call +44 20 7096 1079


June 12, 2013 | Peter Bradwell

Baroness Ludford amendment - opening the door to FISAAA?

Liberal Democrat MEP Baroness Ludford has proposed an amendment to the Data Protection Regulation that would mean your data could be transferred to the USA without you being informed.

Baroness Sarah Ludford MEP

Baroness Ludford, by ALDE, cc-by-nc-sa

The UK Liberal Democrat MEP Baroness Ludford has recently published an article in LibDem Voice accusing the Open Rights Group of "overreacting" to a letter she had written to the Financial Times.

In late March ORG wrote an article for the same Lib-Dem blog pointing out that in her letter to the Financial Times, the Baroness had failed to mention the interests of citizens. Instead Baroness Ludford highlighted the well-known concerns of some technology companies – roughly, that the new rules will stifle internet businesses.

But there is more to our concern than the contents of that letter. The Baroness proposed 113 amendments to the draft Regulation [Correction 12/6: the correct number is 129]. You can read all of them on Parltrack. (We'll be putting up an analysis of more of these shortly). These include proposals that we believe would severely undermine people's privacy rights and leave them with less control over their data. 

For instance, the Baroness is behind amendment number 1210.

This removes the right to know if your data might be transferred to a third country or international organisation.  It does this by deleting the following bit of the proposed Regulation:

Article 14 – paragraph 1 – point g
(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

It hardly needs spelling out given the recent news about PRISM and state surveillance, but knowing which companies or countries your data might be moved to is likely to increasingly be a fundamental consideration for someone deciding whether to share personal data.

EDRi challenged Baroness Ludford on Twitter to withdraw this amendment in light of the PRISM revelations, yet she refuses to do so:

@EDRi_org: .@SarahLudfordMEP Will you withdraw your AM 1210 that removes obligations to inform if data will be transferred abroad? #prism #eudatap

@SarahLudfordMEP: @EDRi_org: prob is that it's not only 'transferred' data at risk of FISA orders. Glad @VivianeRedingEU pressing Holder, long overdue

@EDRi_org: .@SarahLudfordMEP You won't withdraw AM1210? You seriously want to create a right to export data without telling anyone? #eudatap #prism

This is one reason that we do not believe that ORG and Privacy International have been overreacting, as the Baroness suggested. The Baroness has proposed some of the most damaging amendments we have seen, potentially weakening the definition of consent, creating quite broad loopholes permitting the use of data without consent, and reducing the information people receive when data about them is collected. 

It was no real surprise to see that the Baroness was recently ranked sixth on the list of MEPs who had proposed the most damaging amendments following analysis reported on the website

In her article Baroness Ludford also cites the European consumer BEUC's position on consent in support of her position. In a response sent to members of the LIBE Committee, BEUC have been strongly critical, adding that it was 'to their dismay...that...(she) referred to our position on ‘consent’ in isolation and without referring to the points included in the BEUC position.” BEUC go on to say that other amendments proposed by the Baroness would “systematically reduce the level of protection that consumers in the UK and elsewhere enjoy”.

We will continue looking at her (many) other damaging amendments in a follow up post.

[Read more] (1 comments)

June 12, 2013 | Rachel Wemyss

Caspar Bowden - How to wiretap the Cloud (without almost anybody noticing)

Independent privacy advocate and ex-Microsoft employee Caspar Bowden gives the crucial legal context to PRISM and FISAAA. Bowden explains how the 4th Amendment does not apply to non-US citizens leaving the US government able to conduct mass surveillance of the cloud. This timely ORGCon2013 talk is essential viewing!

[Read more]

June 10, 2013 | Jim Killock

What William Hague and Theresa May need to tell us

While admiration for Edward Snowden's whistleblowing grows in the USA and abroad, in the UK we are listening to Sir Malcolm Rifkind and William Hague with increasing scepticism.

