet is famously running out of addresses (numbers that identify a point on the Internet – Internet Protocol version 4 (IPv4) addresses).

To deal with the lack of address space, mobile companies use a technology called "Network Address Translation" or NAT, which allows several devices to share the same IP address. Most people use this at home to allow two or three computers to use the ADSL or cable connection. However, the mobile companies do this at a far greater scale, called "Carrier Grade NAT", and there will be hundreds of different people using the same IP address.

However, all of this technology needs replacing. It limits the usefulness of Internet connections, particularly reducing our ability to use peer-to-peer technologies. The government ought to be asking providers to invest in IPv6, rather than upgrading their current, limited technology, just for the purposes of further logging our movements.

Proposals for surveillance need to be justified not just because of the increased convenience for police, but on the basis that they do not intrude more than is necessary for specific criminal enforcement. This does not mean that all events should be logged and tracked at all times in order that police can always use a source of evidence for investigations. Yet rhetorically we know this is where the surveillance lobby has already arrived. As Jack Straw asked, how can data retention be limited on the basis of suspicion: the police are not “clairvoyant”, they cannot know which of us will need to be investigated in the future.

The problem with Straw’s argument is that if you accept it, then it is impossible to argue against the destruction of any data, ever. Any of it might be useful to the police, so all of it should be kept. Maybe we should be obliged to retain our hard drives forever.

The choice is always between blanket, pervasive and excessively intrusive surveillance, where everything is collected, and proportionate, targeted collection where there is a possibility that sometimes something might go missing. However, in an age where data is generated at multiple points, by increasing numbers of services and devices, a lack of digital evidence should be the exception rather than the rule. Claims of data going missing should be treated with caution.

The important point in relation to new mobile IP data retention is that it suffers from the same problems as previous proposals. It is unbalanced and lacks any serious restraint. In order to get the principles right we need to examine the whole of the data retention question. Theresa May denied us that opportunity only months ago. Now she is seeking to press ahead, again with agreement of her coalition partners, who also need the opportunity to look at this question in the round.

Her calls for the Snoopers’ Charter, and building the surveillance regime piecemeal, have the effect of eroding the principle behind defining the basis of proportionate measures to retain data, and surreptitiously signing up Parliament to the idea that blanket collection is not necessarily a problem. MPs can place lines in the sand based on their sense of public concern, rather than the principles. Once the principle of blanket data retention is fully accepted, resistance to the Snoopers’ Charter will weaken, and MPs will turn to oversight as sufficient protection.

That is why we need a full debate about the whole question of data retention, in the light of the CJEU judgment. The effects of that judgment on UK law are not yet fully understood, but David Davis MP and Tom Watson MP, as well as ORG, are seeking to challenge the existing data retention regime.

 



November 12, 2014 | Florri Burton

3 days to go till ORGCon2014

Countdown to ORGCon2014. We look forward to all our wonderful sessions and gathering of supporters this coming weekend!

We are all busy getting ready for ORGCon2014 this weekend. Tickets are unfortunately now sold out! We're sorry if you didn't manage to get one this year, but we can let you know that the sessions are being filmed and can be found on the ORGCon website post-event.

ORGCon2014 is all about debating civil liberties and the Internet. The clock is ticking until the general election 2015. Now is the time that we can make a real difference, take action for our human rights, and meet together as a community.

ORGCon2014 is the biggest event in the UK which focuses on ethical issues of the Internet and technology. As well as the campaigns that we are working on, like "Don't Spy On Us!", "The Department of Dirty" and "Blocked!", we also showcase and support other key topics and campaigners in the field: TTIP, open data, big data, Facebook privacy settings, online stalking, party politics on the Internet, child protection and more. It's also a place for ORG members, activists, students and everyone unabashedly enthusiastic about human rights and technology to come together to participate in great discussions and sessions.

DAY 1

We are delighted to be running a session on Day 1 chaired by our Communications Director Pam Cowburn on 'Surveillance, Whistleblowing and the Media', with Jodie Ginsberg, CEO of Index on Censorship, Rachel Oldroyd, Managing Editor of the Bureau of Investigative Journalism, and investigative journalist Duncan Campbell participating. It's going to be great to get the insider perspectives from these fantastic journalists on the role of whistleblowing post Snowden. How does surveillance interfere with the right to free speech and confidentiality between journalists and their sources? And how does RIPA fit in with all this?

As an intern, I am thrilled to be attending ORGCon2014. However, I have no idea how I am going to choose which talks to go to; they all look brilliant. I'm sure many of you are having the same problem! Check out our speakers for the weekend.

