call +44 20 7096 1079


June 28, 2013 | Jim Killock

PRISM Parliamentary event packed out

Around 70 people attended our PRISM and Tempora event in Parliament yesterday, hosted by Tom Watson MP. The speakers, Caspar Bowden, Simon McKay and David Davis MP, helped give context to some of the recent claims on surveillance made by the government.

The executive claims that all is well with secret surveillance, and that there is nothing to worry about, as everything that takes place is under a strict legal framework. And of course, if you have nothing to hide, you have nothing to fear.

Tom Watson and David Davis

Coincidentally, David Willets on Question Time made the same points about obeying the legal framework as William Hague did after the original PRISM leak from the Guardian.

However, the main message from both Caspar and Simon was that the US and UK legal framework is woefully lacking to the point of irrelevancy.

Caspar BowdenBowden explained that UK citizens lack any constitutional protections in the USA as 'foreign nationals'. FISA s702 contains provisions to target people for broad foreign policy reasons, which in practice means anything political that could be of interest to the US government. He explain that protections for whistleblowers and warnings when data is transferred to regimes like the US are needed in data protection law.

David Davis MP then outlined the political situation in the UK. He noted that the leaks from Snowden had changed the atmosphere surrounding surveillance questions, and that the oversight regime was broken. He said he believed that we have a chance to review the whole of the Act under which this surveillance is being carried out, RIPA. He later extended rare praise to the EU Commission and Viviane Reding in particular.

Simon McKaySimon McKay explained the UK legal framework, starting with provisions that require secrecy from agencies, in ways that can be used to hinder effective oversight. He showed that RIPA section 80 allows more or or less any kind of intelligence activity to be lawful. He described RIPA's oversight provisions as essentially a 'voluntary code'.

The discussion led into questions on the Snoopers' Charter; apparently the Joint Committee are livid with the lack of disclosure they were given surrounding intelligence sources. The justifications made by Theresa May at the time, that it was needed on the basis of terrorism and serious crime, do not now look well founded.

The event is covered in today's GuardianPC Pro and V3. We've posted the audio and slides of the event.

We'd like to thank all three speakers and Tom Watson for hosting the event.

[Read more] (4 comments)

June 26, 2013 | Jim Killock

Prophetic analysis warned about US-based cloud

One of the weak points in the new European data protection regulation that privacy advocates have been warning about is the ease by which data can be exported from the EU into FISAAA-ready services in the USA. In short, the European Commission have been trying to make “data exports” easier, but in the process have made it harder to enforce our fundamental privacy rights.

The Commission's position on data exports relates to their cloud strategy. They see the use of cloud computing as a way to enable EU businesses to save costs and become more efficient. They hope this will increase European competitiveness in a global marketplace. The argument runs that current data protection rules make full use of cloud computing impossible because of the restrictions it imposes on data exports, as all the big cloud providers are non-EU.

As Caspar Bowden and Judith Rauhofer point out in their recent paper, this argument leads to a position where data protection rights are highly unenforceable as soon as data moves outside the EU via data exports. In short, if the US enacts FISAAA laws and initiates PRISM, there’s not much that the new data protection laws can do to help, especially as they are currently drafted.

Rauhofer and Bowden also reference a paper produced back in January by the European Economic and Social Committee.The EESC pointed out the problem with the Commission’s economic argument. They say that an increase in the uptake of cloud services provided by mostly US-based companies will lead to a loss of sovereignty by EU businesses and public sector, not only over personal data, but also over commercially sensitive information and trade secrets:

Page 5-6:

Recent decades have demonstrated the significance of the dependency of the Member States - or even of Europe as a whole - regarding various sources of energy: petrol, gas, electricity, etc. Should European citizens', businesses' and public services' data in future be hosted, managed and controlled by non-European CC operators, there would be legitimate concerns surrounding the impact of this dependency:

