

September 25, 2015 | Pam Cowburn

ORG launches Corporate Supporter Scheme

It has been ten years since 1,000 digital activists donated £5 a month to create Open Rights Group. As we approach our 10th anniversary, we now have over 3,000 paying members. Then, as now, ORG’s mission was to support the rights of individuals. Our core belief is that people have the right to control their technology, and we oppose the use of technology to control people.

Many organisations, and the people who work for them, also recognise the benefits of fair laws, transparency and an open and free Internet, which benefit them as well as citizens. A number of businesses have supported us for many years - for example, Bytemark provide our web servers and Andrews & Arnold are instrumental in the running of our Blocked project. Now, ORG has launched our Corporate Supporter Scheme to invite more organisations that believe in digital rights to support our work. We’re delighted to announce that the first businesses to become official ORG Corporate Supporters are Andrews & Arnold, Grit Digital and Valcato Hosting. We hope that many more organisations will join them.

There are many examples of shared areas of concern for individuals and businesses. One of these has been recent media speculation about Government plans for accessing encrypted communications. With issues such as this, the tech sector benefits from ORG calling for the right to encrypt our communications and online transactions. Equally, our campaigns can benefit from their support – not just financially – but by adding their voice to the debate. Getting the business perspective on Government policies and technical developments will also help us to have more informed policy positions. After all, it is often businesses that have to implement Government policies and they are very aware of their flaws.

Human rights are at the heart of everything we do, so we will only invite companies and organisations that support our aims and values to become Corporate Supporters, and we won't, at any point, start promoting their products.

We'd like to thank our Corporate Supporters for helping to make ORG's work even more effective. If you run or work for a business that supports digital rights, you can find out more about our Corporate Supporter scheme here, or by emailing me for more information: 


August 21, 2015 | Javier Ruiz

Police body worn cameras raise security and privacy concerns

Concerns have been raised over the handling of footage from police body worn cameras.

Body worn camera CC-BY-SA 2.0 West Midlands Police

Sky has reported that UK police are using body worn cameras from the company, which automatically uploads the footage online. This company is a subsidiary of TASER, makers of the well known electric shock devices. Their piece says that questions have been raised about the safety and security of the footage, with shadow Labour minister for policing, Jack Dromey, asking for reassurances from the Home Secretary.

The criticism has focused on the company's use of third party cloud computing, Amazon Web Services. This has led to concerns about the location of the footage, and the possibility that employees of the companies involved could be accessing confidential information.

Looking at their stated security practices, the company seems to have taken some reasonable basic precautions, such as encrypting the footage during transmission and in storage. Encryption is particularly important in cloud computing, and not just due to concerns about access. The same mechanisms that provide resilience against data loss — e.g. multiple copies combined with the development of more persistent data storage technologies — make it very hard to ensure that data is ever fully deleted.

Destroying the keys to scrambled data would be easier than trying to securely wipe sections of multiple disks scattered around a global network of data centres.

In this context control over the encryption becomes critical, and this system may not be secure enough. The company's approach to protecting the footage makes access very difficult for third parties, including Amazon (unless they also store the encryption keys in their systems). But it is less clear whether employees of the company themselves can decode the encrypted footage. Strong end-to-end encryption where only police and their auditors can access the materials should be required.

In addition to these technical issues, there are other questions for the company. Open Rights Group first learnt about their role in May 2015, and immediately contacted the company asking for information about their legal compliance with data protection. We received a reply from TASER stating that this was a matter for the police forces involved:

"As you may expect, TASER International Inc as a company and also its international subsidiaries are well aware of the complex and variety of the issues surrounding data safety, data management, data transport and data protection laws.

Due to the fact that TASER does not write these laws, we comply with the highest world class standards of data safety. With regard to data protection, our customers are writing the specs. All we do, is providing software as a service. In other words, Taser works very closely with its customers to comply with local legal requirements and laws.

This being our very clear position, only our customers can answer your question."