Yet I will say that I am excited to hear a fresh perspective on the infamous 'Nothing to hide, Nothing to fear' line, particularly Merrick Badger's experiences and work on Campaign Opposing Police Surveillance. I am especially interested in the undercover police infiltration of protest groups and the ways in which police were almost expected to have sexual relationships with women they were investigating. For me this raises issues of the gendered way in which states enact their security policies.

DAY 2

This year we are running a second day at ORGCon2014, promoting the chance for you to really get involved hands on, as activists and local groups members. We are running sessions on campaign skills like how to win a long term campaign, how to get media coverage, and how to campaign with your MP and MEPs, not to mention our hack spaces and top tips on how to run local groups.

This second day is really all about engagement and participation, in an inclusive space. This will give the chance for those with a passion for digital rights and campaigning to further develop their skills, with the help of some experienced individuals.

We're looking forward to meeting you face to face, and hearing your thoughts on how to take action.

In a time where our human rights are being eroded by tighter controls on the Internet, censorship and mass surveillance, providing a space for these discussions and participation, and furthering your campaigning skills is more important than ever.

It's our first time running a second day of our annual conference, and we look forward to working with you to shape this new side to the event.

To those of you who have already bought a ticket, joined ORG or registered to volunteer, thank you so much for your support, and see you Saturday!

Here's to having our best ORGCon yet!



November 11, 2014 | Javier Ruiz

ORG and Privacy International publish guidance on privacy and open government

Digital rights organisations provide guidance to governments on positive steps around privacy and data protection to be considered in open government programmes.

Open Rights Group and Privacy International have worked with the Transparency and Accountability Initiative to develop a new chapter on Privacy and Data Protection in the Open Government Guide, which will be officially launched at Open Up on November 12th.

The new chapter provides a menu of commitments that governments could adopt in their next OGP Action Plans, each supported by standards and country examples. The ‘illustrative commitments’ are not prescriptive, but ideas that governments can adapt to local circumstances in order to enhance existing protections.

Open Rights Group has long advocated for privacy to be addressed in this context as one of the thorny issues that will make or break the credibility of open government.

However, it is important to avoid the trap of false choices. Privacy and data protection tend to be placed against openness and security. But as ORG's advisory council member Tim Davies put it in a recent blog, this is the wrong approach. Privacy is the basis of both openness and security.

Open government promotes a fully engaged citizenry enabled by technology to participate in the decisions concerning their lives. But this can only lead to a more sophisticated understanding of data, including privacy, surveillance and security.

Our colleagues at the Open Government Partnership, Paul Maasen and Su Muhereza, have established that privacy is not yet at the heart of national plans for open government.

This situation cannot last much longer. Technology companies are changing their systems to cope with the new demands for privacy and control over information. For example, Apple and Google are starting to encrypt phones by default. Governments committed to openness will have to demonstrate they take privacy seriously. The new privacy chapter in the Open Government guide is a good place to start.

The recommended steps we propose in the guide are clustered around four key areas:

Steps to secure the basic foundations for privacy. This includes both positive legislation on data protection and repealing requirements which prevent anonymity by phone and internet users.

Measures to empower individuals to stay safe and protect their own personal information. This might include public education as well as innovations to give citizens control of the personal information held by institutions such as banks and telephone companies.

Specific protections related to security and intelligence services. Commitments here start with publishing clear and transparent laws on intelligence gathering powers, and go on to publishing annual reports about surveillance and interception of communications.

Steps to integrate privacy into the design of open government programmes. This starts with considering privacy early in the conception stage, establishing processes for assessing how personally identifiable information is collected, used, shared, and maintained and incorporating ‘privacy by design’ principles.

You can read the chapter here.



November 06, 2014 | Ed Paton-Williams

GCHQ are plunging into the privacy debate.

Writing in Tuesday's Financial Times, the new director of GCHQ, Robert Hannigan, called for "greater co-operation from technology companies" to stop terrorists and criminal groups using online services as their "command-and-control networks of choice".

His words completely ignored the Snowden revelations that showed the immense surveillance powers and access to our data that GCHQ has. Instead of talking about GCHQ's apparent habit of collecting the entire British population's data rather than targeting their activities at criminals, he thought he would try to frame the debate as about GCHQ needing more help from technology companies.

David Cameron has come out in support of Hannigan's comments. Hannigan's statement is the latest in a concerted campaign by the Government and the intelligence agencies to bolster support for their surveillance powers.

Even Nick Clegg, the leader of the Liberal Democrats - who traditionally have a good stance on digital rights issues - said he supports blanket collection of data.

And Theresa May and the Home Office are so obsessed with surveillance, they want to scupper the Department for Culture, Media and Sport's plans to let us use our mobile phones on every mobile network; a plan that would increase connectivity and support the UK economy.