  • protection of particularly sensitive data that are crucial to strategic competition between European and non-European countries, such as in the aviation, automotive, pharmaceutical and research sectors;
  • the availability of data in the event of international tensions between "host" countries and Member States;
  • equality of treatment of consumers of digital energy depending on whether or not they are citizens or organisations of a "friendly" country;
  • job and wealth creation from the production of digital energy, and also from the entire service development ecosystem, in the host countries, thus disadvantaging countries that are simply "cloud-friendly" users of digital energy. …

3.5 Currently, although there are some differences between the Member States' regulations, they are close to the European texts, standards and directives; hence users' fears - in some cases justified - of their data being stored outside Europe, leading to difficulties and legal stalemates in the event of disputes.

In addition, the greatest cause for concern among users is the "Patriot Act". This act came out of the war on terror (following the September 11 attacks), and allows the US government or a federal judge to access any data hosted and controlled by an American company, whether or not the owner of the data is American and including data hosted in a centre on European soil. Above all, the owner of the data cannot be informed that the host has disclosed the hosted data.

After Edward Snowden’s revelations about PRISM, now that the public and EU Parliament are more aware of the effects of FISAAA as well as the Patriot Act, there is a very high risk that EU businesses will lose trust in cloud services to everyone’s detriment.

This also creates an opportunity: data protection law can allow citizens and businesses to manage the risks. The increased privacy of European-based services could make them more competitive, especially for businesses who must protect their confidentiality, as the EESC point out. But the EU Parliament will have to be open to making some significant changes, including improving notification and insisting that US and other states’ surveillance laws are only to be applied to EU data in the context of international laws and agreements. This was the intention of Article 42 – which should now be reinstated.

[Read more] (2 comments)

June 24, 2013 | Jim Killock

Questions for the UK government

The Guardian’s revelations about the Tempora programme, including global Internet and telecoms surveillance, leave the UK’s reputation in great danger. Using legal loopholes, and hiding the extent of these programmes from the public eye, the UK has breached the rights of both our own citizens, and those of every country whose citizens’ data has been harvested.


Not everything set out by these leaks is new or unknown, but what is new is the confirmation of the existence of the programmes, and the pressure on governments to come clean and explain what they have done.

While governments can claim a need for secrecy around specific investigations, they cannot reasonably claim a need for secrecy around the programmes they initiate. By making such a massive operation secret, they have undermined the rule of law, denied us democratic accountability and breached legal commitments to human rights that have been made in public to the peoples of other countries.

The position seems to be that the UK government believes it can wiretap whatever it likes, so long as the tapping takes place outside of the UK (ie, the tap is placed on an undersea cable a few miles west of Bude) and involves communications that are not simply UK citizen to UK citizen.

Making this apparent to the political class, reversing the situation, and introducing genuine accountability will not be easy, but is vital. Here are some reasons why we need an unparalleled outbreak of political honesty, to live up to the opportunity that Edward Snowden has given us.

Senior politicians have misled Parliament and the public

Tempora was implemented under Labour, and has carried on under the Conservative-Lib Dem coalition. Some senior politicians including Jacqui Smith, Alan Johnson and Theresa May failed to inform the public and the vast majority of Parliament about Tempora. William Hague has been guilty of making similarly bland justifications and reassurances following revelations about PRISM. MPs should be especially wary of the executive’s justifications for Tempora. They have the most to lose, personally and politically.

However, the members of the three parties, their democratically elected committees and the delegates to their conferences did not know of these programmes. It is also highly unlikely that many MPs knew and it is even probable that many former and current ministers were never told about the programmes. Creating and continuing with Tempora will have been a decision taken by a very narrow group of people.

This places the UK’s political class in a troubling situation, and they badly need guidance from the public.

Malcolm Rifkind and the Snoopers’ Charter cheerleaders

Malcolm Rifkind chairs the Parliamentary committee responsible for overseeing the intelligence agencies, and has recently shown himself to be very much a willing hand of the Home Office. He has reassured everyone that these programmes are highly likely to be working within the law, and recording everyone’s communications is nothing to worry about, since there is too much to read. In essence, Rifkind believes, if you have nothing to hide, you have nothing to fear.

