December 02, 2013 | Javier Ruiz

Brighton Crypto Party

Brighton had its own Cryptofestival on Sunday, with a mix of talks and hands-on skill sharing in an inclusive, family-friendly atmosphere.

Lego Panopticon - Image CC-BY-SA @limbicfish

The event was jointly organised with the Lighthouse, Brighton's leading digital culture agency. The day started with designer and social entrepreneur Aral Balkan. Aral explained the need for open technology to focus on the user experience, which he terms XO, design‐led / experience‐driven open source. He believes this is critical to stop the "digital feudalism" of Google and co. who offer "free" well designed services in exchange for our privacy. Aral is implementing this philosophy in an ambitious project to build a complete smartphone where the user is in control, the Indie Phone.

Our next speaker, Paolo Vecchi from commercial open source provider Omnis Systems, explained why data control is important to organisations. US based cloud services simply cannot provide any guarantees to their clients, who should look for suppliers of open source auditable technologies that fully comply with Europe's more stringent privacy laws.

I tried to recap what we have learnt from the Snowden leaks, with a focus on the activities of the UK government and its critical role in the global spy dragnet. I explained what ORG is doing to stop these abuses, including our legal case.

Icelandic software developer and activist Smari McCarthy proposed that we use ubiquitous data encryption to raise the cost of surveillance from its current bargain basement price of 13 Cents USD per global internet user a day to something more reasonable. His contribution to this goal is developing a Gmail alternative, Mailpile, which he hopes to launch in alpha at the beginning of next year.

The skill sharing session saw people split into small groups to focus on specific platforms and technologies. Most participants joined the groups on web browsers and mobile phones. Both kids and grown ups enjoyed the Lego Panopticon game organised by Maf'j Alvarez.

Duncan Campbell closed the day with a thorough overview of state interference with privacy on the internet. Brighton resident Campbell is the investigative journalism hero who first broke the existence of GCHQ to the public, and was arrested and threatened with 30 years imprisonment.

November 28, 2013 | Peter Bradwell

Government touts backroom deals to block extremist websites

Why should we trust some backroom deal from a combination of civil servants, Internet businesses and law enforcement with decisions about what we are allowed to look at and do online? The correct answer is we shouldn't.

Rumblings about a forthcoming announcement to block “extremism” and “terrorist” content began this summer. Then last month the Prime Minister made comments during Prime Minister's Questions about blocking extremism:

"We have had repeated meetings of the extremism task force—it met again yesterday—setting out a whole series of steps that we will take to counter the extremist narrative, including by blocking online sites."

Yesterday, in response to a question from Patrick Robinson of Yahoo! at a conference, Home Office Minister James Brokenshire confirmed that an announcement is "forthcoming". Amongst others, the Guardian are now also reporting on this.

The "Extremism Task Force", mentioned by the Prime Minister, was set up in the aftermath of the Woolwich murder and is due to report very soon. So one assumes this announcement will likely be related to that.

We don't know what this forthcoming announcement will be. We don't know what sort of content the Government want to see blocked, or why, and how much it extends beyond what already happens through the Counter Terrorism Internet Referral Unit.

There has been no public discussion about this so far. As far as we understand, no freedom of expression groups have been involved. The Guardian suggest the Government want to follow the Internet Watch Foundation (IWF) model, who supply Internet Service Providers (ISPs) with a list of child abuse material they then block.

But the Government's policy on extremism content can't just be that ISPs should block sites that have been classified as extreme by some secretive government body, without any court decision about a law being broken or any public, democratic discussion in Parliament about the process involved.

This should not be another drift towards vague, unaccountable and privatised Internet regulation. This sort of Internet regulation is about who decides what we - not just 'terrorists' - can look at and do online.

Once again we see that website blocking has become the go-to button for politicians to press when they need to be seen reacting strongly to the latest media outcry.

But website blocking is not an easy or effective option. Anyone who wants to look at blocked content will find a way to do so - it is fairly simple to get around any blocking for a start. It also, unhelpfully, adds an edginess to blocked material if those making or sharing it can say it is banned by the government. 

