call +44 20 7096 1079


June 12, 2013 | Ruth Coustick-Deal

PRISM, Free speech and creativity: Looking back on ORGCon2013

Thanks to all who came along to ORGCon2013! ORG have a summary of the major sessions, plus details on where you can find more on the sessions you missed.

Open Rights Group’s third national conference took place last weekend at the Institute of Engineering and Technology, with a fantastic set of speakers and hundreds of attendees.

Thank you to all who came along, we hope you had a great event!

Due to recent news there was a big buzz around digital rights issues, especially privacy and surveillance, at this year’s ORGCon. The day was was full of energetic debate on a diverse range of topics and was not without a fair share of controversy. With five sessions happening simultaneously, we only regret we couldn’t witness it all! There were some recurring themes and certain topics that sparked much debate. Clearly PRISM was the issue on everyone’s minds, but topics of free speech including its relationship to copyright, feminism, social media and the child’s right to know was also a big area of contention.

The day kicked off with Tim Wu’s keynote speech on The Digital Rights Movement. Wu described how new technologies and movements have a tendency towards centralisation, but that the Internet has the capability to break out of that pattern, especially due to its communication power to allow consumers and rights activists to develop alternatives and share lo-tech ideas. Nevertheless, he left delegates with the warning that ‘any device designed to liberate can be used to enslave.’

Caspar Bowden presenting on FISAA

Caspar Bowden, privacy expert, spoke to an attentive audience keen to hear his insights on FISAAA, Data Protection and PRISM or ‘How to wiretap the Cloud (without almost anybody noticing).’ Bowden began with a disclaimer that he had not known about PRISM, but deduced what was going on from open-sources. Bowden explained how UK citizens have no right to privacy under the 4th Amendment, a subject that was brought up again in John Perry Barlow’s closing speech. You can read the slides of Caspar’s presentation here and watch his talk here.

Creative Citizens panel

The Creative Citizens panel session was as lively as promised with Steve Lawson, Diane Duane and Simon Indelicate sharing their experiences of how the Internet is changing the creative industries and what is means to be an artist, taking the perspective that it isn’t so much winning at the Internet that is important , but the way in which that the Internet allows you to be a failure on such a large scale that it can begin to seem like a new kind of success. As musicians begin to pave their own way and take control of their own marketing, Lawson suggested there might be a market for digital story-tellers or documenters as the the outlook appears grim for artists who are yet to get their heads around Twitter.

This year’s ORGCon for the first time featured a series of ten minute rapid-fire talks and this session was one of the highlights of the day. The talks were a great opportunity for ORG supporters to address the conference and get their point across snappily. In her stand-out talk Milena Popova shared her experience of the tensions between feminism and the digital rights activism in her talk ‘When Worlds Collide’ calling for the digital rights community to “reach out beyond our bubble of geeks in black t-shirts and make this a welcoming community for everyone.” These sessions were a quick introduction to lots of new projects and threats - for instance Tanya O’Caroll’s talk on Panic Button, Amnesty International’s new app, got a lot of interest from developers looking to contribute to the project, and Richard King gave a useful overview of how to start-up an ORG group - take a look at his blog and get involved.

John Perry Barlow presenting at ORGCOn2013

In the closing keynote John Perry Barlow re-asserted the utopian possibilities of the Internet in his speech ‘The Freedom to Know’. Barlow, making a case for radical transparency, asserted that privacy is contextual, making the bold claim that the loss of privacy that the Internet brings may lead to a greater acceptance of our individual idiosyncrasies, face tattoos and all. He took a great range of questions and spoke on issues from the un-taxability of bitcoins to the Internet as a threat to monotheism, on collective ways to assure human rights and on American civil liberties campaigners attitude to the threat to world-wide privacy from FISAA.

If you missed out on the day, and want more of a round-up, there are lots of other ways you can go over the material. Watch Caspar Bowden’s talk on FISAA right now, follow the hashtag #orgcon, look at the photos on Flickr and keep an eye for the upcoming videos of the main sessions where you watch a lot of the event.

If you have written a blog or report on ORGCon we would love to share it and hear your thoughts, so please let us know. If you have any specific feedback on orgcon, please email - A questionnaire for all attendees will be out soon.


Read more blogs on ORGCon!

Milena Popova:

Ray Corrigan:

Andrew McStay:


[Read more]

June 12, 2013 | Peter Bradwell

Baroness Ludford amendment - opening the door to FISAAA?

Liberal Democrat MEP Baroness Ludford has proposed an amendment to the Data Protection Regulation that would mean your data could be transferred to the USA without you being informed.

