call +44 20 7096 1079

Blog


July 01, 2013 | Javier Ruiz

Open Rights Group at Latin American open data events

Open Rights Group participated in two international conferences in Uruguay last week. We were invited to cover the junction between privacy and open data, an area under increasing scrutiny as governments implement transparency programmes.

ORG has been working on the issues and conflicts around privacy and open data for some time. Recently ORG intervened to help limit access to the National Pupil Database for commercial companies.

The first gathering was Abrelatam 2013, organised by the lovely people of Data Uruguay and Ciudadano Inteligente from Chile, the Latin equivalent to MySociety. If you want to hear more about the Chileans, founder Felipe Heusser will be in London at the Guardian Activate conference on Tuesday 9th of July.

Abrelatam 2013 unconference

Abrelatam brought together tech and transparency activists from across Latin America and beyond, including OKFN, Sunlight Foundation and MySociety. There were many inspiring stories and groups, from the data journalists from La Nacion to the mobile tech lab in a bus from Brazilians Transparencia Hacker.

The conference covered the usual open data topics from measuring the success of programmes - users, impacts, etc. - and smart cities to how to convince governments to open up. But quite refreshingly there were also many conversations around grassroots participation and involvement, with a very genuine concern that open data is not just about playing with tech toys. The discussion on the relationship between transparency and social movements took place against the backdrop of mass protests in Brazil.

We were particularly impressed with the work of the ACIJ from Argentina shedding light on the opaque selection process of magistrates in Buenos Aires using open data and visualisation tools. This case also brings important lessons on how privacy claims should not hinder the transparency of public appointments. Another excellent project, presented by Laura Sommer, is Chequeado.com, where citizens can “verify public discourse”, with a classification system that besides true or false includes finer verdicts such as “not supported by evidence”, “exaggerated” and “true, but”, meaning that a crucial aspect has been ommited.

ORG’s proposed session on privacy brought up many interesting examples of conflicts and difficult choices. Among others we heard of exam results being published in Mexico and the electoral register with Google indexed photos in Argentina. The consensus was that the privacy and open data nexus is very important but we lack the framework to analyse it. This is particularly complicated with the diversity of legal and cultural contexts we find in different countries. Many activists asked for more information and capacity building.

The second event we attended involved governments and international bodies. The Regional Conference on Open Data for Latin America and the Caribbean covered a fairly comprehensive range of public information topics: agriculture, health, education archives and statistics, etc. The region can boast some transparency giants such as Brazil, and there are efforts in most other countries. But there is a long way to go in terms of accountability and genuine civic participation, as evidenced in the Brazilian riots.

Conf Datos Abiertos Uruguay 2013

ORG participated in a panel on the regulation of open data. The room was full despite the session partially clashing with the football match between Uruguay and Brazil that wrecked havoc with the planned schedule. Our contribution again centred on the privacy aspects of these policies. Other panelists included the data protection agencies of Uruguay and Mexico, the Brazilian Fundaçao Getulio Vargas and Spanish legal expert Franz Ruz from rooter.es. The discussion touched on the many legal frameworks governing open data, from access to licensing and reuse, but most of the hard questions centred on privacy and data protection.

We covered as much as we could in such a short time:

  • The conflict between open data and the fundamental principles of data processing - purpose limitation, etc.
  • Criteria for assessing the privacy protection of public employees: seniority, work related activities, etc.
  • Asymmetries of public benefit and personal costs: education, health, public registers…
  • The difficulties in asking citizens directly about the value of privacy and transparency
  • Anonymisation and its discontents
  • Voluntary sharing of personal information and the need for control over our data
  • European data protection hot topics: righto to delete (not forget), pseudonymous data, consent
  • Combining regulatory models for hard complexity: participation, multistakeholderism, strong data protection, technical guidelines, sector codes of practice…

On our last day we mananged to squeeze an extra workshop on privacy and open data for local activists and a meeting with the Government of Uruguay to help them improve their work with civil society to produce a national transparency plan, as required by their membership of the Open Government Partnership. ORG is part of the coordination of the UK civil society network working on the Open Government Partnership.