We also know that unrelated content gets caught by blocking systems. Extremist content is not easy to define. Moreover, as Big Brother Watch point out in their blog, law enforcement agencies can define words like extremism broadly enough to include groups like political activists or protestors who are not terrorists or seemingly breaking any laws. If law enforcement agencies are responsible for drawing up a list of sites to be blocked, it is not a huge stretch of the imagination to think that block lists would include material that is not illegal. By accident or abuse blocking powers are likely to lead to blocking lists featuring content that has little if anything to do with terrorism and national security.

More half baked policy making?

It looks like James Brokenshire and the Home Office are following a well trodden path with this approach. When it comes to the Internet the government seems to like voluntary arrangements in which they arm twist Internet service providers into doing what they want.

That spares the Government from having to deal with complicated issues like involving a court to prove a law has been broken, or a normal policy process that would involve public, democratic scrutiny of their ideas.

The IWF model for dealing with child abuse images is tolerated because their focus is such abhorrent and unequivocally illegal material. This model is not appropriate for less clearly defined content.

Maybe the Government will surprise us with their announcement. But we have seen that when it comes to Internet blocking the government has a tendency to prioritise making favourable headlines above a smart, effective policy fix. So fingers are crossed in hope rather than expectation.

November 26, 2013 | Ed Paton-Williams

Necessary and Proportionate: Support the 13 International Principles

In 2013, we learned digital surveillance by governments across the world knows no bounds.

Their national intelligence and investigative agencies capture our phone calls, track our location, peer into our address books, and read our emails. They often do this in secret and without adequate public oversight, violating our human rights.

We won’t stand for this anymore.

Necessary & Proportionate

Over the past year, 300 organisations have come together to support the International Principles on the Application of Human Rights to Communications Surveillance.

Today we're launching a global petition supporting the 13 International Principles alongside a range of international NGOs including Access, Chaos Computer Club, Center for Internet & Society-India, Center for Technology and Society at Fundação Getulio Vargas, Digitale Gesellschaft, Digital Courage, Electronic Frontier Foundation, Open Rights Group, Fundacion Karisma, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic, SHARE Foundation and Privacy International.

These thirteen Principles establish the human rights obligations of governments engaged in communications surveillance.

They've been developed over months of consultation between internationally-recognised technology, privacy, and human rights experts.

Can you join people from around the world to lend your name and support to the Principles?

The Principles make clear:

  1. States must recognise that mass surveillance threatens the human right to privacy, freedom of expression, and association, and they must place these Principles at the heart of their communications surveillance legal frameworks.

  2. States must commit to ensuring that advances in technology do not lead to disproportionate increases in the State’s capacity to interfere with the private lives of individuals.

  3. Transparency and rigorous adversarial oversight is needed to ensure changes in surveillance activities benefit from public debate and judicial scrutiny, this includes effective protections for whistleblowers.

  4. Just as modern surveillance transcends borders, so must privacy protections.

We'll deliver the petition to the United Nations, world leaders, and other policymakers who need to hear the voice of the people demanding an end to mass surveillance.

Please support the principles by adding your signature, and encouraging those around you to do the same.

November 25, 2013 | Javier Ruiz

Open government groups demand curbs on mass surveillance

ORG joins dozens of civil society organisations in asking governments that participate in the Open Government Partnership to start curbing disproportionate mass surveillance.

The current wave of open government programmes puts a heavy emphasis on the use of digital technologies - websites and smartphones - to deliver on transparency and accountability. In this context, it is particularly troubling that as many of these governments drive democratic engagement online, they are simultaneously tracking and analysing the behaviour of whole populations.

The UK has just hosted the Open Government Partnership summit, where dozens of governments from all continents launched commitments to improve transparency, engagement and accountability. ORG coordinated a session on surveillance that generated a lot of interest. You can see the video here:

The British government has been leading calls for more open data to improve transparency and accountability. The UK even launched an Open Data Charter at this year's G8 summit. Yet the UK is also at the forefront of global surveillance through its close partnership with the US. This inconsistency is unsustainable.