Even four hundred years ago, Cardinal Richelieu understood that this was not a compelling argument:

If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

and he was hardly a major proponent of universal human rights.

Given Rifkind’s beliefs, can we trust his leadership of the Intelligence and Security Committee to guide the only major inquiry that is currently planned by the UK Parliament?

Rifkind is a particularly powerful example of a kind of UK politician that makes a habit of justifying secret service and Home Office demands. He was one of the first people to argue for the return of the Snooper’s Charter. Others, including Lord Carlile, Lord Reid and Jack Straw have been wheeled out to make the same arguments, as if their experience implementing hardline rollbacks of civil liberties in some way made them the right people to explain to us why we need to trust the secret state. Their credibility is shattered.

Foreign policy

The UK is a major gateway for Internet traffic cross the Atlantic. The volumes of traffic are immense, and provide a major wiretapping opportunity

The UK government clearly thinks it benefits from being close to the US intelligence and helping out by providing such access to them.

Both the UK and the USA need to ask if it is reasonable to use their positions to surveil global communications without regard to individuals’ inalienable human rights, or other nations’ and allies’ legitimate interests. We cannot reasonably expect other countries to behave better, if we do not ourselves. Our position also seems to be at odds with our human rights commitments, which is angering many very reasonable countries, such as Germany.

Damage to the Internet economy

The global Internet economy has become more centralised, with a great deal of data being handled and stored by a few US companies, such as Facebook, Apple, Microsoft, Yahoo and Google. This, as Tim Wu observed at ORGCon, makes them easy to compel. Surveillance benefits from this kind of centralisation. This centralisation is also reflected in the small number of entry and exit points for Internet communications. Such ‘choke points’ increase the ease of surveillance.

However, the confidence of the public and businesses depends on a sense of trust. This balance has been thrown by the Snowden revelations. Internet privacy is not an abstract concern.

Surveillance from the USA and UK will include gathering intelligence for their ‘economic wellbeing’. Why should either nation be trusted when companies think about choosing ecommerce and cloud services? The ‘national interest’ of the UK and USA could easily override the privacy and security of a company based in Germany or France. Taking such an approach is surely bad for business.

Who is really threatened?

There are many threats to individuals from accessing data. These can include:

  1. Businesses, who may be communicating confidential information of interest to competitors;
  2. Businesses who are specifically competing against businesses in the US or UK, when our governments regard their competition as against our ‘national interest’;
  3. Journalists, who need to communicate privately with sources;
  4. Whistleblowers, especially those who act against the will of their government – think of Daniel Ellsberg perhaps;
  5. Anyone whose personal position could be leveraged by security services for their benefit;
  6. Members of groups like Anonymous;
  7. Everyone, as our data might be leaked to a third party against our will

The wider threat is to our democratic culture. If people fear being listened to, or becoming of interest to security services, then they change and limit their behaviour. This is a loss to the whole of society, whether or not you think the specific threats are likely to affect you.

What needs to happen

Everyone should think about how we rein in the security services. Some of the things that are needed include:

  1. The EU draft Data Protection Regulation must allow people to control their data, so they can manage the security threats to their personal data. It should reinstate Article 42, which requires data disclosures from companies should be governed by international agreements.
  2. Transparency calls in the USA must be heeded, immediately
  3. UK law must be revised to remove indiscriminate data collection
  4. US and UK surveillance activities must be brought into a transparent international legal framework

[Read more] (7 comments)

June 21, 2013 | Javier Ruiz

EE Dragging its Feet on Mobile Data Transparency

Mobile company EE has been quite open in explaining the sale of data analytics based on their customers data in partnership with Ipsos MORI. But we are concerned that they think the storm is over and can return to business as usual. We may need your support to make them listen.

