call +44 20 7096 1079


October 11, 2012 | Jim Killock

Party conferences and the Comms Data Bill

ORG ran two sessions this year, with Big Brother Watch, at the Lib Dem and Labour conferences. We also leafletted all three Conferences, with help from ORG and No2ID volunteers in Brighton, Manchester and Birmingham - a big thank you to everyone who helped!

At Labour's conference on 1 October, we were joined by Stella Creasy MP, Katy Clarke MP and Mike Harris, head of advocacy at Index on Censorship. Stella Creasy outlined her questions, which included:

  • Will it work (is it technically feasible)?
  • How much will it cost?
  • What are the alternatives?

Her concerns were essentially pragmatic. This is understandable, but ignores the fundamental right to the protection of privacy, which is alarming. 

I assume that Stella Creasy and the Labour Party are uncertain or unconvinced by these arguments, but for ORG supporters, I suspect many would like to know that a future Labour government would not simply roll over for the Home Office as seemed to be the case under the last Labour administration.

The usefulness of data comes in part from its intrusiveness. So the collection and access to communications information is balanced against the fundamental right to privacy.  As a start, many politicians accept that the police should have access to communications traffic data. Of course, sometimes law enforcement have had access to this data, as with phone bills.

However, at other times, as with library reading records, or who we send mail to, then the UK government has quite rightly decided that it has no such right to this kind of traffic data at all.

The correct balance is in general that data should be available to law enforcement only if it exists anyway, and then only when they have reasonable suspicion, and also when it is not linked to the content of communications. It must not cause people to limit their access to information or speech. This way, access to data is about investigation, rather than mass surveillance or control, and can be justifiable. 

This approach has been severely upset by data retention laws, which require traffic data to be kept beyond their usefulness for business. Data retention has given politicians the impression that police should have a right to a record of our communications online. This makes the intellectual case for new collection powers, where that data is hard to access otherwise, seem reasonable.

However, there is pushback. Data retention has been challenged in a number of states. The latest challenge to be mounted is in Slovakia. An EU challenge is also due.

The Conservative and Lib Dem conference sessions on the CDB started much more from the point of view of these fundamental issues. All speakers acknowledged the need for lawful access, and were concerned to examine what kinds of gaps in access to data might exist, and how that might be reasonably dealt with.

For instance, companies in other countries do need to have arrangements that allow UK police to request data. These might be through agreeing to co-operate where the justification and request matches their domestic and UK law, or by international legal co-operation.

The good news is that political support outside of the Home Office seems to be pretty thin. Labour are equivocal, sensing public opposition. The Lib Dems know the Bill is bad news, and their position has hardened as the Joint Committee has looked at the CDB; Nick Clegg said he would take Julian Huppert’s advice on the issue. Many Conservatives are very skeptical, both on cost and privacy grounds.

That doesn’t mean the Bill is bound to be defeated. There are three major concerns. Firstly, the degree of wriggle room that the Joint Committee give the government. Secondly, the need that the coalition will have not to humiliate the Home Secretary Theresa May, who pushed this policy for the Home Office. Thirdly, related to this, the temptation to ‘open up RIPA’, and gamble that keeping the Bill alive could lead to a more fundamental reform including the lack of independent supervision of user data that is accessed by law enforcement today.

In general, many MPs are prone to seeing the CDB as a “technical issue” rather than a civil liberties battle. They are somewhat disconnected from the public on the topic, and need to hear more from their constituents. (This will help harden political opposition in Parliament, so please do it!)

While the Parliamentary situation is complicated, compromise and face-saving measures are temptations that must be avoided. ORG and other campaigners are clear about what we want. The Bill is a disaster, and it needs to be scrapped.

[Read more]

October 09, 2012 | Peter Bradwell

Don't make me laugh

Yesterday Matthew Woods was given 12 weeks in a youth offenders institution for posting jokes about the missing 5 year old girl April Jones (see Padraig Reidy's write up of this yesterday on the Index on Censorship blog). Today Azhar Ahmed was given a community order for posting some very stupid and offensive comments about soliders. 

Woods' jokes were sick. Ahmed's comments were offensive. But are they really things that should be landing a person in jail?