The joint statement calls on OGP governments to:

  • recognise the need to update understandings of existing privacy and human rights law to reflect modern surveillance technologies and techniques.
  • commit in their OGP Action Plans to complete by October 2014 a review of national laws, with the aim of defining reforms needed to regulate necessary, legitimate and proportional State involvement in communications surveillance; to guarantee freedom of the press; and to protect whistleblowers who lawfully reveal abuses of state power.
  • commit in their OGP Action Plans to transparency on the mechanisms for surveillance, on exports of surveillance technologies, aid directed towards implementation of surveillance technologies, and agreements to share citizen data among states.

We urge David Cameron to heed this call.

The full text of the statement is here.

November 20, 2013 | Jim Killock

Dear government, copyright reform – is it happening?

The Hargreaves Review was presented to government in 2011, with recommendations to modernise copyright: two years later, we are still waiting for the changes.

The recommendations it put forward, for instance for user rights to format shifting (i.e. copying CDs to your iPod legally), archives, education and parody, are modest but necessary. After two years and another consultation, the new 'exceptions' to copyright were proposed this summer. The government then ran a 'technical review' of the proposals.

We're now waiting for the final versions. The government appears to still be debating how and whether to proceed.

We've been here before – almost exactly four years ago. The last Labour government, after years of debate following the Gowers Review, bottled it. The exceptions were never put in place.

Parody seems to be a particular bugbear. Content lobby groups have tried to create doubt and fear surrounding a right to parody – yet it is obvious that nobody should be able to use copyright to suppress others from making a joke at their expense. Or indeed, in tribute.

We set up a website to campaign for a parody exception in 2011. We asked people to create parodies and submit evidence to the Intellectual Property Office.

We are pretty sure that the same pressure is going on now. Minister, these groups will say, there's no need to legislate for parody. There's lots of parodies – and we will give people a licence, at least most of the time, if people ask. And parody depends on a sense of the illicit, so it helps parody that it’s not really legal!

These are beguiling but bad arguments. People dislike legal risks, so avoid them. We also know plenty of people get caught up in disputes, even resulting in Youtube takedowns, when parodies are accused of copyright infringement. Such actions are an infringement of free expression, yet do no real harm to copyright owners. Many countries, including copyright hardliners like France and the US, have legal protection for parodies.

If you want to see the Minister get on with putting exceptions including parody into law, then please write to the IPO at and ask Lord Younger to hasten along with copyright reform!

November 18, 2013 | Jim Killock

Child abuse image policies risk looking like cynical manipulation

Today’s announcement from the government that they have ‘persuaded’ search engines to restrict search term results ‘associated’ with child abuse images may seem like common sense: after all, who can possibly object to measures that reduce the availability of such material? However, many child protection experts are questioning how useful this measure is.

The government have promoted this as a victory, commanding today’s headlines. If David Cameron and his advisor Claire Perry are hyping a policy they know is of marginal importance, many people will be forced to conclude that the announcement is a cynical manipulation of parents’ fears in order to appear to be taking action.

Their argument is that a small number of potential child abusers first experience child abuse images through online search. They believe that this acts as a ‘gateway drug’ to further experimentation. They claim to have seen evidence of this, and have to our knowledge produced none. Perhaps they are right, perhaps not. But other figures, such as Jim Gamble, former head of the Child Exploitation and Online Protection Centre (CEOP) says on ITV’s website:

The way to deter offenders from raping, abusing, photographing, sharing or seeking out images of child abuse is to line child abusers up, in the dock of a court room. One of the main problems is that people can see that is not happening.

That is why public frustration often results in online vigilantes like Letzgo hunting enticing paedophiles to meet offline or actions by charities like Terre des Hommes who raised awareness of the problem by luring thousands of suspect sex offenders from their online nests to engage a virtual child.

This is where the government must pause, look at themselves in the moral mirror they hold up to others so often, and ask whether they are doing enough?

And before ministers hide behind the wall of recession and austerity consider this. Less than £1.5 million a year would pay for 12 regional child protection experts, supported by twelve training coordinators.