We pressed the issue — without further reply — asking specifically about their compliance with legal requirements for the transfer of personal information to an organisation based outside the EU. This normally requires that the organisation hosting the data can assure that the information will remain protected to a similar level as if it had never left the EU. We received a response from TASER International in the Netherlands, but the subsidiary is based in the US and it is unclear who exactly has received the data. Legal assurances can be achieved through contract clauses, or in the case of US companies, via the “safe harbor” scheme arranged by the US Dept. of Commerce. It appears that the company may be using Amazon’s EU cloud servers, but in itself this is not enough to provide assurances.

The police statements asking for assurances about the destruction of the data from the pilot — quoted in the article — are quite worrying, as they imply that the police may not have a legally binding agreement for how the data is handled. We expect the Information Commissioner will be looking into this.

The use of CCTV is regulated under the Protection of Freedoms Act 2012. The Surveillance Camera Code of Practice pursuant to the Protection of Freedoms Act 2012 provides operational guidance to public authorities, but is thin on body worn cameras.

The Information Commissioner has also published guidance on CCTV, with a specific section on body worn cameras. This tells police that the footage should be stored “in a way that remains under your sole control”, which may not be the case with TASER.

The use of police body worn cameras is a thorny issue. It could have some positive effects from a civil liberties perspective. Continual recording would mean that all of a police officer’s daily activities would be recorded and they would be fully accountable for their actions. But it would also mean that many members of the public, who are not involved in crimes, would be captured on film and this would be an unnecessary intrusion on their privacy.

If cameras are under the control of the officer, selective recording could lead to accusations that video footage is misleading, has been taken out of context, or deliberately manipulated to secure a conviction.

But constant recording could have perverse effects and remove the ability for police officers to use their discretion. If they were wearing cameras, they might feel obliged to pursue minor infractions, which they might deal with differently otherwise.

A particularly problematic aspect is wearing cameras at demonstrations. This may deter heavy handed dispersal tactics by the police – or provide evidence of them if they occur. But cameras would also give the police a visual record of everyone who attended a particular demonstration. How might that footage be used afterwards? Could facial recognition software be used to identify people to keep a note for future demonstrations or investigations?

Given the appetite for footage of real criminals being arrested, there are also risks of videos being leaked, hacked or shared inappropriately and this would be a severe breach of privacy.


August 05, 2015 | Jim Killock and Maxine Chng

Should file sharers face ten years in gaol?

New proposals to make online copyright infringement a criminal offence risk punishing users who share links and files online more harshly than ordinary, physical theft.

The IPO has recently started consultation on proposals to increase the maximum prison sentence for criminal online copyright infringement to 10 years, aiming to match sanctions for online copyright infringement with physical copyright infringement. The rationale behind this is that similar offences should attract similar penalties, regardless of the platform used in committing the crime.

Although ORG agrees with IPO's rationale that the online environment should not confer less protection, IPO's proposals are problematic. The existing offence is outlined in section 107 of the Copyright Designs and Patents Act. It can be brought against both criminals who deliberately infringe copyright by operating filesharing services and also against people who share links and files without the intention or knowledge that it would actually prejudice the copyright owner.

The IPO is suggesting that people can be sentenced for up to ten years for online copyright infringement that “affects prejudicially” a copyright holder. While this may sometimes be appropriate, the underlying offence is very broad, and requires no intent on the part of the offender. There is no separation in the offence between different kinds of infringement, which opens the possibility of non-literal copying, such as excessive quotation or incidental use, being the subject of these offences. 

We are particularly worried that this could lead to heavy handed punishments for individuals who are sharing files, who may have no intent to harm or cause damage. While such people should be seen as committing a civil offence, they should face more appropriate punishments. By means of comparison, ten years gaol is longer than the maximum penalty of seven years for physical theft, which requires actual intent.

Commercial infringements “In the course of a business” can be much more reasonably targeted by harsher sentences, but here too there are risks as there is no easy way to distinguish between a legitimate business making mistakes and one seeking to abuse the copyright of others for profit.