It's sometimes said that the Internet is an unregulated wild west where anything goes. It's hard to maintain that position now. People are going to jail for telling bad jokes on the Internet. That tends to not happen to people telling bad jokes in the pub. Or on television. And I'm not saying that people in the pub or on television should be going to jail.

Section 127 (1) of the Communications Act 2003 is aimed at 'public communications networks'. And the aim it has taken is at a very broadly drawn target. What's is as alarming is that the two cases above are just the latest examples of posts on social media resulting in prosecution. The most famous was perhaps the case of Paul Chambers and the 'Twitter Joke' trial.

The consequences go further than potentially undermining the careers of famous comedians who trade on offensiveness. It reduces the available ground for the free expression of opinion and perspective for everyone.

In an environment where the law tries to rigorously enforce what some people think is offensive, the ultimate consequence is that it is harder for everyone to challenge ideas or beliefs they don't like. It is worth remembering that being offended is not a reaction that is exclusive to people you agree with. Being grossly offensive is not difficult. I'd be amazed if people supporting the prosecution of Woods or Ahmed had not managed it at some stage.

This is different from saying Woods or Ahmed were not offensive.  Of course it was. They were awful, awful things to say. They shouldn't have said them.

The CPS is currently looking again at the section 127, running a series of roundtables and then, possibly, a public consultation. We'll be producing some recommedations on how to create a better and more liberal environment for freedom of expression. Funnily enough, the CPS' roundtables started this week, so they have some very fresh examples to consider. In the meantime, it's worth reading Professor Lilian Edwards' write-up of what she thinks the issue is

[Read more] (6 comments)

October 03, 2012 | Jim Killock

Digital Economy Act: Costs Order debate pulled

Open Rights Group has just learnt that the debate in the Lords scheduled for Monday, in the Moses Room, to discuss the DEA Costs Order has been pulled. 

We do not know the reasons why, but there are some very serious concerns with the order. The order had previously been withdrawn due to drafting errors

Firstly, Ofcom ran a consultation at the same time as DCMS laid the Order before Parliament. This seems pretty odd.

Secondly, the £20 charge placed on Appeals is a clear attempt to deter people from complaining. Most worrying of all the stated aim of introducing an appeals fee was to reduce the cost of the appeals system to copyright owners by reduce overall numbers of subscriber appeals. The month given to file appeals is also very tight, given that people will wish to get legal advice.

Thirdly, the costs imposed on ISPs have very bizarre implications. Ofcom and ISPs will incur millions in set-up cost, which they can’t claim back from the members of the BPI and MPAA, who lobbied for the DEA. According to the draft cost order’s impact assessment Ofcom’s set-up costs are a cool £6.8 million, and ISPs will incur some £7.6 million, of which ISPs are suppose to recover 75 percent from copyright owners.

Some costs may be excluded, say BT and others. They believe that Ofcom has underestimated their cost, that the draft cost order does not actually allow cost recovery from copyright owners and/or that ISPs wont recover even 75 percent of their cost if volumes of notifications are “low”. It’s all pretty bizarre, but as the Secondary Legislation Scrutiny Committee has pointed out, there is no commitment from BPI or MPAA members to use the three strikes scheme, or pay for the set-up cost.

Fourthly, there are concerned that the draft costs order encourages copyright owners to send millions of letters accusing subscribers of copyright infringement (there is talk of 2 million copyright infringement reports per year), without much impact. The magic 75% reduction in copyright infringement after the first notification has not materialized in France or New Zealand, where three strikes is now operational.

Never mind, but without the DEA the UK has actually achieved a bigger increase in legal digital music sales than France, where the taxpayer pays about €12 million to send just over 1 million email notifications.

Yet again, the DEA is running into trouble (the first draft cost order was pulled by the Joint Committee on Statutory Instruments for defective drafting). The scheme Ofcom proposes is unworkable, expensive and apart from threatening open WiFi, and basic principles of justice, it’s not really clear what it would achieve. There are better ways to enforce copyright, educate users and encourage private investment in advertising and developing legal online content services.

And just in case anyone hadn’t noticed, the likely 2 million-plus letters will go out around 2014, the lead up to an election. Do politicians really want that kind of advert for their ability to run the country, given by definition most letters will go to people who have done nothing wrong?