A police officer specialising in child abuse told PC Pro that the announcement is hype:

"I simply do not see people using Google, etc to search for child abuse," the source said. "It's too risky for them."

"We need more staff," the source added. "We have a nine-month backlog - that's not fair to victims."

A simple look at the numbers suggests that it may well be funding of CEOP and police that is causing a reduction in prosecutions. According to the Guardian:

The detailed statistics from the solicitor-general, Oliver Heald, show the number of child sexual abuse cases being referred to the Crown Prosecution Service by police forces across England and Wales has fallen by 28% from a peak of 13,018 in 2010-11 to 9,381 in 2012-13. This is the lowest level for more than five years and comes over a period when the number of such cases reported to the police has risen steadily to a record high of 18,915 in 2012-13.

We could also ask if funding for social services is adequate, or whether government is endangering lives very directly by failing to provide proper support.

Cameron and Perry learnt earlier this year that if they accuse companies like Google, Yahoo and Microsoft of aiding paedophiles, those companies are bound to take action. This spring, Google promised £1 million to the Internet Watch Foundation after Cameron accused Google of not doing enough. A few months later, Maria Miller asked how much ISPs could promise to give towards a broader education programme. In the speech Cameron gave in July, Cameron demanded further action from search engines, demanding “depraved” terms be removed completely.

What Cameron and Perry have learnt is that Internet companies are susceptible to pressure, and will take action when threatened. It doesn’t matter if the companies are at fault, or can only make a limited difference, but when accused of aiding paedophilia, they are certain to take action to limit the reputational damage.

The least that politicians need to do is to make sure we know that they are dealing with real problems, rather than chimeras. We don’t know, as we’ve seen no evidence, whether Google and Microsoft really will be able to make a difference by limiting search, or whether the actions are cosmetic. It’s worth remembering that Google and Microsoft have always removed search results, such as URLs or images, that are reported to them.

Politicians must do what they can, where they are directly responsible. If they claim to want to deal with paedophilia, then they should be prepared to announce funding to CEOP so that criminals are investigated and locked up: something Google and Microsoft simply can’t do.

In the absence of evidence and new financial commitments to law enforcement, Cameron and Perry risk looking like they are prepared to cynically manipulate the emotions of genuinely worried parents, purely in order to generate headlines. Victims should be worried that they may only be interesting while they provide easy media hits. Internet companies, too, will learn that they will be the targets of future shake downs by politicians who identify subjects of moral outrage.

None of this feels like good democratic governance. If this is the kind of politics some of our MPs think we want, then we should be prepared to call them out.

November 15, 2013 | Peter Bradwell

Sky's reply to ORG on default internet filters

In July we asked the main ISPs how they planned to implement the default internet filtering being mandated by the Government. Sky have now replied, and here you can read their answers.

Sky are the first Internet Service Provider to send us answers to all of our questions about their default filtering. We are waiting for responses from the others; they all promised us answers. So thanks to Sky for taking the time to go through the questions. High time for the others to finish formatting their replies and send them over!

This week Sky launched this filtering service (called 'Sky Broadband Shield') - one of the first changes since the Government’s summer push to get ISPs to do more to prevent children accessing ‘adult’ material. 

You can read Sky's answers below, which they prefaced with an introduction to their filtering system. Having read through the response, we remain concerned for website operators who may get caught by ISPs' filters by mistake. More needs to be done to make sure those running websites can check whether their sites are blocked and can rectify any problem quickly.

Sky confirm some basics too, for example that one filter setting will apply to all devices in a household, and that the age verification process will only involve using the account holder's primary email address (avoiding any more onerous verification checks). Sky also say that they will not log blocking events or monitor or log traffic of users who have not opted in to the filtering.

We are perhaps most concerned about how they will deal with over-blocking, and their process for fixing mistakes. Some comments on what Sky have told us:

URL checks. Of the mobile operators, only O2 give people a URL checker to help people quickly find out if a site is blocked by their filters and what category it falls into. Sky here imply there will be no such tool available from them. This is a real problem - website operators will want to know how each internet service provider categorises their site and whether they are blocked. They shouldn’t have to rely on reports from customers, and they certainly shouldn’t need to have multiple accounts just to constantly monitor if their sites are blocked.