We came back home reassured that open data and privacy is a really important issue, where ORG can really help as one of a handful or organisations currently trying to tackle the difficult questions that arise. Last week also reaffirmed that most of the issues we deal with on the impacts of technology on rights and liberties have a global reach, and that while we must continue leading on UK policies we have to increasingly work internationally as well.

You can join our email list on Open Data Privacy HERE

[Read more]


June 28, 2013 | Jim Killock

PRISM Parliamentary event packed out

Around 70 people attended our PRISM and Tempora event in Parliament yesterday, hosted by Tom Watson MP. The speakers, Caspar Bowden, Simon McKay and David Davis MP, helped give context to some of the recent claims on surveillance made by the government.

The executive claims that all is well with secret surveillance, and that there is nothing to worry about, as everything that takes place is under a strict legal framework. And of course, if you have nothing to hide, you have nothing to fear.

Tom Watson and David Davis

Coincidentally, David Willets on Question Time made the same points about obeying the legal framework as William Hague did after the original PRISM leak from the Guardian.

However, the main message from both Caspar and Simon was that the US and UK legal framework is woefully lacking to the point of irrelevancy.

Caspar BowdenBowden explained that UK citizens lack any constitutional protections in the USA as 'foreign nationals'. FISA s702 contains provisions to target people for broad foreign policy reasons, which in practice means anything political that could be of interest to the US government. He explain that protections for whistleblowers and warnings when data is transferred to regimes like the US are needed in data protection law.

David Davis MP then outlined the political situation in the UK. He noted that the leaks from Snowden had changed the atmosphere surrounding surveillance questions, and that the oversight regime was broken. He said he believed that we have a chance to review the whole of the Act under which this surveillance is being carried out, RIPA. He later extended rare praise to the EU Commission and Viviane Reding in particular.

Simon McKaySimon McKay explained the UK legal framework, starting with provisions that require secrecy from agencies, in ways that can be used to hinder effective oversight. He showed that RIPA section 80 allows more or or less any kind of intelligence activity to be lawful. He described RIPA's oversight provisions as essentially a 'voluntary code'.

The discussion led into questions on the Snoopers' Charter; apparently the Joint Committee are livid with the lack of disclosure they were given surrounding intelligence sources. The justifications made by Theresa May at the time, that it was needed on the basis of terrorism and serious crime, do not now look well founded.

The event is covered in today's GuardianPC Pro and V3. We've posted the audio and slides of the event.

We'd like to thank all three speakers and Tom Watson for hosting the event.

[Read more] (4 comments)


June 26, 2013 | Jim Killock

Prophetic analysis warned about US-based cloud

One of the weak points in the new European data protection regulation that privacy advocates have been warning about is the ease by which data can be exported from the EU into FISAAA-ready services in the USA. In short, the European Commission have been trying to make “data exports” easier, but in the process have made it harder to enforce our fundamental privacy rights.

The Commission's position on data exports relates to their cloud strategy. They see the use of cloud computing as a way to enable EU businesses to save costs and become more efficient. They hope this will increase European competitiveness in a global marketplace. The argument runs that current data protection rules make full use of cloud computing impossible because of the restrictions it imposes on data exports, as all the big cloud providers are non-EU.

As Caspar Bowden and Judith Rauhofer point out in their recent paper, this argument leads to a position where data protection rights are highly unenforceable as soon as data moves outside the EU via data exports. In short, if the US enacts FISAAA laws and initiates PRISM, there’s not much that the new data protection laws can do to help, especially as they are currently drafted.

Rauhofer and Bowden also reference a paper produced back in January by the European Economic and Social Committee.The EESC pointed out the problem with the Commission’s economic argument. They say that an increase in the uptake of cloud services provided by mostly US-based companies will lead to a loss of sovereignty by EU businesses and public sector, not only over personal data, but also over commercially sensitive information and trade secrets:

Page 5-6:

Recent decades have demonstrated the significance of the dependency of the Member States - or even of Europe as a whole - regarding various sources of energy: petrol, gas, electricity, etc. Should European citizens', businesses' and public services' data in future be hosted, managed and controlled by non-European CC operators, there would be legitimate concerns surrounding the impact of this dependency:

  • protection of particularly sensitive data that are crucial to strategic competition between European and non-European countries, such as in the aviation, automotive, pharmaceutical and research sectors;
  • the availability of data in the event of international tensions between "host" countries and Member States;
  • equality of treatment of consumers of digital energy depending on whether or not they are citizens or organisations of a "friendly" country;
  • job and wealth creation from the production of digital energy, and also from the entire service development ecosystem, in the host countries, thus disadvantaging countries that are simply "cloud-friendly" users of digital energy. …

3.5 Currently, although there are some differences between the Member States' regulations, they are close to the European texts, standards and directives; hence users' fears - in some cases justified - of their data being stored outside Europe, leading to difficulties and legal stalemates in the event of disputes.