Baroness Sarah Ludford MEP

Baroness Ludford, by ALDE, cc-by-nc-sa

The UK Liberal Democrat MEP Baroness Ludford has recently published an article in LibDem Voice accusing the Open Rights Group of "overreacting" to a letter she had written to the Financial Times.

In late March ORG wrote an article for the same Lib-Dem blog pointing out that in her letter to the Financial Times, the Baroness had failed to mention the interests of citizens. Instead Baroness Ludford highlighted the well-known concerns of some technology companies – roughly, that the new rules will stifle internet businesses.

But there is more to our concern than the contents of that letter. The Baroness proposed 113 amendments to the draft Regulation [Correction 12/6: the correct number is 129]. You can read all of them on Parltrack. (We'll be putting up an analysis of more of these shortly). These include proposals that we believe would severely undermine people's privacy rights and leave them with less control over their data. 

For instance, the Baroness is behind amendment number 1210.

This removes the right to know if your data might be transferred to a third country or international organisation.  It does this by deleting the following bit of the proposed Regulation:

Article 14 – paragraph 1 – point g
(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

It hardly needs spelling out given the recent news about PRISM and state surveillance, but knowing which companies or countries your data might be moved to is likely to increasingly be a fundamental consideration for someone deciding whether to share personal data.

EDRi challenged Baroness Ludford on Twitter to withdraw this amendment in light of the PRISM revelations, yet she refuses to do so:

@EDRi_org: .@SarahLudfordMEP Will you withdraw your AM 1210 that removes obligations to inform if data will be transferred abroad? #prism #eudatap

@SarahLudfordMEP: @EDRi_org: prob is that it's not only 'transferred' data at risk of FISA orders. Glad @VivianeRedingEU pressing Holder, long overdue

@EDRi_org: .@SarahLudfordMEP You won't withdraw AM1210? You seriously want to create a right to export data without telling anyone? #eudatap #prism

This is one reason that we do not believe that ORG and Privacy International have been overreacting, as the Baroness suggested. The Baroness has proposed some of the most damaging amendments we have seen, potentially weakening the definition of consent, creating quite broad loopholes permitting the use of data without consent, and reducing the information people receive when data about them is collected. 

It was no real surprise to see that the Baroness was recently ranked sixth on the list of MEPs who had proposed the most damaging amendments following analysis reported on the website

In her article Baroness Ludford also cites the European consumer BEUC's position on consent in support of her position. In a response sent to members of the LIBE Committee, BEUC have been strongly critical, adding that it was 'to their dismay...that...(she) referred to our position on ‘consent’ in isolation and without referring to the points included in the BEUC position.” BEUC go on to say that other amendments proposed by the Baroness would “systematically reduce the level of protection that consumers in the UK and elsewhere enjoy”.

We will continue looking at her (many) other damaging amendments in a follow up post.

[Read more] (1 comments)

June 12, 2013 | Rachel Wemyss

Caspar Bowden - How to wiretap the Cloud (without almost anybody noticing)

Independent privacy advocate and ex-Microsoft employee Caspar Bowden gives the crucial legal context to PRISM and FISAAA. Bowden explains how the 4th Amendment does not apply to non-US citizens leaving the US government able to conduct mass surveillance of the cloud. This timely ORGCon2013 talk is essential viewing!

[Read more]

June 10, 2013 | Jim Killock

What William Hague and Theresa May need to tell us

While admiration for Edward Snowden's whistleblowing grows in the USA and abroad, in the UK we are listening to Sir Malcolm Rifkind and William Hague with increasing scepticism.

It seems obvious that our security services will have received information from these trawling and retention systems, and equally it would be a little surprising if they had broken international law. The government must answer these questions, especially to tell us what they knew, but Sir Malcolm Rifkind insisting that ministerial warrants would be required seems tiresome and a way of avoiding the real point.

The government cannot simply insist that US-based surveillance, wich is both secret and pervasive, is just a US problem. PRISM in particular seems to be targeted at non-US citizens, for very broad 'foreign policy' considerations. Additionally, the legal position in the US is that there are no constitutional protections for non-US citizens. Caspar Bowden outlined these points in detail (PDF) at ORGCon on Saturday.

Our UK government must have known about US FISAA powers, and most likely the kind of programmes that the new law was creating.

When Parliament thought about a similar problem in preparation for the UK census, they were alarmed and took action. The Patriot Act allows data to be 'seized' secretly under National Security Letters. Parliament asked that the US contractor, Lockheed Martin, be prevented from handling census data, to avoid the possibility that data might be seized and copied under the Patriot Act. Parliament won that battle.