In our mobile Internet censorship report we recommended a cross-ISP URL checker tool. That seems like the only way to help website owners stay on top of whether their sites have been incorrectly caught by the filters.

Sky say they will deal with reports of mistakes in a ‘timely manner’. What is timely to a website owner who can’t reach their market or readers will likely differ from what an ISP will consider timely.

Oversight? As Sky say, it doesn’t seem like there is a body who will be monitoring or dealing with disputes or performance. There has been some talk about Ofcom taking on this role but details about how that will work are not clear.

We want more information about how ISPs will make sure website owners can check if their sites are blocked, and how they can quickly and easily get their sites off the block lists.

One of our motivations for asking these questions is that it seems the Government are not doing so. They seem far more interested in easy win headlines than preventing widespread over-blocking by the systems they are mandating.

There needs to be pressure from the government on overblocking, with independent monitoring of performance, to ensure website owners in the UK are not cut off from large sections of their potential market.

Let us know what you think of Sky's answers, and any questions that come to mind having seen this response.


Sky’s answers to Open Rights Group’s Questions

Sky’s new parental control product will allow customers to filter internet access across all connected devices.  The product is a DNS-based solution which will mean that IP addresses are not returned for hostnames serving content classed as falling within a category or categories that the customer wishes to block access to.  The technology does not rely on inspection of traffic.

To make this solution work, we will of course need to store the level of filtering desired by each customer. We will not keep a record of individual DNS queries during normal operation. The information on the choices customers have made about what content to filter is subject to stringent data protection measures.

In creating this solution, we have undertaken extensive testing and upgrading of our hardware to ensure that traffic is not slowed for both users and non-users of the service.  In fact, as a result of the upgrade, overall speed across the servers has improved.

To ensure that only relevant websites are within these defined categories, we have worked with the technology firm Symantec. They are world-leading experts in online protection and already work with many UK companies, including a number of mobile phone companies.
In the event that a site has been wrongly categorised, we have created processes for easy reporting and speedy resolution.

Twenty questions for ISPs on Internet filtering systems

A. On how the technology works

Under the Internet filtering system set up following discussions with the Government about online safety and child protection:

1. Is any traffic of users who are not opted in to filtering inspected and / or logged?

Answer: No

If so, is it logged in a way that links the traffic to a subscriber?

Answer: n/a

What logging will there be of blocking events? How does this work?

Answer: There will be no logging of blocking events for individual customers.

2. Is filtering applied to all forms of connection offered by the ISP (dialup, ADSL, cable, fast fibre connections etc)?

Answer: Yes, access filtering is applied at the network level regardless of connection.

3. Have you estimated the impact of the through-put of filtering technology on the speed of users' internet access (both for those who are opted in and opted out)?

Answer: Yes, there will be no negative impact to customers' throughput speed.

4. We are concerned about the impact on Internet applications in general as well as web traffic.

Does filtering take place only of HTTP traffic on port 80, or will other traffic be affected?

Answer: Filtering is applied for customers who take the product based on the hostname regardless of the application that is requesting it. There will not be any undesired impact.

What steps will be taken to avoid interfering with non-HTTP traffic on port 80, for example non-HTTP applications that use this port in order to bypass firewall restrictions?

Answer: n/a see above

5. What impact does the filtering have on end-to-end security measures such as SSL or DNSSEC?

Answer: Our product does not disrupt any end to end traffic security measures currently available such as DNSSEC and SSL in such a way as to introduce a security vulnerability.

6. Can you guarantee that your networks will not be susceptible to mistaken blocking as a result of using specific IP addresses for forwarding filtered traffic, for example as seemed to happen in a case involving Wikipedia?

Answer: Yes, because we are using hostname filtering.

7. Have you made any estimates on the impact of filtering systems on infrastructure upgrades?

Answer: Yes, this was a key consideration when choosing the platform for the product.