EE has already met with ORG to explain how their data services work, how they aggregate data and what general legal framework they operate. For this, we commend EE on their openness and hope that it continues.

We asked EE for a technical meeting with independent experts, but have not received any reply. In order to reassure mobile users over their concerns it’s very important to establish the exact data EE collects, stores and uses for its data products.

The first step in improving transparency would be for EE to allow an independent technical check-up on their data collection and processing. Our proposed technical expert, Richard Clayton, who is based at the Computer Laboratory of the University of Cambridge, has carried out similar work requiring balancing public information with commercial and customer confidentiality. Richard Clayton did a similar study in 2008 with behavioural advertising company PHORM.

EE’s privacy policy explains that they collect and use a wide range of data, including purchasing habits and app use. They have also told us that their data products allow for cross referencing of location data with web history and other parameters. Clearly, there is a lot going on here and customers need more information.

On the 5th of June we held a public debate in Parliament on this issue, kindly hosted by Julian Huppert. The panel included representatives from EE, Ipsos MORI, the Information Commissioner Office (ICO) and Joss Wright from the Oxford Internet Institute. At that meeting Iain Bourne from the ICO made it clear that transparency is a fundamental principle of data protection and there is room for improvement in the way the companies explain to consumers what they are doing with customer data.

We may need your help soon to get EE and other companies to continue being open about their practices. They need to know that these issues are not going away and customers are more aware of what happens to their data.

[Read more]

June 17, 2013 | Jim Killock

Jargon File blocked by O2, Youtube by Orange

We regularly collect blocking reports from mobile users, via – and we've recently had some interesting ones.

Youtube content blocked at Orange, error reportReport your blocks here. Please keep them coming! [Note: These blocks are happening on the mobile networks' child safety filtering services. These are switched on by default by all networks except Three. For more detail on mobile network filtering, see our report.]

Orange blocking Youtube videos

Orange are blocking Youtube as unsafe for children. Interestingly, this is the first time we've seen this site blocked by a major telco for child protection. The reasoning seems pretty poor. It shows the scale to which default blocks can adversely impact people. Musn't let kids watch the sneezing panda or Justin Bieber!

[UPDATE: Orange deny Youtube is blocked by Safeguard. We demo the block here; if you are on Orange and have Safeguard switched on, let us know what happens for you]

[Update 2: Orange block YouTube under the higher of two settings on their "Safeguard" child protection filters. Under the setting "Safeguard On", user generated content sites including YouTube and Twitter are blocked.  You can read a little more about these settings on the Everything Everywhere site. So this is deliberate blocking on the highest child safety filter, rather than an accidental or mistaken block for all users or for those on the "Safeguard Light" setting". The Safeguard Lite setting is switched on by default, whereas the Safeguard On setting is by choice.]

The Jargon File

Venerable Internet and Hacking slang guide, around since the 1970s the Jargon File is hosted by Eric S Raymond. It is currently blocked by O2, presumably because it is classed as a "circumvention" tool. Mustn’t let kids learn how to use their computers!

However, a bug with the O2 URL checker means we can't check web pages with a tilda in them to see what the classification reasoning is, or to appeal it.

[UPDATE: using shows it is blocked as “hacking”)

Brains of Steel: blocked by O2

This is a personal blog and it is difficult to see why it is classified as 'self harm' by O2. But perhaps the talk of weight loss without dieting is picked up as pro-anorexia?

[Update, 20th June 2013: This has now been reclassified and unblocked on O2]

Campaign against political correctness

Not really clear how the CAPC is harmful to children, but it is blocked by O2 as 'hate speech'. The campaign is backed by Philip Davies MP and Andrew Percy MP. Blocked by Orange and O2.

Luxury lingerie

Blocked by Vodaphone / Virgin mobile; allowed on Orange and O2. Sells lingerie but probably not much more pornographic than an average Argos catalogue.