This is a big debate. And if we value our privacy from Government surveillance, we're going to have to fight for it.

That's why ORG's spent the last two days pushing back against Hannigan's comments in the media.

We've appeared on BBC TV news and Radio 4 and been quoted in the Daily Mail, The Telegraph and The Guardian. We also wrote a comment piece in the Independent.

Can you help us with the fight by giving us £5 a month?

ORG is playing a huge part in fighting for our privacy by making sure that GCHQ and the Government don't get to push through more surveillance powers unopposed.

We're already holding the Government to account in the courts by taking them to the European Court of Human Rights to challenge GCHQ's practices and oversight and intervening in a case on DRIP - an Act forcing ISPs to retain our email and web data that Parliament rushed through earlier this year.

We'll also be trying to force privacy and digital rights onto the agenda of new MPs at next year's election. We'll hold lots of local debates with Parliamentary candidates in the run-up to polling day in May. And we've got plans for helping ORG supporters to challenge candidates that knock on their door.

But Theresa May and David Cameron will be running their election campaign from precisely the opposite angle. That's why it's so crucial ORG has the resources we need to stand up to them.

Join ORG today so we can keep fighting back against GCHQ's invasion of our privacy.

When you join ORG you'll get a free ticket to our annual conference ORGCon on 15 and 16 November in London. We've got fantastic speakers and we're focusing on surveillance including a talk on what big technology companies are doing about mass surveillance.



November 06, 2014 | Jim Killock

The courts should decide how much privacy we're entitled to - not GCHQ

 

In his first public statement since becoming Director of GCHQ, Robert Hannigan yesterday described the likes of Facebook, Twitter, Google and Apple as, 'the command-and-control networks of choice for terrorists and criminals,' and called on them to give 'greater co-operation' to the intelligence services. It is a surprising challenge to these companies, given how much GCHQ relies on them for our data.

Edward Snowden's revelations that the NSA and GCHQ were monitoring our personal calls, texts, emails and webchats did not just damage the credibility of the US and UK governments but also that of the tech companies who, to varying degrees, had been complicit in sharing our data. But even when they weren’t handing data over, the TEMPORA programme meant that information from their networks was hoovered up anyhow through the tapping of fibre-optic cables.

Companies responded by encrypting data in transit. By doing this, they are forcing our intelligence agencies to use court orders to make requests for data. To our knowledge, tech companies don't refuse these requests when they are made legally – so when Hannigan calls for 'better arrangements' it is unclear what he really means.

In any case, the debate over acquisition of data, in which politicians like to talk of the Internet “going dark”, takes place in a world where data and records of our phones, flights, emails, photos, movements and heartbeats are proliferating. We should be highly skeptical of claims that data is difficult to get hold of.

There are at least five ways that GCHQ can acquire data to investigate terrorists (plus foreign governments, companies, climate change negotiators, human rights activists and EU officials).

Firstly, they can collect all the data off the wires. As we noted, this is becoming harder, as encryption is more common.

Secondly, they can weaken our encryption methods, by adding backdoors, so they can always decrypt things. The problem with that is it means organised crime can find the backdoor, and they can steal our credit card details, passwords, and everything else that we want to keep safe.  The Snowden documents suggested that the NSA and GCHQ have tried this, which, if true, is deeply irresponsible.

Thirdly, they can find ways to break into computers, phones and routers. They find this a lot easier than you might think and invest a lot of money in it.

Fourthly, they can seize your computer and demand any passwords.

Fifthly, they can go to a company like Google or Facebook with a legal order or warrant.

The problem is that GCHQ and the NSA don’t want personal security to get in the way of them looking at our data: they want banks of computers to check on everyone to make sure you don’t pose a threat to them. That is what bulk collection and analysis means, though they daren’t spell it out that way. Instead, they talk of “needles” being separated from “innocent hay”.

They will claim that they need to find every criminal and terrorist at the press of a button, and to do this, they must break encryption, and seize all of our data secretly. Even if that were true, the cost is enormous. It threatens the personal security of our online activity and leaves us vulnerable to criminal activity.  It also gives the intelligence services unrestricted powers to monitor our communications continuously. Perfect surveillance is a kind of omniscience that most people would not trust ordinary mortals with.

Hannigan is right: privacy is not an absolute right, but that does not mean it should be down to GCHQ or tech companies to decide just how much privacy we are entitled to. That should be down to our courts and judges. We expect that GCHQ will nearly always be able to get what they ask the courts for. This may not be everything they want to get hold of, but democracy and freedom mean that government agencies don’t get to have all of the information, all of the time.