It seems obvious that our security services will have received information from these trawling and retention systems, and equally it would be a little surprising if they had broken international law. The government must answer these questions, especially to tell us what they knew, but Sir Malcolm Rifkind insisting that ministerial warrants would be required seems tiresome and a way of avoiding the real point.

The government cannot simply insist that US-based surveillance, wich is both secret and pervasive, is just a US problem. PRISM in particular seems to be targeted at non-US citizens, for very broad 'foreign policy' considerations. Additionally, the legal position in the US is that there are no constitutional protections for non-US citizens. Caspar Bowden outlined these points in detail (PDF) at ORGCon on Saturday.

Our UK government must have known about US FISAA powers, and most likely the kind of programmes that the new law was creating.

When Parliament thought about a similar problem in preparation for the UK census, they were alarmed and took action. The Patriot Act allows data to be 'seized' secretly under National Security Letters. Parliament asked that the US contractor, Lockheed Martin, be prevented from handling census data, to avoid the possibility that data might be seized and copied under the Patriot Act. Parliament won that battle.

What William Hague and Theresa May should have been doing was making sure that our businesses and citizens knew to shelter from FISAAA powers. They should have been attempting to strengthen our data protection arrangements, or ensuring through procurement that all personal data the government keeps is kept out of the USA, until more reasonable laws are in place.

Instead, their reaction seems to have been to push ahead with our own UK version, in the Snooper's Charter. Frightening and unaccountable US powers seem merely to have inspired in Theresa May the desire to replicate them here.

Laws are meant to guarantee reasonable behaviour. Once secrecy around their interpretation, implementation and use is complete, it should be no surprise that powers get out of control. A lot of this secrecy exists in the UK at present: we do not know which companies retain data, nor whose data is accessed. There is no individual notification; nor court supervision of access. During the Snooper's Charter debate, the Home Office was extraordinarily reluctant to discuss the problems they believed they had, citing national security instead. For FISAAA, the government did nothing to encourage sensible analysis of what this should mean for UK citizens', journalists' and businesses' confidentiality.

The ability of government institutions to turn a blind eye and ignore such serious problems, to the point that our trust in them is dealt a terrible blow, is a failure of leadership. Now our politicians must live up to their duty, and turn their attention to ways to protect British and European citizens from US-based warrantless surveillance.

UK politicians should demand:

  1. That US law recognises the human rights of foreign citizens, in particular their right to privacy
  2. That EU Data Protection requires EU standards of privacy from US companies; or warns when this cannot be guaranteed
  3. That UK and EU procurement be designed to protect personal data from warrantless US surveillance


[Read more]

June 07, 2013 | Jim Killock

Advisory Council nominations

Are you an expert in digital issues, civil liberties or campaigning? Or do you know who should be helping us form policy and campaign strategy?

Once a year, ORG recruits experts to our Advisory Council. This is the your chance to help us be the most expert and forward thinking digital civil liberties organisation in the UK. Send nominations to

This year we particularly want

  1. Privacy experts, in data protection, surveillance laws and digital privacy
  2. People with a legal background
  3. People with a strong background in copyright reform
  4. Campaigners
  5. People with experience in FOI, Subject Access Requests, media work
  6. Journalists and investigative journalists
  7. People with senior political contacts in the Labour, Lib Dem and Conservative parties

Please send us your nominations!

[Read more] (1 comments)

June 07, 2013 | Peter Bradwell

PRISM: The FISAAA smoking gun

We'll be posting analysis through the day about the revelations about PRISM and the NSA. Here's some background on the Foreign Intelligence Services Act.

UPDATED: see presentation by Caspar Bowden below.