In addition, the greatest cause for concern among users is the "Patriot Act". This act came out of the war on terror (following the September 11 attacks), and allows the US government or a federal judge to access any data hosted and controlled by an American company, whether or not the owner of the data is American and including data hosted in a centre on European soil. Above all, the owner of the data cannot be informed that the host has disclosed the hosted data.

After Edward Snowden’s revelations about PRISM, now that the public and EU Parliament are more aware of the effects of FISAAA as well as the Patriot Act, there is a very high risk that EU businesses will lose trust in cloud services to everyone’s detriment.

This also creates an opportunity: data protection law can allow citizens and businesses to manage the risks. The increased privacy of European-based services could make them more competitive, especially for businesses who must protect their confidentiality, as the EESC point out. But the EU Parliament will have to be open to making some significant changes, including improving notification and insisting that US and other states’ surveillance laws are only to be applied to EU data in the context of international laws and agreements. This was the intention of Article 42 – which should now be reinstated.

[Read more] (2 comments)


June 24, 2013 | Jim Killock

Questions for the UK government

The Guardian’s revelations about the Tempora programme, including global Internet and telecoms surveillance, leave the UK’s reputation in great danger. Using legal loopholes, and hiding the extent of these programmes from the public eye, the UK has breached the rights of both our own citizens, and those of every country whose citizens’ data has been harvested.

GCHQ Bude

Not everything set out by these leaks is new or unknown, but what is new is the confirmation of the existence of the programmes, and the pressure on governments to come clean and explain what they have done.

While governments can claim a need for secrecy around specific investigations, they cannot reasonably claim a need for secrecy around the programmes they initiate. By making such a massive operation secret, they have undermined the rule of law, denied us democratic accountability and breached legal commitments to human rights that have been made in public to the peoples of other countries.

The position seems to be that the UK government believes it can wiretap whatever it likes, so long as the tapping takes place outside of the UK (ie, the tap is placed on an undersea cable a few miles west of Bude) and involves communications that are not simply UK citizen to UK citizen.

Making this apparent to the political class, reversing the situation, and introducing genuine accountability will not be easy, but is vital. Here are some reasons why we need an unparalleled outbreak of political honesty, to live up to the opportunity that Edward Snowden has given us.

Senior politicians have misled Parliament and the public

Tempora was implemented under Labour, and has carried on under the Conservative-Lib Dem coalition. Some senior politicians including Jacqui Smith, Alan Johnson and Theresa May failed to inform the public and the vast majority of Parliament about Tempora. William Hague has been guilty of making similarly bland justifications and reassurances following revelations about PRISM. MPs should be especially wary of the executive’s justifications for Tempora. They have the most to lose, personally and politically.

However, the members of the three parties, their democratically elected committees and the delegates to their conferences did not know of these programmes. It is also highly unlikely that many MPs knew and it is even probable that many former and current ministers were never told about the programmes. Creating and continuing with Tempora will have been a decision taken by a very narrow group of people.

This places the UK’s political class in a troubling situation, and they badly need guidance from the public.

Malcolm Rifkind and the Snoopers’ Charter cheerleaders

Malcolm Rifkind chairs the Parliamentary committee responsible for overseeing the intelligence agencies, and has recently shown himself to be very much a willing hand of the Home Office. He has reassured everyone that these programmes are highly likely to be working within the law, and recording everyone’s communications is nothing to worry about, since there is too much to read. In essence, Rifkind believes, if you have nothing to hide, you have nothing to fear.

Even four hundred years ago, Cardinal Richelieu understood that this was not a compelling argument:

If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

and he was hardly a major proponent of universal human rights.

Given Rifkind’s beliefs, can we trust his leadership of the Intelligence and Security Committee to guide the only major inquiry that is currently planned by the UK Parliament?