What William Hague and Theresa May should have been doing was making sure that our businesses and citizens knew to shelter from FISAAA powers. They should have been attempting to strengthen our data protection arrangements, or ensuring through procurement that all personal data the government keeps is kept out of the USA, until more reasonable laws are in place.

Instead, their reaction seems to have been to push ahead with our own UK version, in the Snooper's Charter. Frightening and unaccountable US powers seem merely to have inspired in Theresa May the desire to replicate them here.

Laws are meant to guarantee reasonable behaviour. Once secrecy around their interpretation, implementation and use is complete, it should be no surprise that powers get out of control. A lot of this secrecy exists in the UK at present: we do not know which companies retain data, nor whose data is accessed. There is no individual notification; nor court supervision of access. During the Snooper's Charter debate, the Home Office was extraordinarily reluctant to discuss the problems they believed they had, citing national security instead. For FISAAA, the government did nothing to encourage sensible analysis of what this should mean for UK citizens', journalists' and businesses' confidentiality.

The ability of government institutions to turn a blind eye and ignore such serious problems, to the point that our trust in them is dealt a terrible blow, is a failure of leadership. Now our politicians must live up to their duty, and turn their attention to ways to protect British and European citizens from US-based warrantless surveillance.

UK politicians should demand:

  1. That US law recognises the human rights of foreign citizens, in particular their right to privacy
  2. That EU Data Protection requires EU standards of privacy from US companies; or warns when this cannot be guaranteed
  3. That UK and EU procurement be designed to protect personal data from warrantless US surveillance


[Read more]

June 07, 2013 | Jim Killock

Advisory Council nominations

Are you an expert in digital issues, civil liberties or campaigning? Or do you know who should be helping us form policy and campaign strategy?

Once a year, ORG recruits experts to our Advisory Council. This is the your chance to help us be the most expert and forward thinking digital civil liberties organisation in the UK. Send nominations to

This year we particularly want

  1. Privacy experts, in data protection, surveillance laws and digital privacy
  2. People with a legal background
  3. People with a strong background in copyright reform
  4. Campaigners
  5. People with experience in FOI, Subject Access Requests, media work
  6. Journalists and investigative journalists
  7. People with senior political contacts in the Labour, Lib Dem and Conservative parties

Please send us your nominations!

[Read more] (1 comments)

June 07, 2013 | Peter Bradwell

PRISM: The FISAAA smoking gun

We'll be posting analysis through the day about the revelations about PRISM and the NSA. Here's some background on the Foreign Intelligence Services Act.

UPDATED: see presentation by Caspar Bowden below.

The slides about secret data access under the 'PRISM' programme published today seem are somewhat of a smoking gun. Concerns about the implications of the Foreign Intelligence Services Act (FISAA), and in particular section 1881a, have been around for a while. For example, a report for the LIBE Committee of the European Parliament last year (co-authored by Caspar Bowden, who will be speaking about this at ORGCon tomorrow) said:

"So far, almost all the attention on such conflicts has been focussed on the US PATRIOT Act, but there has been virtually no discussion of the implications of the US Foreign Intelligence Surveillance Amendment Act of 2008. §1881a of FISAA for the first time created a power of mass-surveillance specifically targeted at the data of non-US persons located outside the US, which applies to Cloud computing. Although all of the constituent definitions had been defined in earlier statutes, the conjunction of all of these elements was new."

These revelations could have potentially devastating consequences for cloud computing. As noted in our previous blog, the UK government have some big questions to answer. 

This presentation (PDF) by Caspar Bowden contains very detailed explanations.

We also asked Professor of International Law Douwe Korff for his explanation of what's happening. Here's what he said:

 "US law makes non-US citizens living outside the USA completely fair game for unlimited surveillance by the US intelligence agencies, in particular under FISAA para. 1881a.  That paragraph effectively removes all restraints on the monitoring by US intelligence agencies of such non-US-citizens' e-communications, mobile phone communications, SKYPE conversations, social network exchanges, SMS texts or Internet browsing and video- and photograph- and file-sharing.

It is not even necessary that the surveillance is relevant to US national security issues.  Moreover, the US legislators and courts have consistently denied US constitutional protections to non-US citizens:  in all relevant respects in relation to surveillance by the US authorities, the Constitution simply does not apply to such non-US-citizens.  Protestations by US authorities that their legal system provides basically the same protection as is provided to EU citizens under European human rights and data protection law are quite simply untrue and deliberate attempts to hide the absence of any real protection of non-US-citizens from the US  global surveillance system. It is time civil society groups on both sides of the Atlantic join hands to fight against the new global Big Brother environment that is being created by supposedly democratic governments in both the USA and Europe."