The DEA is a mess left over from the fag end of an exhausted Parliament. More than two years after the DEBill was rushed through Parliament by Lord Mandelson the Government should have a serious rethink.

[Read more]

September 24, 2012 | Jim Killock

CleanIT: bad policy making

Thanks to an EDRi leak, European proposals for widespread action against “terrorism” were revealed last week, with press coverage in the Telegraph and elsewhere.

The project – Clean IT – moved swiftly to deny that they had been a closed project, which is partly true. They also tried to reduce the significance of the document they had produced, saying it was “for discussion” (even though page one of the leaked document suggests the contents are ‘detailed recommendations’).

The plans include measures for upload filtering, corporate censorship, plus procedures for flagging dubious content.

The first of these – “upload filtering” – has significant commercial backing, according to EDRi, but would pose a huge privacy problem. Effectively, all content by all users would have to be machine-read as it was submitted to a service like Google Docs, in case it contained “terrorist” material.

The other discussions, focusing on terms and conditions, try to pass responsibility for free speech to companies, rather than courts. Civil society groups have been saying very strongly that this kind of approach is dangerous. Companies are cautious and of course want to avoid being held liable and responsible for their users' content. So using T&Cs is likely to lead to overly sensitive reactions about what content to take action against. Asking companies to use T&Cs is lazy – it allows government to see policies put in place without legislation or safeguards.

It is also something that civil society has been stressing should be avoided in submissions to the European Commission's consultation on 'notice and action' - a process this is seemingly not connected to. 

In the UK, some similar ideas are being considered under the Home Office’s Prevent Counter Terrorism strategy. This strategy has mooted the idea of blocking of “terrorist” websites on the government estate, and “encouraging” private ISPs to voluntarily block the same list.

However, what links these proposals is the absence of an understanding and definition of the problem - for example, clear evidence that terrorism really can be tackled effectively in these ways. The assumption appears to have been made in both cases that terrorist material is easy to define, is in some way “circulating” and is “recruiting” people to extreme and pro-violence views, and then helping shift these people into actively violent networks. 

Surely it is important to know whether recruitment is between people, in specific kinds of real life locations, targeting individuals with particular vulnerabilities or experiences; or whether it is in fact being conducted via certain websites?

This kind of absence of evidence and adoption of wide assumptions is all too prevalent in Internet policy. In the case of supposed terrorist content, it is particularly problematic as the understandable desire to do something about terrorism can swiftly become a reason to support any measure, no matter how unproven.

Quite a few other Internet policies fall into this category of laws, including the now-dying Hadopi, the troubled Digital Economy Act, and the Australian attempts to create a national adult content firewall. Others, like Data Retention, are under legal challenge. Yet others, like the Claire Perry and Daily Mail-inspired adult content filters proposed for the UK, look like angering the public and potentially harming their supposed objectives.

There is hope. EDRi have embarrassed the CleanIT group, and the EU for funding them. Moving straight to solutions without clearly establishing the problem to address; duplicating work the Commission is already doing, for example on notice and action; and failing to take into account due process and the legal obligations created by human rights law: the Clean IT project is seemingly wasting taxpayers’ money with incompetent and dangerous proposals for the private policing of online content.

This is another signal that politicians and policy makers need to gain some scepticism and rigour when thinking about Internet policy, instead of dealing with it on the basis of rhetoric and first guesses about public harms.

[Read more] (1 comments)

September 07, 2012 | Peter Bradwell

When content is noticed and taken down - have your say

Due to some problems with their website, the European Commission have extended the deadline for submissions to the 'notice and takedown' consultation. This is actually pretty good news for anyone who has yet to submit a response - you still have until Tuesday 11th September to have your say. The Commission are asking for responses to a questionnaire.

The consultation is basically about how illegal content is dealt with by online intermediaries (meaning things like social networks or search engines and so on). Central to this is 'notice and action' (N&A), where a hosting provider is notified about some apparently illegal content and then some action is taken to deal with it. As the EC's 'roadmap' (where they set out some of the key points on the issue) says, "N&A procedures are at the heart of debates on the freedom of speech, innovation, security and the dangers of the internet in particular for vulnerable groups."