Rifkind is a particularly powerful example of a kind of UK politician that makes a habit of justifying secret service and Home Office demands. He was one of the first people to argue for the return of the Snooper’s Charter. Others, including Lord Carlile, Lord Reid and Jack Straw have been wheeled out to make the same arguments, as if their experience implementing hardline rollbacks of civil liberties in some way made them the right people to explain to us why we need to trust the secret state. Their credibility is shattered.

Foreign policy

The UK is a major gateway for Internet traffic cross the Atlantic. The volumes of traffic are immense, and provide a major wiretapping opportunity

The UK government clearly thinks it benefits from being close to the US intelligence and helping out by providing such access to them.

Both the UK and the USA need to ask if it is reasonable to use their positions to surveil global communications without regard to individuals’ inalienable human rights, or other nations’ and allies’ legitimate interests. We cannot reasonably expect other countries to behave better, if we do not ourselves. Our position also seems to be at odds with our human rights commitments, which is angering many very reasonable countries, such as Germany.

Damage to the Internet economy

The global Internet economy has become more centralised, with a great deal of data being handled and stored by a few US companies, such as Facebook, Apple, Microsoft, Yahoo and Google. This, as Tim Wu observed at ORGCon, makes them easy to compel. Surveillance benefits from this kind of centralisation. This centralisation is also reflected in the small number of entry and exit points for Internet communications. Such ‘choke points’ increase the ease of surveillance.

However, the confidence of the public and businesses depends on a sense of trust. This balance has been thrown by the Snowden revelations. Internet privacy is not an abstract concern.

Surveillance from the USA and UK will include gathering intelligence for their ‘economic wellbeing’. Why should either nation be trusted when companies think about choosing ecommerce and cloud services? The ‘national interest’ of the UK and USA could easily override the privacy and security of a company based in Germany or France. Taking such an approach is surely bad for business.

Who is really threatened?

There are many threats to individuals from accessing data. These can include:

  1. Businesses, who may be communicating confidential information of interest to competitors;
  2. Businesses who are specifically competing against businesses in the US or UK, when our governments regard their competition as against our ‘national interest’;
  3. Journalists, who need to communicate privately with sources;
  4. Whistleblowers, especially those who act against the will of their government – think of Daniel Ellsberg perhaps;
  5. Anyone whose personal position could be leveraged by security services for their benefit;
  6. Members of groups like Anonymous;
  7. Everyone, as our data might be leaked to a third party against our will

The wider threat is to our democratic culture. If people fear being listened to, or becoming of interest to security services, then they change and limit their behaviour. This is a loss to the whole of society, whether or not you think the specific threats are likely to affect you.

What needs to happen

Everyone should think about how we rein in the security services. Some of the things that are needed include:

  1. The EU draft Data Protection Regulation must allow people to control their data, so they can manage the security threats to their personal data. It should reinstate Article 42, which requires data disclosures from companies should be governed by international agreements.
  2. Transparency calls in the USA must be heeded, immediately
  3. UK law must be revised to remove indiscriminate data collection
  4. US and UK surveillance activities must be brought into a transparent international legal framework

[Read more] (7 comments)


June 21, 2013 | Javier Ruiz

EE Dragging its Feet on Mobile Data Transparency

Mobile company EE has been quite open in explaining the sale of data analytics based on their customers data in partnership with Ipsos MORI. But we are concerned that they think the storm is over and can return to business as usual. We may need your support to make them listen.

EE has already met with ORG to explain how their data services work, how they aggregate data and what general legal framework they operate. For this, we commend EE on their openness and hope that it continues.

We asked EE for a technical meeting with independent experts, but have not received any reply. In order to reassure mobile users over their concerns it’s very important to establish the exact data EE collects, stores and uses for its data products.

The first step in improving transparency would be for EE to allow an independent technical check-up on their data collection and processing. Our proposed technical expert, Richard Clayton, who is based at the Computer Laboratory of the University of Cambridge, has carried out similar work requiring balancing public information with commercial and customer confidentiality. Richard Clayton did a similar study in 2008 with behavioural advertising company PHORM.