The slides about secret data access under the 'PRISM' programme published today seem are somewhat of a smoking gun. Concerns about the implications of the Foreign Intelligence Services Act (FISAA), and in particular section 1881a, have been around for a while. For example, a report for the LIBE Committee of the European Parliament last year (co-authored by Caspar Bowden, who will be speaking about this at ORGCon tomorrow) said:

"So far, almost all the attention on such conflicts has been focussed on the US PATRIOT Act, but there has been virtually no discussion of the implications of the US Foreign Intelligence Surveillance Amendment Act of 2008. §1881a of FISAA for the first time created a power of mass-surveillance specifically targeted at the data of non-US persons located outside the US, which applies to Cloud computing. Although all of the constituent definitions had been defined in earlier statutes, the conjunction of all of these elements was new."

These revelations could have potentially devastating consequences for cloud computing. As noted in our previous blog, the UK government have some big questions to answer. 

This presentation (PDF) by Caspar Bowden contains very detailed explanations.

We also asked Professor of International Law Douwe Korff for his explanation of what's happening. Here's what he said:

 "US law makes non-US citizens living outside the USA completely fair game for unlimited surveillance by the US intelligence agencies, in particular under FISAA para. 1881a.  That paragraph effectively removes all restraints on the monitoring by US intelligence agencies of such non-US-citizens' e-communications, mobile phone communications, SKYPE conversations, social network exchanges, SMS texts or Internet browsing and video- and photograph- and file-sharing.

It is not even necessary that the surveillance is relevant to US national security issues.  Moreover, the US legislators and courts have consistently denied US constitutional protections to non-US citizens:  in all relevant respects in relation to surveillance by the US authorities, the Constitution simply does not apply to such non-US-citizens.  Protestations by US authorities that their legal system provides basically the same protection as is provided to EU citizens under European human rights and data protection law are quite simply untrue and deliberate attempts to hide the absence of any real protection of non-US-citizens from the US  global surveillance system. It is time civil society groups on both sides of the Atlantic join hands to fight against the new global Big Brother environment that is being created by supposedly democratic governments in both the USA and Europe."

Caspar Bowden has been expressing concerns about the FISAA provisions for some time. He'll be giving an hour long talk tomorrow at ORGCon on exactly this topic - it should be rather interesting! 

[Read more] (1 comments)

June 07, 2013 | Jim Killock

PRISM - Diffracting non-US Citizens' basic privacy since 2007?

It's being reported by the Guardian and Washington Post that the US National Security Agency can routinely access the sensitive data stored by big web firms including Facebook, Google, Skype, Microsoft, Yahoo, YouTube and Apple.

Top secret slides from the US National Security Agency say that email, video and voice chat, videos, photos, voice-over-IP chats (eg. Skype), file transfers, video conferencing, social networking details and 'Special Requests' are all collectable.

The web companies' response has been that if this has been happening, they were unaware of it and that they don't give government direct access to their servers. 

The Director of US National Intelligence, clearly talking with a US audience in mind, said that the law allowing this apparent collection of communications ensures that only "non-U.S. persons outside the U.S. are targeted."

Such a statement is intended to put American minds at rest. Where this leaves the rest of the world - including UK citizens, businesses, charities, MPs, campaigners and NGOs - is another matter.

In the light of this, the UK Government has very serious questions to answer.

  1. What did the UK Government know about the PRISM programme?
  2. Given the history of collaboration between the US and the UK, can they give us assurances that UK secret services have not been involved in the PRISM programme?
  3. Will the UK Government be seeking clarification from the US Government about whether the data of UK citizens is being monitored by the NSA?
  4. Has the UK received any intelligence based on queries made through the alleged PRISM programme?
  5. Would the Government advise that UK citizens, businesses and MPs stop using services provided by American web companies such as Google, Facebook and Microsoft?
  6. Can the UK Government give assurance that the commercial confidentiality of UK businesses has not been breached through the PRISM programme?

In addition, a Parliamentary investigation is required. Companies such as Google, Facebook, Microsoft and Yahoo need to answer to Parliament as to what data about UK citizens may have been included in the PRISM programme. The investigation should also ask questions of representatives of the UK Government and the intelligence agencies to bring transparency to clear up whether they had any involvement in the PRISM.