This article was originally published by The Independent.

 

 





October 18, 2014 | Richard King

Hacking for your digital rights

On 4 October, twenty people got together for a digital-rights hack-day at Mozilla's community space in Covent Garden. Find out what happened and how you can help take the projects we started further.

The day was all about planning and prototyping hacks to help defend digital rights directly, raise awareness of ORG's issues, support our campaigns with evidence and make ORG more accessible to everyone. It was also a great way to bring together and celebrate our technical community, which has gone from strength to strength this year.

Here's a run-down of the hacks, ideas and prototypes people came up with on the day:

You can also check out a few photos of the day on Flickr.

We're really excited about the creativity and viability of all these ideas - and we want to support the community to bring as many of them to fruition as we can. If you're inspired by any of these projects and would like to help take them further, please introduce yourself on the technical volunteers mailing list, or drop by our IRC channel to say hello. You can also find us on github.

If you fancy joining us in person, grab a ticket for ORGCon (15-16 November), where on day two we'll be holding another day-long hack-fest as well as workshops and other sessions on digital-rights activism. We will also be running a session at the Mozilla Festival (24-26 October) looking at how to build on blocked.org.uk - please come and say hello if you get the chance.

Happy hacking!

Updated on 31/10/14 to include a link to the github page for the "kickstarter for election candidates" hack.



October 14, 2014 | Ed Paton-Williams

TTIP's threat to our privacy and culture

TTIP (the Transatlantic Trade and Investment Partnership) is a trade agreement currently being negotiated behind closed doors between the United States and the European Union. The agreement is supposed to "increase trade and investment" but there are significant concerns around its potential negative impact on democracy, the rule of law, innovation, culture and privacy.

Many activists are concerned that TTIP will lower regulations that protect us - for example, environmental and food safety laws. TTIP could also lead to the opening up of public services, like those provided by the NHS, to US companies - who would be able to sue the UK government if they believe legislation would lead to a reduction in their profits.

NoTTIP Demonstration - Open Rights Group placards

TTIP - pronounced "tee-tip" - is just one of many international trade agreements. Very few of them are well-known and the acronyms for them can get a little bewildering. One thing that is common to many of the recent agreements is Europe and the USA pushing for measures that would jeopardise our digital rights. We need to be vigilant against the threat that TTIP poses for our privacy and culture.

A (relatively) well-known trade agreement is ACTA (the Anti-Counterfeiting Trade Agreement). The EU, the USA and nine other countries negotiated ACTA between 2007 and 2010. ACTA made Internet providers legally responsible for copyright infringement on their network. To determine whether their users were infringing copyright, providers would have been strongly incentivised to carry out deep, intrusive surveillance on all of our Internet usage, regardless of whether we had actually infringed anyone's copyright. This would have been an enormous invasion of our privacy. Thanks to huge public protests across Europe, the European Parliament rejected ACTA in 2012 with a 92% majority.

Another trade agreement that is currently being negotiated is the TPP (Trans-Pacific Partnership). The USA is working on the TPP with twelve countries in the Asia-Pacific region. Leaks of the intellectual property (IP) chapter show that the USA is pushing for very restrictive measures on IP that would invade privacy and impact upon freedom of expression, beyond even those in ACTA.

The EU and Canada have just finished negotiating CETA - pronounced "see-tuh" - (the Comprehensive Economic and Trade Agreement). The 2009 leak of a draft IP chapter of CETA revealed extensive European demands for Internet provider liability, strict rules on technical restrictions on media that we buy and longer copyright terms. Europe wanted a more repressive IP framework that would have put the interests of major content owners above the need for innovation, culture and privacy.

There is good news though. Those measures have been dropped in the final CETA text. As Canadian academic Michael Geist points out, one of the likely reasons for this is that Canadian negotiators wanted to keep the relatively consumer-friendly copyright reforms that Canada introduced in 2012. TTIP negotiations will not have this moderating force with regards to the IP provisions.

Discussions on IP in TTIP are at a relatively early stage and the relevant chapter has not been leaked. There are, however, reports of USA negotiators asking for measures in TTIP to encourage Internet firms to bypass the rule of law and voluntarily police IP themselves "in good faith". This could mean (mainly American) companies voluntarily removing content, blocking websites, demoting search results or withholding payments without the normal checks required by legal processes. US law being implemented on a global scale by US companies is not something we should accept.

The USA and Europe have a history of proposing extremely restrictive IP measures. We must stop TTIP from invading our privacy and inhibiting our culture and freedom of expression. As the defeat of ACTA shows, we can defeat undemocratic trade deals. We will be watching the TTIP negotiations closely to make sure our fundamental rights are not threatened.