Caspar Bowden has been expressing concerns about the FISAA provisions for some time. He'll be giving an hour long talk tomorrow at ORGCon on exactly this topic - it should be rather interesting! 

[Read more] (1 comments)

June 07, 2013 | Jim Killock

PRISM - Diffracting non-US Citizens' basic privacy since 2007?

It's being reported by the Guardian and Washington Post that the US National Security Agency can routinely access the sensitive data stored by big web firms including Facebook, Google, Skype, Microsoft, Yahoo, YouTube and Apple.

Top secret slides from the US National Security Agency say that email, video and voice chat, videos, photos, voice-over-IP chats (eg. Skype), file transfers, video conferencing, social networking details and 'Special Requests' are all collectable.

The web companies' response has been that if this has been happening, they were unaware of it and that they don't give government direct access to their servers. 

The Director of US National Intelligence, clearly talking with a US audience in mind, said that the law allowing this apparent collection of communications ensures that only "non-U.S. persons outside the U.S. are targeted."

Such a statement is intended to put American minds at rest. Where this leaves the rest of the world - including UK citizens, businesses, charities, MPs, campaigners and NGOs - is another matter.

In the light of this, the UK Government has very serious questions to answer.

  1. What did the UK Government know about the PRISM programme?
  2. Given the history of collaboration between the US and the UK, can they give us assurances that UK secret services have not been involved in the PRISM programme?
  3. Will the UK Government be seeking clarification from the US Government about whether the data of UK citizens is being monitored by the NSA?
  4. Has the UK received any intelligence based on queries made through the alleged PRISM programme?
  5. Would the Government advise that UK citizens, businesses and MPs stop using services provided by American web companies such as Google, Facebook and Microsoft?
  6. Can the UK Government give assurance that the commercial confidentiality of UK businesses has not been breached through the PRISM programme?

In addition, a Parliamentary investigation is required. Companies such as Google, Facebook, Microsoft and Yahoo need to answer to Parliament as to what data about UK citizens may have been included in the PRISM programme. The investigation should also ask questions of representatives of the UK Government and the intelligence agencies to bring transparency to clear up whether they had any involvement in the PRISM.

[Read more]

June 06, 2013 | Javier Ruiz

EE debate mobile weblogs and privacy

Yesterday we had a debate on mobile data in Parliament, kindly hosted by Julian Huppert. The panel included representatives from mobile phone company EE, Ipsos MORI, the Information Commissioner Office and Joss Wright from the Oxford Internet Institute.

The companies didn't add anything new to what we had learnt in previous conversations. They clearly don't see a problem with collecting highly personal information, including internet usage, and building commercial insights on it. EE argues that collecting such data is required for business purposes.

For example, if you query your mobile data bill they could use your web history to show you why. This raised a few eyebrows. They also claimed that everything is in their privacy policy, which is partly true. We think however that the policy of EE and those of other companies should provide more detail. Also, there is no opt in or out option here.

Ipsos MORI defended their integrity as handlers of personal information and explained that the data they get is anonymised thoroughly. For them mobile data seems a continuation of their work gaining insights into people's heads as pollsters and market researchers.

Joss Wright argued that data cannot be "anonymised" in binary form, but that instead we should speak of probabilities. Also he queried the concept of personal data and how you can learn a lot about someone without needing their name, date of birth and other identifiers.

The ICO said they didn't see a fundamental problem, although they think that there is a lot of room for improvement in how companies communicate their policies and what happens to data.

There were lots of really interesting contributions from the floor. Our audience was of a very high calibre and very informed. People raised a broad range of issues: highly technical questions on international data sharing, how can value be transferred back to customers, as happens with loyalty cards, and many others.

What we took home is that we still want to know a lot more about what exactly is being collected and processed by EE and other mobile companies. We are going to ask again EE to provide this information and help our technical experts understand the processes.

We remain concerned that collecting customer behaviour data for commercial purposes may require better consent models and current privacy policies may not be enough. We need to establish more clearly that data protection is upheld, not just in the data sharing with Ipsos MORI, but throughout the whole value chain.

Ultimately we think the mobile industry may need to sit down with other stakeholders and develop a code of practice that goes above and beyond minimum levels of mobile companies' views of data protection.

[Read more]

google plusdeliciousdiggfacebookgooglelinkedinstumbleupontwitteremail