

September 26, 2013 | Peter Bradwell

Culture Committee copyright report one-sided and simplistic

This morning the Culture, Media and Sport Committee published its report into how to support the creative industries. While it is a wide-ranging report, on copyright reform there is plenty to be disappointed about.

Today the Culture, Media and Sport Committee published a report called 'Supporting the creative economy.' (pdf version) Jim and I gave oral evidence to the Committee in January, and submitted written evidence last year.

Overall the Committee's report is a fairly disappointing and unimaginative piece of work. They offer a view of copyright that is too simplistic, one-sided and which effectively tries to reduce the debate to whether you like the creative industries or not. They thus ignore the wider impact of new technology on citizens as creators and participants in culture, and on how markets for cultural goods can now function most effectively. 

From our initial look over the report, here are a few of our more specific concerns and thoughts.


Carelessness with privacy concerns

We were surprised to see the Committee dismiss the privacy concerns around targeted advertising, saying:

“The Advertising Association’s evidence goes on to express deep concern about draft EU Data Protection Regulation “which could damage direct marketing, internet advertising, and the UK economy both off and online”. Increasing use is being made of personal data to target online advertising better. While concerns around this have prompted reviews of data protection legislation, we do not think the targeting of appropriate advertising—essential to so many business models — represents the greatest threat to privacy.”

As far as we can tell, the Committee fail to look in any way at how targeted advertising works, how it collects information, or at the rules governing how companies can use and share our personal information. They've taken the opinions of the advertising industry as given. It's one-sided and analysis-light – which helps demonstrate more general flaws with the report.

We do not control when the gadgets and services we use leak information about us. The rules about what companies who get that data can do with it are woefully inadequate. For example, health and fitness apps on our phones or wristbands share all sorts of data about us to companies whose privacy policies can be unclear, and who face some pretty lax regulation. This is one reason so few people trust the businesses we deal with online.

The Data Protection Regulation is currently being discussed in Europe and could help give people control over their data. But there's a very real danger our rights will be ignored, due to intense lobbying from advertising and technology groups. This is despite the revelations over the summer that once data about us is shared, security services have some fairly unaccountable powers to access most if not all of it. 

The Committee appear entirely uninterested in or unaware of these important questions because a trade group for one of the industries affected told them it might damage their interests. This is an unhelpful time to be so cavalier. 


ORG's work and the importance of freedom of expression online

We were also surprised and rather delighted to see that the Committee acknowledges our work promoting freedom of expression online. 

As a small, independent organisation we rely on the financial support of concerned individuals. So if you are new to us and worried about Parliament's consistent failure to understand how technology should work for individuals and support our human rights and civil liberties, please consider joining


Bashing Hargreaves and copyright reforms

Looking at the copyright reforms kicked off by the Hargreaves Review in 2011, the Committee say:

“Following all the evidence we have received, we think Hargreaves is wrong in the benefits his report claims for his recommended changes to UK copyright law. We regret that the Hargreaves report adopts a significantly low standard in relation to the need for objective evidence in determining copyright policy. We do not consider Professor Hargreaves has adequately assessed the dangers of putting the established system of copyright at risk for no obvious benefit.”

This conclusion is unfair and somewhat inaccurate. First of all, it seems to focus on the Hargreaves report itself, which is to ignore the work that has gone into the implementation of the report's recommendations since, including the reviews and oversight that have gone alongside that work. For instance, the Committee don't mention the BIS Committee Review into this very issue last year, which concluded something very different:

“A considerable amount of high-quality work on policy development has been undertaken in the year since the Hargreaves Review. It will be important to maintain that momentum alongside the more rigorous approach to policy formation that Hargreaves recommended. Conclusions are near to formation in many areas, and the Government should press ahead with measures to implement new policy in those areas as soon as possible. We recommend that the Department act swiftly to bring in legislation to that effect.

169. While we recognise that the Government is undertaking a major reform in a complex area, changes are both necessary and urgent.”


We welcome the Intellectual Property Office’s reassurances that more detailed analysis is on-going and trust that it will pursue that work and act on external criticism of data and methodologies. We also agree that the involvement of the Regulatory Policy Committee as an independent auditor of economic analysis is a sensible policy development.”

The BIS Committee mention the Regulatory Policy Committee (RPC). Their remit is to provide independent advice to Government on the quality of analysis supporting new regulations.  The RPC members include Ian Peters, the Chief Executive of the Institute of Internal Auditors and Jeremy Mayhew, chair of the Audit & Risk Management Committee as a non-party Common Councilman on the City of London Corporation. 

The RPC have reviewed a number of the proposals for exceptions, giving a 'green' status to the copyright exceptions for private copying, parody, archiving and preservation, for disabled people, for text and data analytics, and exceptions for educational use. 'Green' means the Committee “have no significant concerns with the quality of analysis and evidence presented. We make suggestions where we think the IA could be improved to deliver greater clarity or to aid understanding. A Green rating means we judge the IA to be ‘fit for purpose’.”

The work of the RPC, as far as I can spot, is mentioned zero times in the CMS Committee report. 

The reforms proposed by Professor Hargreaves and now being implemented by the Government, which are roundly criticised in this report, are actually modest and long overdue. A number of independent reports have recommended similar steps. That includes the Gowers Review in 2006, which came to strikingly similar conclusions. The recommendations for new copyright exceptions made in that review were never followed up. 

Richard Hooper CBE, who with Ros Lynch ran the recent work looking at the feasibility of a copyright licensing Hub, said in his oral evidence to the Committee that the reforms were reasonable and the Government should get on with implementing them:

What I would say to this Committee is we have had five years of to-ing and fro-ing on the issue, and if this Committee can get the laws sorted out, get it done, then we can start focusing on the really important issues, otherwise a huge amount of energy and time and lobbying is going to be spent on this for the next five years.

I think that the Government has come up with, by and large, very sensible recommendations on orphan works, extended collective licensing, codes of conduct for collecting societies and exceptions.

He repeated such thoughts in a speech to the London Book Fair, in which he said:

"We have spent years first with the Gowers Review and then the Hargreaves Review discussing and debating changes to copyright law. The current proposals are broadly sensible, with the exceptions not being too widely drawn."


So the new proposals have been repeatedly exposed to consultation and review. They are modest, narrowly drawn and address some clearly defined needs. The Government should ignore this distraction and continue with their implementation.


The Digital Economy Act

There is a welcome acknowledgement that the Digital Economy Act suffered from a lack of debate in Parliament and was rushed through. We also welcome the Committee's recognition of the problems with public wifi, although they offer no solution or recommendations on how to address them.

Here's what they say:

"The delays in implementing the DEA are thus by no means all attributable to the Government: the legal action by BT and TalkTalk certainly contributed. As, perhaps, did the haste with which the presaging Bill was originally rushed through Parliament with relatively little debate in the House of Commons. We acknowledge that the DEA has its limitations; for example it is not applicable to mobile devices and there needs to be greater clarity over the situation of public Wi-Fi. We recognise, too, that effective enforcement of copyright is likely to focus more on targeting illegal activities on a commercial scale—on “following the money.”

It's a shame that the Committee still have faith that the Act is worth pursuing, and it's a shame that the Committee support the possible voluntary arrangements for a new three strikes regime. That is to ignore all the important questions about standards of evidence against alleged infringers, data protection and rights of appeal that led the Digital Economy Act itself into such trouble. 


Ignoring what's already being done to provide good evidence

It is also unfortunate that having stated again that objective evidence is important, the Committee fail to mention any of Ofcom's work researching copyright infringement and who those that claim to infringe are. It tells us lots of interesting things, such as that those who say they infringe copyright also say they spend the most on legal content. This is despite ORG mentioning the Ofcom research in our oral evidence to the Committee.

Incidentally this was paid for by the IPO, who the Committee claim are on some anti-copyright crusade. 

Somewhat bizarrely, the Committee call for the IPO to include more research into piracy in its annual report. The recent Ofcom research was their last in a series of reports, which has ended because the money from the IPO has run out. Having praised the effort to produce useful numbers, nobody at the launch event could offer solutions to how the research would continue and where funding would come from. The Committee could have looked at how to encourage and get funding for independent, robust evidence. But they did not do this, or seem aware that Ofcom have been doing such research and that it was funded by the IPO.

The report also fails to mention research into the effectiveness of three-strikes regimes, the most recent of which concluded that there "is little to no evidence that graduated responses are either 'successful' or 'effective'." 

'Robust evidence-based policy' seems to basically have come to mean 'evidence I agree with and which helps support the conclusions I have already arrived at'. 


September 20, 2013 | Jim Killock

Say no to the Nomitax!

This coming Monday, Nominet's consultation on a .uk domain ends. We are asking everyone to respond and say 'no'.

Nominet were told to stop creating new second level domains (like or because they are a monopoly, and instead an independent consultative group decides when new .uk domains are needed. This group also decides who controls them, to avoid Nominet simply inventing new second level domains (SLDs). This is important, as many people want to own all the domains potentially associated with their personal or company name. Only really new and non-confusing SLDs should be added, so that this problem is avoided.

Nominet have circumvented this attempt to stop them printing money and demanding new registrations from UK domain owners, by asking to allow anyone to own a top level .uk domain. This means you will now be faced with registering not just and but also, if you want to control the name, – resulting in a windfall for the cash-rich Nominet, but plenty of problems for everyone else.

For instance, in the future, how will you know if is a real University, or just another commercial outfit posing as an HE establishment? Will be a government body, or a private entity?

Aside from this confusion, Nominet's consultation makes an extraordinary attempt to argue that it needs more cash because it operates in the public interest, so more cash means more public interest activities for the public.

This is the standard argument for a tax, not a new round of domain registrations. Nominet are not entitled to make such a tautologous argument: their public purpose is to provide a secure and trusted domain registry service.

If their new registry policy does not serve that – and they don't manage to argue that it does – then they cannot simply say that more cash for Nominet is a great reason to charge UK domain owners for new domains.

You can respond using their online form. You can also read their full consultation page and our response.

Say no to the Nomitax!


September 06, 2013 | Jim Killock

The security services are stripping us of basic Internet security

The latest revelations from the Guardian give good evidence of why they have recently been the target of government harassment, and also why this is entirely unjustified.

Their reports of NSA and GCHQ attacks on fundamental Internet security really matter. These are the basics of trust on the Internet; they are the reason you trust your bank, your credit card payments or Virtual Private Networks not to leak this information to criminals, blackmailers or governments.

Thus the real impact will not just be about security, it is about economics.

Of course we all expect NSA/GCHQ to try to break encryption systems from time to time; it's their job. The problems arise when they make us all vulnerable as a result.

From the Guardian article, it appears they use threats and secret orders given to commercial companies to insert backdoors that must now undermine our trust in very common software products. They covertly insert vulnerabilities that weaken security of technical systems for everyone, not just their targets.

The idea that this won't be abused by yet unknown parties can only be naïve optimism, plain stupidity or complete disregard for anything other than the NSA and GCHQ's mission.

How it works

This isn't about breaking the maths - at least not usually - it's about exploiting the 'joins' between the pieces of software, introducing flaws in the implementation of cryptology, and more general 'backdoors' to the communications, which don't rely on the cryptology. Schneier gives some good examples.

Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake

The agencies seem to be doing this directly with companies and standards bodies, on a very wide basis. Many of the exploits are better thought of as exploiting software vulnerabilities.

Thus their strategy relies on people trusting big companies, or not paying attention to the work of standards bodies choosing security protocols.

However, the focus on what cryptographic weaponry the NSA and GCHQ might have in their toolchest risks distracting from the far more pressing problem of poor operating system and application security. When it is possible for teenagers to own botnets containing hundreds of thousands of compromised machines, why would spy agencies waste their time and effort on the hard problem of attacking cryptographic protocols? It is far easier to simply take control of their targets' computers. All the crypto in the world will not save you if there's a virus on your machine - and one thing we know for sure is that it is very easy to attack most computers. No speculation about esoteric mathematics is required to see the truth of that. As Snowden says:

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

The weak point the agencies in practice seem to be using is software security, rather than crypto.

What this means: Economic and rights implications

Vulnerabilities and backdoors are open to anyone, potentially, to exploit. While the NSA and GCHQ may benefit, other foreign intelligence or criminal gangs could use some of the same exploits. For instance, VPN technology is relied on by businesses for security.

This pushes the whole policy outside of the realm of national security and into economics and competition, with important consequences for the UK government, given its role in the affair.

As long as the NSA/GCHQ surveillance scandal remained within the framework of national security, EU rules would make it the exclusive competency of member states. The UK could tell the European Commission to back off.

But given the clear economic implications for the wellbeing of millions of European citizens, it will be hard to argue that this remains a UK issue. We will have to push hard to get the EU to acknowledge this when so many of the member states are complicit. The others are not necessarily critical, either. Only the economic consequences are likely to help us make the EU take this up and investigate.

Our rights to privacy are important for many reasons, including as a back up to free speech. They are a bulwark against abuses of the state and a means to retain our personal freedom on a day to day level. But we know at times they can be compromised, for reasons of state security. Programmes like these, however, take matters even further than mass data collection, as they compromise our rights in a pervasive way without knowing who exactly might wish to remove our privacy and security. It is both a massive overstepping of government power, and simply irresponsible.

What we can do about it

Standards bodies seem to be one place where the security services have deliberately tried to introduce vulnerabilities. The Guardian say:

[a] secret document … shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006. "Eventually, NSA became the sole editor," the document states.

In the USA, according to ProPublica, the NSA Commercial Solutions Center invites vendors to submit their software for assessment, but this in fact seems to be a mechanism to compromise their products.

Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

There is a clear conflict of interests in allowing intelligence services to specify other people's security standards.

In the UK, the Communications-Electronics Security Group (CESG) approves communications technologies for government or people contracting to them. They are a civil arm of GCHQ: the rationale previously being that they should know about security. Their website lists several commercial certification products. Some of these are geared to companies trying to sell to government, but others are about simply giving approval to technologies and processes.

We have a simple question to CESG: have CESG approved any product that is known to be compromised by GCHQ or the NSA? And if they have, why should anyone take their security approvals seriously in the future?

They need to be made into fully transparent, public interest bodies that run independently of the security agencies, and perhaps government. Information Assurance and signals intelligence simply cannot be associated roles.

For yourself, use Open Source security technologies: if you can't read the code, you don't know how the software might actually operate. If the code is open, then it can be reviewed - if not by you, then by people you trust. Use transparent and interoperable encryption wherever you can, as Schneier recommends, to make it as hard as possible for the security services.


September 05, 2013 | Jim Killock

Nudge censorship: questions for ISPs and government

Back on 18 June, Maria Miller MP brought Internet companies to her office to talk about what can be done about various types of undesirable, offensive, adult or illegal online content.

A few weeks earlier, she wrote to some of these companies to shake them down, asking what money they could promise for an education campaign that nobody had specified, discussed or designed.

Behind this was the Prime Minister David Cameron's wish to announce something in a forthcoming statement.

We all know about that statement; in it he announced Nudge Censorship plans and that all the major Internet companies are going to install network level filtering.

At the time that Maria Miller was meeting Internet companies, we wrote with Index on Censorship, Big Brother Watch and English PEN to insist that civil society organisations be involved in discussions about any kind of censorship – including nudge censorship. This is because the impact on free expression of unintended censorship is there whatever the original intent. Our concern is about content that is legal and that the government should not restrict.

These problems are of course much worse with the proposed "adult filtering". As we know, the categories of content will be extremely wide.

However, Maria Miller did not invite us to those meetings. At the time we heard that they were very heated, and dominated by Claire Perry MP, who works as advisor on these issues to David Cameron. As we know, she thinks problems with false positives are "a load of cock", which rather emphasises the need for groups like ours to be present to ask the difficult questions.

As the government had seemingly failed to look at the difficult issues, we sent twenty questions about implementation to the major Internet Service Providers. They concentrate on privacy, liability for mistakes, correction of mistakes, transparency for website owners, the set up process and what precisely is filtered other than http (normal website) traffic.

We asked the ISPs to provide us with answers last month. They have all promised us responses. We haven’t received any yet. BT say they will give us an answer today, we expect Virgin and TalkTalk's shortly and we are waiting to meet with Sky to discuss their answers.

Today we are meeting with Ed Vaizey MP, the Minister at DCMS responsible for the Internet, to discuss these issues. We will ask Ed’s officials whether they have considered any of the questions we have asked and explain why they are so important.


September 03, 2013 | Jim Killock

Music industry try to revive the Digital Economy Act

There must be an election coming: the Prime Minister is listening to the demands of the music industry for new clampdowns on file sharing.

According to the Drum, music industry group the BPI will sit down with him at a breakfast meeting on 12 September. 

Simultaneously, Internet Service Providers (ISPs) are being asked by the BPI to implement 'voluntary' letter writing schemes, including databases of alleged downloaders, at the behest of rights holder groups.

Such schemes will have the same problems they did some years ago when ISPs rejected the idea. The principle of harvesting data without consent is extremely hard to accept. Back in 2010, the European Data Protection Supervisor Peter Hustinx made it clear that he does not think it is reasonable or proportionate as an approach within EU law.

ISPs should be very cautious about being made to adopt law enforcement and content curation roles: they risk their position as neutral providers of a network.

As ISPs take on increasing duties over what content flows over their network, then it becomes possible to argue that they should be liable for that content, in specific circumstances, for instance, if they had failed to meet certain policing duties. This is the approach that we were left with in ACTA; private policing in return for a "safe harbour" or limitation on liability.

There is also the question of cost. The BPI could today implement a letter writing scheme, by requesting customer details through the courts, and then asking them to prevent further downloading or risk court action. The costs would have to be met by the BPI in full of course, and that presumably is why the BPI is not keen to use this route. Yet no doubt their claims of economic damage will be very large. If the costs of infringement are really so high, why isn't the BPI able to make a positive economic judgement to pay for letter writing themselves?

Online music revenues are increasing. Companies are learning to adapt to file sharing, by making their films and TV shows available online quickly, when viewers want to watch them. Despite the rhetoric employed by the BPI and others during the DEA debates, it was not necessary to provide warnings and threats of legal action in order to entice people to use Spotify, iPlayer or Netflix. Rather, the content and the services had to be compelling, and then, unsurprisingly, people started to use them, and to pay, directly or indirectly.

The real lesson of the DEA is that it was not justified. Punitive measures in relation to copyright enforcement will always seem over the top, and smack of failing to appreciate how their businesses need to work for customers to provide great user experiences.

Why are the BPI going after heavy-handed enforcement measures? Why do they still insist they need them? It is beginning to feel like the BPI are simply having to justify their existence, and think this is a way of doing it.


August 15, 2013 | Ed Paton-Williams

Open Data Update

August is proving a busy time for open data. There are several initiatives and consultations that end in the following weeks.

Postcodes licensing

Hundreds of ORG supporters joined many others, including Tim Berners-Lee, in asking minister Michael Fallon not to privatise the Postcode database. Our pressure was not enough to stop the sell-off, but we managed to get Fallon to offer an olive branch in the form of free access for “micro-firms”.

This is clearly not enough, and we need to continue reminding the government that the Postcodes are part of the core national data the government plans to open up.

We have an opportunity to raise this issue once again. There is a consultation on new licensing for the Postcode database.

The consultation closes at 5pm on Friday 20th September.

UK Transparency: National Action Plan for the Open Government Partnership

The UK government has published its second Open Government Action Plan, a multilateral initiative that aims to secure concrete commitments from governments to promote transparency, empower citizens, fight corruption, and harness new technologies to strengthen governance.

Civil society groups - including ORG - have been contributing to drafting this plan over the past few months. The process has been positive, but we feel that many critical issues are not included. These have been listed in the Annex.

The draft plan is available for consultation here. But a quicker way to engage is to simply comment online on this interactive platform.

Both channels are equally valid. Consultation responses will be analysed jointly by the Cabinet Office Transparency Team and members of the civil society network.

This draft plan is now open for consultation until 19 September 2013.

The plan will be presented at the OGP summit in London on the 31st of October. ORG is organising some sessions at the summit on privacy and surveillance, and we will keep you posted nearer the date. You can pre-register here.

Public Administration Select Committee calls for evidence on open data

The Public Administration Select Committee (PASC) of the UK Parliament is conducting an inquiry into statistics and open data in Government, with a focus on the progress of the Government in implementing its Open Data strategy. This is part of PASC’s programme of work on statistics and their use in government.

Further information is available here. The deadline is 12 noon on Tuesday 3 September 2013.

HMRC consultation on data sharing

HMRC wants to be able to share more non-identifying information, including general and aggregate data as well as anonymised data sets. HMRC also seeks views on proposals to share VAT registration data, either publicly or under controlled conditions for specified purposes, for example, credit rating.

There are concerns that the proposals don’t go far enough from an open data perspective, and may end up simply funnelling valuable public data to large data brokers such as Experian that already know a lot about us. There are also obvious privacy risks involved in any mass sharing of anonymised data.

The consultation closes on 24 September 2013.

Data sharing is looking to become a big issue in the near future. ORG had a meeting with the Law Commission on this topic in July. They are planning to consult on changing the legal grounds for data sharing within government. Currently, departments have to prove the sharing serves a specific purpose linked to their mission. The proposals will make sharing the default.


August 14, 2013 | Lee Maguire

Virgin and Sky blindly blocking innocent sites

The blind over-blocking of innocent sites by UK ISPs apparently continues.

As reported by PC Pro, the systems implemented by both Virgin and Sky to stop access to websites blocked by the courts appear to be blocking innocent third-party sites with apparently little or no human oversight.  For example the website was reported to have been blocked.

In order to understand why this specific issue happened, you need to be familiar with a quirk in how DNS is commonly used in third-party load-balanced site deployments.

Many third-party load balanced systems, for example those using Amazon's AWS infrastructure, are enabled by pointing CNAME records at names controlled by those third-party systems. For example may be pointed at  However, "" usually cannot be directly given a CNAME record (CNAME records cannot be mixed with the other record types needed such as those pointing to nameservers and mailservers). A common approach is to point "" to a server that merely redirects all requests to "".

From forum posts we can see that it's this redirection system, in this specific case an A record used for "", that has been blocked by the ISPs - probably a court-order-blocked site is also using the service - making numerous sites unavailable for any request made without the "www" prefix.

These incidents strongly suggest that the opaque approach to website blocking by ISPs, and the apparent lack of oversight, has the potential to be hugely damaging to the internet. Open Rights Group calls for greater transparency in this area, beginning with making the court orders available for public inspection.


August 09, 2013 | Lee Maguire

Website blocking measures lead to inadvertent censorship

A technical decision made by Sky in implementing website blocking has led to the blocking of news site TorrentFreak.

TorrentFreak reports today that Sky is currently blocking access to their site. Not as a deliberate act of censorship, but as an entirely predictable by-product of its system for complying with court-ordered website blocks.

When the owner of EZTV (a site ordered blocked on the 25th of July) automatically pointed UK visitors to, Sky's blocking system (which from court documents we believe to be codenamed "Hawkeye") apparently automatically added TorrentFreak's IP address to its blacklist.

Inadvertent denial-of-service by pointing DNS records at innocent third-parties is an entirely predictable possibility for anyone attempting to implement blocking systems. If this explanation for blocking proves to be the case, we'd be extremely surprised if the possibility had not occurred to the engineers responsible.

Open Rights Group continues our call for more transparency in the ways these blocks are performed, including access to the orders that would presumably limit the legal scope of blocking. If merely blocking the handful of sites that have received blocking orders in the past 12 months results in collateral damage (such as the blocking of we hold little confidence in the ISPs being able to implement David Cameron's default network filtering plans without causing significant disruption.
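Both over-blocking cases (the repointed DNS record described in this post, and the shared redirect address in the 14 August post above) can be reproduced with a small model. This is an added example, not code from the original posts or from any ISP's system. All hostnames, addresses and zone data are constructed, and the guard assumes the operator has some view of which other hostnames resolve to an address (for instance a passive-DNS dataset).

```python
"""Model of an IP blocklist that follows DNS, and a guard against collateral blocks.

Constructed data only: names use the reserved .example TLD and addresses come
from documentation ranges. Record format: hostname -> [(record_type, value)].
"""

ORDERED = {"blocked-site.example"}  # hostnames named in a (hypothetical) court order

# Case 1: the ordered site's apex record uses the same shared redirect server
# that other customers use for their bare (non-www) domain.
ZONE_SHARED = {
    "blocked-site.example": [("A", "192.0.2.80")],
    "shop.example": [("A", "192.0.2.80")],              # apex -> shared redirector
    "www.shop.example": [("CNAME", "lb.cloud-host.example")],
    "lb.cloud-host.example": [("A", "198.51.100.7")],   # load balancer
}

# Case 2: the ordered site's record has been repointed at an unrelated site.
ZONE_REPOINTED = {
    "blocked-site.example": [("A", "192.0.2.200")],
    "news-site.example": [("A", "192.0.2.200")],
}

# Control: the ordered site sits on an address nobody else uses.
ZONE_DEDICATED = {
    "blocked-site.example": [("A", "203.0.113.10")],
    "news-site.example": [("A", "192.0.2.200")],
}


def resolve(name, zone, max_depth=8):
    """Return the set of A-record addresses for name, following CNAME chains."""
    ips, pending = set(), [(name, 0)]
    while pending:
        current, depth = pending.pop()
        if depth > max_depth:          # stop on CNAME loops or overlong chains
            continue
        for rtype, value in zone.get(current, []):
            if rtype == "A":
                ips.add(value)
            elif rtype == "CNAME":
                pending.append((value, depth + 1))
    return ips


def naive_update(ordered, zone):
    """Blindly block whatever addresses the ordered hostnames resolve to."""
    blocked = set()
    for name in ordered:
        blocked |= resolve(name, zone)
    return blocked


def collateral(blocked_ips, ordered, zone):
    """Hostnames outside the order that become unreachable under an IP block."""
    return sorted(
        name for name in zone
        if name not in ordered and resolve(name, zone) & blocked_ips
    )


def guarded_update(ordered, zone):
    """Auto-approve an address only if no hostname outside the order uses it.

    Returns (approved_ips, held) where held maps each withheld address to the
    third-party hostnames that a block would take down, for human review.
    """
    approved, held = set(), {}
    for ip in naive_update(ordered, zone):
        others = collateral({ip}, ordered, zone)
        if others:
            held[ip] = others
        else:
            approved.add(ip)
    return approved, held


if __name__ == "__main__":
    for label, zone in [("shared redirector", ZONE_SHARED),
                        ("repointed record", ZONE_REPOINTED),
                        ("dedicated address", ZONE_DEDICATED)]:
        blocked = naive_update(ORDERED, zone)
        print(label)
        print("  naive blocklist:", sorted(blocked))
        print("  collateral     :", collateral(blocked, ORDERED, zone))
        print("  guarded        :", guarded_update(ORDERED, zone))
```

In the shared-redirector case only the bare `shop.example` name is lost while `www.shop.example` keeps working, which matches the symptom reported for requests made without the "www" prefix.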