B. On setting up the filtering

8. Are users faced with pre-ticked boxes when choosing to activate filtering?

Answer: Yes

What is the impact on customers who do not have access to, or who do not use, a web browser on a network, such as a home broadband connection that is only used for Smart TV video on demand applications (i.e. who will not be presented with a web-based set up screen)?

Answer: New customers would only be presented with an Active Choice if they connect via a web browser.

9. How granular are the available choices? Will a household be able to cater for:

a. Multiple ages or a variety of beliefs?

Answer: This is a network level filter which means that all devices in the household connected to Sky Broadband will have the same level of protection applied, as selected by the Sky account holder.

b. Can specific sites be unblocked by a user?

Answer: Yes

10. Have you done user-testing for your opt-in systems?

Answer: Yes, the experience and levels of protection available meet customers' expectations of simplicity and ease of use.

11. What information about the filtering is available at the point of sign up? Does it include:

a. Detailed information about what types of content are blocked, with examples?

Answer: Detailed information about the type of websites within each category is available during the sign up process and on

b. The providers of their filtering tools, if a third party is involved?

Answer: We will publish details of our 3rd party providers when our product is launched later this year (Update: Symantec was named as a provider of site classifications at launch.)

c. Information about the possible problems with and limitations of blocking, with information about how to report problems?

Answer: We will publish a list of FAQs which will include the extent to which web filtering allows users to control the type of content that is available in their property as part of an overall strategy of education and monitoring. We will also publish information about how to report problems with the product.

12. What age-verification processes will be in place? How will this work?

Answer: Sky Broadband is only available to customers aged 18 or over who will provide a primary email address at point of sale. Any changes to filters will be emailed to the primary email address.

13. Is a customer's decision not to activate filtering a one-off decision, or will it have to be periodically repeated?

Answer: Customers will be asked to make an active choice at the point they activate their Sky Broadband service and will not need to repeat this decision, however the customer can later choose to opt in.

C. On managing problems and mistakes

14. When a site is blocked, what information is supplied to the end-user about why and how it has been blocked?

Answer: The customer will see a "Page Blocked" screen which will tell them that the site has been blocked and the category that the website falls under.

15. Are there easy ways to report mistaken blocks, either over-blocking or under-blocking? Are these clear when users encounter a block?

Answer: Yes, the customer can access a form to submit a report which can be found by clicking a button on the "Page Blocked" page or in the "Contact Us" section of

16. Are there easy ways for people to check if URLs are blocked, and will this include a reporting tool for requesting corrections and reclassifications?

Answer: Customers will be able to report to Sky if they believe that a website has been incorrectly categorised and therefore filtered incorrectly. These requests will be reviewed by Sky and by our 3rd party providers before a decision is made on the categorisation.

17. How will complaints, from both your subscribers and from owners of sites that are blocked, be dealt with?

Answer: We will have processes to review reports of incorrect blocking. Those confirmed as being in the incorrect category will be re-categorised.

a. Are there plans in place to train customer service staff for dealing with these reports? 

Answer: Yes

b. Are there targets for dealing with mistakes in a timely manner, or estimates of how long responding to and correcting mistakes will take? 

Answer: Our processes will ensure that we deal with reports in a timely manner.

c. Will you share error reports and corrections with other ISPs?

Answer: We will share best practice with other ISPs.

18. Have you specified acceptable error rates to suppliers of filtering services? If so, what are they?

Answer: Our decision on the supplier of our filtering service included an assessment of categorisation accuracy.

19. Have you sought legal opinions relating to liability for incorrect blocks, including both false positives and false negatives?

Answer: Yes

Do you have plans to offer compensation for businesses harmed by blocking errors, for example when potential customers are unable to access the site?

Answer: Our processes will ensure that blocking errors will be resolved within a timely basis.

20. Are there or will there be systematic reviews of the effectiveness and quality of filtering, including reporting on problems and complaints? Is there a process for review and improvement? 

Answer: In line with all products we will monitor its effectiveness and review complaints.

Is there or will there be an ombudsman or other oversight body to handle disputes and review performance?  