A significant concern is that currently N&A procedures lack sufficient due process, leading to legal content being removed on the basis of mere allegations. Abuses of the process are also a significant concern, again leading to content being taken down when it shouldn't. N&A procedures are crucial to questions of freedom of expression online – with the removal of legal content chilling citizens’ right to receive and impart information.

After hearing concerns that the current system is fragmented and is pleasing nobody, the Commission said in January that these procedures "must therefore be made more efficient, within a framework which guarantees legal certainty, the proportionality of the rules governing businesses and respect for fundamental rights" (From the Communication on e-commerce and other online services (2012))

We'll be telling them that they need to pay attention to due process and make sure there are robust mechanisms for establishing the illegality of content, for challenging contestable claims and getting redress when things go wrong, and effective sanctions for those that abuse the process. We'll also highlight some of the recent examples where things have gone wrong, and the issues of mistaken blocking we raised in our mobile Internet censorship report. Fundamentally, this is about who or what decides when we should not be allowed to look at something online, and what happens when they get it wrong (mistakenly or otherwise)?

If this is something you are concerned about, please submit something to the consultation. The Commission are asking to responses via their questionnaire. The deadline is Tuesday 11th September. 

Some organisations have already submitted responses. EDRi have put up their submission and annex, and La Quadrature du Net have published theirs too. You can read some notes from JANET here (JANET is the network that connects the UK's research and education institutions). Saskia Walzel of Consumer Focus has posted about the consultation on ORGZine and at the LSE Media Policy Project blog.


[Read more]

September 05, 2012 | Jim Killock

Bruce Willis: one thing is true

The story that Bruce Willis was to sue Apple because he could not leave his MP3s in his will circulated round the UK press last weekend. His wife has since denied it.

However, one thing remains true. Your digital rights are pretty limited when it comes to leaving downloaded copyright material in your will.

This stands in contrast to physical goods, where you can of course resell or leave your books, DVDs and CDs in your will.

Only software downloads can legally be transferred or resold. A recent case in Europe made this clear when Oracle tried to stop UsedSoft from reselling their downloaded, licensed software. The court disagreed, and pointed to the EU Software Directive.

Many of the reports focused on terms and conditions of Apple’s store. On one level, this is true, copyright owners could agree to license their downloads like this. Perhaps this would be complicated, given the myriad levels of contracts and ownerships, but it is possible if consumer demand is there.

More fundamentally, a change in the law is needed. People will start noticing how unfair this is as they write their wills. As they learn that their digital assets, those they have bought, perhaps for thousands of pounds, are worthless on death, they will feel cheated.

Equally, there is little prospect that individuals who inherit hard drives are going to meticulously delete material which has been paid for. The law will turn people inheriting the physical assets into copyright infringers.

Europe missed a chance to resolve these problems in the Consumer Rights Directive in 2011, although some improvements to the digital market have been made.

But the problem isn’t going away. In many cases, where material is downloaded from a single account like iTunes, the excuses for denying transferability are extremely flimsy. Copyright needs to work for people who are investing in their collections, and the inheritability of your collection is a key missing right.

Someone needs to take on Apple and Amazon. And we don't need to wait for Hollywood stars to do it.

[Read more]

August 24, 2012 | Peter Bradwell

Privacy advocates write to Interception of Communications Commissioner

There appear to be mistakes in the report from the Interception of Communications Commissioner that lead him to underestimate how often communications data is mistakenly shared. We've written to the Commissioner to ask why.

Today ORG, Liberty, Privacy International, Big Brother Watch and Professor Ross Anderson of University of Cambridge will write to the Interception of Communications Commissioner to ask about apparent mistakes in his 2011 report into how effective the RIPA oversight regime is.

In his report the Commissioner tries to calculate the 'error percentage' in RIPA requests. Which is basically a way of trying to say how often mistakes are made by those with powers to request data under RIPA. The consequence of these sort of mistakes is information potentially being disclosed when it should not.

The figure has been used by the Home Office to demonstrate how few errors there are and how well RIPA works to guard against unauthorised use - for example the 2010 figure (which was 0.3%) is cited in their Privacy Impact Assessment for the Snooper's Charter (or to give it its official name the draft Communications Data Bill). In his 2011 report, the Commissioner states that the figure is 0.18%. 