In all cases, there is scope for exaggeration and misconception of the scale of damage being created. Online infringement is hard to estimate and damages are often assumed to be much higher than in cases of physical infringement. It is therefore much easier for an individual to appear to be “affecting prejudicially” the business interests of another, and find themselves accused of committing a criminal offence with a very long possible gaol sentence. This is inappropriate.

Anne Muir's case from 2011 illustrates exactly the dangers of parity as proposed by IPO. She admitted to distributing copyrighted music files worth up to £54,000 using a filesharing application. Lawyers claimed that she uploaded files to build her self-esteem. She did not financially gain: while she certainly sounds misguided it seems unlikely that she should be regarded as a hardened criminal.

There are already criminal sentencing options that are tough enough to deal with organised online copyright infringers. The Federation Against Copyright Theft has on previous occasions carried out private prosecutions under the Criminal Justice Act 1987's common law conspiracy to defraud. This offence fetches a maximum sentence of 10 years – the same as physical copyright infringement. It is also not difficult to obtain conviction for conspiracy to defraud under Fraud Act 2006. All that must be proved is false representation, a failure to disclose information or abuse of position. Intention to defraud is not at all required.

For example, in 2012, Anton Vickerman was sentenced to 4 years imprisonment for allegedly causing losses of up to £198 million. He had been operating an illegal streaming website called "SurfTheChannel". Compare this with the defendant in R v Hatton (2008), who was sentenced to 18 months imprisonment for pirating 20,000 DVDs.

People committing crimes should be punished, and copyright should be supported by enforcement. However, copyright should be subject to the same kinds of standards as other crimes. As this offence stands, it is much stricter and harsher than other kinds of crimes, and therefore risks bringing copyright into disrepute should individuals be prosecuted and threatened with long gaol sentences for non-commercial misdemeanours. We are therefore asking for the sentence to be left as it stands.

The offence itself, to infringe "otherwise than in course of a business to such an extent as to affect prejudicially the owner of the copyright" needs to be removed or modified to exclude non-commercial infringers, or introduce notions of intent to harm alongside qualifications to measure the kind of harm being targeted. Once this is done, longer sentences targeted at commercial infringers may be justified.

The IPO's consultation closes on 17 August 2015, 11.45pm. You can respond by using our online form.



July 28, 2015 | Maxine Chng

Answers needed from the Copyright Police

The City of London Police's Intellectual Property Crime Unit (PIPCU) has been the subject of controversy following take-down notices sent to overseas domain registrars. We believe they need to strengthen their commitments to due process, independence and transparency.

The City of London Police's Intellectual Property Crime Unit (PIPCU) first became operational in 2013. According to PIPCU's website, the unit is aimed at tackling serious and organised IP crime committed using an online platform. The unit is publicly funded by the Intellectual Property Office.

A few months into PIPCU's operation, there was an international controversy regarding easyDNS. PIPCU had sent notices to the Canadian-based domain registrar, requesting them to take down an alleged copyright infringing website, but without court orders. easyDNS refused to comply and had even initiated a Transfer Dispute Resolution Process against another registrar who complied with PIPCU's request and refused to allow three of its domains to transfer away to easyDNS. The National Arbitration Forum decided in favour of easyDNS, recognising that allowing a registrar to withhold transfer based simply on a law enforcement agency's suspicion and without judicial intervention gives way to potential for abuse.

PIPCU also runs Operation Creative: a partnership with UK's advertising industry and rights holders, formed to prevent websites from providing unauthorised access to copyrighted material. Specifically, Operation Creative seeks to disrupt their ad revenue streams.

Because of public concerns, ORG started corresponding with PIPCU in December 2013, asking for clarification on several matters:

Due process
PIPCU has been making take-down requests without a court order. This sidesteps the legal safeguard of due process which requires the state to respect all individual rights. The authority to compel the take-down of websites is a significant power because it censors the internet. It decides what kind of information people may provide or receive. A court order is necessary to ensure that these decisions have not been made arbitrarily and to check that the party carrying out these requests has the proper legal basis to do so.