Answer: No


November 09, 2013 | Jim Killock

Now talking is treachery

Which story will win out? Government and civil liberties advocates are arguing over what the real story is after the Snowden revelations. Is it the Guardian’s irresponsibility and their inability to assess the damage they are allegedly creating; or is it a story about the problems with mass surveillance?

The security services in Parliament claimed that the Guardian’s stories have led directly to discussions among terrorists to improve their information security. Sir Iain Lobban was most explicit, saying:

“we have actually seen chat around specific terrorist groups, including close to home, discussing how to avoid what they now perceive to be vulnerable communications methods or how to select communications which they now perceive not to be exploitable.

“The cumulative effect of the media coverage, the global media coverage, will make the job that we have far, far harder for years to come. There is a complex, there is a fragile mosaic as Andrew has said, of strategic capabilities that allows us to discover, process, investigate and then to take action. That uncovers terrorist cells. It reveals people shipping secrets, expertise or materials to do with chemical, biological and nuclear around the world. It allows us to reveal the identities of those involved in online sexual exploitation of children. Those people are very active users of encryption and of anonymisation tools. That mosaic is in a far, far weaker place than it was five months ago”

Their allies in Parliament, led by MPs Julian Smith and Stephen Phillips, have asked the Guardian to “acknowledge the devastating assessment” made by the intelligence chiefs, while the Home Affairs select committee has called the editor of the Guardian to appear before them in a month to answer these points.

The accusations mostly appear to relate to Operation Bullrun (USA) and Edgehill (UK) – programmes to create weaknesses in encryption tools that can be exploited by the NSA, GCHQ and anyone else who is told about them or finds them.

For Parliamentarians these are complex issues, so I would like to take a moment to spell them out.

  1. The Guardian has not concentrated on specific weakenings of technologies under Bullrun and Edgehill, but on the investment of time and effort.

  2. The Guardian did imply that Skype may be compromised – a tool that many of us use daily; such a weakness could have consequences for all of our personal computer security.

  3. The vulnerabilities are being discussed by private companies worried about the consequences for their own security or security products. Vulnerabilities can be exploited by anyone, not just the NSA or GCHQ.

  4. RSA Security were forced to withdraw a broken encryption method, related to use of random numbers, which had been leaving many commercial VPN products at risk. This has affected major UK companies.

  5. No doubt terrorists will be speculating about their personal security just as everyone else is.

The logic of this debate is that the Guardian sparking a debate about personal computer security—an activity that we and the government invest billions of pounds in—is tantamount to aiding terrorism, as terrorists will improve their security too.

The unspoken position of GCHQ is that they have a right to compel companies to give them ways to break into their software and all the installations and uses of them – not by targeting individual suspects, but in a blanket way.

This places everyone at risk. That is a question which deserves a public debate, but it also allows the security chiefs to make the argument that revelations the Guardian has made are ‘endangering national security’ as people try to identify what GCHQ have done, and fix it. From this perspective, when Google encrypt across UK private cables to stop GCHQ breaking in without permission, this will also be an attack on national security, as secret collection capacity diminishes. When RSA fixed their broken technology they will have made parts of the Internet ‘go dark’ and thus aided terrorism.

The problem of course is not the Guardian, but the decision to compel companies to work in a non-transparent, ubiquitous manner, sacrificing general security for the convenience of the security agencies. That to many people will represent the essence of an agency acting without effective supervision.

Some MPs will accept assertions that terrorists have benefited from the Guardian’s revelations, and fail to challenge the notion of pervasive intelligence gathering. By accepting GCHQ's demand to have access to the ‘whole haystack’ of Internet traffic, MPs agree that anything that reduces pervasiveness must of course endanger national security capability. That makes any discussion of national security methods, or improvements to personal security, a form of treachery.

The way out of this logic is to accept that individuals and companies have a right to data security. Once you remember that, then it is obvious that GCHQ’s methods need to fit back in with our normal, everyday objective of trying to minimise our online risks. That may mean that the secret services’ work may sometimes be harder, but it also means that everyone will be a lot more secure from common criminality.