However, we're pretty sure this is incorrect. The figure seems to have been worked out by dividing the number of errors he has discovered or had reported to him by the total number of RIPA requests. But the IoCC and his team don't look at every single request. They take a sample. And the sample size is not published.

As we say in our letter, that means the reported error figure of 0.18% is effectively useless. Assuming we're correct, it only identifies the error percentage rate for the total number of RIPA requests if the Commissioner is confident that there are zero further errors in the uninspected requests.

We have already asked for more information about this. The IoCC said they could not publish it. Further, the Prime Minister's Office have acknowledged they hold the relevant information but consider it exempt from the FOI Act for national security reasons, and are considering the public interest in disclosure.

A clear picture of the error percentage is important to help us judge whether the powers to collect and access communications data are working. At the moment, this problem is getting in the way of a proper consideration of the draft Communications Data Bill - which is proposing to extend the current oversight regime to a much broader set of data.

So it needs clearing up. You can read the full letter below.

Friday 24th August 

Dear Sir Paul,

We are writing to you about the number of errors you discovered through your team's inspections, and to express concerns about the conclusions you draw regarding the overall ‘error percentage’ in RIPA requests for communications data.

We welcome the increased breadth of information disclosed in your 2011 Annual Report. Transparency is an important part of any effective scrutiny regime, and at no time is this function more vital than when safeguarding against the unlawful access of private communications data.

Of the 494,078 requests for communications data in the reporting year 2011-2012, you state that “895 communications data errors were reported to my office by public authorities”. Later in the document, you disclose that 99 of those errors were identified by your own inspectors, and not reported by public authorities. Thus, 11% of all errors identified within the Report were only uncovered following your inspections, which examined a random sample of those 494,078 requests. This figure demonstrates the importance of independent scrutiny, and we laud your transparency in permitting its disclosure within the report.

We note, however, that you do not detail the size of the sample inspected, making further accurate independent analysis of this aspect of your report impossible. Based upon those 895 identified errors, you declare that the “overall error percentage rate” is 0.18%; a conclusion we assume to have been reached by the following calculation:

(895/494078) x 100 = 0.18%

Your inspectors have not examined each of the 494,078 requests but, rather, a subset of that total. Thus, with respect, your ‘error percentage rate’ cannot be correct: the calculation assumes that within the uninspected remainder there are no further errors.

A more accurate (although still imperfect) calculation would establish the “error percentage rate” of the random sample, and apply that percentage to the total number of requests. If we assume, for example, that 10,000 requests were scrutinised by your team, the 99 errors identified would equate to an “overall error percentage rate” five times greater than your conclusion within the report:

(99/10000) x 100 = 0.99%

On this assumption, there remain a further 4784 undiscovered errors within the pool of 494,078 requests.

A clear picture of the error percentage is critical for determining the necessity and proportionality of powers used to collect and access communications data. It facilitates a proper understanding of the likely 'collateral intrusion', and helps us to understand the likely frequency of false positives. 

We are concerned that a lack of clarity, or imprecision, in the analysis of error rates under the current RIPA regime may be inhibiting proper scrutiny of the draft Communications Data Bill. For example, the overall error percentage rate from 2010 (0.3%) is cited on page 11 of the Home Office's Privacy Impact Assessment for the draft Bill as evidence of how robust the current oversight regime is. As we explain above, we are unable to accept the accuracy of this figure.

Accordingly, we appeal to you to clarify how your calculations are made and what advice on statistics you have had, and to disclose the number of requests your team inspected.

Yours sincerely,

Professor Ross Anderson FRS FREng, University of Cambridge
Gus Hosein, Executive Director, Privacy International
Jim Killock, Executive Director, Open Rights Group
Nick Pickles, Director, Big Brother Watch
Rachel Robinson, Policy Officer, Liberty

[Read more] (1 comments)

August 07, 2012 | Peter Bradwell

Initial Obligations Code needs rewriting. Again.

ORG has written to the Minister Ed Vaizey MP explaining why we believe the Initial Obligations Code still isn't good enough.