PIPCU claims that its operations are fully independent. However, this may be threatened in relation to Operation Creative. As part of this operation, private right holders are able to influence PIPCU's activities by identifying and reporting the alleged copyright infringing sites to PIPCU. PIPCU then takes action, sending take-down requests to domain registrars. These registrars are then requested to redirect the IP address of these websites to a notice displaying links to paid commercial alternatives. This situation is concerning because Operation Creative's members are able to enjoy greater market power compared with businesses that are not involved in PIPCU's partnership initiative. It is puzzling why certain businesses should receive free advertising.

Although the officers from PIPCU will evaluate the strength of the evidence reported against the websites, it is unclear what guidelines advise PIPCU's decisions. PIPCU has told ORG that sites must have satisfied the criminal standard of proof in order for action to be taken, but this is a technical legal concept which is unclear to the public. Instead, it is necessary to publish clear criteria which are easily accessible by the public, especially since the same infringing activities are capable of being treated either as criminal or civil.

Also, PIPCU currently does not publish its Infringing Website List, but shares it amongst Operation Creative members only. We think that the public should not be kept in the dark about decisions that detrimentally affect the type of information they are able to share and receive.

We have written to Commander Head of PIPCU, stressing these concerns. Our series of correspondence can be read here:


July 22, 2015 | Maxine Chng

UK Court rules DRIPA unlawful

Last week, the High Court ruled that the Data Retention and Investigatory Powers Act 2014 (DRIPA) was inconsistent with EU law.

The successful judicial review was brought by Liberty, represented by David Davis MP and Tom Watson MP, with ORG and PI acting as intervenors.

The case was originally presented as a human rights challenge, but the central questions that were examined in court concentrated on whether or not the powers conferred by DRIPA were compatible with EU law. These were questions that ORG brought to the court. In answering this question, Lord Justice Bean and Mr Justice Collins confirmed that EU law, as set out by the Court of Justice of the EU in the case Digital Rights Ireland (DRI), is indeed applicable to UK law.

The High Court ultimately found that DRIPA was incompatible with EU law and referred to two Court criteria laid down by the CJEU in the DRI judgment. Firstly, DRIPA failed to provide clear and precise rules regarding the access to and use of the retained communications data. Secondly, DRIPA does not make prior review by a court or an independent administrative body a mandatory requirement for access to the retained data.

Although it is now clear that the DRI judgment applies to UK law, not all of the CJEU's demands have been accepted by the UK courts. One of the remaining issues is that the retention of data should be restricted to a particular time period, geographical area and/or persons. However, the High Court thought that such a restriction would be completely impractical. According to the High Court:

“The CJEU cannot have meant that CSPs [communication service providers] can only lawfully be required to retain the communications data of “suspects or persons whose data would contribute to the prevention, detection or prosecution of serious criminal offences”. Such a restriction would be wholly impracticable. Rather the Court must be understood to have held that a general retention regime is unlawful unless it is accompanied by an access regime which has sufficiently stringent safeguards to protect citizens’ rights set out in Articles 7 and 8 of the Charter.”

This makes way for general retention practices which may be over-broad. We should note that the CJEU in DRI was specifically concerned about the proportionality of any interference with the rights guaranteed under the Charter. It is difficult to see how such general retention powers can be proportional, given that they affect even persons for whom no evidence exists to suggest their involvement in serious crime.

The High Court ruled that a general retention regime must be accompanied by an access regime, whereby there must be prior review by a court or an independent administrative body.

An access regime is necessary to ensure that the access to and use of such data is strictly restricted to purposes such as national security, defence and public security. However, an over-broad data retention practice may not be counteracted simply with a narrower access regime. This is because broad retention practices create a large pool of personal information that can still be preyed upon by those who are not authorised to access it. Data retention in a generalised manner also creates a chilling effect, capable of undermining the freedom to information as users' distrust of the internet as a means of communication grows.

The High Court has also opened the question of UK's authorisation regime for data requests. The CJEU judgment requires independent prior review for access to retained data. This judgment does not address personal data held by telecoms companies for business purposes or with consent from users. The access regime for personal data retained or just held is provided under RIPA, which allows for self-authorisation by the police. It would be highly impractical to run two separate access regimes for retained and other personal data. Now that the court has flagged this matter up, the Parliament has the opportunity to reconsider the access regime as a whole.