Mari Thomas Jewellery

Online jewellery site Mari Thomas is blocked by O2 and Orange. O2 classify the site as an 'anonymiser', for reasons that are entirely unclear.

Another gift shop blocked over Christmas 

In January we wrote about how Orange had blocked another shop over December of last year. Despite reporting the block in early December it took a month to get it unblocked. The reason seemed to be that the site sold engraved lighters and was categorised as smoking related. The site was thus blocked at a key commercial moment. If blocking on such a broad scale becomes more widespread, who is liable?

[Read more] (1 comments)

June 14, 2013 | Javier Ruiz

Open Data: Government Responds to Shakespeare's Review

The government has responded to the independent review of Public Sector Information (PSI) carried out by Stephan Shakespeare, chair of the Data Strategy Board. Here are our first impressions.

A National Data Strategy?

The tone of the Government's response (PDF and ODT) is of general agreement, but without a clearcut commitment to embark on the open data supply revolution asked for by Shakespeare. There will be a process to define a “National Information Infrastructure” composed of the most important datasets held by Government. This is preferred to the term “core reference data”.

A new set of criteria published on will be used to assess the usefulness and transformative potential of datasets. This is a very good approach, but there is no equivalent of the US executive order forcing departments to simply do it. There are long winded references to the new EU PSI directive that will come into force in 2015. The Transparency Team at the Cabinet Office is going to help departments apply those criteria to identify the key datasets. But the Transparency Team is already quite stretched, so it will be hard to do this without extra resources.

The government will also try to involve local authorities and other public bodies, but with the Trading Funds we can only expect incremental change. There are some good ideas regarding access for micro-businesses and non-profits including a commitment to allow them increased access to the Postcode Address File.

ORG has been campaigning for the file to be freely accessible and we welcome this as a positive step, while acknowledging there is more to be done:

Recognising the continued importance of the Postcode Address File (PAF) to private sector growth and the efficient running the public sector, we have agreed with Royal Mail that they will provide the PAF for free to independent micro-businesses for one year and to and independent small charitable organisations. Royal Mail will consult in July on a radical simplification of the licensing regime for all users.

Simplified governance of Open Data policy

The government promises to tackle the proliferation of open data responsibilities, so ironically the review may cost Shakespeare his post. The one concrete commitment so far is the merger of the Data Strategy Board with the Transparency Board. The remit, authority and oversight of the new board will be an important aspect of this policy until it becomes truly embedded in the departments.

Fuzzy response on privacy

The title of the response section on privacy is Maximising the benefit from personal data. There the government expresses agreement with Shakespeare’s general approach, which they claim is reflected in the UK government’s approach to the new EU Data Protection Regulation.

This approach is meant to balance privacy with growth and innovation. Unfortunately, the evidence in relation to the UK’s engagement with the Data Protection regulations is that protection of rights comes second to perceived business interests. The UK has consistently tried to undermine the progressive proposals in the original regulations.

The response provides few concrete proposals in this area though. This is not surprising given the complexity of privacy regulation and the processes already in place in Brussels. For example, Shakespeare asked for custodial sentences for data protection breaches, but the response is that these are already possible via other legislation, such as the Computer Misuse Act.

There are some worrying moves in relation to data-sharing among departments. The Law Commission is working on a scoping project to see if there are any real legal obstacles to the free flow of data across government. This is an area we will be watching closely.

[Read more]

June 14, 2013 | Lee Maguire

Has the NSA "poisoned the well" for responsible disclosure?

Will secret arrangements between tech companies and US intelligence affect how independent security researchers disclose vulnerabilities?

Revelations about the PRISM project involve US tech companies have been compelled to provide special assistance to US intelligence agencies. This has also drawn fresh attention to "responsible disclosure" systems regarding information about security vulnerabilities in those companies' products.

Early access to security vulnerabilities, flaws in the code or design that would allow an attacker to gain privileged access to computers - from smartphones to servers - and the data they hold, is desired by governments. The information can then be used both in a defensive capacity (protecting their own systems) and offensive (attacking systems they would, for whatever reason, like access to).