Last week, the Minister for Culture, Communications and Creative Industries Ed Vaizey MP wrote to ORG, explaining how he understood the position of libraries and universities under the revised 'Initial Obligations Code'. (The Initial Obligations Code is the instrument that sets out in detail how the Digital Economy Act will work).

We replied today, asking for approval of the Code to be withheld and that DCMS instruct Ofcom to rewrite the Code once more. (The Code requires the approval of the Secretary of State Jeremy Hunt MP).

You may remember that in our submission to Ofcom's consultation, we asked them to have another go at writing the Code. That is because we think it still leaves cafes, hotels, libraries and other providers of wifi to the public with no clarity as to whether they will be considered 'subscribers' and be the subject of Copyright Infringement Reports. Despite the increasing importance of a widely available 'infrastructure' of publicly available wifi internet access, the Code does nothing to address the position of those providing that access. 

This is what we explained to the Minister in our reply today. We also set out how important wifi access has become to Internet users in the UK, and that it would be damaging for the Government to be taking steps that disincentivise the provision of wifi. 

You can read our letter below. The Minister's letter to us is available here (pdf). 


7th August 2012


Dear Mr Vaizey,

Thank you for your letter of 2nd August regarding the revised Initial Obligations Code, which included an explanation of your understanding of the position in which libraries and universities now find themselves under the Code.

We certainly recognise and welcome the work that Ofcom have put into the revised Code. However, we believe it still does not provide the requisite level of certainty for wifi providers, from libraries through to cafes and hotels, as to whether they will be considered 'subscribers' and as a result be the subject of CIRs. As a result the Code will likely act as a disincentive to the provision of public wifi and undermine a key plank of the UK's Internet infrastructure.

Given the likely low levels of infringement on such networks, this is a significant cost for little gain in terms of a reduction in levels of copyright infringement. We suggest that approval for the current Code is withheld pending a further revision that explicitly addresses the position of these wifi providers. In this letter we focus on this issue, suggest how this might be achieved, and explain why we think it is important to do so.

DCMS and Ofcom say that it is 'likely' that public intermediaries will be classified as non-qualifying ISPs rather than subscribers. We are far from certain this will be the case. Unfortunately, the appeals body does not have the power to issue such binding guidance.

We contrast this to the stance that Ofcom have taken with large wifi providers, who are explicitly excluded from the scope of the Code because “inclusion is likely to lead to them incurring substantial costs to achieve a minimal reduction in overall levels of online copyright infringements.” We note no such analysis been undertaken for other providers.

If the current explanation is a recognition that libraries and other wifi providers are in a problematic position then there is little reason to avoid properly clarifying the issue with certainty now.

This should be possible. Ofcom have claimed that they are prevented from exempting libraries and other wifi providers because this was not the intention of the government when the Act was passed. We do not agree that the will of the past government continues to have this effect.

It is within Ofcom's powers to deal with the central issue: ensuring that wifi providers, including for example libraries, cafes and hotels, will not be considered subscribers that can be subject to CIRs under the Code. Ofcom can create a class of entities which cannot be the subject of a CIR under section 124(A) of the Digital Economy Act. We suggest that they do so through a further revised Code. Failing this, DCMS should provide Ofcom with an instruction to this effect.

We consider this to be such a vital issue because public wifi availability has grown in significance for Internet users in the UK.

As we detailed in our submission to the consultation on the revised Code (which we have attached to this letter), Ofcom's own research demonstrates the importance of broadly available wifi infrastructure. The most recent Ofcom market report suggests that 81% of smartphone data traffic was carried over wifi in January 2012. Similarly, the Oxford Internet Institute's Internet Survey 2011 defines the 'next generation' Internet user as being 'someone who accesses the Internet from multiple locations and devices.' Many providers of wifi have repeatedly asked for clarity and suggested that without it they may withdraw wifi provision. The Act and Code effectively kills off open wifi and places disincentives to the continued proliferation of wifi spots in the UK.

Given how easily this could be resolved, we see no reason to avoid taking definitive action on this problem now. We suggest that approval is withheld for this version of the Code, and that Ofcom produce a further revised Code that properly addresses the substantive issues identified by so many over the past two years.

Yours sincerely, 

Jim Killock
Executive Director

[Read more]

google plusdeliciousdiggfacebookgooglelinkedinstumbleupontwitteremail