The High Court's judgment is very welcome as it asserts the supremacy of EU law which has properly considered the retention and protection of data. A similar question with regards to the general retention of data has also arisen in Sweden, with their courts asking the CJEU to clarify if:

“Retention [may] nevertheless be permitted where access by the national authorities to the retained data is determined as described below; security requirements are regulated as described below; and all relevant data are to be retained for six months … and subsequently deleted…..?”

This issue is still ongoing as the CJEU's final opinion is yet to be seen. Worryingly, the CJEU may not hear from civil society intervenors. Similarly, we can expect the UK government to appeal the decision and perhaps request a reference back to the CJEU. Meanwhile, other countries – including Belgium, the Netherlands, Germany, Austria, Bulgaria, Romania and others – have removed data retention from their laws. So far, their police seem to be detecting crime without major complaints.


July 14, 2015 | Jim Killock

RUSI review adds to consensus for reform

The RUSI review offers few surprises, and has turned out to be less a trailblazer, and more an indication of what the security establishment believes the agencies might accept.

Their Panel included three former senior security staff, and RUSI are themselves very close to the UK’s defence and security apparatus. Thus the tone of the report was always likely to address the concerns of GCHQ and the Foreign Office before those of civil society. Martha Lane Fox, Ian Walden and Heather Brooke will have had a tough job to help produce a relatively balanced report that does at least go some way to address wider concerns.

RUSI follows reports from the Independent Reviewer of Terrorism Legislation, David Anderson, and the Intelligence and Security Committee, so makes reference to many of their ideas. The RUSI report does less well than the Anderson Report in one very key regard: it does not set out the need for human rights courts to set the boundary between “bulk collection” and “mass surveillance”. It is hard to say that bulk collection should never take place (it might sometimes be necessary and proportionate) but it will rarely happen in isolation. Combined with processing and profiling, it is hard to see GCHQ’s activities as anything other than mass surveillance.

The reason that all of the reports have strained to avoid calling out the government on mass surveillance comes in two parts. Firstly, the ISC, Anderson and RUSI are to different extents insider voices. Anderson has been the most independent and critical, but is playing the role of a reviewer, not a human rights court. He has maximised his ability to make constructive criticism, and advance sound ideas of reform, but stepped back from making the most serious challenges, leaving this question to higher powers, in the form of the courts. The ISC published a report which mixes justifications with good ideas for change, but is less critical than Anderson. RUSI falls somewhere between the two.

The important thing to note is that consensus is emerging on many areas, especially around the need for much stronger oversight and clearer laws. All the reports focused on the need to rewrite RIPA, as essentially incomprehensible. Anderson and RUSI talk about merging the fractured Commissioners to ensure that their role is strengthened. All three want better means for individuals to seek redress through the Investigatory Powers Tribunal and to appeal if it rules against them.

Anderson opened up the call for judicial warrants for interception, and RUSI has come some way to accepting this idea. Both RUSI and Anderson back the idea of international treaties to govern data requests (called Mutual Legal Assistance Treaties, or MLATs) as a key mechanism for gaining access to material needed in investigations.

RUSI is silent on the question of new powers of bulk collection and analysis that we are expecting to be proposed for the police in the proposed Investigatory Powers Bill this Autumn. RUSI focuses on technical oversight and improving national police strategy and training.

Theresa May however has indicated she wants the powers she was denied when the Snoopers’ Charter, or Communications Data Bill was dropped. The ISC stopped short of demanding these powers in their report, and Anderson said that any such capabilities needed to be preceded by a clear operational case, which he had not seen. However, after the recent atrocities in Tunisia, the Home Office will likely sense an opportunity to push Labour towards a consensus for new powers, even if they are entirely unrelated and unlikely to help. Labour should simply apply the tests that Anderson has placed in front of them: what problem are the capabilities actually supposed to be dealing with and at what cost?

