Blog


September 20, 2013 | Jim Killock

Say no to the Nomitax!

This coming Monday, Nominet's consultation on a .uk domain ends. We are asking everyone to respond and say 'no'.

Nominet were told to stop creating new second level domains (like .co.uk or .me.uk) because they are a monopoly; instead an independent consultative group decides when new .uk domains are needed. This group also decides who controls them, to avoid Nominet simply inventing new second level domains (SLDs). This is important, as many people want to own all the domains potentially associated with their personal or company name. Only genuinely new and non-confusing SLDs should be added, so that this problem is avoided.

Nominet have circumvented this attempt to stop them printing money and demanding new registrations from UK domain owners, by asking to allow anyone to own a top level .uk domain. This means you will now be faced with registering not just mydomain.co.uk and mydomain.org.uk but also, if you want to control the name, mydomain.uk – resulting in a windfall for the cash-rich Nominet, but plenty of problems for everyone else.

For instance, in the future, how will you know if someuniversity.uk is a real university, or just another commercial outfit posing as an HE establishment? Will thelawcommission.uk be a government body, or a private entity?

Aside from this confusion, Nominet's consultation makes an extraordinary attempt to argue that it needs more cash because it operates in the public interest, so more cash means more public interest activities for the public.

This is the standard argument for a tax, not a new round of domain registrations. Nominet are not entitled to make such a tautologous argument: their public purpose is to provide a secure and trusted domain registry service.

If their new registry policy does not serve that – and they don't manage to argue that it does – then they cannot simply say that more cash for Nominet is a great reason to charge UK domain owners for new domains.

You can respond using their online form. You can also read their full consultation page and our response.

Say no to the Nomitax!

[Read more] (2 comments)


September 06, 2013 | Jim Killock

The security services are stripping us of basic Internet security

The latest revelations from the Guardian give good evidence of why they have recently been the target of government harassment, and also why this is entirely unjustified.

Their reports of NSA and GCHQ attacks on fundamental Internet security really matter. These are the basics of trust on the Internet; they are the reason you trust your bank, your credit card payments or Virtual Private Networks not to leak this information to criminals, blackmailers or governments.

Thus the real impact will not just be about security, it is about economics.

Of course we all expect the NSA/GCHQ to try to break encryption systems from time to time; it's their job. The problems arise when they make us all vulnerable as a result.

From the Guardian article, it appears they use threats and secret orders given to commercial companies to insert backdoors that must now undermine our trust in very common software products. They covertly insert vulnerabilities that weaken security of technical systems for everyone, not just their targets.

The idea that this won't be abused by yet unknown parties can only be naïve optimism, plain stupidity or complete disregard for anything other than the NSA and GCHQ's mission.

How it works

This isn't about breaking the maths - at least not usually - it's about exploiting the 'joins' between the pieces of software, introducing flaws in the implementation of cryptology, and more general 'backdoors' to the communications, which don't rely on the cryptology. Schneier gives some good examples.

Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake.

The agencies seem to be doing this directly with companies and standards bodies, on a very wide basis. Many of the exploits are better thought of as exploiting software vulnerabilities.

Thus their strategy relies on people trusting big companies, or not paying attention to the work of standards bodies choosing security protocols.

However, the focus on what cryptographic weaponry the NSA and GCHQ might have in their toolchest risks distracting from the far more pressing problem of poor operating system and application security. When it is possible for teenagers to own botnets containing hundreds of thousands of compromised machines, why would spy agencies waste their time and effort on the hard problem of attacking cryptographic protocols? It is far easier to simply take control of their targets' computers. All the crypto in the world will not save you if there's a virus on your machine - and one thing we know for sure is that it is very easy to attack most computers. No speculation about esoteric mathematics is required to see the truth of that. As Snowden says:

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

The weak point the agencies in practice seem to be using is software security, rather than crypto.

What this means: Economic and rights implications

Vulnerabilities and backdoors are open to anyone, potentially, to exploit. While the NSA and GCHQ may benefit, other foreign intelligence or criminal gangs could use some of the same exploits. For instance, VPN technology is relied on by businesses for security.

This pushes the whole policy outside of the realm of national security and into economics and competition, with important consequences for the UK government, given its role in the affair.

As long as the NSA/GCHQ surveillance scandal remained within the framework of national security, EU rules would make it the exclusive competency of member states. The UK could tell the European Commission to back off.

But given the clear economic implications for the wellbeing of millions of European citizens, it will be hard to argue that this remains a UK issue. We will have to push hard to get the EU to acknowledge this when so many of the member states are complicit. The others are not necessarily critical, either. Only the economic consequences are likely to help us make the EU take this up and investigate.

Our rights to privacy are important for many reasons, including as a backup to free speech. They are a bulwark against abuses of the state and a means to retain our personal freedom on a day-to-day level. But we know at times they can be compromised, for reasons of state security. Programmes like these, however, take matters even further than mass data collection, as they compromise our rights in a pervasive way without our knowing who exactly might wish to remove our privacy and security. It is both a massive overstepping of government power, and simply irresponsible.

What we can do about it

Standards bodies seem to be one place where the security services have deliberately tried to introduce vulnerabilities. The Guardian say:

[a] secret document … shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006. "Eventually, NSA became the sole editor," the document states.

In the USA, according to Pro Publica the NSA Commercial Solutions Center invites vendors to submit their software for assessment, but this in fact seems to be a mechanism to compromise their products.

Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

There is a clear conflict of interests in allowing intelligence services to specify other people's security standards.

In the UK, the Communications-Electronics Security Group (CESG) approves communications technologies for government or people contracting to them. They are a civil arm of GCHQ: the rationale previously being that they should know about security. Their website lists several commercial certification products. Some of these are geared to companies trying to sell to government, but others are about simply giving approval to technologies and processes.

We have a simple question to CESG: have CESG approved any product that is known to be compromised by GCHQ or the NSA? And if they have, why should anyone take their security approvals seriously in the future?

They need to be made into fully transparent, public interest bodies that run independently of the security agencies, and perhaps government. Information Assurance and signals intelligence simply cannot be associated roles.

For yourself, use Open Source security technologies: if you can't read the code, you don't know how the software might actually operate. If the code is open, then it can be reviewed - if not by you, then by people you trust. Use transparent and interoperable encryption wherever you can, as Schneier recommends, to make it as hard as possible for the security services.

[Read more] (3 comments)


September 05, 2013 | Jim Killock

Nudge censorship: questions for ISPs and government

Back on 18 June, Maria Miller MP brought Internet companies to her office to talk about what can be done about various types of undesirable, offensive, adult or illegal online content.

A few weeks earlier, she wrote to some of these companies to shake them down, asking what money they could promise for an education campaign that nobody had specified, discussed or designed.

Behind this was the Prime Minister David Cameron's wish to announce something in a forthcoming statement.

We all know about that statement; in it he announced Nudge Censorship plans and that all the major Internet companies are going to install network level filtering.

At the time that Maria Miller was meeting Internet companies, we wrote with Index on Censorship, Big Brother Watch and English PEN to insist that civil society organisations be involved in discussions about any kind of censorship – including nudge censorship. This is because unintended censorship harms free expression whatever the original intent. Our concern is about content that is legal and that the government should not restrict.

These problems are of course much worse with the proposed "adult filtering". As we know, the categories of content will be extremely wide.

However, Maria Miller did not invite us to those meetings. At the time we heard that they were very heated, and dominated by Claire Perry MP, who works as advisor on these issues to David Cameron. As we know, she thinks problems with false positives are "a load of cock", which rather emphasises the need for groups like ours to be present to ask the difficult questions.

As the government had seemingly failed to look at the difficult issues, we sent twenty questions about implementation to the major Internet Service Providers. They concentrate on privacy, liability for mistakes, correction of mistakes, transparency for website owners, the set up process and what precisely is filtered other than http (normal website) traffic.

We asked the ISPs to provide us with answers last month. They have all promised us responses. We haven’t received any yet. BT say they will give us an answer today, we expect Virgin and TalkTalk's shortly and we are waiting to meet with Sky to discuss their answers.

Today we are meeting with Ed Vaizey MP, the Minister at DCMS responsible for the Internet, to discuss these issues. We will ask Ed's officials whether they have considered any of the questions we have asked, and explain why they are so important.

[Read more]


September 03, 2013 | Jim Killock

Music industry try to revive the Digital Economy Act

There must be an election coming: the Prime Minister is listening to the demands of the music industry for new clampdowns on file sharing.

According to the Drum, music industry group the BPI will sit down with him at a breakfast meeting on 12 September. 

Simultaneously, Internet Service Providers (ISPs) are being asked by the BPI to implement 'voluntary' letter writing schemes, including databases of alleged downloaders, at the behest of rights holder groups.

Such schemes will have the same problems they did some years ago when ISPs rejected the idea. The principle of harvesting data without consent is extremely hard to accept. Back in 2010, the European Data Protection Supervisor Peter Hustinx made it clear that he does not think it is reasonable or proportionate as an approach within EU law.

ISPs should be very cautious about being made to adopt law enforcement and content curation roles: they risk their position as neutral providers of a network.

As ISPs take on increasing duties over what content flows over their network, then it becomes possible to argue that they should be liable for that content, in specific circumstances, for instance, if they had failed to meet certain policing duties. This is the approach that we were left with in ACTA; private policing in return for a "safe harbour" or limitation on liability.

There is also the question of cost. The BPI could today implement a letter writing scheme, by requesting customer details through the courts, and then asking them to prevent further downloading or risk court action. The costs would have to be met by the BPI in full of course, and that presumably is why the BPI is not keen to use this route. Yet no doubt their claims of economic damage will be very large. If the costs of infringement are really so high, why isn't the BPI able to make a positive economic judgement to pay for letter writing themselves?

Online music revenues are increasing. Companies are learning to adapt to file sharing, by making their films and TV shows available online quickly, when viewers want to watch them. Despite the rhetoric employed by the BPI and others during the DEA debates, it was not necessary to provide warnings and threats of legal action in order to entice people to use Spotify, iPlayer or Netflix. Rather, the content and the services had to be compelling, and then, unsurprisingly, people started to use them, and to pay, directly or indirectly.

The real lesson of the DEA is that it was not justified. Punitive measures in relation to copyright enforcement will always seem over the top, and smack of a failure to appreciate that these businesses need to work for their customers by providing great user experiences.

Why are the BPI going after heavy-handed enforcement measures? Why do they still insist they need them? It is beginning to feel like the BPI are simply having to justify their existence, and think this is a way of doing it.

[Read more]


August 15, 2013 | Ed Paton Williams

Open Data Update

August is proving a busy time for open data. There are several initiatives and consultations that end in the following weeks.

Postcodes licensing

Hundreds of ORG supporters joined many others, including Tim Berners-Lee, in asking minister Michael Fallon not to privatise the Postcode database. Our pressure was not enough to stop the sell-off, but we managed to get Fallon to offer an olive branch in the form of free access for “micro-firms”.

This is clearly not enough, and we need to continue reminding the government that the Postcodes are part of the core national data the government plans to open up.

We have an opportunity to raise this issue once again. There is a consultation on new licensing for the Postcode database.

The consultation closes at 5pm on Friday 20th September.

UK Transparency: National Action Plan for the Open Government Partnership

The UK government has published its second Open Government Action Plan, a multilateral initiative that aims to secure concrete commitments from governments to promote transparency, empower citizens, fight corruption, and harness new technologies to strengthen governance.

Civil society groups - including ORG - have been contributing to drafting this plan over the past few months. The process has been positive, but we feel that many critical issues are not included. These have been listed in the Annex.

The draft plan is available for consultation here. But a quicker way to engage is to simply comment online on this interactive platform.

Both channels are equally valid. Consultation responses will be analysed jointly by the Cabinet Office Transparency Team and members of the civil society network.

This draft plan is now open for consultation until 19 September 2013.

The plan will be presented at the OGP summit in London on the 31st of October. ORG is organising some sessions at the summit on privacy and surveillance, and we will keep you posted nearer the date. You can pre-register here.

Public Administration Select Committee calls for evidence on open data

The Public Administration Select Committee (PASC) of the UK Parliament is conducting an inquiry into statistics and open data in Government, with a focus on the progress of the Government in implementing its Open Data strategy. This is part of PASC’s programme of work on statistics and their use in government.

Further information is available here. The deadline is 12 noon on Tuesday 3 September 2013.

HMRC consultation on data sharing

HMRC wants to be able to share more non-identifying information, including general and aggregate data as well as anonymised data sets. HMRC also seeks views on proposals to share VAT registration data, either publicly or under controlled conditions for specified purposes, for example, credit rating.

There are concerns that the proposals don’t go far enough from an open data perspective, and may end up simply funnelling valuable public data to large data brokers such as Experian that already know a lot about us. There are also obvious privacy risks involved in any mass sharing of anonymised data.

The consultation closes on 24 September 2013.

Data sharing is looking to become a big issue in the near future. ORG had a meeting with the Law Commission on this topic in July. They are planning to consult on changing the legal grounds for data sharing within government. Currently, departments have to prove the sharing serves a specific purpose linked to their mission. The proposals will make sharing the default.

[Read more]


August 14, 2013 | Lee Maguire

Virgin and Sky blindly blocking innocent sites

The blind over-blocking of innocent sites by UK ISPs apparently continues.

As reported by PC Pro, the systems implemented by both Virgin and Sky to stop access to websites blocked by the courts appear to be blocking innocent third-party sites with apparently little or no human oversight.  For example the website http://radiotimes.com was reported to have been blocked.

In order to understand why this specific issue happened, you need to be familiar with a quirk in how DNS is commonly used in third-party load-balanced site deployments.

Many third-party load balanced systems, for example those using Amazon's AWS infrastructure, are enabled by pointing CNAME records at names controlled by those third-party systems. For example www.example.com may be pointed at loadbalancer.example.net.  However, "example.com" usually cannot be directly given a CNAME record (CNAME records cannot be mixed with the other record types needed such as those pointing to nameservers and mailservers). A common approach is to point "example.com" to a server that merely redirects all requests to "www.example.com".

From forum posts we can see that it's this redirection system, in this specific case an A record used for "http-redirection-a.dnsmadeeasy.com", that has been blocked by the ISPs - probably a court-order-blocked site is also using the service - making numerous sites unavailable for any request made without the "www" prefix.

These incidents strongly suggest that the opaque approach to website blocking by ISPs, and the apparent lack of oversight, has the potential to be hugely damaging to the internet. Open Rights Group calls for greater transparency in this area, beginning with making the court orders available for public inspection.

[Read more] (6 comments)


August 09, 2013 | Lee Maguire

Website blocking measures lead to inadvertent censorship

A technical decision made by Sky in implementing website blocking has led to the blocking of news site TorrentFreak.

TorrentFreak reports today that Sky is currently blocking access to their site. Not as a deliberate act of censorship, but as an entirely predictable by-product of its system for complying with court-ordered website blocks.

When the owner of EZTV (a site ordered blocked on the 25th of July) automatically pointed UK visitors to torrentfreak.com, Sky's blocking system (which from court documents we believe to be codenamed "Hawkeye") apparently automatically added TorrentFreak's IP address to its blacklist.

Inadvertent denial-of-service by pointing DNS records at innocent third parties is an entirely predictable possibility for anyone attempting to implement blocking systems. If this explanation for the blocking proves to be the case, we'd be extremely surprised if the possibility had not occurred to the engineers responsible.

Open Rights Group continues our call for more transparency in the ways these blocks are performed, including access to the orders that would presumably limit the legal scope of blocking. If merely blocking the handful of sites that have received blocking orders in the past 12 months results in collateral damage (such as the blocking of promobay.org) we hold little confidence in the ISPs being able to implement David Cameron's default network filtering plans without causing significant disruption.
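Both of the blocking posts above (the shared redirect host behind radiotimes.com, and the EZTV records repointed at torrentfreak.com) describe one failure mode: a blocker that turns court-ordered hostnames into IP addresses and blocks those addresses without asking who else uses them. The Python script below is an added illustration of that mechanism and of the guard a defender would want; it is not code from Open Rights Group, Sky, Virgin or the "Hawkeye" system, and the zone data, hostnames and IP addresses are constructed. It models the apex-cannot-be-a-CNAME quirk (both apexes point at one shared redirect IP), a naive blocker that re-resolves ordered names, the collateral damage that results, a reverse index that flags shared IPs for human review instead of blocking them, and the repointing scenario from the second post.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed zone data (not real domains). A CNAME cannot sit at a zone apex,
# so "blockedsite.example" and "innocent.example" both use an A record pointing
# at one shared redirect host (203.0.113.10) that bounces visitors to "www.".
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "blockedsite.example":     [("A", "203.0.113.10")],
    "www.blockedsite.example": [("CNAME", "lb1.hosting.example")],
    "lb1.hosting.example":     [("A", "198.51.100.5")],
    "innocent.example":        [("A", "203.0.113.10")],
    "www.innocent.example":    [("CNAME", "lb2.hosting.example")],
    "lb2.hosting.example":     [("A", "198.51.100.9")],
    "news.example":            [("A", "192.0.2.77")],
}
# User-facing hostnames; the CNAME targets above are infrastructure only.
SITES = ["blockedsite.example", "www.blockedsite.example",
         "innocent.example", "www.innocent.example", "news.example"]
# Names covered by the (constructed) court order.
ORDERED_BLOCKED = {"blockedsite.example", "www.blockedsite.example"}


def resolve(name: str, zone: Dict, depth: int = 0) -> List[str]:
    """Follow CNAME chains until A records are reached; return the IPs."""
    if depth > 8:
        raise ValueError(f"CNAME chain too long at {name}")
    ips: List[str] = []
    for rtype, value in zone.get(name, []):
        if rtype == "A":
            ips.append(value)
        elif rtype == "CNAME":
            ips.extend(resolve(value, zone, depth + 1))
    return ips


def naive_blocklist(blocked, zone) -> Set[str]:
    """A blocker that keeps re-resolving the ordered names and blocks every IP
    they currently point at. Nothing asks whether an IP is shared."""
    return {ip for name in blocked for ip in resolve(name, zone)}


def collateral(blocklist, blocked, sites, zone) -> Dict[str, List[str]]:
    """Sites outside the order that the IP blocklist nevertheless breaks."""
    damage: Dict[str, List[str]] = {}
    for site in sites:
        if site in blocked:
            continue
        hit = [ip for ip in resolve(site, zone) if ip in blocklist]
        if hit:
            damage[site] = hit
    return damage


def guarded_blocklist(blocked, sites, zone):
    """Defensive variant: build a reverse index (IP -> sites using it) and only
    block an IP used exclusively by ordered sites. Shared IPs go to a review
    queue together with the innocent names that would be hit."""
    users = defaultdict(set)
    for site in sites:
        for ip in resolve(site, zone):
            users[ip].add(site)
    safe: Set[str] = set()
    review: Dict[str, List[str]] = {}
    for ip in naive_blocklist(blocked, zone):
        others = users[ip] - set(blocked)
        if others:
            review[ip] = sorted(others)
        else:
            safe.add(ip)
    return safe, review


def retarget(zone, name, ip):
    """Copy of the zone with `name` repointed at `ip`: the move the EZTV
    operator made when sending visitors to a third-party site."""
    new = dict(zone)
    new[name] = [("A", ip)]
    return new


if __name__ == "__main__":
    naive = naive_blocklist(ORDERED_BLOCKED, ZONE)
    print("naive blocklist:", sorted(naive))
    print("collateral:", collateral(naive, ORDERED_BLOCKED, SITES, ZONE))
    print("guarded:", guarded_blocklist(ORDERED_BLOCKED, SITES, ZONE))

    # Scenario from the second post: the blocked apex is repointed at news.example's IP.
    zone2 = retarget(ZONE, "blockedsite.example", "192.0.2.77")
    naive2 = naive_blocklist(ORDERED_BLOCKED, zone2)
    print("after retarget, collateral:", collateral(naive2, ORDERED_BLOCKED, SITES, zone2))
    print("after retarget, guarded:", guarded_blocklist(ORDERED_BLOCKED, SITES, zone2))
```

The reverse index is the whole point: an IP-level block is only safe when the index shows no unordered hostname resolving to that address, and the index has to be rebuilt every time the blocker re-resolves, because the blocked operator controls where those names point next.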

[Read more] (4 comments)


August 09, 2013 | Javier Ruiz

Tackling “thorny issues” of open government at the OGP London summit

A look at some of the tricky issues and tensions in open government being discussed at the upcoming OGP summit.

The Open Government Partnership summit in London is gaining momentum, as evidenced by the growing engagement from civil society organisations. The OGP is reaching an important milestone, with the closure of its first cycle of country commitments and independent assessments.

The summit will be an inclusive space where governments can announce inspiring projects and collaborate with civil society. But this does not have to mean shying away from tackling difficult questions around open government.

Last week, UK civil society organisations held a meeting to discuss the summit. One proposal was making these areas of potential conflict explicit by creating a specific track for “thorny issues”. This would show the OGP is a confident process that takes these matters seriously.

The following areas would be suitable for inclusion. Some have already been proposed as a concrete session, while others are just an idea looking for more partners:

1. Transparency and private public services

Private companies have an important role to play in many of the areas covered by the OGP, such as the extractive industries and fiscal transparency. But this session will focus on the increasing provision of public services by private companies.

These companies tend to be excluded from “Right to Information” laws. Where there is information available, this is normally limited to narrow terms of contract delivery, making it difficult to assess overall performance and value for money.

2. Openness and privacy

Open data and transparency programmes can have privacy impacts, which could also lower acceptance and engagement from citizens. From a different perspective, we may also find that privacy can be used as an excuse to hinder transparency.

In some cases these tensions will involve personal data that is published in the public interest, such as subsidies, taxes, registers, judicial documents, etc. Another potential conflict is the publication of data from public services - schools, hospitals, welfare, etc. This kind of data is normally “anonymised”, but there are growing concerns about the risks of re-identification of individuals by combining different data sources.

An international workshop on this topic will have to analyse how to balance diverse regulatory approaches with upholding fundamental principles on privacy and the protection of personal data.

Privacy International and Open Rights Group are coordinating this session.

3. Surveillance and national security

The recent confirmation of the existence of mass internet surveillance programmes by several industrialised nations is a game-changer that brings into question some of the assumptions that have underpinned the relations between open government, surveillance and national security.

Few will question that there is a role for secrecy and special powers. But the blanket exemptions for national security from most transparency programmes and right to information laws may have gone too far. In some countries there is no basic information on the legal basis of surveillance programmes, or the size of their overall budget. Many civil society organisations are demanding more targeted surveillance and better accountability.

More fundamentally, we may need to revisit the unspoken presumption in open government circles that there is no need to justify collecting increasing amounts of data on citizens because eventually something good will come out of it.

Open Society Foundations, Open Rights Group and Tactical Technology Collective are coordinating this session.

4. Protection for whistleblowers

There are growing concerns that despite an increase in commitment to openness, many OGP countries are actually ratcheting up the persecution of whistleblowers. Besides several high profile cases with international resonance there are many less known cases throughout the world.

Several organisations, including OSF, have expressed interest in organising sessions on this important topic. Please get in touch.

5. Citizens’ rights, practical tools and government commitments

Groups involved in the OGP have alternative approaches to openness. This has been characterised in simple terms as involving, on one side, Right to Information veterans, who have focused for a long time on getting government to implement legislation. On the other side would be Open Data activists who, instead of driving policy, develop practical technology solutions to provide access to public information. Of course the reality is more complex. Nowadays most people in the field will agree that transparency and accountability require both laws and tools, plus citizen engagement and infomediaries.

There are concerns, however, that the OGP may be skewing this balance with its focus on voluntary commitments by the executive branches of government that lack legally enforceable mechanisms. The problems arise when the same governments that propose national plans with excellent aspects are simultaneously weakening Right to Information legislation or the role of civil society.

The Campaign for Freedom of Information are coordinating this proposal.

The proposals above are all in a shared online document that attempts to collate all the sessions proposed by civil society groups. Please add the details of any proposals you are developing to that spreadsheet, and get in contact with anyone who is developing an idea you would be interested in supporting.

It is important to get international collaborations to shape the sessions. Particularly, let us know if you know of any government representatives from your country who are coming to the summit and may be interested in participating in these panels.

There is a growing consensus that the summit should reflect the diversity and multistakeholder nature of the OGP. One criterion for acceptance into the programme should be that panels are gender balanced and include representation from the majority world.

The deadline for presenting complete proposals to the OGP summit team is the 1st of September.

This blog was also posted to the Open Government site.  

[Read more]