A legal commercial market for security vulnerabilities exists. But many security researchers choose to disclose vulnerabilities to companies and agree to wait for a set period of time before publicly disclosing their findings. That is considered 'responsible disclosure'.

However, a report by Bloomberg today highlights the arrangement between companies such as Microsoft and intelligence agencies through which advance information about vulnerabilities is disclosed. These disclosures will be done in the knowledge that the information can be used both defensively or offensively. No implication is made that these arrangements are legally compelled rather than voluntary.

But as the secret arrangements between US tech firms and intelligence services becomes a cause for concern, will this affect how disclosure arrangements are percieved? Will researchers see themselves as assisting US intelligence? If, when they share their findings with service providers, those service providers simply share the details with intelligence agencies, aren't service providers undermining incentives to responsibly disclose? Will foreign governments regard their own citizens participating in responsible disclosure as providing electronic-arms to a foreign power?

[Read more] (1 comments)

June 14, 2013 | Peter Bradwell

EU Commission caved to US demands to drop anti-PRISM privacy clause

...and how European policy makers can undo their mistake.

Reports this week revealed that the US successfully pressed the European Commission to drop sections of the Data Protection Regulation that would, as the Financial Times explains, “have nullified any US request for technology and telecoms companies to hand over data on EU citizens.

The article, (as you can read below), would have prohibited transfers of personal information to a third country under a legal request, for example the one used by the NSA for their PRISM programme, unless “expressly authorized by an international agreement or provided for by mutual legal assistance treaties or approved by a supervisory authority.”

The relevant section is Article 42, which you can read in a leaked draft Data Protection Regulation from late 2011, available from State Watch.

The Article was deleted from the draft Regulation proper, which was published shortly afterwards in January 2012. The reports suggest this was due to intense pressure from the US. Commission Vice-President Viviane Reding favoured keeping the the clause, but other Commissioners seemingly did not grasp the significance of the article. The FT explains:

“the move came after repeated visits to Brussels by senior Obama administration officials, including Cameron Kerry, the commerce department’s top lawyer and brother of US secretary of state John Kerry, who chairs an inter-agency task force responsible for vetting EU data-exchange laws.”

In the wake of the PRISM stories and increased awareness of the powers available to the NSA through "FISAAA" (the law enabling the PRISM programme), this looks like a major error of judgment – surrendering Europeans' data and, potentially, damaging the competitive advantage that cloud services based within the EU could have offered.

In response to such strong public concerns, and the fact that EU citizens have no rights protecting their data under FISAAA, the Commission and other European policy makers need to show some leadership and stand up for the citizens they are supposed to represent, by reinstating the Article.

This is the second example that we have publicised this week of European policy makers weakening the Data Protection Regulation and thus making the NSA FISAAA surveillance on European citizens easier. We blogged this week about Baroness Ludford's amendment that would delete your right to know if your data will be transferred to a third country or international organisation. We hope the Baroness withdraws this amendment.

We thought it would be helpful to post up the relevant deleted sections, which are copied below. The full leaked Regulation that includes Article 42 in available from State Watch.

For an introduction to the FISAAA law, watch the video of Caspar Bowden's excellent ORGCon talk on this.  

From the introduction:

"Article 42 clarifies that in accordance with international public law and existing EU legislation, in particular Council Regulation (EC) No 2271/9633, a controller operating in the EU is prohibited to disclose personal to a third country if so requested by a third country's judicial or administrative authority, unless this is expressly authorized by an international agreement or provided for by mutual legal assistance treaties or approved by a supervisory authority."

Article 42

Disclosures not authorized by Union law

1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.

2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority in accordance with point (b) of Article 31(1).

3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 41.

4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority.

5. The Commission may lay down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

[Read more] (1 comments)

google plusdeliciousdiggfacebookgooglelinkedinstumbleupontwitteremail