EE’s privacy policy explains that they collect and use a wide range of data, including purchasing habits and app use. They have also told us that their data products allow for cross referencing of location data with web history and other parameters. Clearly, there is a lot going on here and customers need more information.

On the 5th of June we held a public debate in Parliament on this issue, kindly hosted by Julian Huppert. The panel included representatives from EE, Ipsos MORI, the Information Commissioner Office (ICO) and Joss Wright from the Oxford Internet Institute. At that meeting Iain Bourne from the ICO made it clear that transparency is a fundamental principle of data protection and there is room for improvement in the way the companies explain to consumers what they are doing with customer data.

We may need your help soon to get EE and other companies to continue being open about their practices. They need to know that these issues are not going away and customers are more aware of what happens to their data.

[Read more]


June 17, 2013 | Jim Killock

Jargon File blocked by O2, Youtube by Orange

We regularly collect blocking reports from mobile users, via blocked.org.uk – and we've recently had some interesting ones.

Youtube content blocked at Orange, error reportReport your blocks here. Please keep them coming! [Note: These blocks are happening on the mobile networks' child safety filtering services. These are switched on by default by all networks except Three. For more detail on mobile network filtering, see our report.]

Orange blocking Youtube videos

www.youtube.com

Orange are blocking Youtube as unsafe for children. Interestingly, this is the first time we've seen this site blocked by a major telco for child protection. The reasoning seems pretty poor. It shows the scale to which default blocks can adversely impact people. Musn't let kids watch the sneezing panda or Justin Bieber!

[UPDATE: Orange deny Youtube is blocked by Safeguard. We demo the block here; if you are on Orange and have Safeguard switched on, let us know what happens for you]

[Update 2: Orange block YouTube under the higher of two settings on their "Safeguard" child protection filters. Under the setting "Safeguard On", user generated content sites including YouTube and Twitter are blocked.  You can read a little more about these settings on the Everything Everywhere site. So this is deliberate blocking on the highest child safety filter, rather than an accidental or mistaken block for all users or for those on the "Safeguard Light" setting". The Safeguard Lite setting is switched on by default, whereas the Safeguard On setting is by choice.]

The Jargon File

catb.org/~esr/jargon/

Venerable Internet and Hacking slang guide, around since the 1970s the Jargon File is hosted by Eric S Raymond. It is currently blocked by O2, presumably because it is classed as a "circumvention" tool. Mustn’t let kids learn how to use their computers!

However, a bug with the O2 URL checker means we can't check web pages with a tilda in them to see what the classification reasoning is, or to appeal it.

[UPDATE: using http://catb.org/%7Eesr/jargon/ shows it is blocked as “hacking”)

Brains of Steel: blocked by O2

brainsofsteel.co.uk

This is a personal blog and it is difficult to see why it is classified as 'self harm' by O2. But perhaps the talk of weight loss without dieting is picked up as pro-anorexia?

[Update, 20th June 2013: This has now been reclassified and unblocked on O2]

Campaign against political correctness 

www.capc.co.uk/

Not really clear how the CAPC is harmful to children, but it is blocked by O2 as 'hate speech'. The campaign is backed by Philip Davies MP and Andrew Percy MP. Blocked by Orange and O2.

Luxury lingerie

www.thehouseofseduction.com

Blocked by Vodaphone / Virgin mobile; allowed on Orange and O2. Sells lingerie but probably not much more pornographic than an average Argos catalogue.

Mari Thomas Jewellery

Online jewellery site Mari Thomas is blocked by O2 and Orange. O2 classify the site as an 'anonymiser', for reasons that are entirely unclear.

Another gift shop blocked over Christmas 

In January we wrote about how Orange had blocked another shop www.foreverandeternity.co.uk over December of last year. Despite reporting the block in early December it took a month to get it unblocked. The reason seemed to be that the site sold engraved lighters and was categorised as smoking related. The site was thus blocked at a key commercial moment. If blocking on such a broad scale becomes more widespread, who is liable?

[Read more] (1 comments)


June 14, 2013 | Javier Ruiz

Open Data: Government Responds to Shakespeare's Review

The government has responded to the independent review of Public Sector Information (PSI) carried out by Stephan Shakespeare, chair of the Data Strategy Board. Here are our first impressions.

A National Data Strategy?