RUSI’s report no longer has the political clout stemming from its original association with Nick Clegg as Deputy Prime Minister. The benchmark for reform is the Anderson report, as it was commissioned through Parliament, and Labour claim it as their concession for backing the emergency DRIP bill. If we expect the government to seek cross party consensus, then we should be looking to Anderson to persuade Labour and independent-minded Conservatives of the kinds of change they should be looking for.


July 10, 2015 | Jim Killock

Caspar Bowden

We’d like to express our sorrow at Caspar Bowden’s passing, and to note some of his very remarkable achievements over the last few years. Caspar has been an active member of our Advisory Council since joining it in October 2013 and helped us greatly with our views on surveillance policy, security and European data protection.

Among his contributions to ORG were a series of lectures he gave prior to the PRISM revelations, where he pointed out the gaping holes in US legislation that could allow bulk collection and access to US corporations’ data vaults. At the time, he was pretty much the only person in Europe making these points, cogently and loudly.

Caspar also condemned the holes in European data protection legislation that made US political surveillance impossible to resist. He was consistent in showing the flaws in data transfer rules that would make Europeans’ data rights increasingly impossible to protect. On all these points, Caspar has been setting the agenda, and pushing harder than the Commission or US governments would like. Doing that puts you in a lonely place, and often does not win you friends, but his analysis and assessment of the importance of these points has been shown by events to be correct.

Caspar helped ORG with our work on the Snoopers’ Charter, which is the bastard child of data retention, itself one of his career long fights. He wrote in his chapter on data preservation for our report, explaining how data retention was being combined with collection and analysis:

The Home Office has the Olympic chutzpah to call the apparatus for data-mining all this information a “Filter”, and to justify it in the name of human rights. It says that by connecting up a virtual database (to hunt for arbitrary patterns of suspicion in all the data), they won’t have to build a new central database. But the point is the untrammelled power to hunt through every private life with the tools of military intelligence … It ought to be obvious that continuously recording the pattern of interactions of every online social relationship, and analyzing them with the “Filter”, is simply tyrannical.

Those kinds of observations are what made him an inspiration to campaigners and activists in the digital rights movement.

Caspar, you’ll be missed.



July 09, 2015 | Maxine Chng

DRIPA challenge in court today

The challenge to DRIPA brought by David Davis and Tom Watson was discussed in court today, as the government sought to refer key questions to the EU courts.

Last year, Tom Watson MP and David Davis MP, representing Liberty, brought judicial review proceedings to challenge the Data Retention and Investigatory Powers Act (DRIPA). Earlier this year, ORG and PI were granted permission by the court to intervene and made points about European law. Initially focusing on a question of compatibility with the European Convention on Human Rights (ECHR), the proceedings now concentrate on DRIPA's conformity with EU law, particularly Article 15 of the ePrivacy Directive.

Generally, the ePrivacy Directive provides for the individual right to confidentiality, erasure and anonymity of one's communication data. Article 15 sets out an exception, whereby Member States can restrict those rights when “necessary, appropriate and proportionate” to safeguard, among others: national security, defence and public security. ORG and PI highlighted in our interveners' submission that the Court of Justice of the European Union (CJEU) in Digital Rights Ireland (DRI) had already set out the requirements that domestic law must follow in order to comply with Article 15.

Since then, however, the government had requested a reference from the CJEU to clarify how the DRI decision affects UK law. A hearing was held at the Royal Courts of Justice on Thursday morning to determine if the request for reference should indeed be granted.

The government claimed that the CJEU's decision in DRI was in relation to a different legal context, as it was made in reference to the Charter of Fundamental Rights of the EU. On the other hand, the current case tests DRIPA's compatibility with the ECHR or ePrivacy Directive.

Liberty opposed the government's request for a reference, concerned that a reference from the CJEU would only delay the judicial review proceedings. They contend that the relevant principles of EU law are already clear and have been fully considered by the CJEU in DRI. The court agreed and rejected the reference request. A draft judgment is expected to be issued next week.