[Read more]

June 06, 2013 | Javier Ruiz

EE debate mobile weblogs and privacy

Yesterday we had a debate on mobile data in Parliament, kindly hosted by Julian Huppert. The panel included representatives from mobile phone company EE, Ipsos MORI, the Information Commissioner Office and Joss Wright from the Oxford Internet Institute.

The companies didn't add anything new to what we had learnt in previous conversations. They clearly don't see a problem with collecting highly personal information, including internet usage, and building commercial insights on it. EE argues that collecting such data is required for business purposes.

For example, if you query your mobile data bill they could use your web history to show you why. This raised a few eyebrows. They also claimed that everything is in their privacy policy, which is partly true. We think however that the policy of EE and those of other companies should provide more detail. Also, there is no opt in or out option here.

Ipsos MORI defended their integrity as handlers of personal information and explained that the data they get is anonymised thoroughly. For them mobile data seems a continuation of their work gaining insights into people's heads as pollsters and market researchers.

Joss Wright argued that data cannot be "anonymised" in binary form, but that instead we should speak of probabilities. Also he queried the concept of personal data and how you can learn a lot about someone without needing their name, date of birth and other identifiers.

The ICO said they didn't see a fundamental problem, although they think that there is a lot of room for improvement in how companies communicate their policies and what happens to data.

There were lots of really interesting contributions from the floor. Our audience was of a very high calibre and very informed. People raised a broad range of issues: highly technical questions on international data sharing, how can value be transferred back to customers, as happens with loyalty cards, and many others.

What we took home is that we still want to know a lot more about what exactly is being collected and processed by EE and other mobile companies. We are going to ask again EE to provide this information and help our technical experts understand the processes.

We remain concerned that collecting customer behaviour data for commercial purposes may require better consent models and current privacy policies may not be enough. We need to establish more clearly that data protection is upheld, not just in the data sharing with Ipsos MORI, but throughout the whole value chain.

Ultimately we think the mobile industry may need to sit down with other stakeholders and develop a code of practice that goes above and beyond minimum levels of mobile companies' views of data protection.

[Read more]

June 06, 2013 | Peter Bradwell

DCMS call summit on dealing with extreme or illegal content online

ORG to write to Minister to ensure civil society presence

This morning comes news that Maria Miller, Secretary of State for Culture, Media and Sport, has summoned internet companies to a summit on how they deal with illegal and extreme content online. This morning we will be writing to the Minister to make sure that Open Rights Group and representatives of civil society are present.

[Update: You can read a joint letter, written with Index on Censorship, English PEN and Big Brother Watch, on our correspondence page.]

In one sense this is not particularly surprising - politicians are reacting to the heated coverage in the media of exposure to various types of illegal or extreme content online over the past two weeks, which stemmed largely from the two tragic cases of Lee Rigby and April Jones.

It is understandable that the Minister wants to see what can be done to deal with illegal content online. But powers to make decisions about what people are allowed to see and do on the Internet are significant and must be treated with great care. Efforts to ensure a 'safer' online environment can inadvertently lead to overreaching or unaccountable powers or practices that block far too much content, for example. There are particularly serious problems when governments ask or expect companies to police content on their platforms, for example through industry practices.

For example, in our research into mobile networks' Internet filtering we found routine over blocking, including of shops, political blogs and community sites. Similarly, in Australia last month, it emerged that 1,200 websites were accidentally blocked when a government agency tried to take down two sites allegedly involved with fraud. [Update: it emerges that in fact 250,000 websites were accidentally blocked, on top of the already reported 1,200 - thanks to Pete on Twitter for pointing this out!]

We will post our letter, and any response, on the blog as soon as possible.

[Read more] (1 comments)

google plusdeliciousdiggfacebookgooglelinkedinstumbleupontwitteremail