The tone of the Government's response (PDF and ODT) is of general agreement, but without a clearcut commitment to embark on the open data supply revolution asked for by Shakespeare. There will be a process to define a “National Information Infrastructure” composed of the most important datasets held by Government. This is preferred to the term “core reference data”.

A new set of criteria published on data.gov.uk will be used to assess the usefulness and transformative potential of datasets. This is a very good approach, but there is no equivalent of the US executive order forcing departments to simply do it. There are long winded references to the new EU PSI directive that will come into force in 2015. The Transparency Team at the Cabinet Office is going to help departments apply those criteria to identify the key datasets. But the Transparency Team is already quite stretched, so it will be hard to do this without extra resources.

The government will also try to involve local authorities and other public bodies, but with the Trading Funds we can only expect incremental change. There are some good ideas regarding access for micro-businesses and non-profits including a commitment to allow them increased access to the Postcode Address File.

ORG has been campaigning for the file to be freely accessible and we welcome this as a positive step, while acknowledging there is more to be done:

Recognising the continued importance of the Postcode Address File (PAF) to private sector growth and the efficient running the public sector, we have agreed with Royal Mail that they will provide the PAF for free to independent micro-businesses for one year and to and independent small charitable organisations. Royal Mail will consult in July on a radical simplification of the licensing regime for all users.

Simplified governance of Open Data policy

The government promises to tackle the proliferation of open data responsibilities, so ironically the review may cost Shakespeare his post. The one concrete commitment so far is the merger of the Data Strategy Board with the Transparency Board. The remit, authority and oversight of the new board will be an important aspect of this policy until it becomes truly embedded in the departments.

Fuzzy response on privacy

The title of the response section on privacy is Maximising the benefit from personal data. There the government expresses agreement with Shakespeare’s general approach, which they claim is reflected in the UK government’s approach to the new EU Data Protection Regulation.

This approach is meant to balance privacy with growth and innovation. Unfortunately, the evidence in relation to the UK’s engagement with the Data Protection regulations is that protection of rights comes second to perceived business interests. The UK has consistently tried to undermine the progressive proposals in the original regulations.

The response provides few concrete proposals in this area though. This is not surprising given the complexity of privacy regulation and the processes already in place in Brussels. For example, Shakespeare asked for custodial sentences for data protection breaches, but the response is that these are already possible via other legislation, such as the Computer Misuse Act.

There are some worrying moves in relation to data-sharing among departments. The Law Commission is working on a scoping project to see if there are any real legal obstacles to the free flow of data across government. This is an area we will be watching closely.

[Read more]


June 14, 2013 | Lee Maguire

Has the NSA "poisoned the well" for responsible disclosure?

Will secret arrangements between tech companies and US intelligence affect how independent security researchers disclose vulnerabilities?

Revelations about the PRISM project involve US tech companies have been compelled to provide special assistance to US intelligence agencies. This has also drawn fresh attention to "responsible disclosure" systems regarding information about security vulnerabilities in those companies' products.

Early access to security vulnerabilities, flaws in the code or design that would allow an attacker to gain privileged access to computers - from smartphones to servers - and the data they hold, is desired by governments. The information can then be used both in a defensive capacity (protecting their own systems) and offensive (attacking systems they would, for whatever reason, like access to).

A legal commercial market for security vulnerabilities exists. But many security researchers choose to disclose vulnerabilities to companies and agree to wait for a set period of time before publicly disclosing their findings. That is considered 'responsible disclosure'.

However, a report by Bloomberg today highlights the arrangement between companies such as Microsoft and intelligence agencies through which advance information about vulnerabilities is disclosed. These disclosures will be done in the knowledge that the information can be used both defensively or offensively. No implication is made that these arrangements are legally compelled rather than voluntary.

But as the secret arrangements between US tech firms and intelligence services becomes a cause for concern, will this affect how disclosure arrangements are percieved? Will researchers see themselves as assisting US intelligence? If, when they share their findings with service providers, those service providers simply share the details with intelligence agencies, aren't service providers undermining incentives to responsibly disclose? Will foreign governments regard their own citizens participating in responsible disclosure as providing electronic-arms to a foreign power?

[Read more] (1 comments)


google plusdeliciousdiggfacebookgooglelinkedinstumbleupontwitteremail